diff --git a/CLOBBER b/CLOBBER
index 6881acdc0fcf..a69337ad6c5e 100644
--- a/CLOBBER
+++ b/CLOBBER
@@ -22,4 +22,4 @@
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Bug 1210154 - Update the clang toolchain
+Bug 1215696 - Update mp4parse to v0.1.1
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
index 7acdef9e1527..88e5edac66da 100644
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -257,6 +257,9 @@ XPCOMUtils.defineLazyModuleGetter(this, "ReaderMode",
 XPCOMUtils.defineLazyModuleGetter(this, "ReaderParent",
   "resource:///modules/ReaderParent.jsm");
 
+XPCOMUtils.defineLazyModuleGetter(this, "LoginManagerParent",
+  "resource://gre/modules/LoginManagerParent.jsm");
+
 var gInitialPages = [
   "about:blank",
   "about:newtab",
@@ -1194,6 +1197,10 @@ var gBrowserInit = {
       }
     }, false, true);
 
+    gBrowser.addEventListener("InsecureLoginFormsStateChange", function() {
+      gIdentityHandler.refreshForInsecureLoginForms();
+    });
+
     let uriToLoad = this._getUriToLoad();
     if (uriToLoad && uriToLoad != "about:blank") {
       if (uriToLoad instanceof Ci.nsISupportsArray) {
@@ -7056,9 +7063,7 @@ var gIdentityHandler = {
     }
 
     // Then, update the user interface with the available data.
-    if (this._identityBox) {
-      this.refreshIdentityBlock();
-    }
+    this.refreshIdentityBlock();
     // Handle a location change while the Control Center is focused
     // by closing the popup (bug 1207542)
     if (shouldHidePopup) {
@@ -7071,6 +7076,20 @@ var gIdentityHandler = {
     // information we don't want to suddenly change the panel contents.
   },
 
+  /**
+   * This is called asynchronously when requested by the Logins module, after
+   * the insecure login forms state for the page has been updated.
+   */
+  refreshForInsecureLoginForms() {
+    // Check this._uri because we don't want to refresh the user interface if
+    // this is called before the first page load in the window for any reason.
+    if (!this._uri) {
+      Cu.reportError("Unexpected early call to refreshForInsecureLoginForms.");
+      return;
+    }
+    this.refreshIdentityBlock();
+  },
+
   /**
    * Attempt to provide proper IDN treatment for host names
    */
@@ -7107,6 +7126,10 @@ var gIdentityHandler = {
    * Updates the identity block user interface with the data from this object.
    */
   refreshIdentityBlock() {
+    if (!this._identityBox) {
+      return;
+    }
+
     let icon_label = "";
     let tooltip = "";
     let icon_country_label = "";
@@ -7175,6 +7198,11 @@ var gIdentityHandler = {
           this._identityBox.classList.add("weakCipher");
         }
       }
+      if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+        // Insecure login forms can only be present on "unknown identity"
+        // pages, either already insecure or with mixed active content loaded.
+        this._identityBox.classList.add("insecureLoginForms");
+      }
       tooltip = gNavigatorBundle.getString("identity.unknown.tooltip");
     }
 
@@ -7212,6 +7240,12 @@ var gIdentityHandler = {
       connection = "secure";
     }
 
+    // Determine if there are insecure login forms.
+    let loginforms = "secure";
+    if (LoginManagerParent.hasInsecureLoginForms(gBrowser.selectedBrowser)) {
+      loginforms = "insecure";
+    }
+
     // Determine the mixed content state.
     let mixedcontent = [];
     if (this._isMixedPassiveContentLoaded) {
@@ -7249,6 +7283,7 @@ var gIdentityHandler = {
     for (let id of elementIDs) {
       let element = document.getElementById(id);
       updateAttribute(element, "connection", connection);
+      updateAttribute(element, "loginforms", loginforms);
       updateAttribute(element, "ciphers", ciphers);
       updateAttribute(element, "mixedcontent", mixedcontent);
       updateAttribute(element, "isbroken", this._isBroken);
diff --git a/browser/base/content/test/general/browser.ini b/browser/base/content/test/general/browser.ini
index 0af044441ef3..c50ddb821f15 100644
--- a/browser/base/content/test/general/browser.ini
+++ b/browser/base/content/test/general/browser.ini
@@ -268,7 +268,7 @@ tags = mcb
 tags = mcb
 [browser_bug906190.js]
 tags = mcb
-skip-if = buildapp == "mulet" || e10s # Bug 1093642 - test manipulates content and relies on content focus
+skip-if = buildapp == "mulet" || e10s || os == "linux" # Bug 1093642 - test manipulates content and relies on content focus, Bug 1212520 - Re-enable on Linux
 [browser_mixedContentFromOnunload.js]
 tags = mcb
 [browser_mixedContentFramesOnHttp.js]
@@ -322,6 +322,7 @@ skip-if = e10s # Bug 863514 - no gesture support.
 [browser_homeDrop.js]
 skip-if = buildapp == 'mulet'
 [browser_identity_UI.js]
+[browser_insecureLoginForms.js]
 [browser_keywordBookmarklets.js]
 skip-if = e10s # Bug 1102025 - different principals for the bookmarklet only in e10s mode (unclear if test or 'real' issue)
 [browser_keywordSearch.js]
diff --git a/browser/base/content/test/general/browser_insecureLoginForms.js b/browser/base/content/test/general/browser_insecureLoginForms.js
new file mode 100644
index 000000000000..fabb66cbfb91
--- /dev/null
+++ b/browser/base/content/test/general/browser_insecureLoginForms.js
@@ -0,0 +1,92 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Load directly from the browser-chrome support files of login tests.
+const testUrlPath =
+      "://example.com/browser/toolkit/components/passwordmgr/test/browser/";
+
+/**
+ * Waits for the given number of occurrences of InsecureLoginFormsStateChange
+ * on the given browser element.
+ */
+function waitForInsecureLoginFormsStateChange(browser, count) {
+  return BrowserTestUtils.waitForEvent(browser, "InsecureLoginFormsStateChange",
+                                       false, () => --count == 0);
+}
+
+/**
+ * Checks the insecure login forms logic for the identity block.
+ */
+add_task(function* test_simple() {
+  for (let scheme of ["http", "https"]) {
+    let tab = gBrowser.addTab(scheme + testUrlPath + "form_basic.html");
+    let browser = tab.linkedBrowser;
+    yield Promise.all([
+      BrowserTestUtils.switchTab(gBrowser, tab),
+      BrowserTestUtils.browserLoaded(browser),
+      // One event is triggered by pageshow and one by DOMFormHasPassword.
+      waitForInsecureLoginFormsStateChange(browser, 2),
+    ]);
+
+    let { gIdentityHandler } = gBrowser.ownerGlobal;
+    gIdentityHandler._identityBox.click();
+    document.getElementById("identity-popup-security-expander").click();
+
+    if (scheme == "http") {
+      let identityBoxImage = gBrowser.ownerGlobal
+            .getComputedStyle(document.getElementById("page-proxy-favicon"), "")
+            .getPropertyValue("list-style-image");
+      let securityViewBG = gBrowser.ownerGlobal
+            .getComputedStyle(document.getElementById("identity-popup-securityView"), "")
+            .getPropertyValue("background-image");
+      let securityContentBG = gBrowser.ownerGlobal
+            .getComputedStyle(document.getElementById("identity-popup-security-content"), "")
+            .getPropertyValue("background-image");
+      is(identityBoxImage,
+         "url(\"chrome://browser/skin/identity-mixed-active-loaded.svg\")",
+         "Using expected icon image in the identity block");
+      is(securityViewBG,
+         "url(\"chrome://browser/skin/controlcenter/mcb-disabled.svg\")",
+         "Using expected icon image in the Control Center main view");
+      is(securityContentBG,
+         "url(\"chrome://browser/skin/controlcenter/mcb-disabled.svg\")",
+         "Using expected icon image in the Control Center subview");
+    }
+
+    // Messages should be visible when the scheme is HTTP, and invisible when
+    // the scheme is HTTPS.
+    is(Array.every(document.querySelectorAll("[when-loginforms=insecure]"),
+                   element => !is_hidden(element)),
+       scheme == "http",
+       "The relevant messages should visible or hidden.");
+
+    gIdentityHandler._identityPopup.hidden = true;
+    gBrowser.removeTab(tab);
+  }
+});
+
+/**
+ * Checks that the insecure login forms logic does not regress mixed content
+ * blocking messages when mixed active content is loaded.
+ */
+add_task(function* test_mixedcontent() {
+  yield new Promise(resolve => SpecialPowers.pushPrefEnv({
+    "set": [["security.mixed_content.block_active_content", false]],
+  }, resolve));
+
+  // Load the page with the subframe in a new tab.
+  let tab = gBrowser.addTab("https" + testUrlPath + "insecure_test.html");
+  let browser = tab.linkedBrowser;
+  yield Promise.all([
+    BrowserTestUtils.switchTab(gBrowser, tab),
+    BrowserTestUtils.browserLoaded(browser),
+    // Two events are triggered by pageshow and one by DOMFormHasPassword.
+    waitForInsecureLoginFormsStateChange(browser, 3),
+  ]);
+
+  assertMixedContentBlockingState(browser, { activeLoaded: true,
+                                             activeBlocked: false,
+                                             passiveLoaded: false });
+
+  gBrowser.removeTab(tab);
+});
diff --git a/browser/base/content/test/general/head.js b/browser/base/content/test/general/head.js
index 86adcb9e53fc..c202c592a9e9 100644
--- a/browser/base/content/test/general/head.js
+++ b/browser/base/content/test/general/head.js
@@ -890,6 +890,13 @@ function assertMixedContentBlockingState(tabbrowser, states = {}) {
     }
   }
 
+  if (activeLoaded || activeBlocked || passiveLoaded) {
+    doc.getElementById("identity-popup-security-expander").click();
+    is(Array.filter(doc.querySelectorAll("[observes=identity-popup-mcb-learn-more]"),
+                    element => !is_hidden(element)).length, 1,
+       "The 'Learn more' link should be visible once.");
+  }
+
   gIdentityHandler._identityPopup.hidden = true;
 }
 
diff --git a/browser/components/controlcenter/content/panel.inc.xul b/browser/components/controlcenter/content/panel.inc.xul
index 2648b93d8640..205a7df6ca83 100644
--- a/browser/components/controlcenter/content/panel.inc.xul
+++ b/browser/components/controlcenter/content/panel.inc.xul
@@ -41,6 +41,7 @@
             <description when-mixedcontent="active-loaded">&identity.activeLoaded;</description>
             <description class="identity-popup-warning-yellow"
                          when-ciphers="weak">&identity.weakEncryption;</description>
+            <description when-loginforms="insecure">&identity.insecureLoginForms;</description>
           </vbox>
         </vbox>
         <button id="identity-popup-security-expander"
@@ -116,7 +117,11 @@
                      when-connection="secure secure-ev"/>
 
         <!-- Connection is Not Secure -->
-        <description when-connection="not-secure">&identity.description.insecure;</description>
+        <description when-connection="not-secure"
+                     and-when-loginforms="secure">&identity.description.insecure;</description>
+
+        <!-- Insecure login forms -->
+        <description when-loginforms="insecure">&identity.description.insecureLoginForms;</description>
 
         <!-- Weak Cipher -->
         <description when-ciphers="weak">&identity.description.weakCipher;</description>
@@ -138,8 +143,14 @@
                      class="identity-popup-warning-yellow">&identity.description.passiveLoaded3; <label observes="identity-popup-mcb-learn-more"/></description>
 
         <!-- Active Mixed Content Blocking Disabled -->
-        <description when-mixedcontent="active-loaded">&identity.description.activeLoaded;</description>
-        <description when-mixedcontent="active-loaded">&identity.description.activeLoaded2; <label observes="identity-popup-mcb-learn-more"/></description>
+        <description when-mixedcontent="active-loaded"
+                     and-when-loginforms="secure">&identity.description.activeLoaded;</description>
+        <description when-mixedcontent="active-loaded"
+                     and-when-loginforms="secure">&identity.description.activeLoaded2; <label observes="identity-popup-mcb-learn-more"/></description>
+        <!-- Show only the first message when there are insecure login forms,
+             and make sure the Learn More link is included. -->
+        <description when-mixedcontent="active-loaded"
+                     and-when-loginforms="insecure">&identity.description.activeLoaded; <label observes="identity-popup-mcb-learn-more"/></description>
 
         <!-- Buttons to enable/disable mixed content blocking. -->
         <button when-mixedcontent="active-blocked"
diff --git a/browser/components/extensions/ext-browserAction.js b/browser/components/extensions/ext-browserAction.js
index 6965706e8736..500098958510 100644
--- a/browser/components/extensions/ext-browserAction.js
+++ b/browser/components/extensions/ext-browserAction.js
@@ -1,3 +1,7 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
 XPCOMUtils.defineLazyModuleGetter(this, "CustomizableUI",
                                   "resource:///modules/CustomizableUI.jsm");
 
@@ -14,22 +18,11 @@ var {
 // WeakMap[Extension -> BrowserAction]
 var browserActionMap = new WeakMap();
 
-// WeakMap[Extension -> docshell]
-// This map is a cache of the windowless browser that's used to render ImageData
-// for the browser_action icon.
-var imageRendererMap = new WeakMap();
-
 function browserActionOf(extension)
 {
   return browserActionMap.get(extension);
 }
 
-function makeWidgetId(id)
-{
-  id = id.toLowerCase();
-  return id.replace(/[^a-z0-9_-]/g, "_");
-}
-
 var nextActionId = 0;
 
 // Responsible for the browser_action section of the manifest as well
@@ -40,13 +33,25 @@ function BrowserAction(options, extension)
   this.id = makeWidgetId(extension.id) + "-browser-action";
   this.widget = null;
 
-  this.title = new DefaultWeakMap(extension.localize(options.default_title));
-  this.badgeText = new DefaultWeakMap();
-  this.badgeBackgroundColor = new DefaultWeakMap();
-  this.icon = new DefaultWeakMap(options.default_icon);
-  this.popup = new DefaultWeakMap(options.default_popup);
+  let title = extension.localize(options.default_title || "");
+  let popup = extension.localize(options.default_popup || "");
+  if (popup) {
+    popup = extension.baseURI.resolve(popup);
+  }
 
-  this.context = null;
+  this.defaults = {
+    title: title,
+    badgeText: "",
+    badgeBackgroundColor: null,
+    icon: IconDetails.normalize({ path: options.default_icon }, extension,
+                                null, true),
+    popup: popup,
+  };
+
+  this.tabContext = new TabContext(tab => Object.create(this.defaults),
+                                   extension);
+
+  EventEmitter.decorate(this);
 }
 
 BrowserAction.prototype = {
@@ -62,10 +67,9 @@ BrowserAction.prototype = {
         node.setAttribute("class", "toolbarbutton-1 chromeclass-toolbar-additional badged-button");
         node.setAttribute("constrain-size", "true");
 
-        this.updateTab(null, node);
+        this.updateButton(node, this.defaults);
 
         let tabbrowser = document.defaultView.gBrowser;
-        tabbrowser.tabContainer.addEventListener("TabSelect", this);
 
         node.addEventListener("command", event => {
           let tab = tabbrowser.selectedTab;
@@ -80,155 +84,58 @@ BrowserAction.prototype = {
         return node;
       },
     });
+
+    this.tabContext.on("tab-select",
+                       (evt, tab) => { this.updateWindow(tab.ownerDocument.defaultView); })
+
     this.widget = widget;
   },
 
-  handleEvent(event) {
-    if (event.type == "TabSelect") {
-      let window = event.target.ownerDocument.defaultView;
-      let tabbrowser = window.gBrowser;
-      let instance = CustomizableUI.getWidget(this.id).forWindow(window);
-      if (instance) {
-        this.updateTab(tabbrowser.selectedTab, instance.node);
-      }
-    }
-  },
-
   togglePopup(node, popupResource) {
-    let popupURL = this.extension.baseURI.resolve(popupResource);
-
-    let document = node.ownerDocument;
-    let panel = document.createElement("panel");
-    panel.setAttribute("class", "browser-action-panel");
-    panel.setAttribute("type", "arrow");
-    panel.setAttribute("flip", "slide");
-    node.appendChild(panel);
-
-    panel.addEventListener("popuphidden", () => {
-      this.context.unload();
-      this.context = null;
-      panel.remove();
-    });
-
-    const XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
-    let browser = document.createElementNS(XUL_NS, "browser");
-    browser.setAttribute("type", "content");
-    browser.setAttribute("disableglobalhistory", "true");
-    panel.appendChild(browser);
-
-    let loadListener = () => {
-      panel.removeEventListener("load", loadListener);
-
-      this.context = new ExtensionPage(this.extension, {
-        type: "popup",
-        contentWindow: browser.contentWindow,
-        uri: Services.io.newURI(popupURL, null, null),
-        docShell: browser.docShell,
-      });
-      GlobalManager.injectInDocShell(browser.docShell, this.extension, this.context);
-      browser.setAttribute("src", popupURL);
-
-      let contentLoadListener = () => {
-        browser.removeEventListener("load", contentLoadListener);
-
-        let contentViewer = browser.docShell.contentViewer;
-        let width = {}, height = {};
-        try {
-          contentViewer.getContentSize(width, height);
-          [width, height] = [width.value, height.value];
-        } catch (e) {
-          // getContentSize can throw
-          [width, height] = [400, 400];
-        }
-
-        let window = document.defaultView;
-        width /= window.devicePixelRatio;
-        height /= window.devicePixelRatio;
-        width = Math.min(width, 800);
-        height = Math.min(height, 800);
-
-        browser.setAttribute("width", width);
-        browser.setAttribute("height", height);
-
-        let anchor = document.getAnonymousElementByAttribute(node, "class", "toolbarbutton-icon");
-        panel.openPopup(anchor, "bottomcenter topright", 0, 0, false, false);
-      };
-      browser.addEventListener("load", contentLoadListener, true);
-    };
-    panel.addEventListener("load", loadListener);
+    openPanel(node, popupResource, this.extension);
   },
 
-  // Initialize the toolbar icon and popup given that |tab| is the
-  // current tab and |node| is the CustomizableUI node. Note: |tab|
-  // will be null if we don't know the current tab yet (during
-  // initialization).
-  updateTab(tab, node) {
-    let window = node.ownerDocument.defaultView;
-
-    let title = this.getProperty(tab, "title");
-    if (title) {
-      node.setAttribute("tooltiptext", title);
-      node.setAttribute("label", title);
+  // Update the toolbar button |node| with the tab context data
+  // in |tabData|.
+  updateButton(node, tabData) {
+    if (tabData.title) {
+      node.setAttribute("tooltiptext", tabData.title);
+      node.setAttribute("label", tabData.title);
+      node.setAttribute("aria-label", tabData.title);
     } else {
       node.removeAttribute("tooltiptext");
       node.removeAttribute("label");
+      node.removeAttribute("aria-label");
     }
 
-    let badgeText = this.badgeText.get(tab);
-    if (badgeText) {
-      node.setAttribute("badge", badgeText);
+    if (tabData.badgeText) {
+      node.setAttribute("badge", tabData.badgeText);
     } else {
       node.removeAttribute("badge");
     }
 
-    function toHex(n) {
-      return Math.floor(n / 16).toString(16) + (n % 16).toString(16);
-    }
-
     let badgeNode = node.ownerDocument.getAnonymousElementByAttribute(node,
                                         'class', 'toolbarbutton-badge');
     if (badgeNode) {
-      let color = this.badgeBackgroundColor.get(tab);
+      let color = tabData.badgeBackgroundColor;
       if (Array.isArray(color)) {
         color = `rgb(${color[0]}, ${color[1]}, ${color[2]})`;
       }
-      badgeNode.style.backgroundColor = color;
+      badgeNode.style.backgroundColor = color || "";
     }
 
-    let iconURL = this.getIcon(tab, node);
+    let iconURL = IconDetails.getURL(
+      tabData.icon, node.ownerDocument.defaultView, this.extension);
     node.setAttribute("image", iconURL);
   },
 
-  // Note: tab is allowed to be null here.
-  getIcon(tab, node) {
-    let icon = this.icon.get(tab);
-
-    let url;
-    if (typeof(icon) != "object") {
-      url = icon;
-    } else {
-      let window = node.ownerDocument.defaultView;
-      let utils = window.QueryInterface(Ci.nsIInterfaceRequestor)
-                        .getInterface(Components.interfaces.nsIDOMWindowUtils);
-      let res = {value: 1}
-      utils.getResolution(res);
-
-      let size = res.value == 1 ? 19 : 38;
-      url = icon[size];
-    }
-
-    if (url) {
-      return this.extension.baseURI.resolve(url);
-    } else {
-      return "chrome://browser/content/extension.svg";
-    }
-  },
-
   // Update the toolbar button for a given window.
   updateWindow(window) {
-    let tab = window.gBrowser ? window.gBrowser.selectedTab : null;
-    let node = CustomizableUI.getWidget(this.id).forWindow(window).node;
-    this.updateTab(tab, node);
+    let widget = this.widget.forWindow(window);
+    if (widget) {
+      let tab = window.gBrowser.selectedTab;
+      this.updateButton(widget.node, this.tabContext.get(tab));
+    }
   },
 
   // Update the toolbar button when the extension changes the icon,
@@ -240,12 +147,8 @@ BrowserAction.prototype = {
         this.updateWindow(tab.ownerDocument.defaultView);
       }
     } else {
-      let e = Services.wm.getEnumerator("navigator:browser");
-      while (e.hasMoreElements()) {
-        let window = e.getNext();
-        if (window.gBrowser) {
-          this.updateWindow(window);
-        }
+      for (let window of WindowListManager.browserWindows()) {
+        this.updateWindow(window);
       }
     }
   },
@@ -253,30 +156,31 @@ BrowserAction.prototype = {
   // tab is allowed to be null.
   // prop should be one of "icon", "title", "badgeText", "popup", or "badgeBackgroundColor".
   setProperty(tab, prop, value) {
-    this[prop].set(tab, value);
+    if (tab == null) {
+      this.defaults[prop] = value;
+    } else {
+      this.tabContext.get(tab)[prop] = value;
+    }
+
     this.updateOnChange(tab);
   },
 
   // tab is allowed to be null.
   // prop should be one of "title", "badgeText", "popup", or "badgeBackgroundColor".
   getProperty(tab, prop) {
-    return this[prop].get(tab);
+    if (tab == null) {
+      return this.defaults[prop];
+    } else {
+      return this.tabContext.get(tab)[prop];
+    }
   },
 
   shutdown() {
-    let widget = CustomizableUI.getWidget(this.id);
-    for (let instance of widget.instances) {
-      let window = instance.node.ownerDocument.defaultView;
-      let tabbrowser = window.gBrowser;
-      tabbrowser.tabContainer.removeEventListener("TabSelect", this);
-    }
-
+    this.tabContext.shutdown();
     CustomizableUI.destroyWidget(this.id);
   },
 };
 
-EventEmitter.decorate(BrowserAction.prototype);
-
 extensions.on("manifest_browser_action", (type, directive, extension, manifest) => {
   let browserAction = new BrowserAction(manifest.browser_action, extension);
   browserAction.build();
@@ -288,37 +192,8 @@ extensions.on("shutdown", (type, extension) => {
     browserActionMap.get(extension).shutdown();
     browserActionMap.delete(extension);
   }
-  imageRendererMap.delete(extension);
 });
 
-function convertImageDataToPNG(extension, imageData)
-{
-  let webNav = imageRendererMap.get(extension);
-  if (!webNav) {
-    webNav = Services.appShell.createWindowlessBrowser(false);
-    let principal = Services.scriptSecurityManager.createCodebasePrincipal(extension.baseURI,
-                                                                           {addonId: extension.id});
-    let interfaceRequestor = webNav.QueryInterface(Ci.nsIInterfaceRequestor);
-    let docShell = interfaceRequestor.getInterface(Ci.nsIDocShell);
-
-    GlobalManager.injectInDocShell(docShell, extension, null);
-
-    docShell.createAboutBlankContentViewer(principal);
-  }
-
-  let document = webNav.document;
-  let canvas = document.createElement("canvas");
-  canvas.width = imageData.width;
-  canvas.height = imageData.height;
-  canvas.getContext("2d").putImageData(imageData, 0, 0);
-
-  let url = canvas.toDataURL("image/png");
-
-  canvas.remove();
-
-  return url;
-}
-
 extensions.registerAPI((extension, context) => {
   return {
     browserAction: {
@@ -346,12 +221,8 @@ extensions.registerAPI((extension, context) => {
 
       setIcon: function(details, callback) {
         let tab = details.tabId ? TabManager.getTab(details.tabId) : null;
-        if (details.imageData) {
-          let url = convertImageDataToPNG(extension, details.imageData);
-          browserActionOf(extension).setProperty(tab, "icon", url);
-        } else {
-          browserActionOf(extension).setProperty(tab, "icon", details.path);
-        }
+        let icon = IconDetails.normalize(details, extension, context);
+        browserActionOf(extension).setProperty(tab, "icon", icon);
       },
 
       setBadgeText: function(details) {
@@ -367,7 +238,13 @@ extensions.registerAPI((extension, context) => {
 
       setPopup: function(details) {
         let tab = details.tabId ? TabManager.getTab(details.tabId) : null;
-        browserActionOf(extension).setProperty(tab, "popup", details.popup);
+        // Note: Chrome resolves arguments to setIcon relative to the calling
+        // context, but resolves arguments to setPopup relative to the extension
+        // root.
+        // For internal consistency, we currently resolve both relative to the
+        // calling context.
+        let url = details.popup && context.uri.resolve(details.popup);
+        browserActionOf(extension).setProperty(tab, "popup", url);
       },
 
       getPopup: function(details, callback) {
diff --git a/browser/components/extensions/ext-pageAction.js b/browser/components/extensions/ext-pageAction.js
new file mode 100644
index 000000000000..23a84ed811a4
--- /dev/null
+++ b/browser/components/extensions/ext-pageAction.js
@@ -0,0 +1,246 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
+Cu.import("resource://gre/modules/ExtensionUtils.jsm");
+var {
+  EventManager,
+  DefaultWeakMap,
+  ignoreEvent,
+  runSafe,
+} = ExtensionUtils;
+
+// WeakMap[Extension -> PageAction]
+var pageActionMap = new WeakMap();
+
+
+// Handles URL bar icons, including the |page_action| manifest entry
+// and associated API.
+function PageAction(options, extension)
+{
+  this.extension = extension;
+  this.id = makeWidgetId(extension.id) + "-page-action";
+
+  let title = extension.localize(options.default_title || "");
+  let popup = extension.localize(options.default_popup || "");
+  if (popup) {
+    popup = extension.baseURI.resolve(popup);
+  }
+
+  this.defaults = {
+    show: false,
+    title: title,
+    icon: IconDetails.normalize({ path: options.default_icon }, extension,
+                                null, true),
+    popup: popup && extension.baseURI.resolve(popup),
+  };
+
+  this.tabContext = new TabContext(tab => Object.create(this.defaults),
+                                   extension);
+
+  this.tabContext.on("location-change", this.handleLocationChange.bind(this));
+
+  // WeakMap[ChromeWindow -> <xul:image>]
+  this.buttons = new WeakMap();
+
+  EventEmitter.decorate(this);
+}
+
+PageAction.prototype = {
+  // Returns the value of the property |prop| for the given tab, where
+  // |prop| is one of "show", "title", "icon", "popup".
+  getProperty(tab, prop) {
+    return this.tabContext.get(tab)[prop];
+  },
+
+  // Sets the value of the property |prop| for the given tab to the
+  // given value, symmetrically to |getProperty|.
+  //
+  // If |tab| is currently selected, updates the page action button to
+  // reflect the new value.
+  setProperty(tab, prop, value) {
+    this.tabContext.get(tab)[prop] = value;
+    if (tab.selected) {
+      this.updateButton(tab.ownerDocument.defaultView);
+    }
+  },
+
+  // Updates the page action button in the given window to reflect the
+  // properties of the currently selected tab:
+  //
+  // Updates "tooltiptext" and "aria-label" to match "title" property.
+  // Updates "image" to match the "icon" property.
+  // Shows or hides the icon, based on the "show" property.
+  updateButton(window) {
+    let tabData = this.tabContext.get(window.gBrowser.selectedTab);
+
+    if (!(tabData.show || this.buttons.has(window))) {
+      // Don't bother creating a button for a window until it actually
+      // needs to be shown.
+      return;
+    }
+
+    let button = this.getButton(window);
+
+    if (tabData.show) {
+      // Update the title and icon only if the button is visible.
+
+      if (tabData.title) {
+        button.setAttribute("tooltiptext", tabData.title);
+        button.setAttribute("aria-label", tabData.title);
+      } else {
+        button.removeAttribute("tooltiptext");
+        button.removeAttribute("aria-label");
+      }
+
+      let icon = IconDetails.getURL(tabData.icon, window, this.extension);
+      button.setAttribute("src", icon);
+    }
+
+    button.hidden = !tabData.show;
+  },
+
+  // Create an |image| node and add it to the |urlbar-icons|
+  // container in the given window.
+  addButton(window) {
+    let document = window.document;
+
+    let button = document.createElement("image");
+    button.id = this.id;
+    button.setAttribute("class", "urlbar-icon");
+
+    button.addEventListener("click", event => {
+      if (event.button == 0) {
+        this.handleClick(window);
+      }
+    });
+
+    document.getElementById("urlbar-icons").appendChild(button);
+
+    return button;
+  },
+
+  // Returns the page action button for the given window, creating it if
+  // it doesn't already exist.
+  getButton(window) {
+    if (!this.buttons.has(window)) {
+      let button = this.addButton(window);
+      this.buttons.set(window, button);
+    }
+
+    return this.buttons.get(window);
+  },
+
+  // Handles a click event on the page action button for the given
+  // window.
+  // If the page action has a |popup| property, a panel is opened to
+  // that URL. Otherwise, a "click" event is emitted, and dispatched to
+  // the any click listeners in the add-on.
+  handleClick(window) {
+    let tab = window.gBrowser.selectedTab;
+    let popup = this.tabContext.get(tab).popup;
+
+    if (popup) {
+      openPanel(this.getButton(window), popup, this.extension);
+    } else {
+      this.emit("click", tab);
+    }
+  },
+
+  handleLocationChange(eventType, tab, fromBrowse) {
+    if (fromBrowse) {
+      this.tabContext.clear(tab);
+    }
+    this.updateButton(tab.ownerDocument.defaultView);
+  },
+
+  shutdown() {
+    this.tabContext.shutdown();
+
+    for (let window of WindowListManager.browserWindows()) {
+      if (this.buttons.has(window)) {
+        this.buttons.get(window).remove();
+      }
+    }
+  },
+};
+
+PageAction.for = extension => {
+  return pageActionMap.get(extension);
+};
+
+
+extensions.on("manifest_page_action", (type, directive, extension, manifest) => {
+  let pageAction = new PageAction(manifest.page_action, extension);
+  pageActionMap.set(extension, pageAction);
+});
+
+extensions.on("shutdown", (type, extension) => {
+  if (pageActionMap.has(extension)) {
+    pageActionMap.get(extension).shutdown();
+    pageActionMap.delete(extension);
+  }
+});
+
+
+extensions.registerAPI((extension, context) => {
+  return {
+    pageAction: {
+      onClicked: new EventManager(context, "pageAction.onClicked", fire => {
+        let listener = (evt, tab) => {
+          fire(TabManager.convert(extension, tab));
+        };
+        let pageAction = PageAction.for(extension);
+
+        pageAction.on("click", listener);
+        return () => {
+          pageAction.off("click", listener);
+        };
+      }).api(),
+
+      show(tabId) {
+        let tab = TabManager.getTab(tabId);
+        PageAction.for(extension).setProperty(tab, "show", true);
+      },
+
+      hide(tabId) {
+        let tab = TabManager.getTab(tabId);
+        PageAction.for(extension).setProperty(tab, "show", false);
+      },
+
+      setTitle(details) {
+        let tab = TabManager.getTab(details.tabId);
+        PageAction.for(extension).setProperty(tab, "title", details.title);
+      },
+
+      getTitle(details, callback) {
+        let tab = TabManager.getTab(details.tabId);
+        let title = PageAction.for(extension).getProperty(tab, "title");
+        runSafe(context, callback, title);
+      },
+
+      setIcon(details, callback) {
+        let tab = TabManager.getTab(details.tabId);
+        let icon = IconDetails.normalize(details, extension, context);
+        PageAction.for(extension).setProperty(tab, "icon", icon);
+      },
+
+      setPopup(details) {
+        let tab = TabManager.getTab(details.tabId);
+        // Note: Chrome resolves arguments to setIcon relative to the calling
+        // context, but resolves arguments to setPopup relative to the extension
+        // root.
+        // For internal consistency, we currently resolve both relative to the
+        // calling context.
+        let url = details.popup && context.uri.resolve(details.popup);
+        PageAction.for(extension).setProperty(tab, "popup", url);
+      },
+
+      getPopup(details, callback) {
+        let tab = TabManager.getTab(details.tabId);
+        let popup = PageAction.for(extension).getProperty(tab, "popup");
+        runSafe(context, callback, popup);
+      },
+    }
+  };
+});
diff --git a/browser/components/extensions/ext-utils.js b/browser/components/extensions/ext-utils.js
index 193a4a288e09..1522adc1f31b 100644
--- a/browser/components/extensions/ext-utils.js
+++ b/browser/components/extensions/ext-utils.js
@@ -1,3 +1,7 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
 XPCOMUtils.defineLazyModuleGetter(this, "PrivateBrowsingUtils",
                                   "resource://gre/modules/PrivateBrowsingUtils.jsm");
 
@@ -10,6 +14,239 @@ var {
 // modules. All of the code is installed on |global|, which is a scope
 // shared among the different ext-*.js scripts.
 
+
+// Manages icon details for toolbar buttons in the |pageAction| and
+// |browserAction| APIs.
+global.IconDetails = {
+  // Accepted icon sizes.
+  SIZES: ["19", "38"],
+
+  // Normalizes the various acceptable input formats into an object
+  // with two properties, "19" and "38", containing icon URLs.
+  normalize(details, extension, context=null, localize=false) {
+    let result = {};
+
+    if (details.imageData) {
+      let imageData = details.imageData;
+
+      if (imageData instanceof Cu.getGlobalForObject(imageData).ImageData) {
+        imageData = {"19": imageData};
+      }
+
+      for (let size of this.SIZES) {
+        if (size in imageData) {
+          result[size] = this.convertImageDataToPNG(imageData[size], context);
+        }
+      }
+    }
+
+    if (details.path) {
+      let path = details.path;
+      if (typeof path != "object") {
+        path = {"19": path};
+      }
+
+      let baseURI = context ? context.uri : extension.baseURI;
+
+      for (let size of this.SIZES) {
+        if (size in path) {
+          let url = path[size];
+          if (localize) {
+            url = extension.localize(url);
+          }
+
+          url = baseURI.resolve(path[size]);
+
+          // The Chrome documentation specifies these parameters as
+          // relative paths. We currently accept absolute URLs as well,
+          // which means we need to check that the extension is allowed
+          // to load them.
+          try {
+            Services.scriptSecurityManager.checkLoadURIStrWithPrincipal(
+              extension.principal, url,
+              Services.scriptSecurityManager.DISALLOW_SCRIPT);
+          } catch (e if !context) {
+            // If there's no context, it's because we're handling this
+            // as a manifest directive. Log a warning rather than
+            // raising an error, but don't accept the URL in any case.
+            extension.manifestError(`Access to URL '${url}' denied`);
+            continue;
+          }
+
+          result[size] = url;
+        }
+      }
+    }
+
+    return result;
+  },
+
+  // Returns the appropriate icon URL for the given icons object and the
+  // screen resolution of the given window.
+  getURL(icons, window, extension) {
+    const DEFAULT = "chrome://browser/content/extension.svg";
+
+    // Use the higher resolution image if we're doing any up-scaling
+    // for high resolution monitors.
+    let res = window.devicePixelRatio;
+    let size = res > 1 ? "38" : "19";
+
+    return icons[size] || icons["19"] || icons["38"] || DEFAULT;
+  },
+
+  convertImageDataToPNG(imageData, context) {
+    let document = context.contentWindow.document;
+    let canvas = document.createElementNS("http://www.w3.org/1999/xhtml", "canvas");
+    canvas.width = imageData.width;
+    canvas.height = imageData.height;
+    canvas.getContext("2d").putImageData(imageData, 0, 0);
+
+    return canvas.toDataURL("image/png");
+  }
+};
+
+global.makeWidgetId = id => {
+  id = id.toLowerCase();
+  // FIXME: This allows for collisions.
+  return id.replace(/[^a-z0-9_-]/g, "_");
+}
+
+// Open a panel anchored to the given node, containing a browser opened
+// to the given URL, owned by the given extension. If |popupURL| is not
+// an absolute URL, it is resolved relative to the given extension's
+// base URL.
+global.openPanel = (node, popupURL, extension) => {
+  let document = node.ownerDocument;
+
+  let popupURI = Services.io.newURI(popupURL, null, extension.baseURI);
+
+  Services.scriptSecurityManager.checkLoadURIWithPrincipal(
+    extension.principal, popupURI,
+    Services.scriptSecurityManager.DISALLOW_SCRIPT);
+
+  let panel = document.createElement("panel");
+  panel.setAttribute("id", makeWidgetId(extension.id) + "-panel");
+  panel.setAttribute("class", "browser-extension-panel");
+  panel.setAttribute("type", "arrow");
+  panel.setAttribute("flip", "slide");
+
+  let anchor;
+  if (node.localName == "toolbarbutton") {
+    // Toolbar buttons are a special case. The panel becomes a child of
+    // the button, and is anchored to the button's icon.
+    node.appendChild(panel);
+    anchor = document.getAnonymousElementByAttribute(node, "class", "toolbarbutton-icon");
+  } else {
+    // In all other cases, the panel is anchored to the target node
+    // itself, and is a child of a popupset node.
+    document.getElementById("mainPopupSet").appendChild(panel);
+    anchor = node;
+  }
+
+  let context;
+  panel.addEventListener("popuphidden", () => {
+    context.unload();
+    panel.remove();
+  });
+
+  const XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
+  let browser = document.createElementNS(XUL_NS, "browser");
+  browser.setAttribute("type", "content");
+  browser.setAttribute("disableglobalhistory", "true");
+  panel.appendChild(browser);
+
+  let loadListener = () => {
+    panel.removeEventListener("load", loadListener);
+
+    context = new ExtensionPage(extension, {
+      type: "popup",
+      contentWindow: browser.contentWindow,
+      uri: popupURI,
+      docShell: browser.docShell,
+    });
+    GlobalManager.injectInDocShell(browser.docShell, extension, context);
+    browser.setAttribute("src", context.uri.spec);
+
+    let contentLoadListener = () => {
+      browser.removeEventListener("load", contentLoadListener, true);
+
+      let contentViewer = browser.docShell.contentViewer;
+      let width = {}, height = {};
+      try {
+        contentViewer.getContentSize(width, height);
+        [width, height] = [width.value, height.value];
+      } catch (e) {
+        // getContentSize can throw
+        [width, height] = [400, 400];
+      }
+
+      let window = document.defaultView;
+      width /= window.devicePixelRatio;
+      height /= window.devicePixelRatio;
+      width = Math.min(width, 800);
+      height = Math.min(height, 800);
+
+      browser.setAttribute("width", width);
+      browser.setAttribute("height", height);
+
+      panel.openPopup(anchor, "bottomcenter topright", 0, 0, false, false);
+    };
+    browser.addEventListener("load", contentLoadListener, true);
+  };
+  panel.addEventListener("load", loadListener);
+
+  return panel;
+}
+
+// Manages tab-specific context data, and dispatching tab select events
+// across all windows.
+global.TabContext = function TabContext(getDefaults, extension) {
+  this.extension = extension;
+  this.getDefaults = getDefaults;
+
+  this.tabData = new WeakMap();
+
+  AllWindowEvents.addListener("progress", this);
+  AllWindowEvents.addListener("TabSelect", this);
+
+  EventEmitter.decorate(this);
+}
+
+TabContext.prototype = {
+  get(tab) {
+    if (!this.tabData.has(tab)) {
+      this.tabData.set(tab, this.getDefaults(tab));
+    }
+
+    return this.tabData.get(tab);
+  },
+
+  clear(tab) {
+    this.tabData.delete(tab);
+  },
+
+  handleEvent(event) {
+    if (event.type == "TabSelect") {
+      let tab = event.target;
+      this.emit("tab-select", tab);
+      this.emit("location-change", tab);
+    }
+  },
+
+  onLocationChange(browser, webProgress, request, locationURI, flags) {
+    let gBrowser = browser.ownerDocument.defaultView.gBrowser;
+    if (browser === gBrowser.selectedBrowser) {
+      let tab = gBrowser.getTabForBrowser(browser);
+      this.emit("location-change", tab, true);
+    }
+  },
+
+  shutdown() {
+    AllWindowEvents.removeListener("progress", this);
+    AllWindowEvents.removeListener("TabSelect", this);
+  },
+};
+
 // Manages mapping between XUL tabs and extension tab IDs.
 global.TabManager = {
   _tabs: new WeakMap(),
@@ -39,9 +276,7 @@ global.TabManager = {
 
   getTab(tabId) {
     // FIXME: Speed this up without leaking memory somehow.
-    let e = Services.wm.getEnumerator("navigator:browser");
-    while (e.hasMoreElements()) {
-      let window = e.getNext();
+    for (let window of WindowListManager.browserWindows()) {
       if (!window.gBrowser) {
         continue;
       }
@@ -132,9 +367,7 @@ global.WindowManager = {
   },
 
   getWindow(id) {
-    let e = Services.wm.getEnumerator("navigator:browser");
-    while (e.hasMoreElements()) {
-      let window = e.getNext();
+    for (let window of WindowListManager.browserWindows(true)) {
       if (this.getId(window) == id) {
         return window;
       }
@@ -172,15 +405,25 @@ global.WindowListManager = {
   _openListeners: new Set(),
   _closeListeners: new Set(),
 
+  // Returns an iterator for all browser windows. Unless |includeIncomplete| is
+  // true, only fully-loaded windows are returned.
+  *browserWindows(includeIncomplete = false) {
+    let e = Services.wm.getEnumerator("navigator:browser");
+    while (e.hasMoreElements()) {
+      let window = e.getNext();
+      if (includeIncomplete || window.document.readyState == "complete") {
+        yield window;
+      }
+    }
+  },
+
   addOpenListener(listener, fireOnExisting = true) {
     if (this._openListeners.length == 0 && this._closeListeners.length == 0) {
       Services.ww.registerNotification(this);
     }
     this._openListeners.add(listener);
 
-    let e = Services.wm.getEnumerator("navigator:browser");
-    while (e.hasMoreElements()) {
-      let window = e.getNext();
+    for (let window of this.browserWindows(true)) {
       if (window.document.readyState != "complete") {
         window.addEventListener("load", this);
       } else if (fireOnExisting) {
@@ -263,7 +506,11 @@ global.AllWindowEvents = {
     list.add(listener);
 
     if (needOpenListener) {
-      WindowListManager.addOpenListener(this.openListener);
+      WindowListManager.addOpenListener(this.openListener, false);
+    }
+
+    for (let window of WindowListManager.browserWindows()) {
+      this.addWindowListener(window, type, listener);
     }
   },
 
@@ -283,9 +530,7 @@ global.AllWindowEvents = {
       }
     }
 
-    let e = Services.wm.getEnumerator("navigator:browser");
-    while (e.hasMoreElements()) {
-      let window = e.getNext();
+    for (let window of WindowListManager.browserWindows()) {
       if (type == "progress") {
         window.gBrowser.removeTabsProgressListener(listener);
       } else {
@@ -294,15 +539,19 @@ global.AllWindowEvents = {
     }
   },
 
+  addWindowListener(window, eventType, listener) {
+    if (eventType == "progress") {
+      window.gBrowser.addTabsProgressListener(listener);
+    } else {
+      window.addEventListener(eventType, listener);
+    }
+  },
+
   // Runs whenever the "load" event fires for a new window.
   openListener(window) {
     for (let [eventType, listeners] of AllWindowEvents._listeners) {
       for (let listener of listeners) {
-        if (eventType == "progress") {
-          window.gBrowser.addTabsProgressListener(listener);
-        } else {
-          window.addEventListener(eventType, listener);
-        }
+        this.addWindowListener(window, eventType, listener);
       }
     }
   },
diff --git a/browser/components/extensions/jar.mn b/browser/components/extensions/jar.mn
index 8cb33a3fe4da..faa5d5891a0e 100644
--- a/browser/components/extensions/jar.mn
+++ b/browser/components/extensions/jar.mn
@@ -7,6 +7,7 @@ browser.jar:
     content/browser/ext-utils.js
     content/browser/ext-contextMenus.js
     content/browser/ext-browserAction.js
+    content/browser/ext-pageAction.js
     content/browser/ext-tabs.js
     content/browser/ext-windows.js
     content/browser/ext-bookmarks.js
diff --git a/browser/components/extensions/test/browser/browser.ini b/browser/components/extensions/test/browser/browser.ini
index 9829dc38acee..1011ec6aefed 100644
--- a/browser/components/extensions/test/browser/browser.ini
+++ b/browser/components/extensions/test/browser/browser.ini
@@ -7,7 +7,10 @@ support-files =
 [browser_ext_simple.js]
 [browser_ext_currentWindow.js]
 [browser_ext_browserAction_simple.js]
-[browser_ext_browserAction_icon.js]
+[browser_ext_browserAction_pageAction_icon.js]
+[browser_ext_browserAction_context.js]
+[browser_ext_pageAction_context.js]
+[browser_ext_pageAction_popup.js]
 [browser_ext_contextMenus.js]
 [browser_ext_getViews.js]
 [browser_ext_tabs_executeScript.js]
diff --git a/browser/components/extensions/test/browser/browser_ext_browserAction_context.js b/browser/components/extensions/test/browser/browser_ext_browserAction_context.js
new file mode 100644
index 000000000000..6b57258773a3
--- /dev/null
+++ b/browser/components/extensions/test/browser/browser_ext_browserAction_context.js
@@ -0,0 +1,244 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
+add_task(function* testTabSwitchContext() {
+
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "browser_action": {
+        "default_icon": "default.png",
+        "default_popup": "default.html",
+        "default_title": "Default Title",
+      },
+      "permissions": ["tabs"],
+    },
+
+    background: function () {
+      var details = [
+        { "icon": browser.runtime.getURL("default.png"),
+          "popup": browser.runtime.getURL("default.html"),
+          "title": "Default Title",
+          "badge": "",
+          "badgeBackgroundColor": null },
+        { "icon": browser.runtime.getURL("1.png"),
+          "popup": browser.runtime.getURL("default.html"),
+          "title": "Default Title",
+          "badge": "",
+          "badgeBackgroundColor": null },
+        { "icon": browser.runtime.getURL("2.png"),
+          "popup": browser.runtime.getURL("2.html"),
+          "title": "Title 2",
+          "badge": "2",
+          "badgeBackgroundColor": [0xff, 0, 0] },
+        { "icon": browser.runtime.getURL("1.png"),
+          "popup": browser.runtime.getURL("default-2.html"),
+          "title": "Default Title 2",
+          "badge": "d2",
+          "badgeBackgroundColor": [0, 0xff, 0] },
+        { "icon": browser.runtime.getURL("default-2.png"),
+          "popup": browser.runtime.getURL("default-2.html"),
+          "title": "Default Title 2",
+          "badge": "d2",
+          "badgeBackgroundColor": [0, 0xff, 0] },
+      ];
+
+      var tabs = [];
+
+      var tests = [
+        expect => {
+          browser.test.log("Initial state, expect default properties.");
+          expect(details[0]);
+        },
+        expect => {
+          browser.test.log("Change the icon in the current tab. Expect default properties excluding the icon.");
+          browser.browserAction.setIcon({ tabId: tabs[0], path: "1.png" });
+          expect(details[1]);
+        },
+        expect => {
+          browser.test.log("Create a new tab. Expect default properties.");
+          browser.tabs.create({ active: true, url: "about:blank?0" }, tab => {
+            tabs.push(tab.id);
+            expect(details[0]);
+          });
+        },
+        expect => {
+          browser.test.log("Change properties. Expect new properties.");
+          var tabId = tabs[1];
+          browser.browserAction.setIcon({ tabId, path: "2.png" });
+          browser.browserAction.setPopup({ tabId, popup: "2.html" });
+          browser.browserAction.setTitle({ tabId, title: "Title 2" });
+          browser.browserAction.setBadgeText({ tabId, text: "2" });
+          browser.browserAction.setBadgeBackgroundColor({ tabId, color: [0xff, 0, 0] });
+
+          expect(details[2]);
+        },
+        expect => {
+          browser.test.log("Navigate to a new page. Expect no changes.");
+
+          // TODO: This listener should not be necessary, but the |tabs.update|
+          // callback currently fires too early in e10s windows.
+          browser.tabs.onUpdated.addListener(function listener(tabId, changed) {
+            if (tabId == tabs[1] && changed.url) {
+              browser.tabs.onUpdated.removeListener(listener);
+              expect(details[2]);
+            }
+          });
+
+          browser.tabs.update(tabs[1], { url: "about:blank?1" });
+        },
+        expect => {
+          browser.test.log("Switch back to the first tab. Expect previously set properties.");
+          browser.tabs.update(tabs[0], { active: true }, () => {
+            expect(details[1]);
+          });
+        },
+        expect => {
+          browser.test.log("Change default values, expect those changes reflected.");
+          browser.browserAction.setIcon({ path: "default-2.png" });
+          browser.browserAction.setPopup({ popup: "default-2.html" });
+          browser.browserAction.setTitle({ title: "Default Title 2" });
+          browser.browserAction.setBadgeText({ text: "d2" });
+          browser.browserAction.setBadgeBackgroundColor({ color: [0, 0xff, 0] });
+          expect(details[3]);
+        },
+        expect => {
+          browser.test.log("Switch back to tab 2. Expect former value, unaffected by changes to defaults in previous step.");
+          browser.tabs.update(tabs[1], { active: true }, () => {
+            expect(details[2]);
+          });
+        },
+        expect => {
+          browser.test.log("Delete tab, switch back to tab 1. Expect previous results again.");
+          browser.tabs.remove(tabs[1], () => {
+            expect(details[3]);
+          });
+        },
+        expect => {
+          browser.test.log("Create a new tab. Expect new default properties.");
+          browser.tabs.create({ active: true, url: "about:blank?2" }, tab => {
+            tabs.push(tab.id);
+            expect(details[4]);
+          });
+        },
+        expect => {
+          browser.test.log("Delete tab.");
+          browser.tabs.remove(tabs[2], () => {
+            expect(details[3]);
+          });
+        },
+      ];
+
+      // Gets the current details of the browser action, and returns a
+      // promise that resolves to an object containing them.
+      function getDetails() {
+        return new Promise(resolve => {
+          return browser.tabs.query({ active: true, currentWindow: true }, resolve);
+        }).then(tabs => {
+          var tabId = tabs[0].id;
+
+          return Promise.all([
+            new Promise(resolve => browser.browserAction.getTitle({tabId}, resolve)),
+            new Promise(resolve => browser.browserAction.getPopup({tabId}, resolve)),
+            new Promise(resolve => browser.browserAction.getBadgeText({tabId}, resolve)),
+            new Promise(resolve => browser.browserAction.getBadgeBackgroundColor({tabId}, resolve))])
+        }).then(details => {
+          return Promise.resolve({ title: details[0],
+                                   popup: details[1],
+                                   badge: details[2],
+                                   badgeBackgroundColor: details[3] });
+        });
+      }
+
+
+      // Runs the next test in the `tests` array, checks the results,
+      // and passes control back to the outer test scope.
+      function nextTest() {
+        var test = tests.shift();
+
+        test(expecting => {
+          // Check that the API returns the expected values, and then
+          // run the next test.
+          getDetails().then(details => {
+            browser.test.assertEq(expecting.title, details.title,
+                                  "expected value from getTitle");
+
+            browser.test.assertEq(expecting.popup, details.popup,
+                                  "expected value from getPopup");
+
+            browser.test.assertEq(expecting.badge, details.badge,
+                                  "expected value from getBadge");
+
+            browser.test.assertEq(String(expecting.badgeBackgroundColor),
+                                  String(details.badgeBackgroundColor),
+                                  "expected value from getBadgeBackgroundColor");
+
+            // Check that the actual icon has the expected values, then
+            // run the next test.
+            browser.test.sendMessage("nextTest", expecting, tests.length);
+          });
+        });
+      }
+
+      browser.test.onMessage.addListener((msg) => {
+        if (msg != "runNextTest") {
+          browser.test.fail("Expecting 'runNextTest' message");
+        }
+
+        nextTest();
+      });
+
+      browser.tabs.query({ active: true, currentWindow: true }, resultTabs => {
+        tabs[0] = resultTabs[0].id;
+
+        nextTest();
+      });
+    },
+  });
+
+  let browserActionId = makeWidgetId(extension.id) + "-browser-action";
+
+  function checkDetails(details) {
+    let button = document.getElementById(browserActionId);
+
+    ok(button, "button exists");
+
+    is(button.getAttribute("image"), details.icon, "icon URL is correct");
+    is(button.getAttribute("tooltiptext"), details.title, "image title is correct");
+    is(button.getAttribute("label"), details.title, "image label is correct");
+    is(button.getAttribute("aria-label"), details.title, "image aria-label is correct");
+    is(button.getAttribute("badge"), details.badge, "badge text is correct");
+
+    if (details.badge && details.badgeBackgroundColor) {
+      let badge = button.ownerDocument.getAnonymousElementByAttribute(
+        button, 'class', 'toolbarbutton-badge');
+
+      let badgeColor = window.getComputedStyle(badge).backgroundColor;
+      let color = details.badgeBackgroundColor;
+      let expectedColor = `rgb(${color[0]}, ${color[1]}, ${color[2]})`
+
+      is(badgeColor, expectedColor, "badge color is correct");
+    }
+
+
+    // TODO: Popup URL.
+  }
+
+  let awaitFinish = new Promise(resolve => {
+    extension.onMessage("nextTest", (expecting, testsRemaining) => {
+      checkDetails(expecting);
+
+      if (testsRemaining) {
+        extension.sendMessage("runNextTest")
+      } else {
+        resolve();
+      }
+    });
+  });
+
+  yield extension.startup();
+
+  yield awaitFinish;
+
+  yield extension.unload();
+});
diff --git a/browser/components/extensions/test/browser/browser_ext_browserAction_icon.js b/browser/components/extensions/test/browser/browser_ext_browserAction_icon.js
deleted file mode 100644
index 5baea7fb33f6..000000000000
--- a/browser/components/extensions/test/browser/browser_ext_browserAction_icon.js
+++ /dev/null
@@ -1,40 +0,0 @@
-add_task(function* () {
-  let extension = ExtensionTestUtils.loadExtension({
-    manifest: {
-      "browser_action": {},
-      "background": {
-        "page": "background.html",
-      }
-    },
-
-    files: {
-      "background.html": `<canvas id="canvas" width="2" height="2">
-        <script src="background.js"></script>`,
-
-      "background.js": function() {
-        var canvas = document.getElementById("canvas");
-        var canvasContext = canvas.getContext("2d");
-
-        canvasContext.clearRect(0, 0, canvas.width, canvas.height);
-        canvasContext.fillStyle = "green";
-        canvasContext.fillRect(0, 0, 1, 1);
-
-        var url = canvas.toDataURL("image/png");
-        var imageData = canvasContext.getImageData(0, 0, canvas.width, canvas.height);
-        browser.browserAction.setIcon({imageData});
-
-        browser.test.sendMessage("imageURL", url);
-      }
-    },
-  });
-
-  let [_, url] = yield Promise.all([extension.startup(), extension.awaitMessage("imageURL")]);
-
-  let widgetId = makeWidgetId(extension.id) + "-browser-action";
-  let node = CustomizableUI.getWidget(widgetId).forWindow(window).node;
-
-  let image = node.getAttribute("image");
-  is(image, url, "image is correct");
-
-  yield extension.unload();
-});
diff --git a/browser/components/extensions/test/browser/browser_ext_browserAction_pageAction_icon.js b/browser/components/extensions/test/browser/browser_ext_browserAction_pageAction_icon.js
new file mode 100644
index 000000000000..1655f3ea9209
--- /dev/null
+++ b/browser/components/extensions/test/browser/browser_ext_browserAction_pageAction_icon.js
@@ -0,0 +1,345 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
+// Test that various combinations of icon details specs, for both paths
+// and ImageData objects, result in the correct image being displayed in
+// all display resolutions.
+add_task(function* testDetailsObjects() {
+  function background() {
+    function getImageData(color) {
+      var canvas = document.createElement("canvas");
+      canvas.width = 2;
+      canvas.height = 2;
+      var canvasContext = canvas.getContext("2d");
+
+      canvasContext.clearRect(0, 0, canvas.width, canvas.height);
+      canvasContext.fillStyle = color;
+      canvasContext.fillRect(0, 0, 1, 1);
+
+      return {
+        url: canvas.toDataURL("image/png"),
+        imageData: canvasContext.getImageData(0, 0, canvas.width, canvas.height),
+      };
+    }
+
+    var imageData = {
+      red: getImageData("red"),
+      green: getImageData("green"),
+    };
+
+    var iconDetails = [
+      // Only paths.
+      { details: { "path": "a.png" },
+        resolutions: {
+          "1": browser.runtime.getURL("data/a.png"),
+          "2": browser.runtime.getURL("data/a.png"), } },
+      { details: { "path": "/a.png" },
+        resolutions: {
+          "1": browser.runtime.getURL("a.png"),
+          "2": browser.runtime.getURL("a.png"), } },
+      { details: { "path": { "19": "a.png" } },
+        resolutions: {
+          "1": browser.runtime.getURL("data/a.png"),
+          "2": browser.runtime.getURL("data/a.png"), } },
+      { details: { "path": { "38": "a.png" } },
+        resolutions: {
+          "1": browser.runtime.getURL("data/a.png"),
+          "2": browser.runtime.getURL("data/a.png"), } },
+      { details: { "path": { "19": "a.png", "38": "a-x2.png" } },
+        resolutions: {
+          "1": browser.runtime.getURL("data/a.png"),
+          "2": browser.runtime.getURL("data/a-x2.png"), } },
+
+      // Only ImageData objects.
+      { details: { "imageData": imageData.red.imageData },
+        resolutions: {
+          "1": imageData.red.url,
+          "2": imageData.red.url, } },
+      { details: { "imageData": { "19": imageData.red.imageData } },
+        resolutions: {
+          "1": imageData.red.url,
+          "2": imageData.red.url, } },
+      { details: { "imageData": { "38": imageData.red.imageData } },
+        resolutions: {
+          "1": imageData.red.url,
+          "2": imageData.red.url, } },
+      { details: { "imageData": {
+          "19": imageData.red.imageData,
+          "38": imageData.green.imageData } },
+        resolutions: {
+          "1": imageData.red.url,
+          "2": imageData.green.url, } },
+
+      // Mixed path and imageData objects.
+      //
+      // The behavior is currently undefined if both |path| and
+      // |imageData| specify icons of the same size.
+      { details: {
+          "path": { "19": "a.png" },
+          "imageData": { "38": imageData.red.imageData } },
+        resolutions: {
+          "1": browser.runtime.getURL("data/a.png"),
+          "2": imageData.red.url, } },
+      { details: {
+          "path": { "38": "a.png" },
+          "imageData": { "19": imageData.red.imageData } },
+        resolutions: {
+          "1": imageData.red.url,
+          "2": browser.runtime.getURL("data/a.png"), } },
+
+      // A path or ImageData object by itself is treated as a 19px icon.
+      { details: {
+          "path": "a.png",
+          "imageData": { "38": imageData.red.imageData } },
+        resolutions: {
+          "1": browser.runtime.getURL("data/a.png"),
+          "2": imageData.red.url, } },
+      { details: {
+          "path": { "38": "a.png" },
+          "imageData": imageData.red.imageData, },
+        resolutions: {
+          "1": imageData.red.url,
+          "2": browser.runtime.getURL("data/a.png"), } },
+    ];
+
+    // Allow serializing ImageData objects for logging.
+    ImageData.prototype.toJSON = () => "<ImageData>";
+
+    var tabId;
+
+    browser.test.onMessage.addListener((msg, test) => {
+      if (msg != "setIcon") {
+        browser.test.fail("expecting 'setIcon' message");
+      }
+
+      var details = iconDetails[test.index];
+      var expectedURL = details.resolutions[test.resolution];
+
+      var detailString = JSON.stringify(details);
+      browser.test.log(`Setting browerAction/pageAction to ${detailString} expecting URL ${expectedURL}`)
+
+      browser.browserAction.setIcon(Object.assign({tabId}, details.details));
+      browser.pageAction.setIcon(Object.assign({tabId}, details.details));
+
+      browser.test.sendMessage("imageURL", expectedURL);
+    });
+
+    // Generate a list of tests and resolutions to send back to the test
+    // context.
+    //
+    // This process is a bit convoluted, because the outer test context needs
+    // to handle checking the button nodes and changing the screen resolution,
+    // but it can't pass us icon definitions with ImageData objects. This
+    // shouldn't be a problem, since structured clones should handle ImageData
+    // objects without issue. Unfortunately, |cloneInto| implements a slightly
+    // different algorithm than we use in web APIs, and does not handle them
+    // correctly.
+    var tests = [];
+    for (var [idx, icon] of iconDetails.entries()) {
+      for (var res of Object.keys(icon.resolutions)) {
+        tests.push({ index: idx, resolution: Number(res) });
+      }
+    }
+
+    // Sort by resolution, so we don't needlessly switch back and forth
+    // between each test.
+    tests.sort(test => test.resolution);
+
+    browser.tabs.query({ active: true, currentWindow: true }, tabs => {
+      tabId = tabs[0].id;
+      browser.pageAction.show(tabId);
+
+      browser.test.sendMessage("ready", tests);
+    });
+  }
+
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "browser_action": {},
+      "page_action": {},
+      "background": {
+        "page": "data/background.html",
+      }
+    },
+
+    files: {
+      "data/background.html": `<script src="background.js"></script>`,
+      "data/background.js": background,
+    },
+  });
+
+  const RESOLUTION_PREF = "layout.css.devPixelsPerPx";
+  registerCleanupFunction(() => {
+    SpecialPowers.clearUserPref(RESOLUTION_PREF);
+  });
+
+  let browserActionId = makeWidgetId(extension.id) + "-browser-action";
+  let pageActionId = makeWidgetId(extension.id) + "-page-action";
+
+  let [, tests] = yield Promise.all([extension.startup(), extension.awaitMessage("ready")]);
+
+  for (let test of tests) {
+    SpecialPowers.setCharPref(RESOLUTION_PREF, String(test.resolution));
+    is(window.devicePixelRatio, test.resolution, "window has the required resolution");
+
+    extension.sendMessage("setIcon", test);
+
+    let imageURL = yield extension.awaitMessage("imageURL");
+
+    let browserActionButton = document.getElementById(browserActionId);
+    is(browserActionButton.getAttribute("image"), imageURL, "browser action has the correct image");
+
+    let pageActionImage = document.getElementById(pageActionId);
+    is(pageActionImage.src, imageURL, "page action has the correct image");
+  }
+
+  yield extension.unload();
+});
+
+// Test that default icon details in the manifest.json file are handled
+// correctly.
+add_task(function *testDefaultDetails() {
+  // TODO: Test localized variants.
+  let icons = [
+    "foo/bar.png",
+    "/foo/bar.png",
+    { "19": "foo/bar.png" },
+    { "38": "foo/bar.png" },
+    { "19": "foo/bar.png", "38": "baz/quux.png" },
+  ];
+
+  let expectedURL = new RegExp(String.raw`^moz-extension://[^/]+/foo/bar\.png$`);
+
+  for (let icon of icons) {
+    let extension = ExtensionTestUtils.loadExtension({
+      manifest: {
+        "browser_action": { "default_icon": icon },
+        "page_action": { "default_icon": icon },
+      },
+
+      background: function () {
+        browser.tabs.query({ active: true, currentWindow: true }, tabs => {
+          var tabId = tabs[0].id;
+
+          browser.pageAction.show(tabId);
+          browser.test.sendMessage("ready");
+        });
+      }
+    });
+
+    yield Promise.all([extension.startup(), extension.awaitMessage("ready")]);
+
+    let browserActionId = makeWidgetId(extension.id) + "-browser-action";
+    let pageActionId = makeWidgetId(extension.id) + "-page-action";
+
+    let browserActionButton = document.getElementById(browserActionId);
+    let image = browserActionButton.getAttribute("image");
+
+    ok(expectedURL.test(image), `browser action image ${image} matches ${expectedURL}`);
+
+    let pageActionImage = document.getElementById(pageActionId);
+    image = pageActionImage.src;
+
+    ok(expectedURL.test(image), `page action image ${image} matches ${expectedURL}`);
+
+    yield extension.unload();
+
+    let node = document.getElementById(pageActionId);
+    is(node, undefined, "pageAction image removed from document");
+  }
+});
+
+
+// Check that attempts to load a privileged URL as an icon image fail.
+add_task(function* testSecureURLsDenied() {
+
+  // Test URLs passed to setIcon.
+
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "browser_action": {},
+      "page_action": {},
+    },
+
+    background: function () {
+      browser.tabs.query({ active: true, currentWindow: true }, tabs => {
+        var tabId = tabs[0].id;
+
+        var urls = ["chrome://browser/content/browser.xul",
+                    "javascript:true"];
+
+        for (var url of urls) {
+          for (var api of ["pageAction", "browserAction"]) {
+            try {
+              browser[api].setIcon({tabId, path: url});
+
+              browser.test.fail(`Load of '${url}' succeeded. Expected failure.`);
+              browser.test.notifyFail("setIcon security tests");
+              return;
+            } catch (e) {
+              // We can't actually inspect the error here, since the
+              // error object belongs to the privileged scope of the API,
+              // rather than to the extension scope that calls into it.
+              // Just assume it's the expected security error, for now.
+              browser.test.succeed(`Load of '${url}' failed. Expected failure.`);
+            }
+          }
+        }
+
+        browser.test.notifyPass("setIcon security tests");
+      });
+    },
+  });
+
+  yield extension.startup();
+
+  yield extension.awaitFinish();
+  yield extension.unload();
+
+
+  // Test URLs included in the manifest.
+
+  let urls = ["chrome://browser/content/browser.xul",
+              "javascript:true"];
+
+  let matchURLForbidden = url => ({
+    message: new RegExp(`Loading extension.*Access to.*'${url}' denied`),
+  });
+
+  let messages = [matchURLForbidden(urls[0]),
+                  matchURLForbidden(urls[1]),
+                  matchURLForbidden(urls[0]),
+                  matchURLForbidden(urls[1])];
+
+  let waitForConsole = new Promise(resolve => {
+    // Not necessary in browser-chrome tests, but monitorConsole gripes
+    // if we don't call it.
+    SimpleTest.waitForExplicitFinish();
+
+    SimpleTest.monitorConsole(resolve, messages);
+  });
+
+  extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "browser_action": {
+        "default_icon": {
+          "19": urls[0],
+          "38": urls[1],
+        },
+      },
+      "page_action": {
+        "default_icon": {
+          "19": urls[0],
+          "38": urls[1],
+        },
+      },
+    },
+  });
+
+  yield extension.startup();
+  yield extension.unload();
+
+  SimpleTest.endMonitorConsole();
+  yield waitForConsole;
+});
diff --git a/browser/components/extensions/test/browser/browser_ext_pageAction_context.js b/browser/components/extensions/test/browser/browser_ext_pageAction_context.js
new file mode 100644
index 000000000000..7a495ecdad36
--- /dev/null
+++ b/browser/components/extensions/test/browser/browser_ext_pageAction_context.js
@@ -0,0 +1,209 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
+add_task(function* testTabSwitchContext() {
+
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "page_action": {
+        "default_icon": "default.png",
+        "default_popup": "default.html",
+        "default_title": "Default Title",
+      },
+      "permissions": ["tabs"],
+    },
+
+    background: function () {
+      var details = [
+        { "icon": browser.runtime.getURL("default.png"),
+          "popup": browser.runtime.getURL("default.html"),
+          "title": "Default Title" },
+        { "icon": browser.runtime.getURL("1.png"),
+          "popup": browser.runtime.getURL("default.html"),
+          "title": "Default Title" },
+        { "icon": browser.runtime.getURL("2.png"),
+          "popup": browser.runtime.getURL("2.html"),
+          "title": "Title 2" },
+      ];
+
+      var tabs = [];
+
+      var tests = [
+        expect => {
+          browser.test.log("Initial state. No icon visible.");
+          expect(null);
+        },
+        expect => {
+          browser.test.log("Show the icon on the first tab, expect default properties.");
+          browser.pageAction.show(tabs[0]);
+          expect(details[0]);
+        },
+        expect => {
+          browser.test.log("Change the icon. Expect default properties excluding the icon.");
+          browser.pageAction.setIcon({ tabId: tabs[0], path: "1.png" });
+          expect(details[1]);
+        },
+        expect => {
+          browser.test.log("Create a new tab. No icon visible.");
+          browser.tabs.create({ active: true, url: "about:blank?0" }, tab => {
+            tabs.push(tab.id);
+            expect(null);
+          });
+        },
+        expect => {
+          browser.test.log("Change properties. Expect new properties.");
+          var tabId = tabs[1];
+          browser.pageAction.show(tabId);
+          browser.pageAction.setIcon({ tabId, path: "2.png" });
+          browser.pageAction.setPopup({ tabId, popup: "2.html" });
+          browser.pageAction.setTitle({ tabId, title: "Title 2" });
+
+          expect(details[2]);
+        },
+        expect => {
+          browser.test.log("Navigate to a new page. Expect icon hidden.");
+
+          // TODO: This listener should not be necessary, but the |tabs.update|
+          // callback currently fires too early in e10s windows.
+          browser.tabs.onUpdated.addListener(function listener(tabId, changed) {
+            if (tabId == tabs[1] && changed.url) {
+              browser.tabs.onUpdated.removeListener(listener);
+              expect(null);
+            }
+          });
+
+          browser.tabs.update(tabs[1], { url: "about:blank?1" });
+        },
+        expect => {
+          browser.test.log("Show the icon. Expect default properties again.");
+          browser.pageAction.show(tabs[1]);
+          expect(details[0]);
+        },
+        expect => {
+          browser.test.log("Switch back to the first tab. Expect previously set properties.");
+          browser.tabs.update(tabs[0], { active: true }, () => {
+            expect(details[1]);
+          });
+        },
+        expect => {
+          browser.test.log("Hide the icon on tab 2. Switch back, expect hidden.");
+          browser.pageAction.hide(tabs[1]);
+          browser.tabs.update(tabs[1], { active: true }, () => {
+            expect(null);
+          });
+        },
+        expect => {
+          browser.test.log("Switch back to tab 1. Expect previous results again.");
+          browser.tabs.remove(tabs[1], () => {
+            expect(details[1]);
+          });
+        },
+        expect => {
+          browser.test.log("Hide the icon. Expect hidden.");
+          browser.pageAction.hide(tabs[0]);
+          expect(null);
+        },
+      ];
+
+      // Gets the current details of the page action, and returns a
+      // promise that resolves to an object containing them.
+      function getDetails() {
+        return new Promise(resolve => {
+          return browser.tabs.query({ active: true, currentWindow: true }, resolve);
+        }).then(tabs => {
+          var tabId = tabs[0].id;
+
+          return Promise.all([
+            new Promise(resolve => browser.pageAction.getTitle({tabId}, resolve)),
+            new Promise(resolve => browser.pageAction.getPopup({tabId}, resolve))])
+        }).then(details => {
+          return Promise.resolve({ title: details[0],
+                                   popup: details[1] });
+        });
+      }
+
+
+      // Runs the next test in the `tests` array, checks the results,
+      // and passes control back to the outer test scope.
+      function nextTest() {
+        var test = tests.shift();
+
+        test(expecting => {
+          function finish() {
+            // Check that the actual icon has the expected values, then
+            // run the next test.
+            browser.test.sendMessage("nextTest", expecting, tests.length);
+          }
+
+          if (expecting) {
+            // Check that the API returns the expected values, and then
+            // run the next test.
+            getDetails().then(details => {
+              browser.test.assertEq(expecting.title, details.title,
+                                    "expected value from getTitle");
+
+              browser.test.assertEq(expecting.popup, details.popup,
+                                    "expected value from getPopup");
+
+              finish();
+            });
+          } else {
+            finish();
+          }
+        });
+      }
+
+      browser.test.onMessage.addListener((msg) => {
+        if (msg != "runNextTest") {
+          browser.test.fail("Expecting 'runNextTest' message");
+        }
+
+        nextTest();
+      });
+
+      browser.tabs.query({ active: true, currentWindow: true }, resultTabs => {
+        tabs[0] = resultTabs[0].id;
+
+        nextTest();
+      });
+    },
+  });
+
+  let pageActionId = makeWidgetId(extension.id) + "-page-action";
+
+  function checkDetails(details) {
+    let image = document.getElementById(pageActionId);
+    if (details == null) {
+      ok(image == null || image.hidden, "image is hidden");
+    } else {
+      ok(image, "image exists");
+
+      is(image.src, details.icon, "icon URL is correct");
+      is(image.getAttribute("tooltiptext"), details.title, "image title is correct");
+      is(image.getAttribute("aria-label"), details.title, "image aria-label is correct");
+      // TODO: Popup URL.
+    }
+  }
+
+  let awaitFinish = new Promise(resolve => {
+    extension.onMessage("nextTest", (expecting, testsRemaining) => {
+      checkDetails(expecting);
+
+      if (testsRemaining) {
+        extension.sendMessage("runNextTest")
+      } else {
+        resolve();
+      }
+    });
+  });
+
+  yield extension.startup();
+
+  yield awaitFinish;
+
+  yield extension.unload();
+
+  let node = document.getElementById(pageActionId);
+  is(node, undefined, "pageAction image removed from document");
+});
diff --git a/browser/components/extensions/test/browser/browser_ext_pageAction_popup.js b/browser/components/extensions/test/browser/browser_ext_pageAction_popup.js
new file mode 100644
index 000000000000..6c46bbb3e6db
--- /dev/null
+++ b/browser/components/extensions/test/browser/browser_ext_pageAction_popup.js
@@ -0,0 +1,215 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set sts=2 sw=2 et tw=80: */
+"use strict";
+
+function promisePopupShown(popup) {
+  return new Promise(resolve => {
+    if (popup.popupOpen) {
+      resolve();
+    } else {
+      let onPopupShown = event => {
+        popup.removeEventListener("popupshown", onPopupShown);
+        resolve();
+      };
+      popup.addEventListener("popupshown", onPopupShown);
+    }
+  });
+}
+
+add_task(function* testPageActionPopup() {
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "background": {
+        "page": "data/background.html"
+      },
+      "page_action": {
+        "default_popup": "popup-a.html"
+      }
+    },
+
+    files: {
+      "popup-a.html": `<script src="popup-a.js"></script>`,
+      "popup-a.js": function() {
+        browser.runtime.sendMessage("from-popup-a");
+      },
+
+      "data/popup-b.html": `<script src="popup-b.js"></script>`,
+      "data/popup-b.js": function() {
+        browser.runtime.sendMessage("from-popup-b");
+      },
+
+      "data/background.html": `<script src="background.js"></script>`,
+
+      "data/background.js": function() {
+        var tabId;
+
+        var tests = [
+          () => {
+            sendClick({ expectEvent: false, expectPopup: "a" });
+          },
+          () => {
+            sendClick({ expectEvent: false, expectPopup: "a" });
+          },
+          () => {
+            browser.pageAction.setPopup({ tabId, popup: "popup-b.html" });
+            sendClick({ expectEvent: false, expectPopup: "b" });
+          },
+          () => {
+            sendClick({ expectEvent: false, expectPopup: "b" });
+          },
+          () => {
+            browser.pageAction.setPopup({ tabId, popup: "" });
+            sendClick({ expectEvent: true, expectPopup: null });
+          },
+          () => {
+            sendClick({ expectEvent: true, expectPopup: null });
+          },
+          () => {
+            browser.pageAction.setPopup({ tabId, popup: "/popup-a.html" });
+            sendClick({ expectEvent: false, expectPopup: "a" });
+          },
+        ];
+
+        var expect = {};
+        function sendClick({ expectEvent, expectPopup }) {
+          expect = { event: expectEvent, popup: expectPopup };
+          browser.test.sendMessage("send-click");
+        }
+
+        browser.runtime.onMessage.addListener(msg => {
+          if (expect.popup) {
+            browser.test.assertEq(msg, `from-popup-${expect.popup}`,
+                                  "expected popup opened");
+          } else {
+            browser.test.fail("unexpected popup");
+          }
+
+          expect.popup = null;
+          browser.test.sendMessage("next-test");
+        });
+
+        browser.pageAction.onClicked.addListener(() => {
+          if (expect.event) {
+            browser.test.succeed("expected click event received");
+          } else {
+            browser.test.fail("unexpected click event");
+          }
+
+          expect.event = false;
+          browser.test.sendMessage("next-test");
+        });
+
+        browser.test.onMessage.addListener((msg) => {
+          if (msg != "next-test") {
+            browser.test.fail("Expecting 'next-test' message");
+          }
+
+          if (tests.length) {
+            var test = tests.shift();
+            test();
+          } else {
+            browser.test.notifyPass("pageaction-tests-done");
+          }
+        });
+
+        browser.tabs.query({ active: true, currentWindow: true }, tabs => {
+          tabId = tabs[0].id;
+
+          browser.pageAction.show(tabId);
+          browser.test.sendMessage("next-test");
+        });
+      },
+    },
+  });
+
+  let pageActionId = makeWidgetId(extension.id) + "-page-action";
+  let panelId = makeWidgetId(extension.id) + "-panel";
+
+  extension.onMessage("send-click", () => {
+    let image = document.getElementById(pageActionId);
+
+    let evt = new MouseEvent("click", {});
+    image.dispatchEvent(evt);
+  });
+
+  extension.onMessage("next-test", Task.async(function* () {
+    let panel = document.getElementById(panelId);
+    if (panel) {
+      yield promisePopupShown(panel);
+      panel.hidePopup();
+
+      panel = document.getElementById(panelId);
+      is(panel, undefined, "panel successfully removed from document after hiding");
+    }
+
+    extension.sendMessage("next-test");
+  }));
+
+
+  yield Promise.all([extension.startup(), extension.awaitFinish("pageaction-tests-done")]);
+
+  yield extension.unload();
+
+  let node = document.getElementById(pageActionId);
+  is(node, undefined, "pageAction image removed from document");
+
+  let panel = document.getElementById(panelId);
+  is(panel, undefined, "pageAction panel removed from document");
+});
+
+
+add_task(function* testPageActionSecurity() {
+  const URL = "chrome://browser/content/browser.xul";
+
+  let matchURLForbidden = url => ({
+    message: new RegExp(`Loading extension.*Access to.*'${URL}' denied`),
+  });
+
+  let messages = [/Access to restricted URI denied/,
+                  /Access to restricted URI denied/];
+
+  let waitForConsole = new Promise(resolve => {
+    // Not necessary in browser-chrome tests, but monitorConsole gripes
+    // if we don't call it.
+    SimpleTest.waitForExplicitFinish();
+
+    SimpleTest.monitorConsole(resolve, messages);
+  });
+
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      "browser_action": { "default_popup": URL },
+      "page_action": { "default_popup": URL },
+    },
+
+    background: function () {
+      browser.tabs.query({ active: true, currentWindow: true }, tabs => {
+        var tabId = tabs[0].id;
+
+        browser.pageAction.show(tabId);
+        browser.test.sendMessage("ready");
+      });
+    },
+  });
+
+  yield Promise.all([extension.startup(), extension.awaitMessage("ready")]);
+
+  let browserActionId = makeWidgetId(extension.id) + "-browser-action";
+  let pageActionId = makeWidgetId(extension.id) + "-page-action";
+
+  let browserAction = document.getElementById(browserActionId);
+  let evt = new CustomEvent("command", {});
+  browserAction.dispatchEvent(evt);
+
+  let pageAction = document.getElementById(pageActionId);
+  evt = new MouseEvent("click", {});
+  pageAction.dispatchEvent(evt);
+
+  yield extension.unload();
+
+  let node = document.getElementById(pageActionId);
+  is(node, undefined, "pageAction image removed from document");
+
+  SimpleTest.endMonitorConsole();
+  yield waitForConsole;
+});
diff --git a/browser/components/nsBrowserGlue.js b/browser/components/nsBrowserGlue.js
index c01a79dc85d2..50cb616bfe6c 100644
--- a/browser/components/nsBrowserGlue.js
+++ b/browser/components/nsBrowserGlue.js
@@ -642,6 +642,7 @@ BrowserGlue.prototype = {
 
     ExtensionManagement.registerScript("chrome://browser/content/ext-utils.js");
     ExtensionManagement.registerScript("chrome://browser/content/ext-browserAction.js");
+    ExtensionManagement.registerScript("chrome://browser/content/ext-pageAction.js");
     ExtensionManagement.registerScript("chrome://browser/content/ext-contextMenus.js");
     ExtensionManagement.registerScript("chrome://browser/content/ext-tabs.js");
     ExtensionManagement.registerScript("chrome://browser/content/ext-windows.js");
diff --git a/browser/modules/ContentWebRTC.jsm b/browser/modules/ContentWebRTC.jsm
index d25ab78f5932..2e57f309fd78 100644
--- a/browser/modules/ContentWebRTC.jsm
+++ b/browser/modules/ContentWebRTC.jsm
@@ -95,6 +95,18 @@ function handlePCRequest(aSubject, aTopic, aData) {
   let { windowID, innerWindowID, callID, isSecure } = aSubject;
   let contentWindow = Services.wm.getOuterWindowWithId(windowID);
 
+  let mm = getMessageManagerForWindow(contentWindow);
+  if (!mm) {
+    // Workaround for Bug 1207784. To use WebRTC, add-ons right now use
+    // hiddenWindow.mozRTCPeerConnection which is only privileged on OSX. Other
+    // platforms end up here without a message manager.
+    // TODO: Remove once there's a better way (1215591).
+
+    // Skip permission check in the absence of a message manager.
+    Services.obs.notifyObservers(null, "PeerConnection:response:allow", callID);
+    return;
+  }
+
   if (!contentWindow.pendingPeerConnectionRequests) {
     setupPendingListsInitially(contentWindow);
   }
@@ -107,8 +119,6 @@ function handlePCRequest(aSubject, aTopic, aData) {
     documentURI: contentWindow.document.documentURI,
     secure: isSecure,
   };
-
-  let mm = getMessageManagerForWindow(contentWindow);
   mm.sendAsyncMessage("rtcpeer:Request", request);
 }
 
diff --git a/browser/themes/linux/browser.css b/browser/themes/linux/browser.css
index 0c53764831c3..83f973c5ea6c 100644
--- a/browser/themes/linux/browser.css
+++ b/browser/themes/linux/browser.css
@@ -937,6 +937,9 @@ toolbar .toolbarbutton-1:-moz-any(@primaryToolbarButtons@) > :-moz-any(.toolbarb
 
 .urlbar-icon {
   padding: 0 3px;
+  /* 16x16 icon with border-box sizing */
+  width: 22px;
+  height: 16px;
 }
 
 #urlbar-search-footer {
@@ -1942,7 +1945,7 @@ toolbarbutton.chevron > .toolbarbutton-icon {
   -moz-margin-end: 0 !important;
 }
 
-.browser-action-panel > .panel-arrowcontainer > .panel-arrowcontent {
+.browser-extension-panel > .panel-arrowcontainer > .panel-arrowcontent {
   padding: 0;
 }
 
diff --git a/browser/themes/linux/jar.mn b/browser/themes/linux/jar.mn
index f915ed2490ba..a14e867a0a0d 100644
--- a/browser/themes/linux/jar.mn
+++ b/browser/themes/linux/jar.mn
@@ -166,7 +166,7 @@ browser.jar:
   skin/classic/browser/e10s-64@2x.png (../shared/e10s-64@2x.png)
 #endif
 
-../extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 % override chrome://browser/skin/feeds/audioFeedIcon.png              chrome://browser/skin/feeds/feedIcon.png
 % override chrome://browser/skin/feeds/audioFeedIcon16.png            chrome://browser/skin/feeds/feedIcon16.png
 % override chrome://browser/skin/feeds/videoFeedIcon.png              chrome://browser/skin/feeds/feedIcon.png
diff --git a/browser/themes/osx/browser.css b/browser/themes/osx/browser.css
index 7eba08348121..4028a0c7f374 100644
--- a/browser/themes/osx/browser.css
+++ b/browser/themes/osx/browser.css
@@ -1728,6 +1728,9 @@ toolbar .toolbarbutton-1 > .toolbarbutton-menubutton-button {
 
 .urlbar-icon {
   padding: 0 3px;
+  /* 16x16 icon with border-box sizing */
+  width: 22px;
+  height: 16px;
 }
 
 #urlbar-search-footer {
@@ -2015,7 +2018,6 @@ richlistitem[type~="action"][actiontype="switchtab"][selected="true"] > .ac-url-
   #page-report-button {
     list-style-image: url("chrome://browser/skin/urlbar-popup-blocked@2x.png");
     -moz-image-region: rect(0, 32px, 32px, 0);
-    width: 22px;
   }
 
   #page-report-button:hover:active,
@@ -3617,7 +3619,7 @@ notification[value="loop-sharing-notification"] .messageImage {
   padding-right: 0;
 }
 
-.browser-action-panel > .panel-arrowcontainer > .panel-arrowcontent {
+.browser-extension-panel > .panel-arrowcontainer > .panel-arrowcontent {
   padding: 0;
 }
 
diff --git a/browser/themes/osx/jar.mn b/browser/themes/osx/jar.mn
index ee9ea6eb0d30..c5d41d9a8945 100644
--- a/browser/themes/osx/jar.mn
+++ b/browser/themes/osx/jar.mn
@@ -275,7 +275,7 @@ browser.jar:
   skin/classic/browser/e10s-64@2x.png (../shared/e10s-64@2x.png)
 #endif
 
-../extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 % override chrome://browser/skin/feeds/audioFeedIcon.png                   chrome://browser/skin/feeds/feedIcon.png
 % override chrome://browser/skin/feeds/audioFeedIcon16.png                 chrome://browser/skin/feeds/feedIcon16.png
 % override chrome://browser/skin/feeds/videoFeedIcon.png                   chrome://browser/skin/feeds/feedIcon.png
diff --git a/browser/themes/shared/controlcenter/panel.inc.css b/browser/themes/shared/controlcenter/panel.inc.css
index ed86bafa1866..558ce9ccb8da 100644
--- a/browser/themes/shared/controlcenter/panel.inc.css
+++ b/browser/themes/shared/controlcenter/panel.inc.css
@@ -5,7 +5,7 @@
 %endif
 
 /* Hide all conditional elements by default. */
-:-moz-any([when-connection],[when-mixedcontent],[when-ciphers]) {
+:-moz-any([when-connection],[when-mixedcontent],[when-ciphers],[when-loginforms]) {
   display: none;
 }
 
@@ -15,6 +15,8 @@
 #identity-popup[connection=secure] [when-connection~=secure],
 #identity-popup[connection=chrome] [when-connection~=chrome],
 #identity-popup[connection=file] [when-connection~=file],
+/* Show insecure login forms messages when needed. */
+#identity-popup[loginforms=insecure] [when-loginforms=insecure],
 /* Show weak cipher messages when needed. */
 #identity-popup[ciphers=weak] [when-ciphers~=weak],
 /* Show mixed content warnings when needed */
@@ -28,6 +30,14 @@
   display: inherit;
 }
 
+/* Hide redundant messages based on insecure login forms presence. */
+#identity-popup[loginforms=secure] [and-when-loginforms=insecure] {
+  display: none;
+}
+#identity-popup[loginforms=insecure] [and-when-loginforms=secure] {
+  display: none;
+}
+
 /* Hide 'not secure' message in subview when weak cipher or mixed content messages are shown. */
 #identity-popup-securityView-body:-moz-any([mixedcontent],[ciphers]) > description[when-connection=not-secure],
 /* Hide 'passive-loaded (only)' message when there is mixed passive content loaded and active blocked. */
@@ -224,6 +234,8 @@
   background-image: url(chrome://browser/skin/controlcenter/conn-degraded.svg);
 }
 
+#identity-popup[loginforms=insecure] #identity-popup-securityView,
+#identity-popup[loginforms=insecure] #identity-popup-security-content,
 #identity-popup[mixedcontent~=active-loaded][isbroken] #identity-popup-securityView,
 #identity-popup[mixedcontent~=active-loaded][isbroken] #identity-popup-security-content {
   background-image: url(chrome://browser/skin/controlcenter/mcb-disabled.svg);
diff --git a/browser/themes/shared/identity-block/identity-block.inc.css b/browser/themes/shared/identity-block/identity-block.inc.css
index 94d2ca9a35f5..fbff1230c069 100644
--- a/browser/themes/shared/identity-block/identity-block.inc.css
+++ b/browser/themes/shared/identity-block/identity-block.inc.css
@@ -123,6 +123,7 @@
   list-style-image: url(chrome://browser/skin/identity-secure.svg);
 }
 
+.insecureLoginForms > #identity-icons > #page-proxy-favicon[pageproxystate="valid"],
 .mixedActiveContent > #identity-icons > #page-proxy-favicon[pageproxystate="valid"] {
   list-style-image: url(chrome://browser/skin/identity-mixed-active-loaded.svg);
 }
diff --git a/browser/themes/windows/browser.css b/browser/themes/windows/browser.css
index 433a49fd78e3..1769009ddbe3 100644
--- a/browser/themes/windows/browser.css
+++ b/browser/themes/windows/browser.css
@@ -1325,6 +1325,9 @@ html|*.urlbar-input:-moz-lwtheme::-moz-placeholder,
 
 .urlbar-icon {
   padding: 0 3px;
+  /* 16x16 icon with border-box sizing */
+  width: 22px;
+  height: 16px;
 }
 
 .search-go-container {
@@ -2802,7 +2805,7 @@ notification[value="loop-sharing-notification"] .messageImage {
 %include browser-aero.css
 }
 
-.browser-action-panel > .panel-arrowcontainer > .panel-arrowcontent {
+.browser-extension-panel > .panel-arrowcontainer > .panel-arrowcontent {
   padding: 0;
 }
 
diff --git a/browser/themes/windows/jar.mn b/browser/themes/windows/jar.mn
index 2714571c9faf..87b07e14e94c 100644
--- a/browser/themes/windows/jar.mn
+++ b/browser/themes/windows/jar.mn
@@ -285,7 +285,7 @@ browser.jar:
   skin/classic/browser/e10s-64@2x.png (../shared/e10s-64@2x.png)
 #endif
 
-../extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 % override chrome://browser/skin/page-livemarks.png                   chrome://browser/skin/feeds/feedIcon16.png
 % override chrome://browser/skin/feeds/audioFeedIcon.png              chrome://browser/skin/feeds/feedIcon.png
 % override chrome://browser/skin/feeds/audioFeedIcon16.png            chrome://browser/skin/feeds/feedIcon16.png
diff --git a/build/docs/jar-manifests.rst b/build/docs/jar-manifests.rst
index 8d4f97375f23..5ee656ac6388 100644
--- a/build/docs/jar-manifests.rst
+++ b/build/docs/jar-manifests.rst
@@ -31,6 +31,13 @@ To ship chrome files in a JAR, an indented line indicates a file to be packaged:
    <jarfile>.jar:
      path/in/jar/file_name.xul     (source/tree/location/file_name.xul)
 
+The JAR location may be preceded with a base path between square brackets::
+   [base/path] <jarfile>.jar:
+     path/in/jar/file_name.xul     (source/tree/location/file_name.xul)
+
+In this case, the jar will be directly located under the given ``base/bath``,
+while without a base path, it will be under a ``chrome`` directory.
+
 If the JAR manifest and packaged file live in the same directory, the path and
 parenthesis can be omitted. In other words, the following two lines are
 equivalent::
diff --git a/build/stlport/moz.build b/build/stlport/moz.build
index 110c8ff5f1d4..ef8627069a29 100644
--- a/build/stlport/moz.build
+++ b/build/stlport/moz.build
@@ -70,4 +70,5 @@ if CONFIG['GNU_CXX']:
 # installing it in dist/lib.
 NO_EXPAND_LIBS = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
diff --git a/config/rules.mk b/config/rules.mk
index 63a0b62453c3..138ef8f8ba37 100644
--- a/config/rules.mk
+++ b/config/rules.mk
@@ -1256,7 +1256,7 @@ endif
 
 libs realchrome:: $(FINAL_TARGET)/chrome
 	$(call py_action,jar_maker,\
-	  $(QUIET) -j $(FINAL_TARGET)/chrome \
+	  $(QUIET) -d $(FINAL_TARGET) \
 	  $(MAKE_JARS_FLAGS) $(DEFINES) $(ACDEFINES) $(MOZ_DEBUG_DEFINES) \
 	  $(JAR_MANIFEST))
 
diff --git a/db/sqlite3/src/moz.build b/db/sqlite3/src/moz.build
index f9faddd8faba..a9ea3dfd273e 100644
--- a/db/sqlite3/src/moz.build
+++ b/db/sqlite3/src/moz.build
@@ -9,6 +9,7 @@ EXPORTS += [
     'sqlite3.h',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 if CONFIG['MOZ_FOLD_LIBS']:
diff --git a/devtools/client/debugger/debugger-controller.js b/devtools/client/debugger/debugger-controller.js
index 5e7bee912bb5..1311d4f05e2a 100644
--- a/devtools/client/debugger/debugger-controller.js
+++ b/devtools/client/debugger/debugger-controller.js
@@ -480,10 +480,10 @@ Workers.prototype = {
     this._updateWorkerList();
   },
 
-  _onWorkerSelect: function (type, workerActor) {
+  _onWorkerSelect: function (workerActor) {
     DebuggerController.client.attachWorker(workerActor, (response, workerClient) => {
-      gDevTools.showToolbox(devtools.TargetFactory.forWorker(workerClient),
-                            "jsdebugger", devtools.Toolbox.HostType.WINDOW);
+      gDevTools.showToolbox(TargetFactory.forWorker(workerClient),
+                            "jsdebugger", Toolbox.HostType.WINDOW);
     });
   }
 };
diff --git a/devtools/client/memory/actions/breakdown.js b/devtools/client/memory/actions/breakdown.js
new file mode 100644
index 000000000000..c9c08c8678a9
--- /dev/null
+++ b/devtools/client/memory/actions/breakdown.js
@@ -0,0 +1,43 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// @TODO 1215606
+// Use this assert instead of utils when fixed.
+// const { assert } = require("devtools/shared/DevToolsUtils");
+const { breakdownEquals, createSnapshot, assert } = require("../utils");
+const { actions, snapshotState: states } = require("../constants");
+const { takeCensus } = require("./snapshot");
+
+const setBreakdownAndRefresh = exports.setBreakdownAndRefresh = function (heapWorker, breakdown) {
+  return function *(dispatch, getState) {
+    // Clears out all stored census data and sets
+    // the breakdown
+    dispatch(setBreakdown(breakdown));
+    let snapshot = getState().snapshots.find(s => s.selected);
+
+    // If selected snapshot does not have updated census if the breakdown
+    // changed, retake the census with new breakdown
+    if (snapshot && !breakdownEquals(snapshot.breakdown, breakdown)) {
+      yield dispatch(takeCensus(heapWorker, snapshot));
+    }
+  };
+};
+
+/**
+ * Clears out all census data in the snapshots and sets
+ * a new breakdown.
+ *
+ * @param {Breakdown} breakdown
+ */
+const setBreakdown = exports.setBreakdown = function (breakdown) {
+  // @TODO 1215606
+  assert(typeof breakdown === "object" && breakdown.by,
+    `Breakdowns must be an object with a \`by\` property, attempted to set: ${uneval(breakdown)}`);
+
+  return {
+    type: actions.SET_BREAKDOWN,
+    breakdown,
+  }
+};
diff --git a/devtools/client/memory/actions/moz.build b/devtools/client/memory/actions/moz.build
index 3ffb5eb0c383..2b34495dbf05 100644
--- a/devtools/client/memory/actions/moz.build
+++ b/devtools/client/memory/actions/moz.build
@@ -4,5 +4,6 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DevToolsModules(
+    'breakdown.js',
     'snapshot.js',
 )
diff --git a/devtools/client/memory/actions/snapshot.js b/devtools/client/memory/actions/snapshot.js
index 2a671b152eb1..5ec792ed8bfd 100644
--- a/devtools/client/memory/actions/snapshot.js
+++ b/devtools/client/memory/actions/snapshot.js
@@ -6,7 +6,7 @@
 // @TODO 1215606
 // Use this assert instead of utils when fixed.
 // const { assert } = require("devtools/shared/DevToolsUtils");
-const { createSnapshot, assert } = require("../utils");
+const { getSnapshot, breakdownEquals, createSnapshot, assert } = require("../utils");
 const { actions, snapshotState: states } = require("../constants");
 
 /**
@@ -17,19 +17,36 @@ const { actions, snapshotState: states } = require("../constants");
  * @param {HeapAnalysesClient}
  * @param {Object}
  */
-const takeSnapshotAndCensus = exports.takeSnapshotAndCensus = function takeSnapshotAndCensus (front, heapWorker) {
-  return function *(dispatch, getStore) {
+const takeSnapshotAndCensus = exports.takeSnapshotAndCensus = function (front, heapWorker) {
+  return function *(dispatch, getState) {
     let snapshot = yield dispatch(takeSnapshot(front));
     yield dispatch(readSnapshot(heapWorker, snapshot));
     yield dispatch(takeCensus(heapWorker, snapshot));
   };
 };
 
+/**
+ * Selects a snapshot and if the snapshot's census is using a different
+ * breakdown, take a new census.
+ *
+ * @param {HeapAnalysesClient}
+ * @param {Snapshot}
+ */
+const selectSnapshotAndRefresh = exports.selectSnapshotAndRefresh = function (heapWorker, snapshot) {
+  return function *(dispatch, getState) {
+    dispatch(selectSnapshot(snapshot));
+
+    // Attempt to take another census; if the snapshot already is using
+    // the correct breakdown, this will noop.
+    yield dispatch(takeCensus(heapWorker, snapshot));
+  };
+};
+
 /**
  * @param {MemoryFront}
  */
-const takeSnapshot = exports.takeSnapshot = function takeSnapshot (front) {
-  return function *(dispatch, getStore) {
+const takeSnapshot = exports.takeSnapshot = function (front) {
+  return function *(dispatch, getState) {
     let snapshot = createSnapshot();
     dispatch({ type: actions.TAKE_SNAPSHOT_START, snapshot });
     dispatch(selectSnapshot(snapshot));
@@ -49,7 +66,7 @@ const takeSnapshot = exports.takeSnapshot = function takeSnapshot (front) {
  * @param {Snapshot} snapshot,
  */
 const readSnapshot = exports.readSnapshot = function readSnapshot (heapWorker, snapshot) {
-  return function *(dispatch, getStore) {
+  return function *(dispatch, getState) {
     // @TODO 1215606
     assert(snapshot.state === states.SAVED,
       "Should only read a snapshot once");
@@ -64,29 +81,42 @@ const readSnapshot = exports.readSnapshot = function readSnapshot (heapWorker, s
  * @param {HeapAnalysesClient} heapWorker
  * @param {Snapshot} snapshot,
  *
- * @see {Snapshot} model defined in devtools/client/memory/app.js
+ * @see {Snapshot} model defined in devtools/client/memory/models.js
  * @see `devtools/shared/heapsnapshot/HeapAnalysesClient.js`
  * @see `js/src/doc/Debugger/Debugger.Memory.md` for breakdown details
  */
-const takeCensus = exports.takeCensus = function takeCensus (heapWorker, snapshot) {
-  return function *(dispatch, getStore) {
+const takeCensus = exports.takeCensus = function (heapWorker, snapshot) {
+  return function *(dispatch, getState) {
     // @TODO 1215606
     assert([states.READ, states.SAVED_CENSUS].includes(snapshot.state),
       "Can only take census of snapshots in READ or SAVED_CENSUS state");
 
-    let breakdown = getStore().breakdown;
-    dispatch({ type: actions.TAKE_CENSUS_START, snapshot, breakdown });
+    let census;
+    let breakdown = getState().breakdown;
 
-    let census = yield heapWorker.takeCensus(snapshot.path, { breakdown }, { asTreeNode: true });
-    dispatch({ type: actions.TAKE_CENSUS_END, snapshot, census });
+    // If breakdown hasn't changed, don't do anything
+    if (breakdownEquals(breakdown, snapshot.breakdown)) {
+      return;
+    }
+
+    // Keep taking a census if the breakdown changes during. Recheck
+    // that the breakdown used for the census is the same as
+    // the state's breakdown.
+    do {
+      breakdown = getState().breakdown;
+      dispatch({ type: actions.TAKE_CENSUS_START, snapshot, breakdown });
+      census = yield heapWorker.takeCensus(snapshot.path, { breakdown }, { asTreeNode: true });
+    } while (!breakdownEquals(breakdown, getState().breakdown));
+
+    dispatch({ type: actions.TAKE_CENSUS_END, snapshot, breakdown, census });
   };
 };
 
 /**
  * @param {Snapshot}
- * @see {Snapshot} model defined in devtools/client/memory/app.js
+ * @see {Snapshot} model defined in devtools/client/memory/models.js
  */
-const selectSnapshot = exports.selectSnapshot = function takeSnapshot (snapshot) {
+const selectSnapshot = exports.selectSnapshot = function (snapshot) {
   return {
     type: actions.SELECT_SNAPSHOT,
     snapshot
diff --git a/devtools/client/memory/app.js b/devtools/client/memory/app.js
index f8d39b91adbf..ab6f43de162e 100644
--- a/devtools/client/memory/app.js
+++ b/devtools/client/memory/app.js
@@ -1,59 +1,18 @@
 const { DOM: dom, createClass, createFactory, PropTypes } = require("devtools/client/shared/vendor/react");
 const { connect } = require("devtools/client/shared/vendor/react-redux");
-const { selectSnapshot, takeSnapshotAndCensus } = require("./actions/snapshot");
-const { snapshotState } = require("./constants");
+const { selectSnapshotAndRefresh, takeSnapshotAndCensus } = require("./actions/snapshot");
+const { setBreakdownAndRefresh } = require("./actions/breakdown");
+const { breakdownNameToSpec, getBreakdownDisplayData } = require("./utils");
 const Toolbar = createFactory(require("./components/toolbar"));
 const List = createFactory(require("./components/list"));
 const SnapshotListItem = createFactory(require("./components/snapshot-list-item"));
 const HeapView = createFactory(require("./components/heap"));
-
-const stateModel = {
-  /**
-   * {MemoryFront}
-   * Used to communicate with the platform.
-   */
-  front: PropTypes.any,
-
-  /**
-   * {HeapAnalysesClient}
-   * Used to communicate with the worker that performs analyses on heaps.
-   */
-  heapWorker: PropTypes.any,
-
-  /**
-   * The breakdown object DSL describing how we want
-   * the census data to be.
-   * @see `js/src/doc/Debugger/Debugger.Memory.md`
-   */
-  breakdown: PropTypes.object.isRequired,
-
-  /**
-   * {Array<Snapshot>}
-   * List of references to all snapshots taken
-   */
-  snapshots: PropTypes.arrayOf(PropTypes.shape({
-    // Unique ID for a snapshot
-    id: PropTypes.number.isRequired,
-    // fs path to where the snapshot is stored; used to
-    // identify the snapshot for HeapAnalysesClient.
-    path: PropTypes.string,
-    // Whether or not this snapshot is currently selected.
-    selected: PropTypes.bool.isRequired,
-    // Whther or not the snapshot has been read into memory.
-    // Only needed to do once.
-    snapshotRead: PropTypes.bool.isRequired,
-    // State the snapshot is in
-    // @see ./constants.js
-    state: PropTypes.oneOf(Object.keys(snapshotState)).isRequired,
-    // Data of a census breakdown
-    census: PropTypes.any,
-  }))
-};
+const { app: appModel } = require("./models");
 
 const App = createClass({
   displayName: "memory-tool",
 
-  propTypes: stateModel,
+  propTypes: appModel,
 
   childContextTypes: {
     front: PropTypes.any,
@@ -75,17 +34,17 @@ const App = createClass({
       dom.div({ id: "memory-tool" }, [
 
         Toolbar({
-          buttons: [{
-            className: "take-snapshot",
-            onClick: () => dispatch(takeSnapshotAndCensus(front, heapWorker))
-          }]
+          breakdowns: getBreakdownDisplayData(),
+          onTakeSnapshotClick: () => dispatch(takeSnapshotAndCensus(front, heapWorker)),
+          onBreakdownChange: breakdown =>
+            dispatch(setBreakdownAndRefresh(heapWorker, breakdownNameToSpec(breakdown))),
         }),
 
         dom.div({ id: "memory-tool-container" }, [
           List({
             itemComponent: SnapshotListItem,
             items: snapshots,
-            onClick: snapshot => dispatch(selectSnapshot(snapshot))
+            onClick: snapshot => dispatch(selectSnapshotAndRefresh(heapWorker, snapshot))
           }),
 
           HeapView({
diff --git a/devtools/client/memory/components/heap.js b/devtools/client/memory/components/heap.js
index 44babd9d2d5f..d1ae90f544c9 100644
--- a/devtools/client/memory/components/heap.js
+++ b/devtools/client/memory/components/heap.js
@@ -1,6 +1,7 @@
 const { DOM: dom, createClass, PropTypes } = require("devtools/client/shared/vendor/react");
 const { getSnapshotStatusText } = require("../utils");
 const { snapshotState: states } = require("../constants");
+const { snapshot: snapshotModel } = require("../models");
 const TAKE_SNAPSHOT_TEXT = "Take snapshot";
 
 /**
@@ -14,7 +15,7 @@ const Heap = module.exports = createClass({
 
   propTypes: {
     onSnapshotClick: PropTypes.func.isRequired,
-    snapshot: PropTypes.any,
+    snapshot: snapshotModel,
   },
 
   render() {
@@ -22,7 +23,6 @@ const Heap = module.exports = createClass({
     let pane;
     let census = snapshot ? snapshot.census : null;
     let state = snapshot ? snapshot.state : "initial";
-    let statusText = getSnapshotStatusText(snapshot);
 
     switch (state) {
       case "initial":
@@ -35,7 +35,8 @@ const Heap = module.exports = createClass({
       case states.READING:
       case states.READ:
       case states.SAVING_CENSUS:
-        pane = dom.div({ className: "heap-view-panel", "data-state": state }, statusText);
+        pane = dom.div({ className: "heap-view-panel", "data-state": state },
+          getSnapshotStatusText(snapshot));
         break;
       case states.SAVED_CENSUS:
         pane = dom.div({ className: "heap-view-panel", "data-state": "loaded" }, JSON.stringify(census || {}));
diff --git a/devtools/client/memory/components/snapshot-list-item.js b/devtools/client/memory/components/snapshot-list-item.js
index 7bb8285bc263..f06539dda194 100644
--- a/devtools/client/memory/components/snapshot-list-item.js
+++ b/devtools/client/memory/components/snapshot-list-item.js
@@ -1,12 +1,13 @@
 const { DOM: dom, createClass, PropTypes } = require("devtools/client/shared/vendor/react");
 const { getSnapshotStatusText } = require("../utils");
+const { snapshot: snapshotModel } = require("../models");
 
 const SnapshotListItem = module.exports = createClass({
   displayName: "snapshot-list-item",
 
   propTypes: {
     onClick: PropTypes.func,
-    item: PropTypes.any.isRequired,
+    item: snapshotModel.isRequired,
     index: PropTypes.number.isRequired,
   },
 
diff --git a/devtools/client/memory/components/toolbar.js b/devtools/client/memory/components/toolbar.js
index 48da52b60b01..60b0493cf915 100644
--- a/devtools/client/memory/components/toolbar.js
+++ b/devtools/client/memory/components/toolbar.js
@@ -1,16 +1,26 @@
-const { DOM, createClass } = require("devtools/client/shared/vendor/react");
+const { DOM, createClass, PropTypes } = require("devtools/client/shared/vendor/react");
 
 const Toolbar = module.exports = createClass({
   displayName: "toolbar",
+  propTypes: {
+    breakdowns: PropTypes.arrayOf(PropTypes.shape({
+      name: PropTypes.string.isRequired,
+      displayName: PropTypes.string.isRequired,
+    })).isRequired,
+    onTakeSnapshotClick: PropTypes.func.isRequired,
+    onBreakdownChange: PropTypes.func.isRequired,
+  },
 
   render() {
-    let buttons = this.props.buttons;
+    let { onTakeSnapshotClick, onBreakdownChange, breakdowns } = this.props;
     return (
-      DOM.div({ className: "devtools-toolbar" }, ...buttons.map(spec => {
-        return DOM.button(Object.assign({}, spec, {
-          className: `${spec.className || "" } devtools-button`
-        }));
-      }))
+      DOM.div({ className: "devtools-toolbar" }, [
+        DOM.button({ className: `take-snapshot devtools-button`, onClick: onTakeSnapshotClick }),
+        DOM.select({
+          className: `select-breakdown`,
+          onChange: e => onBreakdownChange(e.target.value),
+        }, breakdowns.map(({ name, displayName }) => DOM.option({ value: name }, displayName)))
+      ])
     );
   }
 });
diff --git a/devtools/client/memory/constants.js b/devtools/client/memory/constants.js
index f465b397cba2..e46722a56b5c 100644
--- a/devtools/client/memory/constants.js
+++ b/devtools/client/memory/constants.js
@@ -21,6 +21,39 @@ actions.TAKE_CENSUS_END = "take-census-end";
 // Fired by UI to select a snapshot to view.
 actions.SELECT_SNAPSHOT = "select-snapshot";
 
+const COUNT = { by: "count", count: true, bytes: true };
+const INTERNAL_TYPE = { by: "internalType", then: COUNT };
+const ALLOCATION_STACK = { by: "allocationStack", then: COUNT, noStack: COUNT };
+const OBJECT_CLASS = { by: "objectClass", then: COUNT, other: COUNT };
+
+const breakdowns = exports.breakdowns = {
+  coarseType: {
+    displayName: "Coarse Type",
+    breakdown: {
+      by: "coarseType",
+      objects: ALLOCATION_STACK,
+      strings: ALLOCATION_STACK,
+      scripts: INTERNAL_TYPE,
+      other: INTERNAL_TYPE,
+    }
+  },
+
+  allocationStack: {
+    displayName: "Allocation Site",
+    breakdown: ALLOCATION_STACK,
+  },
+
+  objectClass: {
+    displayName: "Object Class",
+    breakdown: OBJECT_CLASS,
+  },
+
+  internalType: {
+    displayName: "Internal Type",
+    breakdown: INTERNAL_TYPE,
+  },
+};
+
 const snapshotState = exports.snapshotState = {};
 
 /**
diff --git a/devtools/client/memory/models.js b/devtools/client/memory/models.js
new file mode 100644
index 000000000000..f7faeb506baf
--- /dev/null
+++ b/devtools/client/memory/models.js
@@ -0,0 +1,61 @@
+const { MemoryFront } = require("devtools/server/actors/memory");
+const HeapAnalysesClient = require("devtools/shared/heapsnapshot/HeapAnalysesClient");
+const { PropTypes } = require("devtools/client/shared/vendor/react");
+const { snapshotState: states } = require("./constants");
+
+/**
+ * The breakdown object DSL describing how we want
+ * the census data to be.
+ * @see `js/src/doc/Debugger/Debugger.Memory.md`
+ */
+let breakdownModel = exports.breakdown = PropTypes.shape({
+  by: PropTypes.oneOf(["coarseType", "allocationStack", "objectClass", "internalType"]).isRequired,
+});
+
+/**
+ * Snapshot model.
+ */
+let snapshotModel = exports.snapshot = PropTypes.shape({
+  // Unique ID for a snapshot
+  id: PropTypes.number.isRequired,
+  // Whether or not this snapshot is currently selected.
+  selected: PropTypes.bool.isRequired,
+  // fs path to where the snapshot is stored; used to
+  // identify the snapshot for HeapAnalysesClient.
+  path: PropTypes.string,
+  // Data of a census breakdown
+  census: PropTypes.object,
+  // The breakdown used to generate the current census
+  breakdown: breakdownModel,
+  // State the snapshot is in
+  // @see ./constants.js
+  state: function (props, propName) {
+    let stateNames = Object.keys(states);
+    let current = props.state;
+    let shouldHavePath = [states.SAVED, states.READ, states.SAVING_CENSUS, states.SAVED_CENSUS];
+    let shouldHaveCensus = [states.SAVED_CENSUS];
+
+    if (!stateNames.contains(current)) {
+      throw new Error(`Snapshot state must be one of ${stateNames}.`);
+    }
+    if (shouldHavePath.contains(current) && !path) {
+      throw new Error(`Snapshots in state ${current} must have a snapshot path.`);
+    }
+    if (shouldHaveCensus.contains(current) && (!props.census || !props.breakdown)) {
+      throw new Error(`Snapshots in state ${current} must have a census and breakdown.`);
+    }
+  },
+});
+
+let appModel = exports.app = {
+  // {MemoryFront} Used to communicate with platform
+  front: PropTypes.instanceOf(MemoryFront),
+  // {HeapAnalysesClient} Used to interface with snapshots
+  heapWorker: PropTypes.instanceOf(HeapAnalysesClient),
+  // The breakdown object DSL describing how we want
+  // the census data to be.
+  // @see `js/src/doc/Debugger/Debugger.Memory.md`
+  breakdown: breakdownModel.isRequired,
+  // List of reference to all snapshots taken
+  snapshots: PropTypes.arrayOf(snapshotModel).isRequired,
+};
diff --git a/devtools/client/memory/moz.build b/devtools/client/memory/moz.build
index 773679f87045..5285b816f565 100644
--- a/devtools/client/memory/moz.build
+++ b/devtools/client/memory/moz.build
@@ -14,6 +14,7 @@ DevToolsModules(
     'app.js',
     'constants.js',
     'initializer.js',
+    'models.js',
     'panel.js',
     'reducers.js',
     'store.js',
diff --git a/devtools/client/memory/reducers/breakdown.js b/devtools/client/memory/reducers/breakdown.js
index 0a3e82cb1b66..8e344e400386 100644
--- a/devtools/client/memory/reducers/breakdown.js
+++ b/devtools/client/memory/reducers/breakdown.js
@@ -1,15 +1,16 @@
-const { actions } = require("../constants");
+const { actions, breakdowns } = require("../constants");
+const DEFAULT_BREAKDOWN = breakdowns.coarseType.breakdown;
 
-// Hardcoded breakdown for now
-const DEFAULT_BREAKDOWN = {
-  by: "internalType",
-  then: { by: "count", count: true, bytes: true }
+let handlers = Object.create(null);
+
+handlers[actions.SET_BREAKDOWN] = function (_, action) {
+  return Object.assign({}, action.breakdown);
 };
 
-/**
- * Not much to do here yet until we can change breakdowns,
- * but this gets it in our store.
- */
 module.exports = function (state=DEFAULT_BREAKDOWN, action) {
-  return Object.assign({}, DEFAULT_BREAKDOWN);
+  let handle = handlers[action.type];
+  if (handle) {
+    return handle(state, action);
+  }
+  return state;
 };
diff --git a/devtools/client/memory/reducers/snapshots.js b/devtools/client/memory/reducers/snapshots.js
index 30246f42463b..a7f684209d7f 100644
--- a/devtools/client/memory/reducers/snapshots.js
+++ b/devtools/client/memory/reducers/snapshots.js
@@ -33,6 +33,7 @@ handlers[actions.TAKE_CENSUS_START] = function (snapshots, action) {
   let snapshot = getSnapshot(snapshots, action.snapshot);
   snapshot.state = states.SAVING_CENSUS;
   snapshot.census = null;
+  snapshot.breakdown = action.breakdown;
   return [...snapshots];
 };
 
@@ -40,6 +41,7 @@ handlers[actions.TAKE_CENSUS_END] = function (snapshots, action) {
   let snapshot = getSnapshot(snapshots, action.snapshot);
   snapshot.state = states.SAVED_CENSUS;
   snapshot.census = action.census;
+  snapshot.breakdown = action.breakdown;
   return [...snapshots];
 };
 
diff --git a/devtools/client/memory/test/unit/head.js b/devtools/client/memory/test/unit/head.js
index 2f5aac327118..18dda8824723 100644
--- a/devtools/client/memory/test/unit/head.js
+++ b/devtools/client/memory/test/unit/head.js
@@ -59,3 +59,32 @@ function waitUntilState (store, predicate) {
 
   return deferred.promise;
 }
+
+function waitUntilSnapshotState (store, expected) {
+  let predicate = () => {
+    let snapshots = store.getState().snapshots;
+    do_print(snapshots.map(x => x.state));
+    return snapshots.length === expected.length &&
+           expected.every((state, i) => state === "*" || snapshots[i].state === state);
+  };
+  do_print(`Waiting for snapshots to be of state: ${expected}`);
+  return waitUntilState(store, predicate);
+}
+
+function isBreakdownType (census, type) {
+  // Little sanity check, all censuses should have atleast a children array
+  if (!census || !Array.isArray(census.children)) {
+    return false;
+  }
+  switch (type) {
+    case "coarseType":
+      return census.children.find(c => c.name === "objects");
+    case "objectClass":
+      return census.children.find(c => c.name === "Function");
+    case "internalType":
+      return census.children.find(c => c.name === "js::BaseShape") &&
+             !census.children.find(c => c.name === "objects");
+    default:
+      throw new Error(`isBreakdownType does not yet support ${type}`);
+  }
+}
diff --git a/devtools/client/memory/test/unit/test_action-set-breakdown-and-refresh-01.js b/devtools/client/memory/test/unit/test_action-set-breakdown-and-refresh-01.js
new file mode 100644
index 000000000000..981b6ce9adf3
--- /dev/null
+++ b/devtools/client/memory/test/unit/test_action-set-breakdown-and-refresh-01.js
@@ -0,0 +1,92 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/**
+ * Tests the task creator `setBreakdownAndRefreshAndRefresh()` for breakdown changing.
+ * We test this rather than `setBreakdownAndRefresh` directly, as we use the refresh action
+ * in the app itself composed from `setBreakdownAndRefresh`
+ */
+
+let { breakdowns, snapshotState: states } = require("devtools/client/memory/constants");
+let { breakdownEquals } = require("devtools/client/memory/utils");
+let { setBreakdownAndRefresh } = require("devtools/client/memory/actions/breakdown");
+let { takeSnapshotAndCensus, selectSnapshotAndRefresh } = require("devtools/client/memory/actions/snapshot");
+
+function run_test() {
+  run_next_test();
+}
+
+add_task(function *() {
+  let front = new StubbedMemoryFront();
+  let heapWorker = new HeapAnalysesClient();
+  yield front.attach();
+  let store = Store();
+  let { getState, dispatch } = store;
+
+  // Test default breakdown with no snapshots
+  equal(getState().breakdown.by, "coarseType", "default coarseType breakdown selected at start.");
+  dispatch(setBreakdownAndRefresh(heapWorker, breakdowns.objectClass.breakdown));
+  equal(getState().breakdown.by, "objectClass", "breakdown changed with no snapshots");
+
+  // Test invalid breakdowns
+  ok(getState().errors.length === 0, "No error actions in the queue.");
+  dispatch(setBreakdownAndRefresh(heapWorker, {}));
+  yield waitUntilState(store, () => getState().errors.length === 1);
+  ok(true, "Emits an error action when passing in an invalid breakdown object");
+
+  equal(getState().breakdown.by, "objectClass",
+    "current breakdown unchanged when passing invalid breakdown");
+
+  // Test new snapshots
+  dispatch(takeSnapshotAndCensus(front, heapWorker));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS]);
+  ok(isBreakdownType(getState().snapshots[0].census, "objectClass"),
+    "New snapshots use the current, non-default breakdown");
+
+
+  // Updates when changing breakdown during `SAVING`
+  dispatch(takeSnapshotAndCensus(front, heapWorker));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS, states.SAVING]);
+  dispatch(setBreakdownAndRefresh(heapWorker, breakdowns.coarseType.breakdown));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS, states.SAVED_CENSUS]);
+
+  ok(isBreakdownType(getState().snapshots[1].census, "coarseType"),
+    "Breakdown can be changed while saving snapshots, uses updated breakdown in census");
+
+
+  // Updates when changing breakdown during `SAVING_CENSUS`
+  dispatch(takeSnapshotAndCensus(front, heapWorker));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS, states.SAVED_CENSUS, states.SAVING_CENSUS]);
+  dispatch(setBreakdownAndRefresh(heapWorker, breakdowns.objectClass.breakdown));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS, states.SAVED_CENSUS, states.SAVED_CENSUS]);
+
+  ok(breakdownEquals(getState().snapshots[2].breakdown, breakdowns.objectClass.breakdown),
+    "Breakdown can be changed while saving census, stores updated breakdown in snapshot");
+  ok(isBreakdownType(getState().snapshots[2].census, "objectClass"),
+    "Breakdown can be changed while saving census, uses updated breakdown in census");
+
+  // Updates census on currently selected snapshot when changing breakdown
+  ok(getState().snapshots[2].selected, "Third snapshot currently selected");
+  dispatch(setBreakdownAndRefresh(heapWorker, breakdowns.internalType.breakdown));
+  yield waitUntilState(store, () => isBreakdownType(getState().snapshots[2].census, "internalType"));
+  ok(isBreakdownType(getState().snapshots[2].census, "internalType"),
+    "Snapshot census updated when changing breakdowns after already generating one census");
+
+  // Does not update unselected censuses
+  ok(!getState().snapshots[1].selected, "Second snapshot unselected currently");
+  ok(breakdownEquals(getState().snapshots[1].breakdown, breakdowns.coarseType.breakdown),
+    "Second snapshot using `coarseType` breakdown still and not yet updated to correct breakdown");
+  ok(isBreakdownType(getState().snapshots[1].census, "coarseType"),
+    "Second snapshot using `coarseType` still for census and not yet updated to correct breakdown");
+
+  // Updates to current breakdown when switching to stale snapshot
+  dispatch(selectSnapshotAndRefresh(heapWorker, getState().snapshots[1]));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS, states.SAVING_CENSUS, states.SAVED_CENSUS]);
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS, states.SAVED_CENSUS, states.SAVED_CENSUS]);
+
+  ok(getState().snapshots[1].selected, "Second snapshot selected currently");
+  ok(breakdownEquals(getState().snapshots[1].breakdown, breakdowns.internalType.breakdown),
+    "Second snapshot using `internalType` breakdown and updated to correct breakdown");
+  ok(isBreakdownType(getState().snapshots[1].census, "internalType"),
+    "Second snapshot using `internalType` for census and updated to correct breakdown");
+});
diff --git a/devtools/client/memory/test/unit/test_action-set-breakdown-and-refresh-02.js b/devtools/client/memory/test/unit/test_action-set-breakdown-and-refresh-02.js
new file mode 100644
index 000000000000..0ee6e8107672
--- /dev/null
+++ b/devtools/client/memory/test/unit/test_action-set-breakdown-and-refresh-02.js
@@ -0,0 +1,38 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/**
+ * Tests the task creator `setBreakdownAndRefreshAndRefresh()` for custom
+ * breakdowns.
+ */
+
+let { snapshotState: states } = require("devtools/client/memory/constants");
+let { breakdownEquals } = require("devtools/client/memory/utils");
+let { setBreakdownAndRefresh } = require("devtools/client/memory/actions/breakdown");
+let { takeSnapshotAndCensus } = require("devtools/client/memory/actions/snapshot");
+let custom = { by: "internalType", then: { by: "count", bytes: true }};
+
+function run_test() {
+  run_next_test();
+}
+
+add_task(function *() {
+  let front = new StubbedMemoryFront();
+  let heapWorker = new HeapAnalysesClient();
+  yield front.attach();
+  let store = Store();
+  let { getState, dispatch } = store;
+
+  dispatch(setBreakdownAndRefresh(heapWorker, custom));
+  ok(breakdownEquals(getState().breakdown, custom),
+    "Custom breakdown stored in breakdown state.");
+
+  dispatch(takeSnapshotAndCensus(front, heapWorker));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS]);
+
+  ok(breakdownEquals(getState().snapshots[0].breakdown, custom),
+    "New snapshot stored custom breakdown when done taking census");
+  ok(getState().snapshots[0].census.children.length, "Census has some children");
+  // Ensure we don't have `count` in any results
+  ok(getState().snapshots[0].census.children.every(c => !c.count), "Census used custom breakdown");
+});
diff --git a/devtools/client/memory/test/unit/test_action-set-breakdown.js b/devtools/client/memory/test/unit/test_action-set-breakdown.js
new file mode 100644
index 000000000000..c65a7874c35f
--- /dev/null
+++ b/devtools/client/memory/test/unit/test_action-set-breakdown.js
@@ -0,0 +1,45 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/**
+ * Tests the action creator `setBreakdown()` for breakdown changing.
+ * Does not test refreshing the census information, check `setBreakdownAndRefresh` action
+ * for that.
+ */
+
+let { breakdowns, snapshotState: states } = require("devtools/client/memory/constants");
+let { setBreakdown } = require("devtools/client/memory/actions/breakdown");
+let { takeSnapshotAndCensus } = require("devtools/client/memory/actions/snapshot");
+
+function run_test() {
+  run_next_test();
+}
+
+add_task(function *() {
+  let front = new StubbedMemoryFront();
+  let heapWorker = new HeapAnalysesClient();
+  yield front.attach();
+  let store = Store();
+  let { getState, dispatch } = store;
+
+  // Test default breakdown with no snapshots
+  equal(getState().breakdown.by, "coarseType", "default coarseType breakdown selected at start.");
+  dispatch(setBreakdown(breakdowns.objectClass.breakdown));
+  equal(getState().breakdown.by, "objectClass", "breakdown changed with no snapshots");
+
+  // Test invalid breakdowns
+  try {
+    dispatch(setBreakdown({}));
+    ok(false, "Throws when passing in an invalid breakdown object");
+  } catch (e) {
+    ok(true, "Throws when passing in an invalid breakdown object");
+  }
+  equal(getState().breakdown.by, "objectClass",
+    "current breakdown unchanged when passing invalid breakdown");
+
+  // Test new snapshots
+  dispatch(takeSnapshotAndCensus(front, heapWorker));
+  yield waitUntilSnapshotState(store, [states.SAVED_CENSUS]);
+  ok(isBreakdownType(getState().snapshots[0].census, "objectClass"),
+    "New snapshots use the current, non-default breakdown");
+});
diff --git a/devtools/client/memory/test/unit/test_action-take-census.js b/devtools/client/memory/test/unit/test_action-take-census.js
index 25bfdd216d9c..7019d41ce80d 100644
--- a/devtools/client/memory/test/unit/test_action-take-census.js
+++ b/devtools/client/memory/test/unit/test_action-take-census.js
@@ -5,7 +5,8 @@
  * Tests the async reducer responding to the action `takeCensus(heapWorker, snapshot)`
  */
 
-var { snapshotState: states } = require("devtools/client/memory/constants");
+var { snapshotState: states, breakdowns } = require("devtools/client/memory/constants");
+var { breakdownEquals } = require("devtools/client/memory/utils");
 var { ERROR_TYPE } = require("devtools/client/shared/redux/middleware/task");
 var actions = require("devtools/client/memory/actions/snapshot");
 
@@ -43,7 +44,9 @@ add_task(function *() {
 
   snapshot = store.getState().snapshots[0];
   ok(snapshot.census, "Snapshot has census after saved census");
-  ok(snapshot.census.children.length, "Census is in tree node form with the default breakdown");
-  ok(snapshot.census.children.find(t => t.name === "JSObject"),
+  ok(snapshot.census.children.length, "Census is in tree node form");
+  ok(isBreakdownType(snapshot.census, "coarseType"),
     "Census is in tree node form with the default breakdown");
+  ok(breakdownEquals(snapshot.breakdown, breakdowns.coarseType.breakdown),
+    "Snapshot stored correct breakdown used for the census");
 });
diff --git a/devtools/client/memory/test/unit/test_utils.js b/devtools/client/memory/test/unit/test_utils.js
new file mode 100644
index 000000000000..8267df2ac4e4
--- /dev/null
+++ b/devtools/client/memory/test/unit/test_utils.js
@@ -0,0 +1,51 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/**
+ * Tests the task creator `takeSnapshotAndCensus()` for the whole flow of
+ * taking a snapshot, and its sub-actions.
+ */
+
+let utils = require("devtools/client/memory/utils");
+let { snapshotState: states, breakdowns } = require("devtools/client/memory/constants");
+let { Preferences } = require("resource://gre/modules/Preferences.jsm");
+
+function run_test() {
+  run_next_test();
+}
+
+add_task(function *() {
+  ok(utils.breakdownEquals(breakdowns.allocationStack.breakdown, {
+    by: "allocationStack",
+    then: { by: "count", count: true, bytes: true },
+    noStack: { by: "count", count: true, bytes: true },
+  }), "utils.breakdownEquals() passes with preset"),
+
+  ok(!utils.breakdownEquals(breakdowns.allocationStack.breakdown, {
+    by: "allocationStack",
+    then: { by: "count", count: false, bytes: true },
+    noStack: { by: "count", count: true, bytes: true },
+  }), "utils.breakdownEquals() fails when deep properties do not match");
+
+  ok(!utils.breakdownEquals(breakdowns.allocationStack.breakdown, {
+    by: "allocationStack",
+    then: { by: "count", bytes: true },
+    noStack: { by: "count", count: true, bytes: true },
+  }), "utils.breakdownEquals() fails when deep properties are missing.");
+
+  let s1 = utils.createSnapshot();
+  let s2 = utils.createSnapshot();
+  ok(s1.state, states.SAVING, "utils.createSnapshot() creates snapshot in saving state");
+  ok(s1.id !== s2.id, "utils.createSnapshot() creates snapshot with unique ids");
+
+  ok(utils.breakdownEquals(utils.breakdownNameToSpec("coarseType"), breakdowns.coarseType.breakdown),
+    "utils.breakdownNameToSpec() works for presets");
+  ok(utils.breakdownEquals(utils.breakdownNameToSpec("coarseType"), breakdowns.coarseType.breakdown),
+    "utils.breakdownNameToSpec() works for presets");
+
+  let custom = { by: "internalType", then: { by: "count", bytes: true }};
+  Preferences.set("devtools.memory.custom-breakdowns", JSON.stringify({ "My Breakdown": custom }));
+
+  ok(utils.breakdownEquals(utils.getCustomBreakdowns()["My Breakdown"], custom),
+    "utils.getCustomBreakdowns() returns custom breakdowns");
+});
diff --git a/devtools/client/memory/test/unit/xpcshell.ini b/devtools/client/memory/test/unit/xpcshell.ini
index e1711390dfa4..e4c5d9d259ac 100644
--- a/devtools/client/memory/test/unit/xpcshell.ini
+++ b/devtools/client/memory/test/unit/xpcshell.ini
@@ -6,6 +6,10 @@ firefox-appdir = browser
 skip-if = toolkit == 'android' || toolkit == 'gonk'
 
 [test_action-select-snapshot.js]
+[test_action-set-breakdown.js]
+[test_action-set-breakdown-and-refresh-01.js]
+[test_action-set-breakdown-and-refresh-02.js]
 [test_action-take-census.js]
 [test_action-take-snapshot.js]
 [test_action-take-snapshot-and-census.js]
+[test_utils.js]
diff --git a/devtools/client/memory/utils.js b/devtools/client/memory/utils.js
index 80a45d71f226..359d7e3eebbb 100644
--- a/devtools/client/memory/utils.js
+++ b/devtools/client/memory/utils.js
@@ -1,5 +1,7 @@
+const { Preferences } = require("resource://gre/modules/Preferences.jsm");
+const CUSTOM_BREAKDOWN_PREF = "devtools.memory.custom-breakdowns";
 const DevToolsUtils = require("devtools/shared/DevToolsUtils");
-const { snapshotState: states } = require("./constants");
+const { snapshotState: states, breakdowns } = require("./constants");
 const SAVING_SNAPSHOT_TEXT = "Saving snapshot...";
 const READING_SNAPSHOT_TEXT = "Reading snapshot...";
 const SAVING_CENSUS_TEXT = "Taking heap census...";
@@ -14,6 +16,78 @@ exports.assert = function (condition, message) {
   }
 };
 
+/**
+ * Returns an array of objects with the unique key `name`
+ * and `displayName` for each breakdown.
+ *
+ * @return {Object{name, displayName}}
+ */
+exports.getBreakdownDisplayData = function () {
+  return exports.getBreakdownNames().map(name => {
+    // If it's a preset use the display name value
+    let preset = breakdowns[name];
+    let displayName = name;
+    if (preset && preset.displayName) {
+      displayName = preset.displayName;
+    }
+    return { name, displayName };
+  });
+};
+
+/**
+ * Returns an array of the unique names for each breakdown in
+ * presets and custom pref.
+ *
+ * @return {Array<Breakdown>}
+ */
+exports.getBreakdownNames = function () {
+  let custom = exports.getCustomBreakdowns();
+  return Object.keys(Object.assign({}, breakdowns, custom));
+};
+
+/**
+ * Returns custom breakdowns defined in `devtools.memory.custom-breakdowns` pref.
+ *
+ * @return {Object}
+ */
+exports.getCustomBreakdowns = function () {
+  let customBreakdowns = Object.create(null);
+  try {
+    customBreakdowns = JSON.parse(Preferences.get(CUSTOM_BREAKDOWN_PREF)) || Object.create(null);
+  } catch (e) {
+    DevToolsUtils.reportException(
+      `String stored in "${CUSTOM_BREAKDOWN_PREF}" pref cannot be parsed by \`JSON.parse()\`.`);
+  }
+  return customBreakdowns;
+}
+
+/**
+ * Converts a breakdown preset name, like "allocationStack", and returns the
+ * spec for the breakdown. Also checks properties of keys in the `devtools.memory.custom-breakdowns`
+ * pref. If not found, returns an empty object.
+ *
+ * @param {String} name
+ * @return {Object}
+ */
+
+exports.breakdownNameToSpec = function (name) {
+  let customBreakdowns = exports.getCustomBreakdowns();
+
+  // If breakdown is already a breakdown, use it
+  if (typeof name === "object") {
+    return name;
+  }
+  // If it's in our custom breakdowns, use it
+  else if (name in customBreakdowns) {
+    return customBreakdowns[name];
+  }
+  // If breakdown name is in our presets, use that
+  else if (name in breakdowns) {
+    return breakdowns[name].breakdown;
+  }
+  return Object.create(null);
+};
+
 /**
  * Returns a string representing a readable form of the snapshot's state.
  *
@@ -21,16 +95,26 @@ exports.assert = function (condition, message) {
  * @return {String}
  */
 exports.getSnapshotStatusText = function (snapshot) {
-  switch (snapshot && snapshot.state) {
+  exports.assert((snapshot || {}).state,
+    `Snapshot must have expected state, found ${(snapshot || {}).state}.`);
+
+  switch (snapshot.state) {
     case states.SAVING:
       return SAVING_SNAPSHOT_TEXT;
     case states.SAVED:
     case states.READING:
       return READING_SNAPSHOT_TEXT;
-    case states.READ:
     case states.SAVING_CENSUS:
       return SAVING_CENSUS_TEXT;
+    // If it's read, it shouldn't have any label, as we could've cleared the
+    // census cache by changing the breakdown, and we should lazily
+    // go to SAVING_CENSUS. If it's SAVED_CENSUS, we have no status to display.
+    case states.READ:
+    case states.SAVED_CENSUS:
+      return "";
   }
+
+  DevToolsUtils.reportException(`Snapshot in unexpected state: ${snapshot.state}`);
   return "";
 }
 
@@ -66,3 +150,43 @@ exports.createSnapshot = function createSnapshot () {
     path: null,
   };
 };
+
+/**
+ * Takes two objects and compares them deeply, returning
+ * a boolean indicating if they're equal or not. Used for breakdown
+ * comparison.
+ *
+ * @param {Any} obj1
+ * @param {Any} obj2
+ * @return {Boolean}
+ */
+exports.breakdownEquals = function (obj1, obj2) {
+  let type1 = typeof obj1;
+  let type2 = typeof obj2;
+
+  // Quick checks
+  if (type1 !== type2 || (Array.isArray(obj1) !== Array.isArray(obj2))) {
+    return false;
+  }
+
+  if (obj1 === obj2) {
+    return true;
+  }
+
+  if (Array.isArray(obj1)) {
+    if (obj1.length !== obj2.length) { return false; }
+    return obj1.every((_, i) => exports.breakdownEquals(obj[1], obj2[i]));
+  }
+  else if (type1 === "object") {
+    let k1 = Object.keys(obj1);
+    let k2 = Object.keys(obj2);
+
+    if (k1.length !== k2.length) {
+      return false;
+    }
+
+    return k1.every(k => exports.breakdownEquals(obj1[k], obj2[k]));
+  }
+
+  return false;
+};
diff --git a/devtools/client/preferences/devtools.js b/devtools/client/preferences/devtools.js
index 6dc253838e4c..6c49d0301dbb 100644
--- a/devtools/client/preferences/devtools.js
+++ b/devtools/client/preferences/devtools.js
@@ -103,6 +103,8 @@ pref("devtools.debugger.ui.variables-searchbox-visible", false);
 // Enable the Memory tools
 pref("devtools.memory.enabled", false);
 
+pref("devtools.memory.custom-breakdowns", "{}");
+
 // Enable the Performance tools
 pref("devtools.performance.enabled", true);
 
diff --git a/devtools/shared/heapsnapshot/census-tree-node.js b/devtools/shared/heapsnapshot/census-tree-node.js
index c9ec918782b2..54567c63e0eb 100644
--- a/devtools/shared/heapsnapshot/census-tree-node.js
+++ b/devtools/shared/heapsnapshot/census-tree-node.js
@@ -63,7 +63,7 @@ CensusTreeNodeBreakdowns.internalType = function (node, breakdown, report) {
   for (let key of Object.keys(report)) {
     node.children.push(new CensusTreeNode(breakdown.then, report[key], key));
   }
-}
+};
 
 CensusTreeNodeBreakdowns.objectClass = function (node, breakdown, report) {
   node.children = [];
@@ -71,14 +71,18 @@ CensusTreeNodeBreakdowns.objectClass = function (node, breakdown, report) {
     let bd = key === "other" ? breakdown.other : breakdown.then;
     node.children.push(new CensusTreeNode(bd, report[key], key));
   }
-}
+};
 
 CensusTreeNodeBreakdowns.coarseType = function (node, breakdown, report) {
   node.children = [];
   for (let type of Object.keys(breakdown).filter(type => COARSE_TYPES.has(type))) {
     node.children.push(new CensusTreeNode(breakdown[type], report[type], type));
   }
-}
+};
+
+CensusTreeNodeBreakdowns.allocationStack = function (node, breakdown, report) {
+  node.children = [];
+};
 
 function sortByBytes (a, b) {
   return (b.bytes || 0) - (a.bytes || 0);
diff --git a/devtools/shared/webconsole/network-monitor.js b/devtools/shared/webconsole/network-monitor.js
index 74dd65dbc0be..1151f2bd9dd0 100644
--- a/devtools/shared/webconsole/network-monitor.js
+++ b/devtools/shared/webconsole/network-monitor.js
@@ -787,7 +787,7 @@ NetworkMonitor.prototype = {
     // associated with a load group. Bug 1160837 will hopefully introduce a
     // platform fix that will render the following code entirely useless.
     if (aChannel.loadInfo &&
-        aChannel.loadInfo.contentPolicyType == Ci.nsIContentPolicy.TYPE_BEACON) {
+        aChannel.loadInfo.externalContentPolicyType == Ci.nsIContentPolicy.TYPE_BEACON) {
       let nonE10sMatch = this.window &&
                          aChannel.loadInfo.loadingDocument === this.window.document;
       let e10sMatch = this.topFrame &&
@@ -838,7 +838,7 @@ NetworkMonitor.prototype = {
 
     // Determine if this is an XHR request.
     httpActivity.isXHR = event.isXHR =
-        (aChannel.loadInfo.contentPolicyType === Ci.nsIContentPolicy.TYPE_XMLHTTPREQUEST);
+        (aChannel.loadInfo.externalContentPolicyType === Ci.nsIContentPolicy.TYPE_XMLHTTPREQUEST);
 
     // Determine the HTTP version.
     let httpVersionMaj = {};
diff --git a/docshell/test/unit/test_bug442584.js b/docshell/test/unit/test_bug442584.js
index 75df23ab4fc7..174bdb7e3084 100644
--- a/docshell/test/unit/test_bug442584.js
+++ b/docshell/test/unit/test_bug442584.js
@@ -14,13 +14,11 @@ function run_test() {
   }
 
   // Make sure the queue has items in it...
-  var queue = prefetch.enumerateQueue();
-  do_check_true(queue.hasMoreElements());
+  do_check_true(prefetch.hasMoreElements());
 
   // Now disable the pref to force the queue to empty...
   prefs.setBoolPref("network.prefetch-next", false);
-  queue = prefetch.enumerateQueue();
-  do_check_false(queue.hasMoreElements());
+  do_check_false(prefetch.hasMoreElements());
 
   // Now reenable the pref, and add more items to the queue.
   prefs.setBoolPref("network.prefetch-next", true);
@@ -28,7 +26,5 @@ function run_test() {
     var uri = ios.newURI("http://localhost/" + i, null, null);
     prefetch.prefetchURI(uri, uri, null, true);
   }
-  queue = prefetch.enumerateQueue();
-  do_check_true(queue.hasMoreElements());
+  do_check_true(prefetch.hasMoreElements());
 }
-
diff --git a/dom/base/Element.cpp b/dom/base/Element.cpp
index 19fe5eb9330c..ca1e3ba5e333 100644
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -1720,6 +1720,9 @@ Element::UnbindFromTree(bool aDeep, bool aNullParent)
   nsIDocument* document =
     HasFlag(NODE_FORCE_XBL_BINDINGS) ? OwnerDoc() : GetComposedDoc();
 
+  if (HasPointerLock()) {
+    nsIDocument::UnlockPointer();
+  }
   if (aNullParent) {
     if (IsFullScreenAncestor()) {
       // The element being removed is an ancestor of the full-screen element,
@@ -1731,9 +1734,6 @@ Element::UnbindFromTree(bool aDeep, bool aNullParent)
       // Fully exit full-screen.
       nsIDocument::ExitFullscreenInDocTree(OwnerDoc());
     }
-    if (HasPointerLock()) {
-      nsIDocument::UnlockPointer();
-    }
 
     if (GetParent() && GetParent()->IsInUncomposedDoc()) {
       // Update the editable descendant count in the ancestors before we
diff --git a/dom/base/Element.h b/dom/base/Element.h
index 22e168850d3f..6d8f7db42d8f 100644
--- a/dom/base/Element.h
+++ b/dom/base/Element.h
@@ -668,11 +668,6 @@ public:
                            ErrorResult& aError);
   already_AddRefed<nsIHTMLCollection>
     GetElementsByClassName(const nsAString& aClassNames);
-  bool MozMatchesSelector(const nsAString& aSelector,
-                          ErrorResult& aError)
-  {
-    return Matches(aSelector, aError);
-  }
   void SetPointerCapture(int32_t aPointerId, ErrorResult& aError)
   {
     bool activeState = false;
@@ -1769,8 +1764,8 @@ NS_IMETHOD MozMatchesSelector(const nsAString& selector,                      \
                               bool* _retval) final override                   \
 {                                                                             \
   mozilla::ErrorResult rv;                                                    \
-  *_retval = Element::MozMatchesSelector(selector, rv);                       \
-  return rv.StealNSResult();                                                      \
+  *_retval = Element::Matches(selector, rv);                                  \
+  return rv.StealNSResult();                                                  \
 }                                                                             \
 NS_IMETHOD SetCapture(bool retargetToElement) final override                  \
 {                                                                             \
diff --git a/dom/base/URLSearchParams.cpp b/dom/base/URLSearchParams.cpp
index 9780a54a92c2..f20d2de57363 100644
--- a/dom/base/URLSearchParams.cpp
+++ b/dom/base/URLSearchParams.cpp
@@ -418,5 +418,23 @@ URLSearchParams::NotifyObserver()
   }
 }
 
+uint32_t
+URLSearchParams::GetIterableLength() const
+{
+  return mParams->Length();
+}
+
+const nsAString&
+URLSearchParams::GetKeyAtIndex(uint32_t aIndex) const
+{
+  return mParams->GetKeyAtIndex(aIndex);
+}
+
+const nsAString&
+URLSearchParams::GetValueAtIndex(uint32_t aIndex) const
+{
+  return mParams->GetValueAtIndex(aIndex);
+}
+
 } // namespace dom
 } // namespace mozilla
diff --git a/dom/base/URLSearchParams.h b/dom/base/URLSearchParams.h
index 3c36524d852d..84485b8d875a 100644
--- a/dom/base/URLSearchParams.h
+++ b/dom/base/URLSearchParams.h
@@ -91,6 +91,23 @@ public:
     mParams.Clear();
   }
 
+  uint32_t Length() const
+  {
+    return mParams.Length();
+  }
+
+  const nsAString& GetKeyAtIndex(uint32_t aIndex) const
+  {
+    MOZ_ASSERT(aIndex < mParams.Length());
+    return mParams[aIndex].mKey;
+  }
+
+  const nsAString& GetValueAtIndex(uint32_t aIndex) const
+  {
+    MOZ_ASSERT(aIndex < mParams.Length());
+    return mParams[aIndex].mValue;
+  }
+
 private:
   void DecodeString(const nsACString& aInput, nsAString& aOutput);
   void ConvertString(const nsACString& aInput, nsAString& aOutput);
@@ -153,6 +170,10 @@ public:
 
   void Delete(const nsAString& aName);
 
+  uint32_t GetIterableLength() const;
+  const nsAString& GetKeyAtIndex(uint32_t aIndex) const;
+  const nsAString& GetValueAtIndex(uint32_t aIndex) const;
+
   void Stringify(nsString& aRetval) const
   {
     Serialize(aRetval);
diff --git a/dom/base/nsDOMWindowUtils.cpp b/dom/base/nsDOMWindowUtils.cpp
index 1ffdc4bba45f..6abd56d3c1a1 100644
--- a/dom/base/nsDOMWindowUtils.cpp
+++ b/dom/base/nsDOMWindowUtils.cpp
@@ -3196,7 +3196,7 @@ convertSheetType(uint32_t aSheetType)
     default:
       NS_ASSERTION(false, "wrong type");
       // we must return something although this should never happen
-      return nsIDocument::SheetTypeCount;
+      return nsIDocument::AdditionalSheetTypeCount;
   }
 }
 
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index a0b79999d036..8f084d05a03e 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -2413,7 +2413,7 @@ nsDocument::RemoveDocStyleSheetsFromStyleSets()
 }
 
 void
-nsDocument::RemoveStyleSheetsFromStyleSets(nsCOMArray<nsIStyleSheet>& aSheets, nsStyleSet::sheetType aType)
+nsDocument::RemoveStyleSheetsFromStyleSets(nsCOMArray<nsIStyleSheet>& aSheets, SheetType aType)
 {
   // The stylesheets should forget us
   int32_t indx = aSheets.Count();
@@ -2440,16 +2440,17 @@ nsDocument::ResetStylesheetsToURI(nsIURI* aURI)
 
   mozAutoDocUpdate upd(this, UPDATE_STYLE, true);
   RemoveDocStyleSheetsFromStyleSets();
-  RemoveStyleSheetsFromStyleSets(mOnDemandBuiltInUASheets, nsStyleSet::eAgentSheet);
-  RemoveStyleSheetsFromStyleSets(mAdditionalSheets[eAgentSheet], nsStyleSet::eAgentSheet);
-  RemoveStyleSheetsFromStyleSets(mAdditionalSheets[eUserSheet], nsStyleSet::eUserSheet);
-  RemoveStyleSheetsFromStyleSets(mAdditionalSheets[eAuthorSheet], nsStyleSet::eDocSheet);
+  RemoveStyleSheetsFromStyleSets(mOnDemandBuiltInUASheets, SheetType::Agent);
+  RemoveStyleSheetsFromStyleSets(mAdditionalSheets[eAgentSheet], SheetType::Agent);
+  RemoveStyleSheetsFromStyleSets(mAdditionalSheets[eUserSheet], SheetType::User);
+  RemoveStyleSheetsFromStyleSets(mAdditionalSheets[eAuthorSheet], SheetType::Doc);
 
   // Release all the sheets
   mStyleSheets.Clear();
   mOnDemandBuiltInUASheets.Clear();
-  for (uint32_t i = 0; i < SheetTypeCount; ++i)
-    mAdditionalSheets[i].Clear();
+  for (auto& sheets : mAdditionalSheets) {
+    sheets.Clear();
+  }
 
   // NOTE:  We don't release the catalog sheets.  It doesn't really matter
   // now, but it could in the future -- in which case not releasing them
@@ -2483,14 +2484,14 @@ static bool
 AppendAuthorSheet(nsIStyleSheet *aSheet, void *aData)
 {
   nsStyleSet *styleSet = static_cast<nsStyleSet*>(aData);
-  styleSet->AppendStyleSheet(nsStyleSet::eDocSheet, aSheet);
+  styleSet->AppendStyleSheet(SheetType::Doc, aSheet);
   return true;
 }
 
 static void
 AppendSheetsToStyleSet(nsStyleSet* aStyleSet,
                        const nsCOMArray<nsIStyleSheet>& aSheets,
-                       nsStyleSet::sheetType aType)
+                       SheetType aType)
 {
   for (int32_t i = aSheets.Count() - 1; i >= 0; --i) {
     aStyleSet->AppendStyleSheet(aType, aSheets[i]);
@@ -2502,13 +2503,13 @@ void
 nsDocument::FillStyleSet(nsStyleSet* aStyleSet)
 {
   NS_PRECONDITION(aStyleSet, "Must have a style set");
-  NS_PRECONDITION(aStyleSet->SheetCount(nsStyleSet::eDocSheet) == 0,
+  NS_PRECONDITION(aStyleSet->SheetCount(SheetType::Doc) == 0,
                   "Style set already has document sheets?");
 
   // We could consider moving this to nsStyleSet::Init, to match its
   // handling of the eAnimationSheet and eTransitionSheet levels.
-  aStyleSet->DirtyRuleProcessors(nsStyleSet::ePresHintSheet);
-  aStyleSet->DirtyRuleProcessors(nsStyleSet::eStyleAttrSheet);
+  aStyleSet->DirtyRuleProcessors(SheetType::PresHint);
+  aStyleSet->DirtyRuleProcessors(SheetType::StyleAttr);
 
   int32_t i;
   for (i = mStyleSheets.Count() - 1; i >= 0; --i) {
@@ -2528,16 +2529,16 @@ nsDocument::FillStyleSet(nsStyleSet* aStyleSet)
   for (i = mOnDemandBuiltInUASheets.Count() - 1; i >= 0; --i) {
     nsIStyleSheet* sheet = mOnDemandBuiltInUASheets[i];
     if (sheet->IsApplicable()) {
-      aStyleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      aStyleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
   }
 
   AppendSheetsToStyleSet(aStyleSet, mAdditionalSheets[eAgentSheet],
-                         nsStyleSet::eAgentSheet);
+                         SheetType::Agent);
   AppendSheetsToStyleSet(aStyleSet, mAdditionalSheets[eUserSheet],
-                         nsStyleSet::eUserSheet);
+                         SheetType::User);
   AppendSheetsToStyleSet(aStyleSet, mAdditionalSheets[eAuthorSheet],
-                         nsStyleSet::eDocSheet);
+                         SheetType::Doc);
 }
 
 static void
@@ -4141,7 +4142,7 @@ nsDocument::AddOnDemandBuiltInUASheet(CSSStyleSheet* aSheet)
       // do not override Firefox OS/Mobile's content.css sheet. Maybe we should
       // have an insertion point to match the order of
       // nsDocumentViewer::CreateStyleSet though?
-      shell->StyleSet()->PrependStyleSheet(nsStyleSet::eAgentSheet, aSheet);
+      shell->StyleSet()->PrependStyleSheet(SheetType::Agent, aSheet);
     }
   }
 
@@ -4373,20 +4374,20 @@ nsDocument::NotifyStyleSheetApplicableStateChanged()
   }
 }
 
-static nsStyleSet::sheetType
+static SheetType
 ConvertAdditionalSheetType(nsIDocument::additionalSheetType aType)
 {
   switch(aType) {
     case nsIDocument::eAgentSheet:
-      return nsStyleSet::eAgentSheet;
+      return SheetType::Agent;
     case nsIDocument::eUserSheet:
-      return nsStyleSet::eUserSheet;
+      return SheetType::User;
     case nsIDocument::eAuthorSheet:
-      return nsStyleSet::eDocSheet;
+      return SheetType::Doc;
     default:
-      NS_ASSERTION(false, "wrong type");
+      MOZ_ASSERT(false, "wrong type");
       // we must return something although this should never happen
-      return nsStyleSet::eSheetTypeCount;
+      return SheetType::Count;
   }
 }
 
@@ -4460,7 +4461,7 @@ nsDocument::AddAdditionalStyleSheet(additionalSheetType aType, nsIStyleSheet* aS
   BeginUpdate(UPDATE_STYLE);
   nsCOMPtr<nsIPresShell> shell = GetShell();
   if (shell) {
-    nsStyleSet::sheetType type = ConvertAdditionalSheetType(aType);
+    SheetType type = ConvertAdditionalSheetType(aType);
     shell->StyleSet()->AppendStyleSheet(type, aSheet);
   }
 
@@ -4488,7 +4489,7 @@ nsDocument::RemoveAdditionalStyleSheet(additionalSheetType aType, nsIURI* aSheet
       MOZ_ASSERT(sheetRef->IsApplicable());
       nsCOMPtr<nsIPresShell> shell = GetShell();
       if (shell) {
-        nsStyleSet::sheetType type = ConvertAdditionalSheetType(aType);
+        SheetType type = ConvertAdditionalSheetType(aType);
         shell->StyleSet()->RemoveStyleSheet(type, sheetRef);
       }
     }
diff --git a/dom/base/nsDocument.h b/dom/base/nsDocument.h
index 22e54fa924d8..91113b874455 100644
--- a/dom/base/nsDocument.h
+++ b/dom/base/nsDocument.h
@@ -1516,7 +1516,7 @@ protected:
 
   void RemoveDocStyleSheetsFromStyleSets();
   void RemoveStyleSheetsFromStyleSets(nsCOMArray<nsIStyleSheet>& aSheets, 
-                                      nsStyleSet::sheetType aType);
+                                      mozilla::SheetType aType);
   void ResetStylesheetsToURI(nsIURI* aURI);
   void FillStyleSet(nsStyleSet* aStyleSet);
 
@@ -1571,7 +1571,7 @@ protected:
 
   nsCOMArray<nsIStyleSheet> mStyleSheets;
   nsCOMArray<nsIStyleSheet> mOnDemandBuiltInUASheets;
-  nsCOMArray<nsIStyleSheet> mAdditionalSheets[SheetTypeCount];
+  nsCOMArray<nsIStyleSheet> mAdditionalSheets[AdditionalSheetTypeCount];
 
   // Array of observers
   nsTObserverArray<nsIDocumentObserver*> mObservers;
diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
index 4993bd800757..d16c0edcbb09 100644
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -4961,7 +4961,7 @@ nsGlobalWindow::GetInnerWidth(int32_t* aInnerWidth)
 }
 
 void
-nsGlobalWindow::SetInnerWidthOuter(int32_t aInnerWidth, ErrorResult& aError)
+nsGlobalWindow::SetInnerWidthOuter(int32_t aInnerWidth, ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_RELEASE_ASSERT(IsOuterWindow());
 
@@ -4970,7 +4970,7 @@ nsGlobalWindow::SetInnerWidthOuter(int32_t aInnerWidth, ErrorResult& aError)
     return;
   }
 
-  CheckSecurityWidthAndHeight(&aInnerWidth, nullptr);
+  CheckSecurityWidthAndHeight(&aInnerWidth, nullptr, aCallerIsChrome);
 
   RefPtr<nsIPresShell> presShell = mDocShell->GetPresShell();
 
@@ -4999,7 +4999,7 @@ nsGlobalWindow::SetInnerWidthOuter(int32_t aInnerWidth, ErrorResult& aError)
 void
 nsGlobalWindow::SetInnerWidth(int32_t aInnerWidth, ErrorResult& aError)
 {
-  FORWARD_TO_OUTER_OR_THROW(SetInnerWidthOuter, (aInnerWidth, aError), aError, );
+  FORWARD_TO_OUTER_OR_THROW(SetInnerWidthOuter, (aInnerWidth, aError, nsContentUtils::IsCallerChrome()), aError, );
 }
 
 void
@@ -5013,14 +5013,14 @@ nsGlobalWindow::SetInnerWidth(JSContext* aCx, JS::Handle<JS::Value> aValue,
 NS_IMETHODIMP
 nsGlobalWindow::SetInnerWidth(int32_t aInnerWidth)
 {
-  FORWARD_TO_INNER(SetInnerWidth, (aInnerWidth), NS_ERROR_UNEXPECTED);
+  FORWARD_TO_OUTER(SetInnerWidth, (aInnerWidth), NS_ERROR_UNEXPECTED);
 
   if (IsFrame()) {
     return NS_OK;
   }
 
   ErrorResult rv;
-  SetInnerWidth(aInnerWidth, rv);
+  SetInnerWidthOuter(aInnerWidth, rv, /* aCallerIsChrome = */ true);
 
   return rv.StealNSResult();
 }
@@ -5062,7 +5062,7 @@ nsGlobalWindow::GetInnerHeight(int32_t* aInnerHeight)
 }
 
 void
-nsGlobalWindow::SetInnerHeightOuter(int32_t aInnerHeight, ErrorResult& aError)
+nsGlobalWindow::SetInnerHeightOuter(int32_t aInnerHeight, ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_RELEASE_ASSERT(IsOuterWindow());
 
@@ -5081,7 +5081,7 @@ nsGlobalWindow::SetInnerHeightOuter(int32_t aInnerHeight, ErrorResult& aError)
     nsRect shellArea = presContext->GetVisibleArea();
     nscoord height = aInnerHeight;
     nscoord width = shellArea.width;
-    CheckSecurityWidthAndHeight(nullptr, &height);
+    CheckSecurityWidthAndHeight(nullptr, &height, aCallerIsChrome);
     SetCSSViewportWidthAndHeight(width,
                                  nsPresContext::CSSPixelsToAppUnits(height));
     return;
@@ -5092,14 +5092,14 @@ nsGlobalWindow::SetInnerHeightOuter(int32_t aInnerHeight, ErrorResult& aError)
 
   nsCOMPtr<nsIBaseWindow> docShellAsWin(do_QueryInterface(mDocShell));
   docShellAsWin->GetSize(&width, &height);
-  CheckSecurityWidthAndHeight(nullptr, &aInnerHeight);
+  CheckSecurityWidthAndHeight(nullptr, &aInnerHeight, aCallerIsChrome);
   aError = SetDocShellWidthAndHeight(width, CSSToDevIntPixels(aInnerHeight));
 }
 
 void
 nsGlobalWindow::SetInnerHeight(int32_t aInnerHeight, ErrorResult& aError)
 {
-  FORWARD_TO_OUTER_OR_THROW(SetInnerHeightOuter, (aInnerHeight, aError), aError, );
+  FORWARD_TO_OUTER_OR_THROW(SetInnerHeightOuter, (aInnerHeight, aError, nsContentUtils::IsCallerChrome()), aError, );
 }
 
 void
@@ -5113,14 +5113,14 @@ nsGlobalWindow::SetInnerHeight(JSContext* aCx, JS::Handle<JS::Value> aValue,
 NS_IMETHODIMP
 nsGlobalWindow::SetInnerHeight(int32_t aInnerHeight)
 {
-  FORWARD_TO_INNER(SetInnerHeight, (aInnerHeight), NS_ERROR_UNEXPECTED);
+  FORWARD_TO_OUTER(SetInnerHeight, (aInnerHeight), NS_ERROR_UNEXPECTED);
 
   if (IsFrame()) {
     return NS_OK;
   }
 
   ErrorResult rv;
-  SetInnerHeight(aInnerHeight, rv);
+  SetInnerHeightOuter(aInnerHeight, rv, /* aCallerIsChrome = */ true);
 
   return rv.StealNSResult();
 }
@@ -5225,7 +5225,7 @@ nsGlobalWindow::GetOuterHeight(int32_t* aOuterHeight)
 
 void
 nsGlobalWindow::SetOuterSize(int32_t aLengthCSSPixels, bool aIsWidth,
-                             ErrorResult& aError)
+                             ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_ASSERT(IsOuterWindow());
 
@@ -5236,7 +5236,8 @@ nsGlobalWindow::SetOuterSize(int32_t aLengthCSSPixels, bool aIsWidth,
   }
 
   CheckSecurityWidthAndHeight(aIsWidth ? &aLengthCSSPixels : nullptr,
-                              aIsWidth ? nullptr : &aLengthCSSPixels);
+                              aIsWidth ? nullptr : &aLengthCSSPixels,
+                              aCallerIsChrome);
 
   int32_t width, height;
   aError = treeOwnerAsWin->GetSize(&width, &height);
@@ -5254,17 +5255,17 @@ nsGlobalWindow::SetOuterSize(int32_t aLengthCSSPixels, bool aIsWidth,
 }
 
 void
-nsGlobalWindow::SetOuterWidthOuter(int32_t aOuterWidth, ErrorResult& aError)
+nsGlobalWindow::SetOuterWidthOuter(int32_t aOuterWidth, ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_RELEASE_ASSERT(IsOuterWindow());
 
-  SetOuterSize(aOuterWidth, true, aError);
+  SetOuterSize(aOuterWidth, true, aError, aCallerIsChrome);
 }
 
 void
 nsGlobalWindow::SetOuterWidth(int32_t aOuterWidth, ErrorResult& aError)
 {
-  FORWARD_TO_OUTER_OR_THROW(SetOuterWidthOuter, (aOuterWidth, aError), aError, );
+  FORWARD_TO_OUTER_OR_THROW(SetOuterWidthOuter, (aOuterWidth, aError, nsContentUtils::IsCallerChrome()), aError, );
 }
 
 void
@@ -5278,30 +5279,30 @@ nsGlobalWindow::SetOuterWidth(JSContext* aCx, JS::Handle<JS::Value> aValue,
 NS_IMETHODIMP
 nsGlobalWindow::SetOuterWidth(int32_t aOuterWidth)
 {
-  FORWARD_TO_INNER(SetOuterWidth, (aOuterWidth), NS_ERROR_UNEXPECTED);
+  FORWARD_TO_OUTER(SetOuterWidth, (aOuterWidth), NS_ERROR_UNEXPECTED);
 
   if (IsFrame()) {
     return NS_OK;
   }
 
   ErrorResult rv;
-  SetOuterWidth(aOuterWidth, rv);
+  SetOuterWidthOuter(aOuterWidth, rv, /* aCallerIsChrome = */ true);
 
   return rv.StealNSResult();
 }
 
 void
-nsGlobalWindow::SetOuterHeightOuter(int32_t aOuterHeight, ErrorResult& aError)
+nsGlobalWindow::SetOuterHeightOuter(int32_t aOuterHeight, ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_RELEASE_ASSERT(IsOuterWindow());
 
-  SetOuterSize(aOuterHeight, false, aError);
+  SetOuterSize(aOuterHeight, false, aError, aCallerIsChrome);
 }
 
 void
 nsGlobalWindow::SetOuterHeight(int32_t aOuterHeight, ErrorResult& aError)
 {
-  FORWARD_TO_OUTER_OR_THROW(SetOuterHeightOuter, (aOuterHeight, aError), aError, );
+  FORWARD_TO_OUTER_OR_THROW(SetOuterHeightOuter, (aOuterHeight, aError, nsContentUtils::IsCallerChrome()), aError, );
 }
 
 void
@@ -5315,14 +5316,14 @@ nsGlobalWindow::SetOuterHeight(JSContext* aCx, JS::Handle<JS::Value> aValue,
 NS_IMETHODIMP
 nsGlobalWindow::SetOuterHeight(int32_t aOuterHeight)
 {
-  FORWARD_TO_INNER(SetOuterHeight, (aOuterHeight), NS_ERROR_UNEXPECTED);
+  FORWARD_TO_OUTER(SetOuterHeight, (aOuterHeight), NS_ERROR_UNEXPECTED);
 
   if (IsFrame()) {
     return NS_OK;
   }
 
   ErrorResult rv;
-  SetOuterHeight(aOuterHeight, rv);
+  SetOuterHeightOuter(aOuterHeight, rv, /* aCallerIsChrome = */ true);
 
   return rv.StealNSResult();
 }
@@ -5644,7 +5645,7 @@ nsGlobalWindow::MatchMedia(const nsAString& aMediaQueryList,
 }
 
 void
-nsGlobalWindow::SetScreenXOuter(int32_t aScreenX, ErrorResult& aError)
+nsGlobalWindow::SetScreenXOuter(int32_t aScreenX, ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_RELEASE_ASSERT(IsOuterWindow());
 
@@ -5660,7 +5661,7 @@ nsGlobalWindow::SetScreenXOuter(int32_t aScreenX, ErrorResult& aError)
     return;
   }
 
-  CheckSecurityLeftAndTop(&aScreenX, nullptr);
+  CheckSecurityLeftAndTop(&aScreenX, nullptr, aCallerIsChrome);
   x = CSSToDevIntPixels(aScreenX);
 
   aError = treeOwnerAsWin->SetPosition(x, y);
@@ -5669,7 +5670,7 @@ nsGlobalWindow::SetScreenXOuter(int32_t aScreenX, ErrorResult& aError)
 void
 nsGlobalWindow::SetScreenX(int32_t aScreenX, ErrorResult& aError)
 {
-  FORWARD_TO_OUTER_OR_THROW(SetScreenXOuter, (aScreenX, aError), aError, );
+  FORWARD_TO_OUTER_OR_THROW(SetScreenXOuter, (aScreenX, aError, nsContentUtils::IsCallerChrome()), aError, );
 }
 
 void
@@ -5683,14 +5684,14 @@ nsGlobalWindow::SetScreenX(JSContext* aCx, JS::Handle<JS::Value> aValue,
 NS_IMETHODIMP
 nsGlobalWindow::SetScreenX(int32_t aScreenX)
 {
-  FORWARD_TO_INNER(SetScreenX, (aScreenX), NS_ERROR_UNEXPECTED);
+  FORWARD_TO_OUTER(SetScreenX, (aScreenX), NS_ERROR_UNEXPECTED);
 
   if (IsFrame()) {
     return NS_OK;
   }
 
   ErrorResult rv;
-  SetScreenX(aScreenX, rv);
+  SetScreenXOuter(aScreenX, rv, /* aCallerIsChrome = */ true);
 
   return rv.StealNSResult();
 }
@@ -5730,7 +5731,7 @@ nsGlobalWindow::GetScreenY(JSContext* aCx,
 }
 
 void
-nsGlobalWindow::SetScreenYOuter(int32_t aScreenY, ErrorResult& aError)
+nsGlobalWindow::SetScreenYOuter(int32_t aScreenY, ErrorResult& aError, bool aCallerIsChrome)
 {
   MOZ_RELEASE_ASSERT(IsOuterWindow());
 
@@ -5746,7 +5747,7 @@ nsGlobalWindow::SetScreenYOuter(int32_t aScreenY, ErrorResult& aError)
     return;
   }
 
-  CheckSecurityLeftAndTop(nullptr, &aScreenY);
+  CheckSecurityLeftAndTop(nullptr, &aScreenY, aCallerIsChrome);
   y = CSSToDevIntPixels(aScreenY);
 
   aError = treeOwnerAsWin->SetPosition(x, y);
@@ -5755,7 +5756,7 @@ nsGlobalWindow::SetScreenYOuter(int32_t aScreenY, ErrorResult& aError)
 void
 nsGlobalWindow::SetScreenY(int32_t aScreenY, ErrorResult& aError)
 {
-  FORWARD_TO_OUTER_OR_THROW(SetScreenYOuter, (aScreenY, aError), aError, );
+  FORWARD_TO_OUTER_OR_THROW(SetScreenYOuter, (aScreenY, aError, nsContentUtils::IsCallerChrome()), aError, );
 }
 
 void
@@ -5769,14 +5770,14 @@ nsGlobalWindow::SetScreenY(JSContext* aCx, JS::Handle<JS::Value> aValue,
 NS_IMETHODIMP
 nsGlobalWindow::SetScreenY(int32_t aScreenY)
 {
-  FORWARD_TO_INNER(SetScreenY, (aScreenY), NS_ERROR_UNEXPECTED);
+  FORWARD_TO_OUTER(SetScreenY, (aScreenY), NS_ERROR_UNEXPECTED);
 
   if (IsFrame()) {
     return NS_OK;
   }
 
   ErrorResult rv;
-  SetScreenY(aScreenY, rv);
+  SetScreenYOuter(aScreenY, rv, /* aCallerIsChrome = */ true);
 
   return rv.StealNSResult();
 }
@@ -5784,12 +5785,12 @@ nsGlobalWindow::SetScreenY(int32_t aScreenY)
 // NOTE: Arguments to this function should have values scaled to
 // CSS pixels, not device pixels.
 void
-nsGlobalWindow::CheckSecurityWidthAndHeight(int32_t* aWidth, int32_t* aHeight)
+nsGlobalWindow::CheckSecurityWidthAndHeight(int32_t* aWidth, int32_t* aHeight, bool aCallerIsChrome)
 {
   MOZ_ASSERT(IsOuterWindow());
 
 #ifdef MOZ_XUL
-  if (!nsContentUtils::IsCallerChrome()) {
+  if (!aCallerIsChrome) {
     // if attempting to resize the window, hide any open popups
     nsContentUtils::HidePopupsInDocument(mDoc);
   }
@@ -5848,7 +5849,7 @@ nsGlobalWindow::SetCSSViewportWidthAndHeight(nscoord aInnerWidth, nscoord aInner
 // NOTE: Arguments to this function should have values scaled to
 // CSS pixels, not device pixels.
 void
-nsGlobalWindow::CheckSecurityLeftAndTop(int32_t* aLeft, int32_t* aTop)
+nsGlobalWindow::CheckSecurityLeftAndTop(int32_t* aLeft, int32_t* aTop, bool aCallerIsChrome)
 {
   MOZ_ASSERT(IsOuterWindow());
 
@@ -5856,7 +5857,7 @@ nsGlobalWindow::CheckSecurityLeftAndTop(int32_t* aLeft, int32_t* aTop)
 
   // Check security state for use in determing window dimensions
 
-  if (!nsContentUtils::IsCallerChrome()) {
+  if (!aCallerIsChrome) {
 #ifdef MOZ_XUL
     // if attempting to move the window, hide any open popups
     nsContentUtils::HidePopupsInDocument(mDoc);
@@ -7623,7 +7624,7 @@ nsGlobalWindow::MoveToOuter(int32_t aXPos, int32_t aYPos, ErrorResult& aError, b
 
   // Mild abuse of a "size" object so we don't need more helper functions.
   nsIntSize cssPos(aXPos, aYPos);
-  CheckSecurityLeftAndTop(&cssPos.width, &cssPos.height);
+  CheckSecurityLeftAndTop(&cssPos.width, &cssPos.height, aCallerIsChrome);
 
   nsIntSize devPos = CSSToDevIntPixels(cssPos);
 
@@ -7683,7 +7684,7 @@ nsGlobalWindow::MoveByOuter(int32_t aXDif, int32_t aYDif, ErrorResult& aError, b
   cssPos.width += aXDif;
   cssPos.height += aYDif;
   
-  CheckSecurityLeftAndTop(&cssPos.width, &cssPos.height);
+  CheckSecurityLeftAndTop(&cssPos.width, &cssPos.height, aCallerIsChrome);
 
   nsIntSize newDevPos(CSSToDevIntPixels(cssPos));
 
@@ -7741,7 +7742,7 @@ nsGlobalWindow::ResizeToOuter(int32_t aWidth, int32_t aHeight, ErrorResult& aErr
   }
   
   nsIntSize cssSize(aWidth, aHeight);
-  CheckSecurityWidthAndHeight(&cssSize.width, &cssSize.height);
+  CheckSecurityWidthAndHeight(&cssSize.width, &cssSize.height, aCallerIsChrome);
 
   nsIntSize devSz(CSSToDevIntPixels(cssSize));
 
@@ -7821,7 +7822,7 @@ nsGlobalWindow::ResizeByOuter(int32_t aWidthDif, int32_t aHeightDif,
   cssSize.width += aWidthDif;
   cssSize.height += aHeightDif;
 
-  CheckSecurityWidthAndHeight(&cssSize.width, &cssSize.height);
+  CheckSecurityWidthAndHeight(&cssSize.width, &cssSize.height, aCallerIsChrome);
 
   nsIntSize newDevSize(CSSToDevIntPixels(cssSize));
 
@@ -7888,7 +7889,7 @@ nsGlobalWindow::SizeToContentOuter(ErrorResult& aError, bool aCallerIsChrome)
   }
 
   nsIntSize cssSize(DevToCSSIntPixels(nsIntSize(width, height)));
-  CheckSecurityWidthAndHeight(&cssSize.width, &cssSize.height);
+  CheckSecurityWidthAndHeight(&cssSize.width, &cssSize.height, aCallerIsChrome);
 
   nsIntSize newDevSize(CSSToDevIntPixels(cssSize));
 
diff --git a/dom/base/nsGlobalWindow.h b/dom/base/nsGlobalWindow.h
index 0c61c8c05302..41d617c17ea8 100644
--- a/dom/base/nsGlobalWindow.h
+++ b/dom/base/nsGlobalWindow.h
@@ -1207,27 +1207,27 @@ protected:
   // And the implementations of WindowCoordGetter/WindowCoordSetter.
   int32_t GetInnerWidthOuter(mozilla::ErrorResult& aError);
   int32_t GetInnerWidth(mozilla::ErrorResult& aError);
-  void SetInnerWidthOuter(int32_t aInnerWidth, mozilla::ErrorResult& aError);
+  void SetInnerWidthOuter(int32_t aInnerWidth, mozilla::ErrorResult& aError, bool aCallerIsChrome);
   void SetInnerWidth(int32_t aInnerWidth, mozilla::ErrorResult& aError);
   int32_t GetInnerHeightOuter(mozilla::ErrorResult& aError);
   int32_t GetInnerHeight(mozilla::ErrorResult& aError);
-  void SetInnerHeightOuter(int32_t aInnerHeight, mozilla::ErrorResult& aError);
+  void SetInnerHeightOuter(int32_t aInnerHeight, mozilla::ErrorResult& aError, bool aCallerIsChrome);
   void SetInnerHeight(int32_t aInnerHeight, mozilla::ErrorResult& aError);
   int32_t GetScreenXOuter(mozilla::ErrorResult& aError);
   int32_t GetScreenX(mozilla::ErrorResult& aError);
-  void SetScreenXOuter(int32_t aScreenX, mozilla::ErrorResult& aError);
+  void SetScreenXOuter(int32_t aScreenX, mozilla::ErrorResult& aError, bool aCallerIsChrome);
   void SetScreenX(int32_t aScreenX, mozilla::ErrorResult& aError);
   int32_t GetScreenYOuter(mozilla::ErrorResult& aError);
   int32_t GetScreenY(mozilla::ErrorResult& aError);
-  void SetScreenYOuter(int32_t aScreenY, mozilla::ErrorResult& aError);
+  void SetScreenYOuter(int32_t aScreenY, mozilla::ErrorResult& aError, bool aCallerIsChrome);
   void SetScreenY(int32_t aScreenY, mozilla::ErrorResult& aError);
   int32_t GetOuterWidthOuter(mozilla::ErrorResult& aError);
   int32_t GetOuterWidth(mozilla::ErrorResult& aError);
-  void SetOuterWidthOuter(int32_t aOuterWidth, mozilla::ErrorResult& aError);
+  void SetOuterWidthOuter(int32_t aOuterWidth, mozilla::ErrorResult& aError, bool aCallerIsChrome);
   void SetOuterWidth(int32_t aOuterWidth, mozilla::ErrorResult& aError);
   int32_t GetOuterHeightOuter(mozilla::ErrorResult& aError);
   int32_t GetOuterHeight(mozilla::ErrorResult& aError);
-  void SetOuterHeightOuter(int32_t aOuterHeight, mozilla::ErrorResult& aError);
+  void SetOuterHeightOuter(int32_t aOuterHeight, mozilla::ErrorResult& aError, bool aCallerIsChrome);
   void SetOuterHeight(int32_t aOuterHeight, mozilla::ErrorResult& aError);
 
   // Array of idle observers that are notified of idle events.
@@ -1457,8 +1457,8 @@ public:
 
   // Outer windows only.
   void EnsureReflowFlushAndPaint();
-  void CheckSecurityWidthAndHeight(int32_t* width, int32_t* height);
-  void CheckSecurityLeftAndTop(int32_t* left, int32_t* top);
+  void CheckSecurityWidthAndHeight(int32_t* width, int32_t* height, bool aCallerIsChrome);
+  void CheckSecurityLeftAndTop(int32_t* left, int32_t* top, bool aCallerIsChrome);
 
   // Outer windows only.
   // Arguments to this function should have values in app units
@@ -1486,7 +1486,7 @@ public:
   nsresult GetInnerSize(mozilla::CSSIntSize& aSize);
   nsIntSize GetOuterSize(mozilla::ErrorResult& aError);
   void SetOuterSize(int32_t aLengthCSSPixels, bool aIsWidth,
-                    mozilla::ErrorResult& aError);
+                    mozilla::ErrorResult& aError, bool aCallerIsChrome);
   nsRect GetInnerScreenRect();
 
   void ScrollTo(const mozilla::CSSIntPoint& aScroll,
diff --git a/dom/base/nsHostObjectProtocolHandler.cpp b/dom/base/nsHostObjectProtocolHandler.cpp
index 4e5953f739f0..07286ddfd76b 100644
--- a/dom/base/nsHostObjectProtocolHandler.cpp
+++ b/dom/base/nsHostObjectProtocolHandler.cpp
@@ -571,11 +571,14 @@ nsHostObjectProtocolHandler::NewChannel2(nsIURI* uri,
     return rv.StealNSResult();
   }
 
+  nsAutoString contentType;
+  blob->GetType(contentType);
+
   nsCOMPtr<nsIChannel> channel;
   rv = NS_NewInputStreamChannelInternal(getter_AddRefs(channel),
                                         uri,
                                         stream,
-                                        EmptyCString(), // aContentType
+                                        NS_ConvertUTF16toUTF8(contentType),
                                         EmptyCString(), // aContentCharset
                                         aLoadInfo);
   if (NS_WARN_IF(rv.Failed())) {
diff --git a/dom/base/nsIDocument.h b/dom/base/nsIDocument.h
index c91e145916a9..9c6b85946185 100644
--- a/dom/base/nsIDocument.h
+++ b/dom/base/nsIDocument.h
@@ -944,7 +944,7 @@ public:
     eAgentSheet,
     eUserSheet,
     eAuthorSheet,
-    SheetTypeCount
+    AdditionalSheetTypeCount
   };
 
   virtual nsresult LoadAdditionalStyleSheet(additionalSheetType aType, nsIURI* aSheetURI) = 0;
diff --git a/dom/base/nsScriptLoader.cpp b/dom/base/nsScriptLoader.cpp
index 8150fdffb394..530b8e9ed618 100644
--- a/dom/base/nsScriptLoader.cpp
+++ b/dom/base/nsScriptLoader.cpp
@@ -275,30 +275,41 @@ nsScriptLoader::ShouldLoadScript(nsIDocument* aDocument,
   return NS_OK;
 }
 
+class ContextMediator : public nsIStreamLoaderObserver
+{
+public:
+  explicit ContextMediator(nsScriptLoader *aScriptLoader, nsISupports *aContext)
+  : mScriptLoader(aScriptLoader)
+  , mContext(aContext) {}
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSISTREAMLOADEROBSERVER
+
+private:
+  virtual ~ContextMediator() {}
+  RefPtr<nsScriptLoader> mScriptLoader;
+  nsCOMPtr<nsISupports>  mContext;
+};
+
+NS_IMPL_ISUPPORTS(ContextMediator, nsIStreamLoaderObserver)
+
+NS_IMETHODIMP
+ContextMediator::OnStreamComplete(nsIStreamLoader* aLoader,
+                                  nsISupports* aContext,
+                                  nsresult aStatus,
+                                  uint32_t aStringLen,
+                                  const uint8_t* aString)
+{
+  // pass arguments through except for the aContext,
+  // we have to mediate and use mContext instead.
+  return mScriptLoader->OnStreamComplete(aLoader, mContext, aStatus,
+                                         aStringLen, aString);
+}
+
 nsresult
 nsScriptLoader::StartLoad(nsScriptLoadRequest *aRequest, const nsAString &aType,
                           bool aScriptFromHead)
 {
-  nsISupports *context = aRequest->mElement.get()
-                         ? static_cast<nsISupports *>(aRequest->mElement.get())
-                         : static_cast<nsISupports *>(mDocument);
-  nsresult rv = ShouldLoadScript(mDocument, context, aRequest->mURI, aType, aRequest->IsPreload());
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  nsCOMPtr<nsILoadGroup> loadGroup = mDocument->GetDocumentLoadGroup();
-
-  nsCOMPtr<nsPIDOMWindow> window(do_QueryInterface(mDocument->MasterDocument()->GetWindow()));
-
-  if (!window) {
-    return NS_ERROR_NULL_POINTER;
-  }
-
-  nsIDocShell *docshell = window->GetDocShell();
-
-  nsCOMPtr<nsIInterfaceRequestor> prompter(do_QueryInterface(docshell));
-
   // If this document is sandboxed without 'allow-scripts', abort.
   if (mDocument->GetSandboxFlags() & SANDBOXED_SCRIPTS) {
     return NS_OK;
@@ -307,17 +318,39 @@ nsScriptLoader::StartLoad(nsScriptLoadRequest *aRequest, const nsAString &aType,
   nsContentPolicyType contentPolicyType = aRequest->IsPreload()
                                           ? nsIContentPolicy::TYPE_INTERNAL_SCRIPT_PRELOAD
                                           : nsIContentPolicy::TYPE_INTERNAL_SCRIPT;
+  nsCOMPtr<nsINode> context;
+  if (aRequest->mElement) {
+    context = do_QueryInterface(aRequest->mElement);
+  }
+  else {
+    context = mDocument;
+  }
+
+  nsCOMPtr<nsILoadGroup> loadGroup = mDocument->GetDocumentLoadGroup();
+  nsCOMPtr<nsPIDOMWindow> window(do_QueryInterface(mDocument->MasterDocument()->GetWindow()));
+  NS_ENSURE_TRUE(window, NS_ERROR_NULL_POINTER);
+  nsIDocShell *docshell = window->GetDocShell();
+  nsCOMPtr<nsIInterfaceRequestor> prompter(do_QueryInterface(docshell));
+
+  nsSecurityFlags securityFlags =
+    aRequest->mCORSMode == CORS_NONE
+    ? nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL
+    : nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
+  if (aRequest->mCORSMode == CORS_USE_CREDENTIALS) {
+    securityFlags |= nsILoadInfo::SEC_REQUIRE_CORS_WITH_CREDENTIALS;
+  }
+  securityFlags |= nsILoadInfo::SEC_ALLOW_CHROME;
 
   nsCOMPtr<nsIChannel> channel;
-  rv = NS_NewChannel(getter_AddRefs(channel),
-                     aRequest->mURI,
-                     mDocument,
-                     nsILoadInfo::SEC_NORMAL,
-                     contentPolicyType,
-                     loadGroup,
-                     prompter,
-                     nsIRequest::LOAD_NORMAL |
-                     nsIChannel::LOAD_CLASSIFY_URI);
+  nsresult rv = NS_NewChannel(getter_AddRefs(channel),
+                              aRequest->mURI,
+                              context,
+                              securityFlags,
+                              contentPolicyType,
+                              loadGroup,
+                              prompter,
+                              nsIRequest::LOAD_NORMAL |
+                              nsIChannel::LOAD_CLASSIFY_URI);
 
   NS_ENSURE_SUCCESS(rv, rv);
 
@@ -356,26 +389,13 @@ nsScriptLoader::StartLoad(nsScriptLoadRequest *aRequest, const nsAString &aType,
     timedChannel->SetInitiatorType(NS_LITERAL_STRING("script"));
   }
 
+  RefPtr<ContextMediator> mediator = new ContextMediator(this, aRequest);
+
   nsCOMPtr<nsIStreamLoader> loader;
-  rv = NS_NewStreamLoader(getter_AddRefs(loader), this);
+  rv = NS_NewStreamLoader(getter_AddRefs(loader), mediator);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  nsCOMPtr<nsIStreamListener> listener = loader.get();
-
-  if (aRequest->mCORSMode != CORS_NONE) {
-    bool withCredentials = (aRequest->mCORSMode == CORS_USE_CREDENTIALS);
-    RefPtr<nsCORSListenerProxy> corsListener =
-      new nsCORSListenerProxy(listener, mDocument->NodePrincipal(),
-                              withCredentials);
-    rv = corsListener->Init(channel, DataURIHandling::Allow);
-    NS_ENSURE_SUCCESS(rv, rv);
-    listener = corsListener;
-  }
-
-  rv = channel->AsyncOpen(listener, aRequest);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  return NS_OK;
+  return channel->AsyncOpen2(loader);
 }
 
 bool
diff --git a/dom/base/nsXMLHttpRequest.cpp b/dom/base/nsXMLHttpRequest.cpp
index da9148bb42b9..92f9a45c1562 100644
--- a/dom/base/nsXMLHttpRequest.cpp
+++ b/dom/base/nsXMLHttpRequest.cpp
@@ -51,10 +51,7 @@
 #include "nsICachingChannel.h"
 #include "nsContentUtils.h"
 #include "nsCycleCollectionParticipant.h"
-#include "nsIContentPolicy.h"
-#include "nsContentPolicyUtils.h"
 #include "nsError.h"
-#include "nsCORSListenerProxy.h"
 #include "nsIHTMLDocument.h"
 #include "nsIStorageStream.h"
 #include "nsIPromptFactory.h"
@@ -126,7 +123,7 @@ using namespace mozilla::dom;
 #define XML_HTTP_REQUEST_SYNCLOOPING    (1 << 10) // Internal
 #define XML_HTTP_REQUEST_BACKGROUND     (1 << 13) // Internal
 #define XML_HTTP_REQUEST_USE_XSITE_AC   (1 << 14) // Internal
-#define XML_HTTP_REQUEST_NEED_AC_PREFLIGHT (1 << 15) // Internal
+#define XML_HTTP_REQUEST_NEED_AC_PREFLIGHT_IF_XSITE (1 << 15) // Internal
 #define XML_HTTP_REQUEST_AC_WITH_CREDENTIALS (1 << 16) // Internal
 #define XML_HTTP_REQUEST_TIMED_OUT (1 << 17) // Internal
 #define XML_HTTP_REQUEST_DELETED (1 << 18) // Internal
@@ -1533,47 +1530,15 @@ nsXMLHttpRequest::IsSystemXHR()
   return mIsSystem || nsContentUtils::IsSystemPrincipal(mPrincipal);
 }
 
-nsresult
+void
 nsXMLHttpRequest::CheckChannelForCrossSiteRequest(nsIChannel* aChannel)
 {
   // A system XHR (chrome code or a web app with the right permission) can
-  // always perform cross-site requests. In the web app case, however, we
-  // must still check for protected URIs like file:///.
-  if (IsSystemXHR()) {
-    if (!nsContentUtils::IsSystemPrincipal(mPrincipal)) {
-      nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
-      nsCOMPtr<nsIURI> uri;
-      aChannel->GetOriginalURI(getter_AddRefs(uri));
-      return secMan->CheckLoadURIWithPrincipal(
-        mPrincipal, uri, nsIScriptSecurityManager::STANDARD);
-    }
-    return NS_OK;
+  // load anything, and same-origin loads are always allowed.
+  if (!IsSystemXHR() &&
+      !nsContentUtils::CheckMayLoad(mPrincipal, aChannel, true)) {
+    mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
   }
-
-  // If this is a same-origin request or the channel's URI inherits
-  // its principal, it's allowed.
-  if (nsContentUtils::CheckMayLoad(mPrincipal, aChannel, true)) {
-    return NS_OK;
-  }
-
-  // This is a cross-site request
-  mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
-
-  // Check if we need to do a preflight request.
-  nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
-  NS_ENSURE_TRUE(httpChannel, NS_ERROR_DOM_BAD_URI);
-
-  nsAutoCString method;
-  httpChannel->GetRequestMethod(method);
-  if (!mCORSUnsafeHeaders.IsEmpty() ||
-      (mUpload && mUpload->HasListeners()) ||
-      (!method.LowerCaseEqualsLiteral("get") &&
-       !method.LowerCaseEqualsLiteral("post") &&
-       !method.LowerCaseEqualsLiteral("head"))) {
-    mState |= XML_HTTP_REQUEST_NEED_AC_PREFLIGHT;
-  }
-
-  return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -1680,21 +1645,6 @@ nsXMLHttpRequest::Open(const nsACString& inMethod, const nsACString& url,
 
   rv = CheckInnerWindowCorrectness();
   NS_ENSURE_SUCCESS(rv, rv);
-  int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST,
-                                 uri,
-                                 mPrincipal,
-                                 doc,
-                                 EmptyCString(), //mime guess
-                                 nullptr,         //extra
-                                 &shouldLoad,
-                                 nsContentUtils::GetContentPolicy(),
-                                 nsContentUtils::GetSecurityManager());
-  if (NS_FAILED(rv)) return rv;
-  if (NS_CP_REJECTED(shouldLoad)) {
-    // Disallowed by content policy
-    return NS_ERROR_CONTENT_BLOCKED;
-  }
 
   // XXXbz this is wrong: we should only be looking at whether
   // user/password were passed, not at the values!  See bug 759624.
@@ -1717,20 +1667,27 @@ nsXMLHttpRequest::Open(const nsACString& inMethod, const nsACString& url,
   // will be automatically aborted if the user leaves the page.
   nsCOMPtr<nsILoadGroup> loadGroup = GetLoadGroup();
 
-  nsSecurityFlags secFlags = nsILoadInfo::SEC_NORMAL;
+  nsSecurityFlags secFlags;
   nsLoadFlags loadFlags = nsIRequest::LOAD_BACKGROUND;
-  if (IsSystemXHR()) {
-    // Don't give this document the system principal.  We need to keep track of
-    // mPrincipal being system because we use it for various security checks
-    // that should be passing, but the document data shouldn't get a system
-    // principal.  Hence we set the sandbox flag in loadinfo, so that 
-    // GetChannelResultPrincipal will give us the nullprincipal.
-    secFlags |= nsILoadInfo::SEC_SANDBOXED;
-
-    //For a XHR, disable interception
+  if (nsContentUtils::IsSystemPrincipal(mPrincipal)) {
+    // When chrome is loading we want to make sure to sandbox any potential
+    // result document. We also want to allow cross-origin loads.
+    secFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL |
+               nsILoadInfo::SEC_SANDBOXED;
+  }
+  else if (IsSystemXHR()) {
+    // For pages that have appropriate permissions, we want to still allow
+    // cross-origin loads, but make sure that the any potential result
+    // documents get the same principal as the loader.
+    secFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS |
+               nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL;
     loadFlags |= nsIChannel::LOAD_BYPASS_SERVICE_WORKER;
-  } else {
-    secFlags |= nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL;
+  }
+  else {
+    // Otherwise use CORS. Again, make sure that potential result documents
+    // use the same principal as the loader.
+    secFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS |
+               nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL;
   }
 
   // If we have the document, use it
@@ -1755,10 +1712,10 @@ nsXMLHttpRequest::Open(const nsACString& inMethod, const nsACString& url,
                        loadFlags);
   }
 
-  if (NS_FAILED(rv)) return rv;
+  NS_ENSURE_SUCCESS(rv, rv);
 
   mState &= ~(XML_HTTP_REQUEST_USE_XSITE_AC |
-              XML_HTTP_REQUEST_NEED_AC_PREFLIGHT);
+              XML_HTTP_REQUEST_NEED_AC_PREFLIGHT_IF_XSITE);
 
   nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(mChannel));
   if (httpChannel) {
@@ -1774,7 +1731,7 @@ nsXMLHttpRequest::Open(const nsACString& inMethod, const nsACString& url,
 
   ChangeState(XML_HTTP_REQUEST_OPENED);
 
-  return rv;
+  return NS_OK;
 }
 
 void
@@ -2818,14 +2775,21 @@ nsXMLHttpRequest::Send(nsIVariant* aVariant, const Nullable<RequestBody>& aBody)
 
   ResetResponse();
 
-  rv = CheckChannelForCrossSiteRequest(mChannel);
-  NS_ENSURE_SUCCESS(rv, rv);
+  CheckChannelForCrossSiteRequest(mChannel);
 
   bool withCredentials = !!(mState & XML_HTTP_REQUEST_AC_WITH_CREDENTIALS);
 
-  // Hook us up to listen to redirects and the like
-  mChannel->GetNotificationCallbacks(getter_AddRefs(mNotificationCallbacks));
-  mChannel->SetNotificationCallbacks(this);
+  if (!IsSystemXHR() && withCredentials) {
+    // This is quite sad. We have to create the channel in .open(), since the
+    // chrome-only xhr.channel API depends on that. However .withCredentials
+    // can be modified after, so we don't know what to set the
+    // SEC_REQUIRE_CORS_WITH_CREDENTIALS flag to when the channel is
+    // created. So set it here using a hacky internal API.
+
+    // Not doing this for system XHR uses since those don't use CORS.
+    nsCOMPtr<nsILoadInfo> loadInfo = mChannel->GetLoadInfo();
+    static_cast<LoadInfo*>(loadInfo.get())->SetWithCredentialsSecFlag();
+  }
 
   // Blocking gets are common enough out of XHR that we should mark
   // the channel slow by default for pipeline purposes
@@ -2846,24 +2810,6 @@ nsXMLHttpRequest::Send(nsIVariant* aVariant, const Nullable<RequestBody>& aBody)
     internalHttpChannel->SetResponseTimeoutEnabled(false);
   }
 
-  nsCOMPtr<nsIStreamListener> listener = this;
-  if (!IsSystemXHR()) {
-    // Always create a nsCORSListenerProxy here even if it's
-    // a same-origin request right now, since it could be redirected.
-    RefPtr<nsCORSListenerProxy> corsListener =
-      new nsCORSListenerProxy(listener, mPrincipal, withCredentials);
-    rv = corsListener->Init(mChannel, DataURIHandling::Allow);
-    NS_ENSURE_SUCCESS(rv, rv);
-    listener = corsListener;
-  }
-  else {
-    // Because of bug 682305, we can't let listener be the XHR object itself
-    // because JS wouldn't be able to use it. So if we haven't otherwise
-    // created a listener around 'this', do so now.
-
-    listener = new nsStreamListenerWrapper(listener);
-  }
-
   if (mIsAnon) {
     AddLoadFlags(mChannel, nsIRequest::LOAD_ANONYMOUS);
   }
@@ -2871,9 +2817,6 @@ nsXMLHttpRequest::Send(nsIVariant* aVariant, const Nullable<RequestBody>& aBody)
     AddLoadFlags(mChannel, nsIChannel::LOAD_EXPLICIT_CREDENTIALS);
   }
 
-  NS_ASSERTION(listener != this,
-               "Using an object as a listener that can't be exposed to JS");
-
   // When we are sync loading, we need to bypass the local cache when it would
   // otherwise block us waiting for exclusive access to the cache.  If we don't
   // do this, then we could dead lock in some cases (see bug 309424).
@@ -2906,10 +2849,19 @@ nsXMLHttpRequest::Send(nsIVariant* aVariant, const Nullable<RequestBody>& aBody)
   mRequestSentTime = PR_Now();
   StartTimeoutTimer();
 
+  // Check if we need to do a preflight request.
+  if (!mCORSUnsafeHeaders.IsEmpty() ||
+      (mUpload && mUpload->HasListeners()) ||
+      (!method.LowerCaseEqualsLiteral("get") &&
+       !method.LowerCaseEqualsLiteral("post") &&
+       !method.LowerCaseEqualsLiteral("head"))) {
+    mState |= XML_HTTP_REQUEST_NEED_AC_PREFLIGHT_IF_XSITE;
+  }
+
   // Set up the preflight if needed
-  if (mState & XML_HTTP_REQUEST_NEED_AC_PREFLIGHT) {
-    // Check to see if this initial OPTIONS request has already been cached
-    // in our special Access Control Cache.
+  if ((mState & XML_HTTP_REQUEST_USE_XSITE_AC) &&
+      (mState & XML_HTTP_REQUEST_NEED_AC_PREFLIGHT_IF_XSITE)) {
+    NS_ENSURE_TRUE(internalHttpChannel, NS_ERROR_DOM_BAD_URI);
 
     rv = internalHttpChannel->SetCorsPreflightParameters(mCORSUnsafeHeaders,
                                                          withCredentials, mPrincipal);
@@ -2932,16 +2884,30 @@ nsXMLHttpRequest::Send(nsIVariant* aVariant, const Nullable<RequestBody>& aBody)
     }
   }
 
+  // Hook us up to listen to redirects and the like
+  // Only do this very late since this creates a cycle between
+  // the channel and us. This cycle has to be manually broken if anything
+  // below fails.
+  mChannel->GetNotificationCallbacks(getter_AddRefs(mNotificationCallbacks));
+  mChannel->SetNotificationCallbacks(this);
+
   // Start reading from the channel
-  rv = mChannel->AsyncOpen(listener, nullptr);
+  // Because of bug 682305, we can't let listener be the XHR object itself
+  // because JS wouldn't be able to use it. So create a listener around 'this'.
+  // Make sure to hold a strong reference so that we don't leak the wrapper.
+  nsCOMPtr<nsIStreamListener> listener = new nsStreamListenerWrapper(this);
+  rv = mChannel->AsyncOpen2(listener);
+  listener = nullptr;
 
   if (NS_WARN_IF(NS_FAILED(rv))) {
-    // Drop our ref to the channel to avoid cycles
+    // Drop our ref to the channel to avoid cycles. Also drop channel's
+    // ref to us to be extra safe.
+    mChannel->SetNotificationCallbacks(mNotificationCallbacks);
     mChannel = nullptr;
+
     return rv;
   }
 
-  // Either AsyncOpen was called, or CORS will open the channel later.
   mWaitingForOnStopRequest = true;
 
   // If we're synchronous, spin an event loop here and wait
@@ -3384,17 +3350,12 @@ nsXMLHttpRequest::AsyncOnChannelRedirect(nsIChannel *aOldChannel,
   nsresult rv;
 
   if (!NS_IsInternalSameURIRedirect(aOldChannel, aNewChannel, aFlags)) {
-    rv = CheckChannelForCrossSiteRequest(aNewChannel);
-    if (NS_FAILED(rv)) {
-      NS_WARNING("nsXMLHttpRequest::OnChannelRedirect: "
-                 "CheckChannelForCrossSiteRequest returned failure");
-      return rv;
-    }
+    CheckChannelForCrossSiteRequest(aNewChannel);
 
     // Disable redirects for preflighted cross-site requests entirely for now
-    // Note, do this after the call to CheckChannelForCrossSiteRequest
-    // to make sure that XML_HTTP_REQUEST_USE_XSITE_AC is up-to-date
-    if ((mState & XML_HTTP_REQUEST_NEED_AC_PREFLIGHT)) {
+    if ((mState & XML_HTTP_REQUEST_USE_XSITE_AC) &&
+        (mState & XML_HTTP_REQUEST_NEED_AC_PREFLIGHT_IF_XSITE)) {
+       aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
        return NS_ERROR_DOM_BAD_URI;
     }
   }
@@ -3555,7 +3516,7 @@ bool
 nsXMLHttpRequest::AllowUploadProgress()
 {
   return !(mState & XML_HTTP_REQUEST_USE_XSITE_AC) ||
-    (mState & XML_HTTP_REQUEST_NEED_AC_PREFLIGHT);
+    (mState & XML_HTTP_REQUEST_NEED_AC_PREFLIGHT_IF_XSITE);
 }
 
 /////////////////////////////////////////////////////
diff --git a/dom/base/nsXMLHttpRequest.h b/dom/base/nsXMLHttpRequest.h
index c5d39a7c980b..a317fcfe4952 100644
--- a/dom/base/nsXMLHttpRequest.h
+++ b/dom/base/nsXMLHttpRequest.h
@@ -626,7 +626,7 @@ protected:
    *
    * Also updates the XML_HTTP_REQUEST_USE_XSITE_AC bit.
    */
-  nsresult CheckChannelForCrossSiteRequest(nsIChannel* aChannel);
+  void CheckChannelForCrossSiteRequest(nsIChannel* aChannel);
 
   void StartProgressEventTimer();
 
diff --git a/dom/base/test/file_XHRResponseURL.js b/dom/base/test/file_XHRResponseURL.js
index 3581988b87ff..dbe844bc43a3 100644
--- a/dom/base/test/file_XHRResponseURL.js
+++ b/dom/base/test/file_XHRResponseURL.js
@@ -50,28 +50,6 @@ function info(aMessage) {
   message(obj);
 }
 
-function todo(aBool, aMessage) {
-  var obj = {
-    type: "todo",
-    bool: aBool,
-    message: aMessage
-  };
-  ++message.ping;
-  message(obj);
-}
-
-function todo_is(aActual, aExpected, aMessage) {
-  var obj = {
-    type: "todo_is",
-    actual: aActual,
-    expected: aExpected,
-    message: aMessage
-  };
-  ++message.ping;
-  message(obj);
-}
-
-
 function request(aURL) {
   return new Promise(function (aResolve, aReject) {
     var xhr = new XMLHttpRequest();
@@ -125,15 +103,11 @@ function testSuccessResponse() {
       message: "request to same-origin redirect to cross-origin URL",
       requestURL: "http://mochi.test:8888/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://example.com/tests/dom/base/test/file_XHRResponseURL.text",
       responseURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request to same-origin redirects several times and finally go to cross-origin URL",
       requestURL: "http://mochi.test:8888/tests/dom/base/test/file_XHRResponseURL.sjs?url=" + encodeURIComponent("http://mochi.test:8888/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://example.com/tests/dom/base/test/file_XHRResponseURL.text"),
       responseURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
 
     // tests that start with cross-origin request
@@ -151,43 +125,31 @@ function testSuccessResponse() {
       message: "request to cross-origin redirect to the same cross-origin URL",
       requestURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://example.com/tests/dom/base/test/file_XHRResponseURL.text",
       responseURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request to cross-origin redirect to another cross-origin URL",
       requestURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://example.org/tests/dom/base/test/file_XHRResponseURL.text",
       responseURL: "http://example.org/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request to cross-origin redirects several times and finally go to same-origin URL",
       requestURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=" + encodeURIComponent("http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://mochi.test:8888/tests/dom/base/test/file_XHRResponseURL.text"),
       responseURL: "http://mochi.test:8888/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request to cross-origin redirects several times and finally go to the same cross-origin URL",
       requestURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=" + encodeURIComponent("http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://example.com/tests/dom/base/test/file_XHRResponseURL.text"),
       responseURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request to cross-origin redirects several times and finally go to another cross-origin URL",
       requestURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=" + encodeURIComponent("http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://example.org/tests/dom/base/test/file_XHRResponseURL.text"),
       responseURL: "http://example.org/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request to cross-origin redirects to another cross-origin and finally go to the other cross-origin URL",
       requestURL: "http://example.com/tests/dom/base/test/file_XHRResponseURL.sjs?url=" + encodeURIComponent("http://example.org/tests/dom/base/test/file_XHRResponseURL.sjs?url=http://test1.example.com/tests/dom/base/test/file_XHRResponseURL.text"),
       responseURL: "http://test1.example.com/tests/dom/base/test/file_XHRResponseURL.text",
-      skip: isInWorker(),
-      reason: "cross-origin redirect request not works on Workers, see bug 882458"
     },
     {
       message: "request URL has fragment",
@@ -209,13 +171,8 @@ function testSuccessResponse() {
   ];
 
   var sequence = createSequentialRequest(parameters, function (aXHR, aParam) {
-    if (aParam.skip) {
-      todo(aXHR.succeeded, aParam.reason);
-      todo_is(aXHR.responseURL, aParam.responseURL, aParam.reason);
-    } else {
-      ok(aXHR.succeeded, "assert request succeeded");
-      is(aXHR.responseURL, aParam.responseURL, aParam.message);
-    }
+    ok(aXHR.succeeded, "assert request succeeded");
+    is(aXHR.responseURL, aParam.responseURL, aParam.message);
   });
 
   sequence.then(function () {
diff --git a/dom/base/test/mochitest.ini b/dom/base/test/mochitest.ini
index 1e06815c3b50..94fb3f252091 100644
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -510,7 +510,6 @@ skip-if = (buildapp == 'b2g' && toolkit != 'gonk') #Bug 931116, b2g desktop spec
 [test_bug433533.html]
 [test_bug433662.html]
 [test_bug435425.html]
-[test_bug438519.html]
 [test_bug444030.xhtml]
 [test_bug444322.html]
 [test_bug444722.html]
diff --git a/dom/base/test/test_bug438519.html b/dom/base/test/test_bug438519.html
deleted file mode 100644
index 35508b1a6948..000000000000
--- a/dom/base/test/test_bug438519.html
+++ /dev/null
@@ -1,44 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=438519
--->
-<head>
-  <title>Test for Bug 438519</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body onload="doTest()">
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=438519">Mozilla Bug 438519</a>
-<p id="display"></p>
-<div id="content" style="display:none">
-
-<iframe id="empty" src="data:text/xml,<!DOCTYPE HTML []><html></html>"></iframe>
-<iframe id="missing" src="data:text/xml,<!DOCTYPE HTML><html></html>"></iframe>
-<iframe id="entity" src="data:text/xml,<!DOCTYPE HTML [ <!ENTITY foo 'foo'> ]><html></html>"></iframe>
-
-</div>
-<pre id="test">
-<script class="testbody" type="text/javascript">
-
-/** Test for Bug 218236 **/
-
-SimpleTest.waitForExplicitFinish();
-
-function doTest() {
-  function checkInternalSubset(id, expected) {
-    var e = document.getElementById(id);
-    is(e.contentDocument.doctype.internalSubset, expected, "checking '" + id + "'");
-  }
-
-  checkInternalSubset("empty", "");
-  checkInternalSubset("missing", null);
-  checkInternalSubset("entity", " <!ENTITY foo 'foo'> ");
-  SimpleTest.finish();
-}
-
-</script>
-</pre>
-</body>
-</html>
-
diff --git a/dom/base/test/test_createHTMLDocument.html b/dom/base/test/test_createHTMLDocument.html
index 501ac5d5cd3d..66b090d189bf 100644
--- a/dom/base/test/test_createHTMLDocument.html
+++ b/dom/base/test/test_createHTMLDocument.html
@@ -24,7 +24,6 @@ function checkDoc(title, expectedtitle, normalizedtitle) {
   is(doc.doctype.name, "html");
   is(doc.doctype.publicId, "");
   is(doc.doctype.systemId, "");
-  is(doc.doctype.internalSubset, null, "internalSubset should be null!");
   isElement(doc.documentElement, "html");
   isElement(doc.documentElement.firstChild, "head");
   if (title !== undefined) {
diff --git a/dom/base/test/test_urlSearchParams.html b/dom/base/test/test_urlSearchParams.html
index b43c790b707d..c42a00ad9fea 100644
--- a/dom/base/test/test_urlSearchParams.html
+++ b/dom/base/test/test_urlSearchParams.html
@@ -237,6 +237,58 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=887836
     runTest();
   }
 
+  function testIterable() {
+    var u = new URLSearchParams();
+    u.set('1','2');
+    u.set('2','4');
+    u.set('3','6');
+    u.set('4','8');
+    u.set('5','10');
+
+    var key_iter = u.keys();
+    var value_iter = u.values();
+    var entries_iter = u.entries();
+    for (var i = 0; i < 5; ++i) {
+      var v = i + 1;
+      var key = key_iter.next();
+      var value = value_iter.next();
+      var entry = entries_iter.next();
+      is(key.value, v.toString(), "Correct Key iterator: " + v.toString());
+      ok(!key.done, "Key.done is false");
+      is(value.value, (v * 2).toString(), "Correct Value iterator: " + (v * 2).toString());
+      ok(!value.done, "Value.done is false");
+      is(entry.value[0], v.toString(), "Correct Entry 0 iterator: " + v.toString());
+      is(entry.value[1], (v * 2).toString(), "Correct Entry 1 iterator: " + (v * 2).toString());
+      ok(!entry.done, "Entry.done is false");
+    }
+
+    var last = key_iter.next();
+    ok(last.done, "Nothing more to read.");
+    is(last.value, undefined, "Undefined is the last key");
+
+    last = value_iter.next();
+    ok(last.done, "Nothing more to read.");
+    is(last.value, undefined, "Undefined is the last value");
+
+    last = entries_iter.next();
+    ok(last.done, "Nothing more to read.");
+
+    key_iter = u.keys();
+    key_iter.next();
+    key_iter.next();
+    u.delete('1');
+    u.delete('2');
+    u.delete('3');
+    u.delete('4');
+    u.delete('5');
+
+    last = key_iter.next();
+    ok(last.done, "Nothing more to read.");
+    is(last.value, undefined, "Undefined is the last key");
+
+    runTest();
+  }
+
   var tests = [
     testSimpleURLSearchParams,
     testCopyURLSearchParams,
@@ -248,7 +300,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=887836
     testOrdering,
     testDelete,
     testGetNULL,
-    testSet
+    testSet,
+    testIterable
   ];
 
   function runTest() {
diff --git a/dom/bindings/Bindings.conf b/dom/bindings/Bindings.conf
index 1ccd06b6c957..f79de248864d 100644
--- a/dom/bindings/Bindings.conf
+++ b/dom/bindings/Bindings.conf
@@ -700,10 +700,6 @@ DOMInterfaces = {
     'notflattened': True
 },
 
-'IterableIterator': {
-    'skipGen': True
-},
-
 'KeyEvent': {
     'concrete': False
 },
diff --git a/dom/bindings/parser/WebIDL.py b/dom/bindings/parser/WebIDL.py
index ee83ad33fc88..c0860584e228 100644
--- a/dom/bindings/parser/WebIDL.py
+++ b/dom/bindings/parser/WebIDL.py
@@ -740,7 +740,7 @@ class IDLInterface(IDLObjectWithScope, IDLExposureMixins):
                                       "interface that already has %s "
                                       "declaration" %
                                       (member.maplikeOrSetlikeOrIterableType,
-                                       self.maplikeOrSetlike.maplikeOrSetlikeOrIterableType),
+                                       self.maplikeOrSetlikeOrIterable.maplikeOrSetlikeOrIterableType),
                                       [self.maplikeOrSetlikeOrIterable.location,
                                        member.location])
                 self.maplikeOrSetlikeOrIterable = member
@@ -6567,6 +6567,7 @@ class Parser(Tokenizer):
         interfaceStatements = [p for p in self._productions if
                                isinstance(p, IDLInterface)]
 
+        iterableIteratorIface = None
         for iface in interfaceStatements:
             iterable = None
             # We haven't run finish() on the interface yet, so we don't know
@@ -6578,33 +6579,30 @@ class Parser(Tokenizer):
                     iterable = m
                     break
             if iterable:
+                def simpleExtendedAttr(str):
+                    return IDLExtendedAttribute(iface.location, (str, ))
+                nextMethod = IDLMethod(
+                    iface.location,
+                    IDLUnresolvedIdentifier(iface.location, "next"),
+                    BuiltinTypes[IDLBuiltinType.Types.object], [])
+                nextMethod.addExtendedAttributes([simpleExtendedAttr("Throws")])
                 itr_ident = IDLUnresolvedIdentifier(iface.location,
                                                     iface.identifier.name + "Iterator")
                 itr_iface = IDLInterface(iface.location, self.globalScope(),
-                                         itr_ident, None, [],
+                                         itr_ident, None, [nextMethod],
                                          isKnownNonPartial=True)
-                itr_iface.addExtendedAttributes([IDLExtendedAttribute(iface.location,
-                                                                      ("NoInterfaceObject", ))])
+                itr_iface.addExtendedAttributes([simpleExtendedAttr("NoInterfaceObject")])
                 # Make sure the exposure set for the iterator interface is the
                 # same as the exposure set for the iterable interface, because
                 # we're going to generate methods on the iterable that return
                 # instances of the iterator.
                 itr_iface._exposureGlobalNames = set(iface._exposureGlobalNames)
-                # Always append generated iterable interfaces and their
-                # matching implements statements after the interface they're a
-                # member of, otherwise nativeType generation won't work
-                # correctly.
+                # Always append generated iterable interfaces after the
+                # interface they're a member of, otherwise nativeType generation
+                # won't work correctly.
                 itr_iface.iterableInterface = iface
                 self._productions.append(itr_iface)
                 iterable.iteratorType = IDLWrapperType(iface.location, itr_iface)
-                itrPlaceholder = IDLIdentifierPlaceholder(iface.location,
-                                                          IDLUnresolvedIdentifier(iface.location,
-                                                                                  "IterableIterator"))
-                implements = IDLImplementsStatement(iface.location,
-                                                    IDLIdentifierPlaceholder(iface.location,
-                                                                             itr_ident),
-                                                    itrPlaceholder)
-                self._productions.append(implements)
 
         # Then, finish all the IDLImplementsStatements.  In particular, we
         # have to make sure we do those before we do the IDLInterfaces.
diff --git a/dom/bindings/parser/tests/test_interface_maplikesetlikeiterable.py b/dom/bindings/parser/tests/test_interface_maplikesetlikeiterable.py
index d9126dbae302..ed6f4c40a482 100644
--- a/dom/bindings/parser/tests/test_interface_maplikesetlikeiterable.py
+++ b/dom/bindings/parser/tests/test_interface_maplikesetlikeiterable.py
@@ -10,20 +10,24 @@ def WebIDLTest(parser, harness):
                       "%s - Should have production count %d" % (prefix, numProductions))
         harness.ok(isinstance(results[0], WebIDL.IDLInterface),
                    "%s - Should be an IDLInterface" % (prefix))
-        harness.check(len(results[0].members), len(expectedMembers),
-                      "%s - Should be %d members" % (prefix,
-                                                     len(expectedMembers)))
+        # Make a copy, since we plan to modify it
+        expectedMembers = list(expectedMembers)
         for m in results[0].members:
             name = m.identifier.name
             if (name, type(m)) in expectedMembers:
                 harness.ok(True, "%s - %s - Should be a %s" % (prefix, name,
                                                                type(m)))
-            elif isinstance(m, WebIDL.IDLMaplikeOrSetlike):
-                harness.ok(True, "%s - %s - Should be a MaplikeOrSetlike" %
-                           (prefix, name))
+                expectedMembers.remove((name, type(m)))
             else:
                 harness.ok(False, "%s - %s - Unknown symbol of type %s" %
                            (prefix, name, type(m)))
+        # A bit of a hoop because we can't generate the error string if we pass
+        if len(expectedMembers) == 0:
+            harness.ok(True, "Found all the members")
+        else:
+            harness.ok(False,
+                       "Expected member not found: %s of type %s" %
+                       (expectedMembers[0][0], expectedMembers[0][1]))
         return results
 
     def shouldFail(prefix, iface):
@@ -38,11 +42,11 @@ def WebIDLTest(parser, harness):
                        prefix + " - Interface failed as expected")
         except Exception, e:
             harness.ok(False,
-                       prefix + " - Interface failed but not as a WebIDLError exception")
+                       prefix + " - Interface failed but not as a WebIDLError exception: %s" % e)
 
     iterableMembers = [(x, WebIDL.IDLMethod) for x in ["entries", "keys",
                                                        "values"]]
-    setROMembers = ([(x, WebIDL.IDLMethod) for x in ["has", "foreach"]] +
+    setROMembers = ([(x, WebIDL.IDLMethod) for x in ["has", "forEach"]] +
                     [("__setlike", WebIDL.IDLMaplikeOrSetlike)] +
                     iterableMembers)
     setROMembers.extend([("size", WebIDL.IDLAttribute)])
@@ -58,7 +62,7 @@ def WebIDLTest(parser, harness):
                                                            "__clear",
                                                            "__delete"]] +
                           setRWMembers)
-    mapROMembers = ([(x, WebIDL.IDLMethod) for x in ["get", "has", "foreach"]] +
+    mapROMembers = ([(x, WebIDL.IDLMethod) for x in ["get", "has", "forEach"]] +
                     [("__maplike", WebIDL.IDLMaplikeOrSetlike)] +
                     iterableMembers)
     mapROMembers.extend([("size", WebIDL.IDLAttribute)])
@@ -70,6 +74,10 @@ def WebIDLTest(parser, harness):
                                                            "__delete"]] +
                           mapRWMembers)
 
+    # OK, now that we've used iterableMembers to set up the above, append
+    # __iterable to it for the iterable<> case.
+    iterableMembers.append(("__iterable", WebIDL.IDLIterable))
+
     disallowedIterableNames = ["keys", "entries", "values"]
     disallowedMemberNames = ["forEach", "has", "size"] + disallowedIterableNames
     mapDisallowedMemberNames = ["get"] + disallowedMemberNames
@@ -86,14 +94,18 @@ def WebIDLTest(parser, harness):
                interface Foo1 {
                iterable<long>;
                };
-               """, iterableMembers)
+               """, iterableMembers,
+               # numProductions == 2 because of the generated iterator iface,
+               numProductions=2)
 
     shouldPass("Iterable (key and value)",
                """
                interface Foo1 {
                iterable<long, long>;
                };
-               """, iterableMembers)
+               """, iterableMembers,
+               # numProductions == 2 because of the generated iterator iface,
+               numProductions=2)
 
     shouldPass("Maplike (readwrite)",
                """
@@ -574,5 +586,5 @@ def WebIDLTest(parser, harness):
         if m.identifier.name in ["clear", "set", "delete"]:
             harness.ok(m.isMethod(), "%s should be a method" % m.identifier.name)
             harness.check(m.maxArgCount, 4, "%s should have 4 arguments" % m.identifier.name)
-            harness.ok(not m.isMaplikeOrSetlikeMethod(),
+            harness.ok(not m.isMaplikeOrSetlikeOrIterableMethod(),
                        "%s should not be a maplike/setlike function" % m.identifier.name)
diff --git a/dom/cache/DBSchema.cpp b/dom/cache/DBSchema.cpp
index 80b7c7d6d703..e75ff6809364 100644
--- a/dom/cache/DBSchema.cpp
+++ b/dom/cache/DBSchema.cpp
@@ -192,8 +192,7 @@ static_assert(int(HeadersGuardEnum::None) == 0 &&
 static_assert(int(RequestMode::Same_origin) == 0 &&
               int(RequestMode::No_cors) == 1 &&
               int(RequestMode::Cors) == 2 &&
-              int(RequestMode::Cors_with_forced_preflight) == 3 &&
-              int(RequestMode::EndGuard_) == 4,
+              int(RequestMode::EndGuard_) == 3,
               "RequestMode values are as expected");
 static_assert(int(RequestCredentials::Omit) == 0 &&
               int(RequestCredentials::Same_origin) == 1 &&
diff --git a/dom/canvas/WebGL2Context.h b/dom/canvas/WebGL2Context.h
index e3556ed6fd93..f3d11cac1459 100644
--- a/dom/canvas/WebGL2Context.h
+++ b/dom/canvas/WebGL2Context.h
@@ -71,6 +71,11 @@ public:
                          GLint dstX0, GLint dstY0, GLint dstX1, GLint dstY1,
                          GLbitfield mask, GLenum filter);
     void FramebufferTextureLayer(GLenum target, GLenum attachment, WebGLTexture* texture, GLint level, GLint layer);
+
+    virtual JS::Value GetFramebufferAttachmentParameter(JSContext* cx, GLenum target,
+                                                        GLenum attachment, GLenum pname,
+                                                        ErrorResult& rv) override;
+
     void InvalidateFramebuffer(GLenum target, const dom::Sequence<GLenum>& attachments,
                                ErrorResult& rv);
     void InvalidateSubFramebuffer (GLenum target, const dom::Sequence<GLenum>& attachments, GLint x, GLint y,
diff --git a/dom/canvas/WebGL2ContextFramebuffers.cpp b/dom/canvas/WebGL2ContextFramebuffers.cpp
index 62d330f2a254..abf5c3eb2d87 100644
--- a/dom/canvas/WebGL2ContextFramebuffers.cpp
+++ b/dom/canvas/WebGL2ContextFramebuffers.cpp
@@ -8,10 +8,17 @@
 #include "GLContext.h"
 #include "GLScreenBuffer.h"
 #include "WebGLContextUtils.h"
+#include "WebGLFormats.h"
 #include "WebGLFramebuffer.h"
 
 namespace mozilla {
 
+using gl::GLContext;
+using gl::GLFormats;
+using webgl::EffectiveFormat;
+using webgl::FormatInfo;
+using webgl::ComponentType;
+
 // Returns one of FLOAT, INT, UNSIGNED_INT.
 // Fixed-points (normalized ints) are considered FLOAT.
 static GLenum
@@ -418,6 +425,103 @@ WebGL2Context::FramebufferTextureLayer(GLenum target, GLenum attachment,
     fb->FramebufferTextureLayer(attachment, texture, level, layer);
 }
 
+JS::Value
+WebGL2Context::GetFramebufferAttachmentParameter(JSContext* cx,
+                                                 GLenum target,
+                                                 GLenum attachment,
+                                                 GLenum pname,
+                                                 ErrorResult& rv)
+{
+    if (IsContextLost())
+        return JS::NullValue();
+
+    // OpenGL ES 3.0.4 (August 27, 2014) 6.1. QUERYING GL STATE 240
+    // "getFramebufferAttachmentParamter returns information about attachments of a bound
+    // framebuffer object. target must be DRAW_FRAMEBUFFER, READ_FRAMEBUFFER, or
+    // FRAMEBUFFER."
+
+    if (!ValidateFramebufferTarget(target, "getFramebufferAttachmentParameter"))
+        return JS::NullValue();
+
+    // FRAMEBUFFER is equivalent to DRAW_FRAMEBUFFER.
+    if (target == LOCAL_GL_FRAMEBUFFER)
+        target = LOCAL_GL_DRAW_FRAMEBUFFER;
+
+    WebGLFramebuffer* boundFB = nullptr;
+    switch (target) {
+    case LOCAL_GL_DRAW_FRAMEBUFFER: boundFB = mBoundDrawFramebuffer; break;
+    case LOCAL_GL_READ_FRAMEBUFFER: boundFB = mBoundReadFramebuffer; break;
+    }
+
+    if (boundFB) {
+        return boundFB->GetAttachmentParameter(cx, attachment, pname, rv);
+    }
+
+    // Handle default FB
+    const gl::GLFormats& formats = gl->GetGLFormats();
+    GLenum internalFormat = LOCAL_GL_NONE;
+
+    /* If the default framebuffer is bound to target, then attachment must be BACK,
+       identifying the color buffer; DEPTH, identifying the depth buffer; or STENCIL,
+       identifying the stencil buffer. */
+    switch (attachment) {
+    case LOCAL_GL_BACK:
+        internalFormat = formats.color_texInternalFormat;
+        break;
+
+    case LOCAL_GL_DEPTH:
+        internalFormat = formats.depth;
+        break;
+
+    case LOCAL_GL_STENCIL:
+        internalFormat = formats.stencil;
+        break;
+
+    default:
+        ErrorInvalidEnum("getFramebufferAttachmentParameter: Can only query "
+                         "attachment BACK, DEPTH, or STENCIL from default "
+                         "framebuffer");
+        return JS::NullValue();
+    }
+
+    const FormatInfo* info = webgl::GetInfoBySizedFormat(internalFormat);
+    MOZ_RELEASE_ASSERT(info);
+    EffectiveFormat effectiveFormat = info->effectiveFormat;
+
+    switch (pname) {
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_OBJECT_TYPE:
+        return JS::Int32Value(LOCAL_GL_FRAMEBUFFER_DEFAULT);
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_RED_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_GREEN_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_BLUE_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_ALPHA_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_DEPTH_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_STENCIL_SIZE:
+        return JS::Int32Value(webgl::GetComponentSize(effectiveFormat, pname));
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_COMPONENT_TYPE:
+        if (attachment == LOCAL_GL_DEPTH_STENCIL_ATTACHMENT &&
+            pname == LOCAL_GL_FRAMEBUFFER_ATTACHMENT_COMPONENT_TYPE)
+        {
+            ErrorInvalidOperation("getFramebufferAttachmentParameter: Querying "
+                                  "FRAMEBUFFER_ATTACHMENT_COMPONENT_TYPE against "
+                                  "DEPTH_STENCIL_ATTACHMENT is an error.");
+            return JS::NullValue();
+        }
+
+        return JS::Int32Value(webgl::GetComponentType(effectiveFormat));
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_COLOR_ENCODING:
+        return JS::Int32Value(webgl::GetColorEncoding(effectiveFormat));
+    }
+
+    /* Any combinations of framebuffer type and pname not described above will generate an
+       INVALID_ENUM error. */
+    ErrorInvalidEnum("getFramebufferAttachmentParameter: Invalid combination of ");
+    return JS::NullValue();
+}
+
 // Map attachments intended for the default buffer, to attachments for a non-
 // default buffer.
 static bool
diff --git a/dom/canvas/WebGLContext.h b/dom/canvas/WebGLContext.h
index c6ae9bb8a2ab..171d89208c83 100644
--- a/dom/canvas/WebGLContext.h
+++ b/dom/canvas/WebGLContext.h
@@ -458,9 +458,9 @@ public:
     }
 
     GLenum GetError();
-    JS::Value GetFramebufferAttachmentParameter(JSContext* cx, GLenum target,
-                                                GLenum attachment, GLenum pname,
-                                                ErrorResult& rv);
+    virtual JS::Value GetFramebufferAttachmentParameter(JSContext* cx, GLenum target,
+                                                        GLenum attachment, GLenum pname,
+                                                        ErrorResult& rv);
 
     void GetFramebufferAttachmentParameter(JSContext* cx, GLenum target,
                                            GLenum attachment, GLenum pname,
diff --git a/dom/canvas/WebGLFormats.cpp b/dom/canvas/WebGLFormats.cpp
index 0028dde7af6f..5966e80e4cec 100644
--- a/dom/canvas/WebGLFormats.cpp
+++ b/dom/canvas/WebGLFormats.cpp
@@ -809,5 +809,319 @@ FormatUsageAuthority::AddUnpackOption(GLenum unpackFormat, GLenum unpackType,
     MOZ_ALWAYS_TRUE(didInsert);
 }
 
+////////////////////////////////////////////////////////////////////////////////
+
+struct ComponentSizes
+{
+    GLubyte redSize;
+    GLubyte greenSize;
+    GLubyte blueSize;
+    GLubyte alphaSize;
+    GLubyte depthSize;
+    GLubyte stencilSize;
+};
+
+static ComponentSizes kComponentSizes[] = {
+    // GLES 3.0.4, p128-129, "Required Texture Formats"
+    // "Texture and renderbuffer color formats"
+    { 32, 32, 32, 32,  0,  0 }, // RGBA32I,
+    { 32, 32, 32, 32,  0,  0 }, // RGBA32UI,
+    { 16, 16, 16, 16,  0,  0 }, // RGBA16I,
+    { 16, 16, 16, 16,  0,  0 }, // RGBA16UI,
+    {  8,  8,  8,  8,  0,  0 }, // RGBA8,
+    {  8,  8,  8,  8,  0,  0 }, // RGBA8I,
+    {  8,  8,  8,  8,  0,  0 }, // RGBA8UI,
+    {  8,  8,  8,  8,  0,  0 }, // SRGB8_ALPHA8,
+    { 10, 10, 10,  2,  0,  0 }, // RGB10_A2,
+    { 10, 10, 10,  2,  0,  0 }, // RGB10_A2UI,
+    {  4,  4,  4,  4,  0,  0 }, // RGBA4,
+    {  5,  5,  5,  1,  0,  0 }, // RGB5_A1,
+
+    {  8,  8,  8,  0,  0,  0 }, // RGB8,
+    {  8,  8,  8,  0,  0,  0 }, // RGB565,
+
+    { 32, 32,  0,  0,  0,  0 }, // RG32I,
+    { 32, 32,  0,  0,  0,  0 }, // RG32UI,
+    { 16, 16,  0,  0,  0,  0 }, // RG16I,
+    { 16, 16,  0,  0,  0,  0 }, // RG16UI,
+    {  8,  8,  0,  0,  0,  0 }, // RG8,
+    {  8,  8,  0,  0,  0,  0 }, // RG8I,
+    {  8,  8,  0,  0,  0,  0 }, // RG8UI,
+
+    { 32,  0,  0,  0,  0,  0 }, // R32I,
+    { 32,  0,  0,  0,  0,  0 }, // R32UI,
+    { 16,  0,  0,  0,  0,  0 }, // R16I,
+    { 16,  0,  0,  0,  0,  0 }, // R16UI,
+    {  8,  0,  0,  0,  0,  0 }, // R8,
+    {  8,  0,  0,  0,  0,  0 }, // R8I,
+    {  8,  0,  0,  0,  0,  0 }, // R8UI,
+
+    // "Texture-only color formats"
+    { 32, 32, 32, 32,  0,  0 }, // RGBA32F,
+    { 16, 16, 16, 16,  0,  0 }, // RGBA16F,
+    {  8,  8,  8,  8,  0,  0 }, // RGBA8_SNORM,
+
+    { 32, 32, 32,  0,  0,  0 }, // RGB32F,
+    { 32, 32, 32,  0,  0,  0 }, // RGB32I,
+    { 32, 32, 32,  0,  0,  0 }, // RGB32UI,
+
+    { 16, 16, 16,  0,  0,  0 }, // RGB16F,
+    { 16, 16, 16,  0,  0,  0 }, // RGB16I,
+    { 16, 16, 16,  0,  0,  0 }, // RGB16UI,
+
+    {  8,  8,  8,  0,  0,  0 }, // RGB8_SNORM,
+    {  8,  8,  8,  0,  0,  0 }, // RGB8I,
+    {  8,  8,  8,  0,  0,  0 }, // RGB8UI,
+    {  8,  8,  8,  0,  0,  0 }, // SRGB8,
+
+    { 11, 11, 11,  0,  0,  0 }, // R11F_G11F_B10F,
+    {  9,  9,  9,  0,  0,  0 }, // RGB9_E5,
+
+    { 32, 32,  0,  0,  0,  0 }, // RG32F,
+    { 16, 16,  0,  0,  0,  0 }, // RG16F,
+    {  8,  8,  0,  0,  0,  0 }, // RG8_SNORM,
+
+    { 32,  0,  0,  0,  0,  0 }, // R32F,
+    { 16,  0,  0,  0,  0,  0 }, // R16F,
+    {  8,  0,  0,  0,  0,  0 }, // R8_SNORM,
+
+    // "Depth formats"
+    {  0,  0,  0,  0, 32,  0 }, // DEPTH_COMPONENT32F,
+    {  0,  0,  0,  0, 24,  0 }, // DEPTH_COMPONENT24,
+    {  0,  0,  0,  0, 16,  0 }, // DEPTH_COMPONENT16,
+
+    // "Combined depth+stencil formats"
+    {  0,  0,  0,  0, 32,  8 }, // DEPTH32F_STENCIL0,
+    {  0,  0,  0,  0, 24,  8 }, // DEPTH24_STENCIL8,
+
+    // GLES 3.0.4, p205-206, "Required Renderbuffer Formats"
+    {  0,  0,  0,  0,  0,  8 }, // STENCIL_INDEX8,
+
+    // GLES 3.0.4, p128, table 3.12.
+    {  8,  8,  8,  8,  0,  0 }, // Luminance8Alpha8,
+    {  8,  8,  8,  0,  0,  0 }, // Luminance8,
+    {  0,  0,  0,  8,  0,  0 }, // Alpha8,
+
+    // GLES 3.0.4, p147, table 3.19
+    // GLES 3.0.4, p286+, $C.1 "ETC Compressed Texture Image Formats"
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_R11_EAC,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_SIGNED_R11_EAC,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RG11_EAC,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_SIGNED_RG11_EAC,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGB8_ETC2,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_SRGB8_ETC2,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGB8_PUNCHTHROUGH_ALPHA1_ETC2,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_SRGB8_PUNCHTHROUGH_ALPHA1_ETC2,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGBA8_ETC2_EAC,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_SRGB8_ALPHA8_ETC2_EAC,
+
+    // AMD_compressed_ATC_texture
+    {  8,  8,  8,  0,  0,  0 }, // ATC_RGB_AMD,
+    {  8,  8,  8,  8,  0,  0 }, // ATC_RGBA_EXPLICIT_ALPHA_AMD,
+    {  8,  8,  8,  8,  0,  0 }, // ATC_RGBA_INTERPOLATED_ALPHA_AMD,
+
+    // EXT_texture_compression_s3tc
+    {  8,  8,  8,  0,  0,  0 }, // COMPRESSED_RGB_S3TC_DXT1,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGBA_S3TC_DXT1,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGBA_S3TC_DXT3,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGBA_S3TC_DXT5,
+
+    // IMG_texture_compression_pvrtc
+    {  8,  8,  8,  0,  0,  0 }, // COMPRESSED_RGB_PVRTC_4BPPV1,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGBA_PVRTC_4BPPV1,
+    {  8,  8,  8,  0,  0,  0 }, // COMPRESSED_RGB_PVRTC_2BPPV1,
+    {  8,  8,  8,  8,  0,  0 }, // COMPRESSED_RGBA_PVRTC_2BPPV1,
+
+    // OES_compressed_ETC1_RGB8_texture
+    {  8,  8,  8,  0,  0,  0 }, // ETC1_RGB8,
+
+    // OES_texture_float
+    { 32, 32, 32, 32,  0,  0 }, // Luminance32FAlpha32F,
+    { 32, 32, 32,  0,  0,  0 }, // Luminance32F,
+    {  0,  0,  0, 32,  0,  0 }, // Alpha32F,
+
+    // OES_texture_half_float
+    { 16, 16, 16, 16, 0, 0 }, // Luminance16FAlpha16F,
+    { 16, 16, 16,  0, 0, 0 }, // Luminance16F,
+    {  0,  0,  0, 16, 0, 0 }, // Alpha16F,
+
+    {  0, } // MAX
+};
+
+GLint
+GetComponentSize(EffectiveFormat format, GLenum component)
+{
+    ComponentSizes compSize = kComponentSizes[(int) format];
+    switch (component) {
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_RED_SIZE:
+    case LOCAL_GL_RENDERBUFFER_RED_SIZE:
+    case LOCAL_GL_RED_BITS:
+        return compSize.redSize;
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_GREEN_SIZE:
+    case LOCAL_GL_RENDERBUFFER_GREEN_SIZE:
+    case LOCAL_GL_GREEN_BITS:
+        return compSize.greenSize;
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_BLUE_SIZE:
+    case LOCAL_GL_RENDERBUFFER_BLUE_SIZE:
+    case LOCAL_GL_BLUE_BITS:
+        return compSize.blueSize;
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_ALPHA_SIZE:
+    case LOCAL_GL_RENDERBUFFER_ALPHA_SIZE:
+    case LOCAL_GL_ALPHA_BITS:
+        return compSize.alphaSize;
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_DEPTH_SIZE:
+    case LOCAL_GL_RENDERBUFFER_DEPTH_SIZE:
+    case LOCAL_GL_DEPTH_BITS:
+        return compSize.depthSize;
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_STENCIL_SIZE:
+    case LOCAL_GL_RENDERBUFFER_STENCIL_SIZE:
+    case LOCAL_GL_STENCIL_BITS:
+        return compSize.stencilSize;
+    }
+
+    return 0;
+}
+
+static GLenum kComponentTypes[] = {
+    // GLES 3.0.4, p128-129, "Required Texture Formats"
+    // "Texture and renderbuffer color formats"
+    LOCAL_GL_INT,                       // RGBA32I,
+    LOCAL_GL_UNSIGNED_INT,              // RGBA32UI,
+    LOCAL_GL_INT,                       // RGBA16I,
+    LOCAL_GL_UNSIGNED_INT,              // RGBA16UI,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RGBA8,
+    LOCAL_GL_INT,                       // RGBA8I,
+    LOCAL_GL_UNSIGNED_INT,              // RGBA8UI,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // SRGB8_ALPHA8,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RGB10_A2,
+    LOCAL_GL_UNSIGNED_INT,              // RGB10_A2UI,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RGBA4,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RGB5_A1,
+
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RGB8,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RGB565,
+
+    LOCAL_GL_INT,                       // RG32I,
+    LOCAL_GL_UNSIGNED_INT,              // RG32UI,
+    LOCAL_GL_INT,                       // RG16I,
+    LOCAL_GL_UNSIGNED_INT,              // RG16UI,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // RG8,
+    LOCAL_GL_INT,                       // RG8I,
+    LOCAL_GL_UNSIGNED_INT,              // RG8UI,
+
+    LOCAL_GL_INT,                       // R32I,
+    LOCAL_GL_UNSIGNED_INT,              // R32UI,
+    LOCAL_GL_INT,                       // R16I,
+    LOCAL_GL_UNSIGNED_INT,              // R16UI,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // R8,
+    LOCAL_GL_INT,                       // R8I,
+    LOCAL_GL_UNSIGNED_INT,              // R8UI,
+
+    // "Texture-only color formats"
+    LOCAL_GL_FLOAT,                     // RGBA32F,
+    LOCAL_GL_FLOAT,                     // RGBA16F,
+    LOCAL_GL_SIGNED_NORMALIZED,         // RGBA8_SNORM,
+
+    LOCAL_GL_FLOAT,                     // RGB32F,
+    LOCAL_GL_INT,                       // RGB32I,
+    LOCAL_GL_UNSIGNED_INT,              // RGB32UI,
+
+    LOCAL_GL_FLOAT,                     // RGB16F,
+    LOCAL_GL_INT,                       // RGB16I,
+    LOCAL_GL_UNSIGNED_INT,              // RGB16UI,
+
+    LOCAL_GL_SIGNED_NORMALIZED,         // RGB8_SNORM,
+    LOCAL_GL_INT,                       // RGB8I,
+    LOCAL_GL_UNSIGNED_INT,              // RGB8UI,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // SRGB8,
+
+    LOCAL_GL_FLOAT,                     // R11F_G11F_B10F,
+    LOCAL_GL_FLOAT,                     // RGB9_E5,
+
+    LOCAL_GL_FLOAT,                     // RG32F,
+    LOCAL_GL_FLOAT,                     // RG16F,
+    LOCAL_GL_SIGNED_NORMALIZED,         // RG8_SNORM,
+
+    LOCAL_GL_FLOAT,                     // R32F,
+    LOCAL_GL_FLOAT,                     // R16F,
+    LOCAL_GL_SIGNED_NORMALIZED,         // R8_SNORM,
+
+    // "Depth formats"
+    LOCAL_GL_FLOAT,                     // DEPTH_COMPONENT32F,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // DEPTH_COMPONENT24,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // DEPTH_COMPONENT16,
+
+    // "Combined depth+stencil formats"
+    LOCAL_GL_FLOAT,                     // DEPTH32F_STENCIL8,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // DEPTH24_STENCIL8,
+
+    // GLES 3.0.4, p205-206, "Required Renderbuffer Formats"
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // STENCIL_INDEX8,
+
+    // GLES 3.0.4, p128, table 3.12.
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // Luminance8Alpha8,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // Luminance8,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // Alpha8,
+
+    // GLES 3.0.4, p147, table 3.19
+    // GLES 3.0.4, p286+, $C.1 "ETC Compressed Texture Image Formats"
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_R11_EAC,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_SIGNED_R11_EAC,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RG11_EAC,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_SIGNED_RG11_EAC,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGB8_ETC2,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_SRGB8_ETC2,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGB8_PUNCHTHROUGH_ALPHA1_ETC2,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_SRGB8_PUNCHTHROUGH_ALPHA1_ETC2,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGBA8_ETC2_EAC,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_SRGB8_ALPHA8_ETC2_EAC,
+
+    // AMD_compressed_ATC_texture
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // ATC_RGB_AMD,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // ATC_RGBA_EXPLICIT_ALPHA_AMD,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // ATC_RGBA_INTERPOLATED_ALPHA_AMD,
+
+    // EXT_texture_compression_s3tc
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGB_S3TC_DXT1,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGBA_S3TC_DXT1,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGBA_S3TC_DXT3,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGBA_S3TC_DXT5,
+
+    // IMG_texture_compression_pvrtc
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGB_PVRTC_4BPPV1,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGBA_PVRTC_4BPPV1,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGB_PVRTC_2BPPV1,
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // COMPRESSED_RGBA_PVRTC_2BPPV1,
+
+    // OES_compressed_ETC1_RGB8_texture
+    LOCAL_GL_UNSIGNED_NORMALIZED,       // ETC1_RGB8,
+
+    // OES_texture_float
+    LOCAL_GL_FLOAT,                     // Luminance32FAlpha32F,
+    LOCAL_GL_FLOAT,                     // Luminance32F,
+    LOCAL_GL_FLOAT,                     // Alpha32F,
+
+    // OES_texture_half_float
+    LOCAL_GL_FLOAT,                     // Luminance16FAlpha16F,
+    LOCAL_GL_FLOAT,                     // Luminance16F,
+    LOCAL_GL_FLOAT,                     // Alpha16F,
+
+    LOCAL_GL_NONE // MAX
+};
+
+GLenum
+GetComponentType(EffectiveFormat format)
+{
+    return kComponentTypes[(int) format];
+}
+
+GLenum
+GetColorEncoding(EffectiveFormat format)
+{
+    const bool isSRGB = (GetFormatInfo(format)->colorComponentType ==
+                         ComponentType::NormUIntSRGB);
+    return (isSRGB) ? LOCAL_GL_SRGB : LOCAL_GL_LINEAR;
+}
+
 } // namespace webgl
 } // namespace mozilla
diff --git a/dom/canvas/WebGLFormats.h b/dom/canvas/WebGLFormats.h
index 33735bab473f..e780e77b8040 100644
--- a/dom/canvas/WebGLFormats.h
+++ b/dom/canvas/WebGLFormats.h
@@ -252,13 +252,21 @@ public:
                          EffectiveFormat effectiveFormat);
 
     FormatUsageInfo* GetUsage(EffectiveFormat format);
-
     FormatUsageInfo* GetUsage(const FormatInfo* format)
     {
+        if (!format)
+            return nullptr;
+
         return GetUsage(format->effectiveFormat);
     }
 };
 
+////////////////////////////////////////////////////////////////////////////////
+
+GLint GetComponentSize(EffectiveFormat format, GLenum component);
+GLenum GetComponentType(EffectiveFormat format);
+GLenum GetColorEncoding(EffectiveFormat format);
+
 } // namespace webgl
 } // namespace mozilla
 
diff --git a/dom/canvas/WebGLFramebuffer.cpp b/dom/canvas/WebGLFramebuffer.cpp
index 34363d1b0aa9..93a8e293016d 100644
--- a/dom/canvas/WebGLFramebuffer.cpp
+++ b/dom/canvas/WebGLFramebuffer.cpp
@@ -433,6 +433,66 @@ WebGLFBAttachPoint::FinalizeAttachment(gl::GLContext* gl,
     MOZ_CRASH();
 }
 
+JS::Value
+WebGLFBAttachPoint::GetParameter(WebGLContext* context, GLenum pname)
+{
+    // TODO: WebGLTexture and WebGLRenderbuffer should store FormatInfo instead of doing
+    // this dance every time.
+    const GLenum internalFormat = EffectiveInternalFormat().get();
+    const webgl::FormatInfo* info = webgl::GetInfoBySizedFormat(internalFormat);
+    MOZ_ASSERT(info);
+
+    WebGLTexture* tex = Texture();
+
+    switch (pname) {
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_RED_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_GREEN_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_BLUE_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_ALPHA_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_DEPTH_SIZE:
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_STENCIL_SIZE:
+        return JS::Int32Value(webgl::GetComponentSize(info->effectiveFormat, pname));
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_COMPONENT_TYPE:
+        return JS::Int32Value(webgl::GetComponentType(info->effectiveFormat));
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_COLOR_ENCODING:
+        return JS::Int32Value(webgl::GetColorEncoding(info->effectiveFormat));
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_TEXTURE_LEVEL:
+        if (tex) {
+            return JS::Int32Value(MipLevel());
+        }
+        break;
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_TEXTURE_CUBE_MAP_FACE:
+        if (tex) {
+            int32_t face = 0;
+            if (tex->Target() == LOCAL_GL_TEXTURE_CUBE_MAP) {
+                face = ImageTarget().get();
+            }
+            return JS::Int32Value(face);
+        }
+        break;
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_TEXTURE_LAYER:
+        if (tex) {
+            int32_t layer = 0;
+            if (tex->Target() == LOCAL_GL_TEXTURE_2D_ARRAY ||
+                tex->Target() == LOCAL_GL_TEXTURE_3D)
+            {
+                layer = Layer();
+            }
+            return JS::Int32Value(layer);
+        }
+        break;
+    }
+
+    context->ErrorInvalidEnum("getFramebufferParameter: Invalid combination of "
+                              "attachment and pname.");
+    return JS::NullValue();
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 // WebGLFramebuffer
 
@@ -987,6 +1047,110 @@ WebGLFramebuffer::ValidateForRead(const char* info, TexInternalFormat* const out
     return true;
 }
 
+static bool
+AttachmentsDontMatch(const WebGLFBAttachPoint& a, const WebGLFBAttachPoint& b)
+{
+    if (a.Texture()) {
+        return (a.Texture() != b.Texture());
+    }
+
+    if (a.Renderbuffer()) {
+        return (a.Renderbuffer() != b.Renderbuffer());
+    }
+
+    return false;
+}
+
+JS::Value
+WebGLFramebuffer::GetAttachmentParameter(JSContext* cx,
+                                         GLenum attachment,
+                                         GLenum pname,
+                                         ErrorResult& rv)
+{
+    // "If a framebuffer object is bound to target, then attachment must be one of the
+    // attachment points of the framebuffer listed in table 4.6."
+    switch (attachment) {
+    case LOCAL_GL_DEPTH_ATTACHMENT:
+    case LOCAL_GL_DEPTH_STENCIL_ATTACHMENT:
+        break;
+
+    case LOCAL_GL_STENCIL_ATTACHMENT:
+        // "If attachment is DEPTH_STENCIL_ATTACHMENT, and different objects are bound to
+        //  the depth and stencil attachment points of target, the query will fail and
+        //  generate an INVALID_OPERATION error. If the same object is bound to both
+        //  attachment points, information about that object will be returned."
+
+        // Does this mean it has to be the same level or layer? Because the queries are
+        // independent of level or layer.
+        if (AttachmentsDontMatch(DepthAttachment(), StencilAttachment())) {
+            mContext->ErrorInvalidOperation("getFramebufferAttachmentParameter: "
+                                            "DEPTH_ATTACHMENT and STENCIL_ATTACHMENT "
+                                            "have different objects bound.");
+            return JS::NullValue();
+        }
+        break;
+
+    default:
+        if (attachment < LOCAL_GL_COLOR_ATTACHMENT0 ||
+            attachment > mContext->LastColorAttachment())
+        {
+            mContext->ErrorInvalidEnum("getFramebufferAttachmentParameter: Can only "
+                                       "query COLOR_ATTACHMENTi, DEPTH_ATTACHMENT, "
+                                       "DEPTH_STENCIL_ATTACHMENT, or STENCIL_ATTACHMENT "
+                                       "on framebuffer.");
+            return JS::NullValue();
+        }
+    }
+
+    if (attachment == LOCAL_GL_DEPTH_STENCIL_ATTACHMENT &&
+        pname == LOCAL_GL_FRAMEBUFFER_ATTACHMENT_COMPONENT_TYPE)
+    {
+        mContext->ErrorInvalidOperation("getFramebufferAttachmentParameter: Querying "
+                                        "FRAMEBUFFER_ATTACHMENT_COMPONENT_TYPE against "
+                                        "DEPTH_STENCIL_ATTACHMENT is an error.");
+        return JS::NullValue();
+    }
+
+    GLenum objectType = LOCAL_GL_NONE;
+    auto& fba = GetAttachPoint(attachment);
+    if (fba.Texture()) {
+        objectType = LOCAL_GL_TEXTURE;
+    } else if (fba.Renderbuffer()) {
+        objectType = LOCAL_GL_RENDERBUFFER;
+    }
+
+    switch (pname) {
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_OBJECT_TYPE:
+        return JS::Int32Value(objectType);
+
+    case LOCAL_GL_FRAMEBUFFER_ATTACHMENT_OBJECT_NAME:
+        if (objectType == LOCAL_GL_NONE) {
+            return JS::NullValue();
+        }
+
+        if (objectType == LOCAL_GL_RENDERBUFFER) {
+            const WebGLRenderbuffer* rb = fba.Renderbuffer();
+            return mContext->WebGLObjectAsJSValue(cx, rb, rv);
+        }
+
+        /* If the value of FRAMEBUFFER_ATTACHMENT_OBJECT_TYPE is TEXTURE, then */
+        if (objectType == LOCAL_GL_TEXTURE) {
+            const WebGLTexture* tex = fba.Texture();
+            return mContext->WebGLObjectAsJSValue(cx, tex, rv);
+        }
+        break;
+    }
+
+    if (objectType == LOCAL_GL_NONE) {
+        mContext->ErrorInvalidOperation("getFramebufferAttachmentParameter: No "
+                                        "attachment at %s",
+                                        mContext->EnumName(attachment));
+        return JS::NullValue();
+    }
+
+    return fba.GetParameter(mContext, pname);
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 // Goop.
 
diff --git a/dom/canvas/WebGLFramebuffer.h b/dom/canvas/WebGLFramebuffer.h
index 7e12b8f47104..a832c1ad2cd9 100644
--- a/dom/canvas/WebGLFramebuffer.h
+++ b/dom/canvas/WebGLFramebuffer.h
@@ -62,7 +62,7 @@ public:
     void SetTexImageLayer(WebGLTexture* tex, TexImageTarget target, GLint level,
                           GLint layer);
     void SetRenderbuffer(WebGLRenderbuffer* rb);
-    
+
     const WebGLTexture* Texture() const {
         return mTexturePtr;
     }
@@ -95,6 +95,8 @@ public:
 
     void FinalizeAttachment(gl::GLContext* gl,
                             FBAttachment attachmentLoc) const;
+
+    JS::Value GetParameter(WebGLContext* context, GLenum pname);
 };
 
 class WebGLFramebuffer final
@@ -225,6 +227,9 @@ public:
     }
 
     bool ValidateForRead(const char* info, TexInternalFormat* const out_format);
+
+    JS::Value GetAttachmentParameter(JSContext* cx, GLenum attachment, GLenum pname,
+                                     ErrorResult& rv);
 };
 
 } // namespace mozilla
diff --git a/dom/canvas/WebGLProgram.h b/dom/canvas/WebGLProgram.h
index f02ec793eda0..7b979e09968c 100644
--- a/dom/canvas/WebGLProgram.h
+++ b/dom/canvas/WebGLProgram.h
@@ -19,8 +19,6 @@
 #include "WebGLObjectModel.h"
 
 
-template<class> class nsRefPtr;
-
 namespace mozilla {
 class ErrorResult;
 class WebGLActiveInfo;
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index af7903e69b0e..d9423335f1ad 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -31,6 +31,7 @@
 #include "mozilla/dom/FileList.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/OSFileSystem.h"
+#include "mozilla/dom/Promise.h"
 
 namespace mozilla {
 namespace dom {
diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
index 70e2376387e6..579c60d5ce9c 100644
--- a/dom/events/DataTransfer.h
+++ b/dom/events/DataTransfer.h
@@ -20,7 +20,6 @@
 #include "mozilla/Attributes.h"
 #include "mozilla/EventForwards.h"
 #include "mozilla/dom/File.h"
-#include "mozilla/dom/Promise.h"
 
 class nsINode;
 class nsITransferable;
@@ -36,6 +35,7 @@ namespace dom {
 class DOMStringList;
 class Element;
 class FileList;
+class Promise;
 template<typename T> class Optional;
 
 /**
diff --git a/dom/events/Touch.cpp b/dom/events/Touch.cpp
index b93ae71a6c5b..010d2ae00efc 100644
--- a/dom/events/Touch.cpp
+++ b/dom/events/Touch.cpp
@@ -67,6 +67,23 @@ Touch::Touch(int32_t aIdentifier,
   nsJSContext::LikelyShortLivingObjectCreated();
 }
 
+Touch::Touch(const Touch& aOther)
+  : mTarget(aOther.mTarget)
+  , mRefPoint(aOther.mRefPoint)
+  , mChanged(aOther.mChanged)
+  , mMessage(aOther.mMessage)
+  , mIdentifier(aOther.mIdentifier)
+  , mPagePoint(aOther.mPagePoint)
+  , mClientPoint(aOther.mClientPoint)
+  , mScreenPoint(aOther.mScreenPoint)
+  , mRadius(aOther.mRadius)
+  , mRotationAngle(aOther.mRotationAngle)
+  , mForce(aOther.mForce)
+  , mPointsInitialized(aOther.mPointsInitialized)
+{
+  nsJSContext::LikelyShortLivingObjectCreated();
+}
+
 Touch::~Touch()
 {
 }
diff --git a/dom/events/Touch.h b/dom/events/Touch.h
index f22aabe2124b..eeb895e2d695 100644
--- a/dom/events/Touch.h
+++ b/dom/events/Touch.h
@@ -45,6 +45,7 @@ public:
         nsIntPoint aRadius,
         float aRotationAngle,
         float aForce);
+  Touch(const Touch& aOther);
 
   NS_DECL_CYCLE_COLLECTING_ISUPPORTS
   NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(Touch)
diff --git a/dom/events/TouchEvent.cpp b/dom/events/TouchEvent.cpp
index db08879f8651..ca7e542349c9 100644
--- a/dom/events/TouchEvent.cpp
+++ b/dom/events/TouchEvent.cpp
@@ -186,10 +186,10 @@ TouchEvent::PrefEnabled(JSContext* aCx, JSObject* aGlobal)
   int32_t flag = 0;
   if (NS_SUCCEEDED(Preferences::GetInt("dom.w3c_touch_events.enabled", &flag))) {
     if (flag == 2) {
-#ifdef XP_WIN
+#if defined(XP_WIN) || MOZ_WIDGET_GTK == 3
       static bool sDidCheckTouchDeviceSupport = false;
       static bool sIsTouchDeviceSupportPresent = false;
-      // On Windows we auto-detect based on device support.
+      // On Windows and GTK3 we auto-detect based on device support.
       if (!sDidCheckTouchDeviceSupport) {
         sDidCheckTouchDeviceSupport = true;
         sIsTouchDeviceSupportPresent = WidgetUtils::IsTouchDeviceSupportPresent();
diff --git a/dom/events/moz.build b/dom/events/moz.build
index d989b0cb5c64..d7d5decdf7dd 100644
--- a/dom/events/moz.build
+++ b/dom/events/moz.build
@@ -78,6 +78,7 @@ UNIFIED_SOURCES += [
     'CommandEvent.cpp',
     'CompositionEvent.cpp',
     'ContentEventHandler.cpp',
+    'CustomEvent.cpp',
     'DataContainerEvent.cpp',
     'DataTransfer.cpp',
     'DeviceMotionEvent.cpp',
@@ -117,7 +118,6 @@ UNIFIED_SOURCES += [
 
 # nsEventStateManager.cpp should be built separately because of Mac OS X headers.
 SOURCES += [
-    'CustomEvent.cpp',
     'EventStateManager.cpp',
 ]
 
diff --git a/dom/fetch/FetchDriver.cpp b/dom/fetch/FetchDriver.cpp
index 4b6b89ddfac8..1436b1146615 100644
--- a/dom/fetch/FetchDriver.cpp
+++ b/dom/fetch/FetchDriver.cpp
@@ -50,9 +50,9 @@ FetchDriver::FetchDriver(InternalRequest* aRequest, nsIPrincipal* aPrincipal,
   : mPrincipal(aPrincipal)
   , mLoadGroup(aLoadGroup)
   , mRequest(aRequest)
-  , mFetchRecursionCount(0)
-  , mCORSFlagEverSet(false)
+  , mHasBeenCrossSite(false)
   , mResponseAvailableCalled(false)
+  , mFetchCalled(false)
 {
 }
 
@@ -67,323 +67,104 @@ nsresult
 FetchDriver::Fetch(FetchDriverObserver* aObserver)
 {
   workers::AssertIsOnMainThread();
+  MOZ_ASSERT(!mFetchCalled);
+  mFetchCalled = true;
+
   mObserver = aObserver;
 
   Telemetry::Accumulate(Telemetry::SERVICE_WORKER_REQUEST_PASSTHROUGH,
                         mRequest->WasCreatedByFetchEvent());
 
-  return Fetch(false /* CORS flag */);
+  // FIXME(nsm): Deal with HSTS.
+
+  MOZ_RELEASE_ASSERT(!mRequest->IsSynchronous(),
+                     "Synchronous fetch not supported");
+
+  nsCOMPtr<nsIRunnable> r =
+    NS_NewRunnableMethod(this, &FetchDriver::ContinueFetch);
+  return NS_DispatchToCurrentThread(r);
 }
 
 nsresult
-FetchDriver::Fetch(bool aCORSFlag)
-{
-  // We do not currently implement parts of the spec that lead to recursion.
-  MOZ_ASSERT(mFetchRecursionCount == 0);
-  mFetchRecursionCount++;
-
-  // FIXME(nsm): Deal with HSTS.
-
-  if (!mRequest->IsSynchronous() && mFetchRecursionCount <= 1) {
-    nsCOMPtr<nsIRunnable> r =
-      NS_NewRunnableMethodWithArg<bool>(this, &FetchDriver::ContinueFetch, aCORSFlag);
-    nsresult rv = NS_DispatchToCurrentThread(r);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      FailWithNetworkError();
-    }
-    return rv;
-  }
-
-  MOZ_CRASH("Synchronous fetch not supported");
-}
-
-FetchDriver::MainFetchOp
-FetchDriver::SetTaintingAndGetNextOp(bool aCORSFlag)
+FetchDriver::SetTainting()
 {
   workers::AssertIsOnMainThread();
 
+  // If we've already been cross-site then we should be fully updated
+  if (mHasBeenCrossSite) {
+    return NS_OK;
+  }
+
   nsAutoCString url;
   mRequest->GetURL(url);
   nsCOMPtr<nsIURI> requestURI;
   nsresult rv = NS_NewURI(getter_AddRefs(requestURI), url,
                           nullptr, nullptr);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return MainFetchOp(NETWORK_ERROR);
-  }
-
-  // CSP/mixed content checks.
-  int16_t shouldLoad;
-  rv = NS_CheckContentLoadPolicy(mRequest->ContentPolicyType(),
-                                 requestURI,
-                                 mPrincipal,
-                                 mDocument,
-                                 // FIXME(nsm): Should MIME be extracted from
-                                 // Content-Type header?
-                                 EmptyCString(), /* mime guess */
-                                 nullptr, /* extra */
-                                 &shouldLoad,
-                                 nsContentUtils::GetContentPolicy(),
-                                 nsContentUtils::GetSecurityManager());
-  if (NS_WARN_IF(NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad))) {
-    // Disallowed by content policy.
-    return MainFetchOp(NETWORK_ERROR);
-  }
+  NS_ENSURE_SUCCESS(rv, rv);
 
   // Begin Step 8 of the Main Fetch algorithm
   // https://fetch.spec.whatwg.org/#fetching
 
-  nsAutoCString scheme;
-  rv = requestURI->GetScheme(scheme);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return MainFetchOp(NETWORK_ERROR);
-  }
-
   // request's current url's origin is request's origin and the CORS flag is unset
   // request's current url's scheme is "data" and request's same-origin data-URL flag is set
   // request's current url's scheme is "about"
-  rv = mPrincipal->CheckMayLoad(requestURI, false /* report */,
-                                false /* allowIfInheritsPrincipal */);
-  if ((!aCORSFlag && NS_SUCCEEDED(rv)) ||
-      (scheme.EqualsLiteral("data") && mRequest->SameOriginDataURL()) ||
-      scheme.EqualsLiteral("about")) {
-    return MainFetchOp(BASIC_FETCH);
+
+  // We have to manually check about:blank here since it's not treated as
+  // an inheriting URL by CheckMayLoad.
+  if (NS_IsAboutBlank(requestURI) ||
+       NS_SUCCEEDED(mPrincipal->CheckMayLoad(requestURI, false /* report */,
+                                             true /*allowIfInheritsPrincipal*/))) {
+    // What the spec calls "basic fetch" is handled within our necko channel
+    // code.  Therefore everything goes through HTTP Fetch
+    return NS_OK;
   }
 
+  mHasBeenCrossSite = true;
+
   // request's mode is "same-origin"
   if (mRequest->Mode() == RequestMode::Same_origin) {
-    return MainFetchOp(NETWORK_ERROR);
+    return NS_ERROR_DOM_BAD_URI;
   }
 
   // request's mode is "no-cors"
   if (mRequest->Mode() == RequestMode::No_cors) {
     mRequest->SetResponseTainting(InternalRequest::RESPONSETAINT_OPAQUE);
-    return MainFetchOp(BASIC_FETCH);
-  }
-
-  // request's current url's scheme is not one of "http" and "https"
-  if (!scheme.EqualsLiteral("http") && !scheme.EqualsLiteral("https")) {
-    return MainFetchOp(NETWORK_ERROR);
-  }
-
-  // request's mode is "cors-with-forced-preflight"
-  // request's unsafe-request flag is set and either request's method is not
-  // a simple method or a header in request's header list is not a simple header
-  if (mRequest->Mode() == RequestMode::Cors_with_forced_preflight ||
-      (mRequest->UnsafeRequest() && (!mRequest->HasSimpleMethod() ||
-                                     !mRequest->Headers()->HasOnlySimpleHeaders()))) {
-    mRequest->SetResponseTainting(InternalRequest::RESPONSETAINT_CORS);
-    mRequest->SetRedirectMode(RequestRedirect::Error);
-
-    // Note, the following text from Main Fetch step 8 is handled in
-    // nsCORSListenerProxy when CheckRequestApproved() fails:
-    //
-    //  The result of performing an HTTP fetch using request with the CORS
-    //  flag and CORS-preflight flag set. If the result is a network error,
-    //  clear cache entries using request.
-
-    return MainFetchOp(HTTP_FETCH, true /* cors */, true /* preflight */);
+    // What the spec calls "basic fetch" is handled within our necko channel
+    // code.  Therefore everything goes through HTTP Fetch
+    return NS_OK;
   }
 
   // Otherwise
   mRequest->SetResponseTainting(InternalRequest::RESPONSETAINT_CORS);
-  return MainFetchOp(HTTP_FETCH, true /* cors */, false /* preflight */);
+
+  return NS_OK;
 }
 
 nsresult
-FetchDriver::ContinueFetch(bool aCORSFlag)
+FetchDriver::ContinueFetch()
 {
   workers::AssertIsOnMainThread();
 
-  MainFetchOp nextOp = SetTaintingAndGetNextOp(aCORSFlag);
-
-  if (nextOp.mType == NETWORK_ERROR) {
-    return FailWithNetworkError();
-  }
-
-  if (nextOp.mType == BASIC_FETCH) {
-    return BasicFetch();
-  }
-
-  if (nextOp.mType == HTTP_FETCH) {
-    return HttpFetch(nextOp.mCORSFlag, nextOp.mCORSPreflightFlag);
-  }
-
-  MOZ_ASSERT_UNREACHABLE("Unexpected main fetch operation!");
-  return FailWithNetworkError();
- }
-
-nsresult
-FetchDriver::BasicFetch()
-{
-  nsAutoCString url;
-  mRequest->GetURL(url);
-  nsCOMPtr<nsIURI> uri;
-  nsresult rv = NS_NewURI(getter_AddRefs(uri),
-                 url,
-                 nullptr,
-                 nullptr);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
+  nsresult rv = HttpFetch();
+  if (NS_FAILED(rv)) {
     FailWithNetworkError();
-    return rv;
   }
-
-  nsAutoCString scheme;
-  rv = uri->GetScheme(scheme);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    FailWithNetworkError();
-    return rv;
-  }
-
-  if (scheme.LowerCaseEqualsLiteral("about")) {
-    if (url.EqualsLiteral("about:blank")) {
-      RefPtr<InternalResponse> response =
-        new InternalResponse(200, NS_LITERAL_CSTRING("OK"));
-      ErrorResult result;
-      response->Headers()->Append(NS_LITERAL_CSTRING("content-type"),
-                                  NS_LITERAL_CSTRING("text/html;charset=utf-8"),
-                                  result);
-      MOZ_ASSERT(!result.Failed());
-      nsCOMPtr<nsIInputStream> body;
-      rv = NS_NewCStringInputStream(getter_AddRefs(body), EmptyCString());
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        FailWithNetworkError();
-        return rv;
-      }
-
-      response->SetBody(body);
-      BeginResponse(response);
-      return SucceedWithResponse();
-    }
-    return FailWithNetworkError();
-  }
-
-  if (scheme.LowerCaseEqualsLiteral("blob")) {
-    RefPtr<BlobImpl> blobImpl;
-    rv = NS_GetBlobForBlobURI(uri, getter_AddRefs(blobImpl));
-    BlobImpl* blob = static_cast<BlobImpl*>(blobImpl.get());
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      FailWithNetworkError();
-      return rv;
-    }
-
-    RefPtr<InternalResponse> response = new InternalResponse(200, NS_LITERAL_CSTRING("OK"));
-    ErrorResult result;
-    uint64_t size = blob->GetSize(result);
-    if (NS_WARN_IF(result.Failed())) {
-      FailWithNetworkError();
-      return result.StealNSResult();
-    }
-
-    nsAutoString sizeStr;
-    sizeStr.AppendInt(size);
-    response->Headers()->Append(NS_LITERAL_CSTRING("Content-Length"), NS_ConvertUTF16toUTF8(sizeStr), result);
-    if (NS_WARN_IF(result.Failed())) {
-      FailWithNetworkError();
-      return result.StealNSResult();
-    }
-
-    nsAutoString type;
-    blob->GetType(type);
-    response->Headers()->Append(NS_LITERAL_CSTRING("Content-Type"), NS_ConvertUTF16toUTF8(type), result);
-    if (NS_WARN_IF(result.Failed())) {
-      FailWithNetworkError();
-      return result.StealNSResult();
-    }
-
-    nsCOMPtr<nsIInputStream> stream;
-    blob->GetInternalStream(getter_AddRefs(stream), result);
-    if (NS_WARN_IF(result.Failed())) {
-      FailWithNetworkError();
-      return result.StealNSResult();
-    }
-
-    response->SetBody(stream);
-    BeginResponse(response);
-    return SucceedWithResponse();
-  }
-
-  if (scheme.LowerCaseEqualsLiteral("data")) {
-    nsAutoCString method;
-    mRequest->GetMethod(method);
-    if (method.LowerCaseEqualsASCII("get")) {
-      nsresult rv;
-      nsCOMPtr<nsIProtocolHandler> dataHandler =
-        do_GetService(NS_NETWORK_PROTOCOL_CONTRACTID_PREFIX "data", &rv);
-
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
-
-      nsCOMPtr<nsIChannel> channel;
-      rv = dataHandler->NewChannel(uri, getter_AddRefs(channel));
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
-
-      nsCOMPtr<nsIInputStream> stream;
-      rv = channel->Open(getter_AddRefs(stream));
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
-
-      // nsDataChannel will parse the data URI when it is Open()ed and set the
-      // correct content type and charset.
-      nsAutoCString contentType;
-      if (NS_SUCCEEDED(channel->GetContentType(contentType))) {
-        nsAutoCString charset;
-        if (NS_SUCCEEDED(channel->GetContentCharset(charset)) && !charset.IsEmpty()) {
-          contentType.AppendLiteral(";charset=");
-          contentType.Append(charset);
-        }
-      } else {
-        NS_WARNING("Could not get content type from data channel");
-      }
-
-      RefPtr<InternalResponse> response = new InternalResponse(200, NS_LITERAL_CSTRING("OK"));
-      ErrorResult result;
-      response->Headers()->Append(NS_LITERAL_CSTRING("Content-Type"), contentType, result);
-      if (NS_WARN_IF(result.Failed())) {
-        FailWithNetworkError();
-        return result.StealNSResult();
-      }
-
-      response->SetBody(stream);
-      BeginResponse(response);
-      return SucceedWithResponse();
-    }
-
-    return FailWithNetworkError();
-  }
-
-  if (scheme.LowerCaseEqualsLiteral("http") ||
-      scheme.LowerCaseEqualsLiteral("https") ||
-      scheme.LowerCaseEqualsLiteral("app")) {
-    return HttpFetch();
-  }
-
-  return FailWithNetworkError();
+ 
+  return rv;
 }
 
 // This function implements the "HTTP Fetch" algorithm from the Fetch spec.
 // Functionality is often split between here, the CORS listener proxy and the
 // Necko HTTP implementation.
 nsresult
-FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthenticationFlag)
+FetchDriver::HttpFetch()
 {
   // Step 1. "Let response be null."
   mResponse = nullptr;
   nsresult rv;
 
-  // We need to track the CORS flag through redirects.  Since there is no way
-  // for us to go from CORS mode to non-CORS mode, we just need to remember
-  // if it has ever been set.
-  mCORSFlagEverSet = mCORSFlagEverSet || aCORSFlag;
-
   nsCOMPtr<nsIIOService> ios = do_GetIOService(&rv);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    FailWithNetworkError();
-    return rv;
-  }
+  NS_ENSURE_SUCCESS(rv, rv);
 
   nsAutoCString url;
   mRequest->GetURL(url);
@@ -393,10 +174,10 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
                           nullptr,
                           nullptr,
                           ios);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    FailWithNetworkError();
-    return rv;
-  }
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = SetTainting();
+  NS_ENSURE_SUCCESS(rv, rv);
 
   // Step 2 deals with letting ServiceWorkers intercept requests. This is
   // handled by Necko after the channel is opened.
@@ -419,19 +200,18 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
   //  - request's credentials mode is "same-origin" and either the CORS flag
   //    is unset or response tainting is "opaque"
   // is true, and unset otherwise."
-  bool useCredentials = false;
-  if (mRequest->GetCredentialsMode() == RequestCredentials::Include ||
-      (mRequest->GetCredentialsMode() == RequestCredentials::Same_origin && !aCORSFlag &&
-       mRequest->GetResponseTainting() != InternalRequest::RESPONSETAINT_OPAQUE)) {
-    useCredentials = true;
-  }
 
   // This is effectivetly the opposite of the use credentials flag in "HTTP
   // network or cache fetch" in the spec and decides whether to transmit
   // cookies and other identifying information. LOAD_ANONYMOUS also prevents
   // new cookies sent by the server from being stored.  This value will
   // propagate across redirects, which is what we want.
-  const nsLoadFlags credentialsFlag = useCredentials ? 0 : nsIRequest::LOAD_ANONYMOUS;
+  const nsLoadFlags credentialsFlag =
+    (mRequest->GetCredentialsMode() == RequestCredentials::Omit ||
+    (mHasBeenCrossSite &&
+     mRequest->GetCredentialsMode() == RequestCredentials::Same_origin &&
+     mRequest->Mode() == RequestMode::No_cors)) ?
+    nsIRequest::LOAD_ANONYMOUS : 0;
 
   // Set skip serviceworker flag.
   // While the spec also gates on the client being a ServiceWorker, we can't
@@ -439,24 +219,56 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
   const nsLoadFlags bypassFlag = mRequest->SkipServiceWorker() ?
                                  nsIChannel::LOAD_BYPASS_SERVICE_WORKER : 0;
 
+  nsSecurityFlags secFlags;
+  if (mRequest->Mode() == RequestMode::Cors &&
+      mRequest->GetCredentialsMode() == RequestCredentials::Include) {
+    secFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS |
+               nsILoadInfo::SEC_REQUIRE_CORS_WITH_CREDENTIALS;
+  } else if (mRequest->Mode() == RequestMode::Cors) {
+    secFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS;
+  } else if (mRequest->Mode() == RequestMode::Same_origin) {
+    secFlags = nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS;
+  } else if (mRequest->Mode() == RequestMode::No_cors) {
+    secFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS;
+  } else {
+    MOZ_ASSERT_UNREACHABLE("Unexpected request mode!");
+    return NS_ERROR_UNEXPECTED;
+  }
+
   // From here on we create a channel and set its properties with the
   // information from the InternalRequest. This is an implementation detail.
   MOZ_ASSERT(mLoadGroup);
   nsCOMPtr<nsIChannel> chan;
-  rv = NS_NewChannel(getter_AddRefs(chan),
-                     uri,
-                     mPrincipal,
-                     nsILoadInfo::SEC_NORMAL,
-                     mRequest->ContentPolicyType(),
-                     mLoadGroup,
-                     nullptr, /* aCallbacks */
-                     nsIRequest::LOAD_NORMAL | credentialsFlag | bypassFlag,
-                     ios);
-  mLoadGroup = nullptr;
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    FailWithNetworkError();
-    return rv;
+
+  // For dedicated workers mDocument refers to the parent document of the
+  // worker (why do we do that?). In that case we don't want to use the
+  // document here since that is not the correct principal.
+  if (mDocument && mDocument->NodePrincipal() == mPrincipal) {
+    rv = NS_NewChannel(getter_AddRefs(chan),
+                       uri,
+                       mDocument,
+                       secFlags |
+                         nsILoadInfo::SEC_ABOUT_BLANK_INHERITS,
+                       mRequest->ContentPolicyType(),
+                       mLoadGroup,
+                       nullptr, /* aCallbacks */
+                       nsIRequest::LOAD_NORMAL | credentialsFlag | bypassFlag,
+                       ios);
+  } else {
+    rv = NS_NewChannel(getter_AddRefs(chan),
+                       uri,
+                       mPrincipal,
+                       secFlags |
+                         nsILoadInfo::SEC_ABOUT_BLANK_INHERITS,
+                       mRequest->ContentPolicyType(),
+                       mLoadGroup,
+                       nullptr, /* aCallbacks */
+                       nsIRequest::LOAD_NORMAL | credentialsFlag | bypassFlag,
+                       ios);
   }
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  mLoadGroup = nullptr;
 
   // Insert ourselves into the notification callbacks chain so we can handle
   // cross-origin redirects.
@@ -485,10 +297,7 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
     nsAutoCString method;
     mRequest->GetMethod(method);
     rv = httpChan->SetRequestMethod(method);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      FailWithNetworkError();
-      return rv;
-    }
+    NS_ENSURE_SUCCESS(rv, rv);
 
     // Set the same headers.
     nsAutoTArray<InternalHeaders::Entry, 5> headers;
@@ -508,14 +317,10 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
       rv = nsContentUtils::SetFetchReferrerURIWithPolicy(mPrincipal,
                                                          mDocument,
                                                          httpChan);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
+      NS_ENSURE_SUCCESS(rv, rv);
     } else if (referrer.IsEmpty()) {
       rv = httpChan->SetReferrerWithPolicy(nullptr, net::RP_No_Referrer);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
+      NS_ENSURE_SUCCESS(rv, rv);
     } else {
       // From "Determine request's Referrer" step 3
       // "If request's referrer is a URL, let referrerSource be request's
@@ -527,26 +332,21 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
       // someone tries to use FetchDriver for non-fetch() APIs?
       nsCOMPtr<nsIURI> referrerURI;
       rv = NS_NewURI(getter_AddRefs(referrerURI), referrer, nullptr, nullptr);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
+      NS_ENSURE_SUCCESS(rv, rv);
 
       rv =
         httpChan->SetReferrerWithPolicy(referrerURI,
                                         mDocument ? mDocument->GetReferrerPolicy() :
                                                     net::RP_Default);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
+      NS_ENSURE_SUCCESS(rv, rv);
     }
 
     // Step 3 "If HTTPRequest's force Origin header flag is set..."
     if (mRequest->ForceOriginHeader()) {
       nsAutoString origin;
       rv = nsContentUtils::GetUTFOrigin(mPrincipal, origin);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
+      NS_ENSURE_SUCCESS(rv, rv);
+
       httpChan->SetRequestHeader(NS_LITERAL_CSTRING("origin"),
                                  NS_ConvertUTF16toUTF8(origin),
                                  false /* merge */);
@@ -577,7 +377,7 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
     // This is an error because the Request constructor explicitly extracts and
     // sets a content-type per spec.
     if (result.Failed()) {
-      return FailWithNetworkError();
+      return result.StealNSResult();
     }
 
     nsCOMPtr<nsIInputStream> bodyStream;
@@ -586,77 +386,49 @@ FetchDriver::HttpFetch(bool aCORSFlag, bool aCORSPreflightFlag, bool aAuthentica
       nsAutoCString method;
       mRequest->GetMethod(method);
       rv = uploadChan->ExplicitSetUploadStream(bodyStream, contentType, -1, method, false /* aStreamHasHeaders */);
-      if (NS_WARN_IF(NS_FAILED(rv))) {
-        return FailWithNetworkError();
-      }
+      NS_ENSURE_SUCCESS(rv, rv);
     }
   }
 
-  nsCOMPtr<nsIStreamListener> listener = this;
-
-  MOZ_ASSERT_IF(aCORSFlag, mRequest->Mode() == RequestMode::Cors);
-
-  // Only use nsCORSListenerProxy if we are in CORS mode.  Otherwise it
-  // will overwrite the CorsMode flag unconditionally to "cors" or
-  // "cors-with-forced-preflight".
-  if (mRequest->Mode() == RequestMode::Cors) {
-    // Passing false for the credentials flag to nsCORSListenerProxy is semantically
-    // the same as the "same-origin" RequestCredentials value.  We implement further
-    // blocking of credentials for "omit" by setting LOAD_ANONYMOUS manually above.
-    bool corsCredentials =
-      mRequest->GetCredentialsMode() == RequestCredentials::Include;
-
-    // Set up a CORS proxy that will handle the various requirements of the CORS
-    // protocol. It handles the preflight cache and CORS response headers.
-    // If the request is allowed, it will start our original request
-    // and our observer will be notified. On failure, our observer is notified
-    // directly.
-    RefPtr<nsCORSListenerProxy> corsListener =
-      new nsCORSListenerProxy(this, mPrincipal, corsCredentials);
-    rv = corsListener->Init(chan, DataURIHandling::Allow);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return FailWithNetworkError();
-    }
-    listener = corsListener.forget();
-  }
-
   // If preflight is required, start a "CORS preflight fetch"
   // https://fetch.spec.whatwg.org/#cors-preflight-fetch-0. All the
-  // implementation is handled by NS_StartCORSPreflight, we just set up the
-  // unsafeHeaders so they can be verified against the response's
-  // "Access-Control-Allow-Headers" header.
-  if (aCORSPreflightFlag) {
-    MOZ_ASSERT(mRequest->Mode() != RequestMode::No_cors,
-               "FetchDriver::ContinueFetch() should ensure that the request is not no-cors");
-    MOZ_ASSERT(httpChan, "CORS preflight can only be used with HTTP channels");
+  // implementation is handled by the http channel calling into
+  // nsCORSListenerProxy. We just inform it which unsafe headers are included
+  // in the request.
+  if (IsUnsafeRequest()) {
+    if (mRequest->Mode() == RequestMode::No_cors) {
+      return NS_ERROR_DOM_BAD_URI;
+    }
+
+    mRequest->SetRedirectMode(RequestRedirect::Error);
+
     nsAutoTArray<nsCString, 5> unsafeHeaders;
     mRequest->Headers()->GetUnsafeHeaders(unsafeHeaders);
 
     nsCOMPtr<nsIHttpChannelInternal> internalChan = do_QueryInterface(httpChan);
-    rv = internalChan->SetCorsPreflightParameters(unsafeHeaders, useCredentials, mPrincipal);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return FailWithNetworkError();
-    }
+    NS_ENSURE_TRUE(internalChan, NS_ERROR_DOM_BAD_URI);
+
+    rv = internalChan->SetCorsPreflightParameters(
+      unsafeHeaders,
+      mRequest->GetCredentialsMode() == RequestCredentials::Include,
+      mPrincipal);
+    NS_ENSURE_SUCCESS(rv, rv);
   }
 
-  rv = chan->AsyncOpen(listener, nullptr);
-
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return FailWithNetworkError();
-  }
+  rv = chan->AsyncOpen2(this);
+  NS_ENSURE_SUCCESS(rv, rv);
 
   // Step 4 onwards of "HTTP Fetch" is handled internally by Necko.
   return NS_OK;
 }
 
-nsresult
-FetchDriver::ContinueHttpFetchAfterNetworkFetch()
+bool
+FetchDriver::IsUnsafeRequest()
 {
-  workers::AssertIsOnMainThread();
-  MOZ_ASSERT(mResponse);
-  MOZ_ASSERT(!mResponse->IsError());
-
-  return SucceedWithResponse();
+  return mHasBeenCrossSite &&
+         (mRequest->UnsafeRequest() &&
+          (!mRequest->HasSimpleMethod() ||
+           !mRequest->Headers()->HasOnlySimpleHeaders()));
 }
 
 already_AddRefed<InternalResponse>
@@ -699,24 +471,6 @@ FetchDriver::BeginAndGetFilteredResponse(InternalResponse* aResponse, nsIURI* aF
   return filteredResponse.forget();
 }
 
-void
-FetchDriver::BeginResponse(InternalResponse* aResponse)
-{
-  RefPtr<InternalResponse> r = BeginAndGetFilteredResponse(aResponse, nullptr);
-  // Release the ref.
-}
-
-nsresult
-FetchDriver::SucceedWithResponse()
-{
-  workers::AssertIsOnMainThread();
-  if (mObserver) {
-    mObserver->OnResponseEnd();
-    mObserver = nullptr;
-  }
-  return NS_OK;
-}
-
 nsresult
 FetchDriver::FailWithNetworkError()
 {
@@ -785,7 +539,10 @@ FetchDriver::OnStartRequest(nsIRequest* aRequest,
   MOZ_ASSERT(mObserver);
 
   RefPtr<InternalResponse> response;
+  nsCOMPtr<nsIChannel> channel = do_QueryInterface(aRequest);
   nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aRequest);
+  nsCOMPtr<nsIJARChannel> jarChannel = do_QueryInterface(aRequest);
+
   if (httpChannel) {
     uint32_t responseStatus;
     httpChannel->GetResponseStatus(&responseStatus);
@@ -800,11 +557,7 @@ FetchDriver::OnStartRequest(nsIRequest* aRequest,
     if (NS_WARN_IF(NS_FAILED(rv))) {
       NS_WARNING("Failed to visit all headers.");
     }
-  } else {
-    nsCOMPtr<nsIJARChannel> jarChannel = do_QueryInterface(aRequest);
-    // If it is not an http channel, it has to be a jar one.
-    MOZ_ASSERT(jarChannel);
-
+  } else if (jarChannel) {
     // We simulate the http protocol for jar/app requests
     uint32_t responseStatus = 200;
     nsAutoCString statusText;
@@ -816,6 +569,35 @@ FetchDriver::OnStartRequest(nsIRequest* aRequest,
                                 contentType,
                                 result);
     MOZ_ASSERT(!result.Failed());
+  } else {
+    response = new InternalResponse(200, NS_LITERAL_CSTRING("OK"));
+
+    ErrorResult result;
+    nsAutoCString contentType;
+    rv = channel->GetContentType(contentType);
+    if (NS_SUCCEEDED(rv) && !contentType.IsEmpty()) {
+      nsAutoCString contentCharset;
+      channel->GetContentCharset(contentCharset);
+      if (NS_SUCCEEDED(rv) && !contentCharset.IsEmpty()) {
+        contentType += NS_LITERAL_CSTRING(";charset=") + contentCharset;
+      }
+
+      response->Headers()->Append(NS_LITERAL_CSTRING("Content-Type"),
+                                  contentType,
+                                  result);
+      MOZ_ASSERT(!result.Failed());
+    }
+
+    int64_t contentLength;
+    rv = channel->GetContentLength(&contentLength);
+    if (NS_SUCCEEDED(rv) && contentLength) {
+      nsAutoCString contentLenStr;
+      contentLenStr.AppendInt(contentLength);
+      response->Headers()->Append(NS_LITERAL_CSTRING("Content-Length"),
+                                  contentLenStr,
+                                  result);
+      MOZ_ASSERT(!result.Failed());
+    }
   }
 
   // We open a pipe so that we can immediately set the pipe's read end as the
@@ -838,7 +620,6 @@ FetchDriver::OnStartRequest(nsIRequest* aRequest,
   }
   response->SetBody(pipeInputStream);
 
-  nsCOMPtr<nsIChannel> channel = do_QueryInterface(aRequest);
   response->InitChannelInfo(channel);
 
   nsCOMPtr<nsIURI> channelURI;
@@ -899,17 +680,23 @@ FetchDriver::OnStopRequest(nsIRequest* aRequest,
     if (outputStream) {
       outputStream->CloseWithStatus(NS_BINDING_FAILED);
     }
+
     // We proceed as usual here, since we've already created a successful response
     // from OnStartRequest.
-    SucceedWithResponse();
-    return aStatusCode;
+  } else {
+    MOZ_ASSERT(mResponse);
+    MOZ_ASSERT(!mResponse->IsError());
+
+    if (mPipeOutputStream) {
+      mPipeOutputStream->Close();
+    }
   }
 
-  if (mPipeOutputStream) {
-    mPipeOutputStream->Close();
+  if (mObserver) {
+    mObserver->OnResponseEnd();
+    mObserver = nullptr;
   }
 
-  ContinueHttpFetchAfterNetworkFetch();
   return NS_OK;
 }
 
@@ -922,6 +709,12 @@ FetchDriver::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
 {
   NS_PRECONDITION(aNewChannel, "Redirect without a channel?");
 
+  if (NS_IsInternalSameURIRedirect(aOldChannel, aNewChannel, aFlags) ||
+      NS_IsHSTSUpgradeRedirect(aOldChannel, aNewChannel, aFlags)) {
+    aCallback->OnRedirectVerifyCallback(NS_OK);
+    return NS_OK;
+  }
+
   // HTTP Fetch step 5, "redirect status", step 1
   if (NS_WARN_IF(mRequest->GetRedirectMode() == RequestRedirect::Error)) {
     aOldChannel->Cancel(NS_BINDING_FAILED);
@@ -936,10 +729,8 @@ FetchDriver::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
   // count are done by Necko.  The pref used is "network.http.redirection-limit"
   // which is set to 20 by default.
 
-  // HTTP Fetch Step 9, "redirect status". We only unset this for spec
-  // compatibility. Any actions we take on mRequest here do not affect what the
-  //channel does.
-  mRequest->UnsetSameOriginDataURL();
+  // HTTP Fetch Step 9, "redirect status". This is enforced by the
+  // nsCORSListenerProxy. It forbids redirecting to data:
 
   // HTTP Fetch step 5, "redirect status", step 10 requires us to halt the
   // redirect, but successfully return an opaqueredirect Response to the
@@ -994,63 +785,68 @@ FetchDriver::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
   mRequest->SetURL(newUrl);
 
   // Implement Main Fetch step 8 again on redirect.
-  MainFetchOp nextOp = SetTaintingAndGetNextOp(mCORSFlagEverSet);
-
-  if (nextOp.mType == NETWORK_ERROR) {
-    // Cancel the channel if Main Fetch blocks the redirect from continuing.
-    aOldChannel->Cancel(NS_ERROR_DOM_BAD_URI);
-    return NS_ERROR_DOM_BAD_URI;
-  }
-
-  // Otherwise, we rely on necko and the CORS proxy to do the right thing
-  // as the redirect is followed.  In general this means basic or http
-  // fetch.  If we've ever been CORS, we need to stay CORS.
-  MOZ_ASSERT(nextOp.mType == BASIC_FETCH || nextOp.mType == HTTP_FETCH);
-  MOZ_ASSERT_IF(mCORSFlagEverSet, nextOp.mType == HTTP_FETCH);
-  MOZ_ASSERT_IF(mCORSFlagEverSet, nextOp.mCORSFlag);
-
-  // Examine and possibly set the LOAD_ANONYMOUS flag on the channel.
-  nsLoadFlags flags;
-  rv = aNewChannel->GetLoadFlags(&flags);
+  rv = SetTainting();
   if (NS_FAILED(rv)) {
     aOldChannel->Cancel(rv);
     return rv;
   }
 
-  if (mRequest->GetCredentialsMode() == RequestCredentials::Same_origin &&
-      mRequest->GetResponseTainting() == InternalRequest::RESPONSETAINT_OPAQUE) {
+  // Requests that require preflight are not permitted to redirect.
+  // Fetch spec section 4.2 "HTTP Fetch", step 4.9 just uses the manual
+  // redirect flag to decide whether to execute step 4.10 or not. We do not
+  // represent it in our implementation.
+  // The only thing we do is to check if the request requires a preflight (part
+  // of step 4.9), in which case we abort. This part cannot be done by
+  // nsCORSListenerProxy since it does not have access to mRequest.
+  // which case. Step 4.10.3 is handled by OnRedirectVerifyCallback(), and all
+  // the other steps are handled by nsCORSListenerProxy.
+
+  if (IsUnsafeRequest()) {
+    // We can't handle redirects that require preflight yet.
+    // This is especially true for no-cors requests, which much always be
+    // blocked if they require preflight.
+
+    // Simply fire an error here.
+    aOldChannel->Cancel(NS_BINDING_FAILED);
+    return NS_BINDING_FAILED;
+  }
+
+  // Otherwise, we rely on necko and the CORS proxy to do the right thing
+  // as the redirect is followed.  In general this means http
+  // fetch.  If we've ever been CORS, we need to stay CORS.
+
+  // Possibly set the LOAD_ANONYMOUS flag on the channel.
+  if (mHasBeenCrossSite &&
+      mRequest->GetCredentialsMode() == RequestCredentials::Same_origin &&
+      mRequest->Mode() == RequestMode::No_cors) {
     // In the case of a "no-cors" mode request with "same-origin" credentials,
     // we have to set LOAD_ANONYMOUS manually here in order to avoid sending
     // credentials on a cross-origin redirect.
-    flags |= nsIRequest::LOAD_ANONYMOUS;
-    rv = aNewChannel->SetLoadFlags(flags);
+    nsLoadFlags flags;
+    rv = aNewChannel->GetLoadFlags(&flags);
+    if (NS_SUCCEEDED(rv)) {
+      flags |= nsIRequest::LOAD_ANONYMOUS;
+      rv = aNewChannel->SetLoadFlags(flags);
+    }
     if (NS_FAILED(rv)) {
       aOldChannel->Cancel(rv);
       return rv;
     }
-
-  } else if (mRequest->GetCredentialsMode() == RequestCredentials::Omit) {
-    // Make sure nothing in the redirect chain screws up our credentials
-    // settings.  LOAD_ANONYMOUS must be set if we RequestCredentials is "omit".
-    MOZ_ASSERT(flags & nsIRequest::LOAD_ANONYMOUS);
-
-  } else if (mRequest->GetCredentialsMode() == RequestCredentials::Same_origin &&
-             nextOp.mCORSFlag) {
-    // We also want to verify the LOAD_ANONYMOUS flag is set when we are in
-    // "same-origin" credentials mode and the CORS flag is set.  We can't
-    // unconditionally assert here, however, because the nsCORSListenerProxy
-    // will set the flag later in the redirect callback chain.  Instead,
-    // perform a weaker assertion here by checking if CORS flag was set
-    // before this redirect.  In that case LOAD_ANONYMOUS must still be set.
-    MOZ_ASSERT_IF(mCORSFlagEverSet, flags & nsIRequest::LOAD_ANONYMOUS);
-
-  } else {
-    // Otherwise, we should be sending credentials
-    MOZ_ASSERT(!(flags & nsIRequest::LOAD_ANONYMOUS));
   }
-
-  // Track the CORSFlag through redirects.
-  mCORSFlagEverSet = mCORSFlagEverSet || nextOp.mCORSFlag;
+#ifdef DEBUG
+  {
+    // Make sure nothing in the redirect chain screws up our credentials
+    // settings. LOAD_ANONYMOUS must be set if we RequestCredentials is "omit"
+    // or "same-origin".
+    nsLoadFlags flags;
+    aNewChannel->GetLoadFlags(&flags);
+    bool shouldBeAnon =
+      mRequest->GetCredentialsMode() == RequestCredentials::Omit ||
+      (mHasBeenCrossSite &&
+       mRequest->GetCredentialsMode() == RequestCredentials::Same_origin);
+    MOZ_ASSERT(!!(flags & nsIRequest::LOAD_ANONYMOUS) == shouldBeAnon);
+  }
+#endif
 
   aCallback->OnRedirectVerifyCallback(NS_OK);
 
@@ -1063,33 +859,6 @@ FetchDriver::CheckListenerChain()
   return NS_OK;
 }
 
-// Returns NS_OK if no preflight is required, error otherwise.
-nsresult
-FetchDriver::DoesNotRequirePreflight(nsIChannel* aChannel)
-{
-  // If this is a same-origin request or the channel's URI inherits
-  // its principal, it's allowed.
-  if (nsContentUtils::CheckMayLoad(mPrincipal, aChannel, true)) {
-    return NS_OK;
-  }
-
-  // Check if we need to do a preflight request.
-  nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
-  NS_ENSURE_TRUE(httpChannel, NS_ERROR_DOM_BAD_URI);
-
-  nsAutoCString method;
-  httpChannel->GetRequestMethod(method);
-  if (mRequest->Mode() == RequestMode::Cors_with_forced_preflight ||
-      !mRequest->Headers()->HasOnlySimpleHeaders() ||
-      (!method.LowerCaseEqualsLiteral("get") &&
-       !method.LowerCaseEqualsLiteral("post") &&
-       !method.LowerCaseEqualsLiteral("head"))) {
-    return NS_ERROR_DOM_BAD_URI;
-  }
-
-  return NS_OK;
-}
-
 NS_IMETHODIMP
 FetchDriver::GetInterface(const nsIID& aIID, void **aResult)
 {
@@ -1117,7 +886,7 @@ void
 FetchDriver::SetDocument(nsIDocument* aDocument)
 {
   // Cannot set document after Fetch() has been called.
-  MOZ_ASSERT(mFetchRecursionCount == 0);
+  MOZ_ASSERT(!mFetchCalled);
   mDocument = aDocument;
 }
 
diff --git a/dom/fetch/FetchDriver.h b/dom/fetch/FetchDriver.h
index 270b2c056e53..72c864b3a52d 100644
--- a/dom/fetch/FetchDriver.h
+++ b/dom/fetch/FetchDriver.h
@@ -82,53 +82,27 @@ private:
   nsCOMPtr<nsIOutputStream> mPipeOutputStream;
   RefPtr<FetchDriverObserver> mObserver;
   nsCOMPtr<nsIDocument> mDocument;
-  uint32_t mFetchRecursionCount;
-  bool mCORSFlagEverSet;
+  bool mHasBeenCrossSite;
 
   DebugOnly<bool> mResponseAvailableCalled;
+  DebugOnly<bool> mFetchCalled;
 
   FetchDriver() = delete;
   FetchDriver(const FetchDriver&) = delete;
   FetchDriver& operator=(const FetchDriver&) = delete;
   ~FetchDriver();
 
-  enum MainFetchOpType
-  {
-    NETWORK_ERROR,
-    BASIC_FETCH,
-    HTTP_FETCH,
-    NUM_MAIN_FETCH_OPS
-  };
-
-  struct MainFetchOp
-  {
-    explicit MainFetchOp(MainFetchOpType aType, bool aCORSFlag = false,
-                         bool aCORSPreflightFlag = false)
-      : mType(aType), mCORSFlag(aCORSFlag),
-        mCORSPreflightFlag(aCORSPreflightFlag)
-    { }
-
-    MainFetchOpType mType;
-    bool mCORSFlag;
-    bool mCORSPreflightFlag;
-  };
-
-  nsresult Fetch(bool aCORSFlag);
-  MainFetchOp SetTaintingAndGetNextOp(bool aCORSFlag);
-  nsresult ContinueFetch(bool aCORSFlag);
-  nsresult BasicFetch();
-  nsresult HttpFetch(bool aCORSFlag = false, bool aCORSPreflightFlag = false, bool aAuthenticationFlag = false);
-  nsresult ContinueHttpFetchAfterNetworkFetch();
+  nsresult SetTainting();
+  nsresult ContinueFetch();
+  nsresult HttpFetch();
+  bool IsUnsafeRequest();
   // Returns the filtered response sent to the observer.
   // Callers who don't have access to a channel can pass null for aFinalURI.
   already_AddRefed<InternalResponse>
   BeginAndGetFilteredResponse(InternalResponse* aResponse, nsIURI* aFinalURI);
   // Utility since not all cases need to do any post processing of the filtered
   // response.
-  void BeginResponse(InternalResponse* aResponse);
   nsresult FailWithNetworkError();
-  nsresult SucceedWithResponse();
-  nsresult DoesNotRequirePreflight(nsIChannel* aChannel);
 };
 
 } // namespace dom
diff --git a/dom/fetch/Request.cpp b/dom/fetch/Request.cpp
index ae53d165dee2..d5fe048b7fa6 100644
--- a/dom/fetch/Request.cpp
+++ b/dom/fetch/Request.cpp
@@ -260,16 +260,6 @@ Request::Constructor(const GlobalObject& aGlobal,
     fallbackCache = RequestCache::Default;
   }
 
-  // CORS-with-forced-preflight is not publicly exposed and should not be
-  // considered a valid value.
-  if (aInit.mMode.WasPassed() &&
-      aInit.mMode.Value() == RequestMode::Cors_with_forced_preflight) {
-    NS_NAMED_LITERAL_STRING(sourceDescription, "'mode' member of RequestInit");
-    NS_NAMED_LITERAL_STRING(value, "cors-with-forced-preflight");
-    NS_NAMED_LITERAL_STRING(type, "RequestMode");
-    aRv.ThrowTypeError<MSG_INVALID_ENUM_VALUE>(&sourceDescription, &value, &type);
-    return nullptr;
-  }
   RequestMode mode = aInit.mMode.WasPassed() ? aInit.mMode.Value() : fallbackMode;
   RequestCredentials credentials =
     aInit.mCredentials.WasPassed() ? aInit.mCredentials.Value()
diff --git a/dom/fetch/Request.h b/dom/fetch/Request.h
index fefd47fa0bf4..b3a5fa279eb0 100644
--- a/dom/fetch/Request.h
+++ b/dom/fetch/Request.h
@@ -58,9 +58,6 @@ public:
   RequestMode
   Mode() const
   {
-    if (mRequest->mMode == RequestMode::Cors_with_forced_preflight) {
-      return RequestMode::Cors;
-    }
     return mRequest->mMode;
   }
 
diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
index 244f18399ad4..4ea42ca3b9cb 100644
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -2221,13 +2221,22 @@ HTMLMediaElement::ResetConnectionState()
 
 void
 HTMLMediaElement::Play(ErrorResult& aRv)
+{
+  nsresult rv = PlayInternal(nsContentUtils::IsCallerChrome());
+  if (NS_FAILED(rv)) {
+    aRv.Throw(rv);
+  }
+}
+
+nsresult
+HTMLMediaElement::PlayInternal(bool aCallerIsChrome)
 {
   // Prevent media element from being auto-started by a script when
   // media.autoplay.enabled=false
   if (!mHasUserInteraction
       && !IsAutoplayEnabled()
       && !EventStateManager::IsHandlingUserInput()
-      && !nsContentUtils::IsCallerChrome()) {
+      && !aCallerIsChrome) {
     LOG(LogLevel::Debug, ("%p Blocked attempt to autoplay media.", this));
 #if defined(MOZ_WIDGET_ANDROID)
     nsContentUtils::DispatchTrustedEvent(OwnerDoc(),
@@ -2236,7 +2245,7 @@ HTMLMediaElement::Play(ErrorResult& aRv)
                                          false,
                                          false);
 #endif
-    return;
+    return NS_OK;
   }
 
   // Play was not blocked so assume user interacted with the element.
@@ -2257,7 +2266,7 @@ HTMLMediaElement::Play(ErrorResult& aRv)
       OwnerDoc()->Hidden()) {
     LOG(LogLevel::Debug, ("%p Blocked playback because owner hidden.", this));
     mPlayBlockedBecauseHidden = true;
-    return;
+    return NS_OK;
   }
 
   // Even if we just did Load() or ResumeLoad(), we could already have a decoder
@@ -2267,9 +2276,9 @@ HTMLMediaElement::Play(ErrorResult& aRv)
       SetCurrentTime(0);
     }
     if (!mPausedForInactiveDocumentOrChannel) {
-      aRv = mDecoder->Play();
-      if (aRv.Failed()) {
-        return;
+      nsresult rv = mDecoder->Play();
+      if (NS_FAILED(rv)) {
+        return rv;
       }
     }
   }
@@ -2305,13 +2314,13 @@ HTMLMediaElement::Play(ErrorResult& aRv)
   AddRemoveSelfReference();
   UpdatePreloadAction();
   UpdateSrcMediaStreamPlaying();
+
+  return NS_OK;
 }
 
 NS_IMETHODIMP HTMLMediaElement::Play()
 {
-  ErrorResult rv;
-  Play(rv);
-  return rv.StealNSResult();
+  return PlayInternal(/* aCallerIsChrome = */ true);
 }
 
 HTMLMediaElement::WakeLockBoolWrapper&
diff --git a/dom/html/HTMLMediaElement.h b/dom/html/HTMLMediaElement.h
index 952abeb8d55b..544331fbed09 100644
--- a/dom/html/HTMLMediaElement.h
+++ b/dom/html/HTMLMediaElement.h
@@ -711,6 +711,8 @@ protected:
     nsCOMPtr<nsITimer> mTimer;
   };
 
+  nsresult PlayInternal(bool aCallerIsChrome);
+
   /** Use this method to change the mReadyState member, so required
    * events can be fired.
    */
diff --git a/dom/imptests/failures/html/dom/test_historical.html.json b/dom/imptests/failures/html/dom/test_historical.html.json
index 24c11e708e1a..42e78b23d509 100644
--- a/dom/imptests/failures/html/dom/test_historical.html.json
+++ b/dom/imptests/failures/html/dom/test_historical.html.json
@@ -6,6 +6,5 @@
   "Historical DOM features must be removed: getAttributeNode": true,
   "Historical DOM features must be removed: getAttributeNodeNS": true,
   "Historical DOM features must be removed: setAttributeNode": true,
-  "Historical DOM features must be removed: removeAttributeNode": true,
-  "DocumentType member must be nuked: internalSubset": true
+  "Historical DOM features must be removed: removeAttributeNode": true
 }
diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp
index 39b4f19f4ce9..fc09609b4aff 100644
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@@ -486,7 +486,7 @@ TabParent::ShouldSwitchProcess(nsIChannel* aChannel)
   nsCOMPtr<nsIURI> uri;
   aChannel->GetURI(getter_AddRefs(uri));
   LogChannelRelevantInfo(uri, loadingPrincipal, resultPrincipal,
-                         loadInfo->GetContentPolicyType());
+                         loadInfo->InternalContentPolicyType());
 
   // Check if the signed package is loaded from the same origin.
   bool sameOrigin = false;
@@ -497,7 +497,7 @@ TabParent::ShouldSwitchProcess(nsIChannel* aChannel)
   }
 
   // If this is not a top level document, there's no need to switch process.
-  if (nsIContentPolicy::TYPE_DOCUMENT != loadInfo->GetContentPolicyType()) {
+  if (nsIContentPolicy::TYPE_DOCUMENT != loadInfo->InternalContentPolicyType()) {
     LOG("Subresource of a document. No need to switch process.\n");
     return false;
   }
diff --git a/dom/media/MediaDecoder.cpp b/dom/media/MediaDecoder.cpp
index 01621e1acea2..3eb81973b954 100644
--- a/dom/media/MediaDecoder.cpp
+++ b/dom/media/MediaDecoder.cpp
@@ -141,8 +141,7 @@ MediaDecoder::NotifyOwnerActivityChanged()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
-  if (!mOwner) {
-    NS_WARNING("MediaDecoder without a decoder owner, can't update dormant");
+  if (mShuttingDown) {
     return;
   }
 
@@ -170,7 +169,8 @@ MediaDecoder::UpdateDormantState(bool aDormantTimeout, bool aActivity)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
-  if (!mDecoderStateMachine ||
+  if (mShuttingDown ||
+      !mDecoderStateMachine ||
       mPlayState == PLAY_STATE_SHUTDOWN ||
       !mOwner->GetVideoFrameContainer() ||
       (mOwner->GetMediaElement() && mOwner->GetMediaElement()->IsBeingDestroyed()) ||
@@ -256,7 +256,6 @@ MediaDecoder::StartDormantTimer()
 
   if (mIsHeuristicDormant ||
       mShuttingDown ||
-      !mOwner ||
       !mOwner->IsHidden() ||
       (mPlayState != PLAY_STATE_PAUSED &&
        !IsEnded()))
@@ -478,8 +477,6 @@ MediaDecoder::Shutdown()
 
   ChangeState(PLAY_STATE_SHUTDOWN);
 
-  mOwner = nullptr;
-
   MediaShutdownManager::Instance().Unregister(this);
 }
 
@@ -599,12 +596,8 @@ MediaDecoder::Seek(double aTime, SeekTarget::Type aSeekType)
   CallSeek(target);
 
   if (mPlayState == PLAY_STATE_ENDED) {
-    bool paused = false;
-    if (mOwner) {
-      paused = mOwner->GetPaused();
-    }
     PinForSeek();
-    ChangeState(paused ? PLAY_STATE_PAUSED : PLAY_STATE_PLAYING);
+    ChangeState(mOwner->GetPaused() ? PLAY_STATE_PAUSED : PLAY_STATE_PLAYING);
   }
   return NS_OK;
 }
@@ -664,14 +657,12 @@ MediaDecoder::MetadataLoaded(nsAutoPtr<MediaInfo> aInfo,
   mInfo = aInfo.forget();
   ConstructMediaTracks();
 
-  if (mOwner) {
-    // Make sure the element and the frame (if any) are told about
-    // our new size.
-    Invalidate();
-    if (aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
-      mFiredMetadataLoaded = true;
-      mOwner->MetadataLoaded(mInfo, nsAutoPtr<const MetadataTags>(aTags.forget()));
-    }
+  // Make sure the element and the frame (if any) are told about
+  // our new size.
+  Invalidate();
+  if (aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
+    mFiredMetadataLoaded = true;
+    mOwner->MetadataLoaded(mInfo, nsAutoPtr<const MetadataTags>(aTags.forget()));
   }
 }
 
@@ -706,11 +697,9 @@ MediaDecoder::FirstFrameLoaded(nsAutoPtr<MediaInfo> aInfo,
 
   mInfo = aInfo.forget();
 
-  if (mOwner) {
-    Invalidate();
-    if (aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
-      mOwner->FirstFrameLoaded();
-    }
+  Invalidate();
+  if (aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
+    mOwner->FirstFrameLoaded();
   }
 
   // This can run cache callbacks.
@@ -736,10 +725,8 @@ MediaDecoder::ResetConnectionState()
   if (mShuttingDown)
     return;
 
-  if (mOwner) {
-    // Notify the media element that connection gets lost.
-    mOwner->ResetConnectionState();
-  }
+  // Notify the media element that connection gets lost.
+  mOwner->ResetConnectionState();
 
   // Since we have notified the media element the connection
   // lost event, the decoder will be reloaded when user tries
@@ -754,9 +741,7 @@ MediaDecoder::NetworkError()
   if (mShuttingDown)
     return;
 
-  if (mOwner)
-    mOwner->NetworkError();
-
+  mOwner->NetworkError();
   Shutdown();
 }
 
@@ -767,9 +752,7 @@ MediaDecoder::DecodeError()
   if (mShuttingDown)
     return;
 
-  if (mOwner)
-    mOwner->DecodeError();
-
+  mOwner->DecodeError();
   Shutdown();
 }
 
@@ -815,10 +798,7 @@ MediaDecoder::PlaybackEnded()
 
   ChangeState(PLAY_STATE_ENDED);
   InvalidateWithFlags(VideoFrameContainer::INVALIDATE_FORCE);
-
-  if (mOwner)  {
-    mOwner->PlaybackEnded();
-  }
+  mOwner->PlaybackEnded();
 
   // This must be called after |mOwner->PlaybackEnded()| call above, in order
   // to fire the required durationchange.
@@ -887,7 +867,10 @@ void
 MediaDecoder::NotifySuspendedStatusChanged()
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (mResource && mOwner) {
+  if (mShuttingDown) {
+    return;
+  }
+  if (mResource) {
     bool suspended = mResource->IsSuspendedByCache();
     mOwner->NotifySuspendedByCache(suspended);
   }
@@ -897,10 +880,11 @@ void
 MediaDecoder::NotifyBytesDownloaded()
 {
   MOZ_ASSERT(NS_IsMainThread());
-  UpdatePlaybackRate();
-  if (mOwner) {
-    mOwner->DownloadProgressed();
+  if (mShuttingDown) {
+    return;
   }
+  UpdatePlaybackRate();
+  mOwner->DownloadProgressed();
 }
 
 void
@@ -908,13 +892,15 @@ MediaDecoder::NotifyDownloadEnded(nsresult aStatus)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
+  if (mShuttingDown) {
+    return;
+  }
+
   DECODER_LOG("NotifyDownloadEnded, status=%x", aStatus);
 
   if (aStatus == NS_BINDING_ABORTED) {
     // Download has been cancelled by user.
-    if (mOwner) {
-      mOwner->LoadAborted();
-    }
+    mOwner->LoadAborted();
     return;
   }
 
@@ -934,9 +920,10 @@ void
 MediaDecoder::NotifyPrincipalChanged()
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (mOwner) {
-    mOwner->NotifyDecoderPrincipalChanged();
+  if (mShuttingDown) {
+    return;
   }
+  mOwner->NotifyDecoderPrincipalChanged();
 }
 
 void
@@ -978,12 +965,10 @@ MediaDecoder::OnSeekResolved(SeekResolveValue aVal)
 
   UpdateLogicalPosition(aVal.mEventVisibility);
 
-  if (mOwner) {
-    if (aVal.mEventVisibility != MediaDecoderEventVisibility::Suppressed) {
-      mOwner->SeekCompleted();
-      if (fireEnded) {
-        mOwner->PlaybackEnded();
-      }
+  if (aVal.mEventVisibility != MediaDecoderEventVisibility::Suppressed) {
+    mOwner->SeekCompleted();
+    if (fireEnded) {
+      mOwner->PlaybackEnded();
     }
   }
 }
@@ -995,10 +980,8 @@ MediaDecoder::SeekingStarted(MediaDecoderEventVisibility aEventVisibility)
   if (mShuttingDown)
     return;
 
-  if (mOwner) {
-    if (aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
-      mOwner->SeekStarted();
-    }
+  if (aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
+    mOwner->SeekStarted();
   }
 }
 
@@ -1052,7 +1035,7 @@ MediaDecoder::UpdateLogicalPosition(MediaDecoderEventVisibility aEventVisibility
   // frame has reflowed and the size updated beforehand.
   Invalidate();
 
-  if (mOwner && logicalPositionChanged &&
+  if (logicalPositionChanged &&
       aEventVisibility != MediaDecoderEventVisibility::Suppressed) {
     FireTimeUpdate();
   }
@@ -1063,6 +1046,10 @@ MediaDecoder::DurationChanged()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
+  if (mShuttingDown) {
+    return;
+  }
+
   double oldDuration = mDuration;
   if (IsInfinite()) {
     mDuration = std::numeric_limits<double>::infinity();
@@ -1083,7 +1070,7 @@ MediaDecoder::DurationChanged()
 
   // See https://www.w3.org/Bugs/Public/show_bug.cgi?id=28822 for a discussion
   // of whether we should fire durationchange on explicit infinity.
-  if (mOwner && mFiredMetadataLoaded &&
+  if (mFiredMetadataLoaded &&
       (!mozilla::IsInfinite<double>(mDuration) || mExplicitDuration.Ref().isSome())) {
     mOwner->DispatchAsyncEvent(NS_LITERAL_STRING("durationchange"));
   }
@@ -1215,7 +1202,7 @@ MediaDecoder::SetPlaybackRate(double aPlaybackRate)
     mPausedForPlaybackRateNull = false;
     // If the playbackRate is no longer null, restart the playback, iff the
     // media was playing.
-    if (mOwner && !mOwner->GetPaused()) {
+    if (!mOwner->GetPaused()) {
       Play();
     }
   }
@@ -1346,8 +1333,9 @@ void
 MediaDecoder::FireTimeUpdate()
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (!mOwner)
+  if (mShuttingDown) {
     return;
+  }
   mOwner->FireTimeUpdate(true);
 }
 
@@ -1571,11 +1559,7 @@ MediaDecoder::ConstructMediaTracks()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
-  if (mMediaTracksConstructed) {
-    return;
-  }
-
-  if (!mOwner || !mInfo) {
+  if (mShuttingDown || mMediaTracksConstructed || !mInfo) {
     return;
   }
 
@@ -1611,7 +1595,7 @@ MediaDecoder::RemoveMediaTracks()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
-  if (!mOwner) {
+  if (mShuttingDown) {
     return;
   }
 
diff --git a/dom/media/MediaDecoder.h b/dom/media/MediaDecoder.h
index 0da41a37636e..316f20a88fa0 100644
--- a/dom/media/MediaDecoder.h
+++ b/dom/media/MediaDecoder.h
@@ -750,7 +750,8 @@ private:
 
   void UpdateReadyState()
   {
-    if (mOwner) {
+    MOZ_ASSERT(NS_IsMainThread());
+    if (!mShuttingDown) {
       mOwner->UpdateReadyState();
     }
   }
@@ -868,7 +869,7 @@ protected:
   // This should only ever be accessed from the main thread.
   // It is set in Init and cleared in Shutdown when the element goes away.
   // The decoder does not add a reference the element.
-  MediaDecoderOwner* mOwner;
+  MediaDecoderOwner* const mOwner;
 
   // Counters related to decode and presentation of frames.
   FrameStatistics mFrameStats;
diff --git a/dom/media/MediaDecoderReader.cpp b/dom/media/MediaDecoderReader.cpp
index 5cc3ac875e17..c674f3b9fe95 100644
--- a/dom/media/MediaDecoderReader.cpp
+++ b/dom/media/MediaDecoderReader.cpp
@@ -104,7 +104,6 @@ MediaDecoderReader::InitializationTask()
 MediaDecoderReader::~MediaDecoderReader()
 {
   MOZ_ASSERT(mShutdown);
-  ResetDecode();
   MOZ_COUNT_DTOR(MediaDecoderReader);
 }
 
@@ -250,12 +249,12 @@ MediaDecoderReader::GetBuffered()
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-MediaDecoderReader::AsyncReadMetadata()
+MediaDecoderReader::AsyncReadMetadataInternal()
 {
   typedef ReadMetadataFailureReason Reason;
 
   MOZ_ASSERT(OnTaskQueue());
-  DECODER_LOG("MediaDecoderReader::AsyncReadMetadata");
+  DECODER_LOG("MediaDecoderReader::AsyncReadMetadataInternal");
 
   // Attempt to read the metadata.
   RefPtr<MetadataHolder> metadata = new MetadataHolder();
diff --git a/dom/media/MediaDecoderReader.h b/dom/media/MediaDecoderReader.h
index 93e5ad35cfe0..d32461848f39 100644
--- a/dom/media/MediaDecoderReader.h
+++ b/dom/media/MediaDecoderReader.h
@@ -94,6 +94,14 @@ public:
   // on failure.
   virtual nsresult Init() { return NS_OK; }
 
+  RefPtr<MetadataPromise> AsyncReadMetadata()
+  {
+    return OnTaskQueue() ?
+           AsyncReadMetadataInternal() :
+           InvokeAsync(OwnerThread(), this, __func__,
+                       &MediaDecoderReader::AsyncReadMetadataInternal);
+  }
+
   // Release media resources they should be released in dormant state
   // The reader can be made usable again by calling ReadMetadata().
   void ReleaseMediaResources()
@@ -177,18 +185,6 @@ public:
   virtual bool HasAudio() = 0;
   virtual bool HasVideo() = 0;
 
-  // The default implementation of AsyncReadMetadata is implemented in terms of
-  // synchronous ReadMetadata() calls. Implementations may also
-  // override AsyncReadMetadata to create a more proper async implementation.
-  virtual RefPtr<MetadataPromise> AsyncReadMetadata();
-
-  // Read header data for all bitstreams in the file. Fills aInfo with
-  // the data required to present the media, and optionally fills *aTags
-  // with tag metadata from the file.
-  // Returns NS_OK on success, or NS_ERROR_FAILURE on failure.
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags) { MOZ_CRASH(); }
-
   // Fills aInfo with the latest cached data required to present the media,
   // ReadUpdatedMetadata will always be called once ReadMetadata has succeeded.
   virtual void ReadUpdatedMetadata(MediaInfo* aInfo) { };
@@ -268,6 +264,18 @@ private:
   virtual void ReleaseMediaResourcesInternal() {}
   virtual void DisableHardwareAccelerationInternal() {}
 
+  // Read header data for all bitstreams in the file. Fills aInfo with
+  // the data required to present the media, and optionally fills *aTags
+  // with tag metadata from the file.
+  // Returns NS_OK on success, or NS_ERROR_FAILURE on failure.
+  virtual nsresult ReadMetadata(MediaInfo*, MetadataTags**) { MOZ_CRASH(); }
+
+  // The default implementation of AsyncReadMetadataInternal is implemented in
+  // terms of synchronous ReadMetadata() calls. Implementations may also
+  // override AsyncReadMetadataInternal to create a more proper async
+  // implementation.
+  virtual RefPtr<MetadataPromise> AsyncReadMetadataInternal();
+
 protected:
   friend class TrackBuffer;
   virtual void NotifyDataArrivedInternal(uint32_t aLength, int64_t aOffset) { }
diff --git a/dom/media/MediaDecoderStateMachine.cpp b/dom/media/MediaDecoderStateMachine.cpp
index 7f1c442a6de8..8ef445523ade 100644
--- a/dom/media/MediaDecoderStateMachine.cpp
+++ b/dom/media/MediaDecoderStateMachine.cpp
@@ -17,6 +17,7 @@
 
 #include "mediasink/DecodedAudioDataSink.h"
 #include "mediasink/AudioSinkWrapper.h"
+#include "mediasink/VideoSink.h"
 #include "mediasink/DecodedStream.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/Logging.h"
@@ -202,7 +203,6 @@ MediaDecoderStateMachine::MediaDecoderStateMachine(MediaDecoder* aDecoder,
   mTaskQueue(new TaskQueue(GetMediaThreadPool(MediaThreadType::PLAYBACK),
                            /* aSupportsTailDispatch = */ true)),
   mWatchManager(this, mTaskQueue),
-  mProducerID(ImageContainer::AllocateProducerID()),
   mRealTime(aRealTime),
   mDispatchedStateMachine(false),
   mDelayedScheduler(mTaskQueue),
@@ -212,7 +212,6 @@ MediaDecoderStateMachine::MediaDecoderStateMachine(MediaDecoder* aDecoder,
   mFragmentEndTime(-1),
   mReader(aReader),
   mDecodedAudioEndTime(-1),
-  mVideoFrameEndTime(-1),
   mDecodedVideoEndTime(-1),
   mPlaybackRate(1.0),
   mLowAudioThresholdUsecs(detail::LOW_AUDIO_USECS),
@@ -305,7 +304,7 @@ MediaDecoderStateMachine::MediaDecoderStateMachine(MediaDecoder* aDecoder,
 
   mMetadataManager.Connect(mReader->TimedMetadataEvent(), OwnerThread());
 
-  mMediaSink = CreateAudioSink();
+  mMediaSink = CreateMediaSink(mAudioCaptured);
 
 #ifdef MOZ_EME
   mCDMProxyPromise.Begin(mDecoder->RequestCDMProxy()->Then(
@@ -381,6 +380,23 @@ MediaDecoderStateMachine::CreateAudioSink()
   return new AudioSinkWrapper(mTaskQueue, audioSinkCreator);
 }
 
+already_AddRefed<media::MediaSink>
+MediaDecoderStateMachine::CreateMediaSink(bool aAudioCaptured)
+{
+  // TODO: We can't really create a new DecodedStream until OutputStreamManager
+  //       is extracted. It is tricky that the implementation of DecodedStream
+  //       happens to allow reuse after shutdown without creating a new one.
+  RefPtr<media::MediaSink> audioSink = aAudioCaptured ?
+    mStreamSink : CreateAudioSink();
+
+  RefPtr<media::MediaSink> mediaSink =
+    new VideoSink(mTaskQueue, audioSink, mVideoQueue,
+                  mDecoder->GetVideoFrameContainer(), mRealTime,
+                  mDecoder->GetFrameStatistics(), AUDIO_DURATION_USECS,
+                  sVideoQueueSendToCompositorSize);
+  return mediaSink.forget();
+}
+
 bool MediaDecoderStateMachine::HasFutureAudio()
 {
   MOZ_ASSERT(OnTaskQueue());
@@ -1050,7 +1066,6 @@ void MediaDecoderStateMachine::StopPlayback()
   mDecoder->DispatchPlaybackStopped();
 
   if (IsPlaying()) {
-    RenderVideoFrames(1);
     mMediaSink->SetPlaying(false);
     MOZ_ASSERT(!IsPlaying());
   }
@@ -1489,7 +1504,8 @@ void MediaDecoderStateMachine::StopMediaSink()
   if (mMediaSink->IsStarted()) {
     DECODER_LOG("Stop MediaSink");
     mMediaSink->Stop();
-    mMediaSinkPromise.DisconnectIfExists();
+    mMediaSinkAudioPromise.DisconnectIfExists();
+    mMediaSinkVideoPromise.DisconnectIfExists();
   }
 }
 
@@ -1764,12 +1780,20 @@ MediaDecoderStateMachine::StartMediaSink()
     mAudioCompleted = false;
     mMediaSink->Start(GetMediaTime(), mInfo);
 
-    auto promise = mMediaSink->OnEnded(TrackInfo::kAudioTrack);
-    if (promise) {
-      mMediaSinkPromise.Begin(promise->Then(
+    auto videoPromise = mMediaSink->OnEnded(TrackInfo::kVideoTrack);
+    auto audioPromise = mMediaSink->OnEnded(TrackInfo::kAudioTrack);
+
+    if (audioPromise) {
+      mMediaSinkAudioPromise.Begin(audioPromise->Then(
         OwnerThread(), __func__, this,
-        &MediaDecoderStateMachine::OnMediaSinkComplete,
-        &MediaDecoderStateMachine::OnMediaSinkError));
+        &MediaDecoderStateMachine::OnMediaSinkAudioComplete,
+        &MediaDecoderStateMachine::OnMediaSinkAudioError));
+    }
+    if (videoPromise) {
+      mMediaSinkVideoPromise.Begin(videoPromise->Then(
+        OwnerThread(), __func__, this,
+        &MediaDecoderStateMachine::OnMediaSinkVideoComplete,
+        &MediaDecoderStateMachine::OnMediaSinkVideoError));
     }
   }
 }
@@ -1832,7 +1856,7 @@ bool MediaDecoderStateMachine::HasLowUndecodedData(int64_t aUsecs)
 
   int64_t endOfDecodedVideoData = INT64_MAX;
   if (HasVideo() && !VideoQueue().AtEndOfStream()) {
-    endOfDecodedVideoData = VideoQueue().Peek() ? VideoQueue().Peek()->GetEndTime() : mVideoFrameEndTime;
+    endOfDecodedVideoData = VideoQueue().Peek() ? VideoQueue().Peek()->GetEndTime() : VideoEndTime();
   }
   int64_t endOfDecodedAudioData = INT64_MAX;
   if (HasAudio() && !AudioQueue().AtEndOfStream()) {
@@ -2032,7 +2056,7 @@ MediaDecoderStateMachine::FinishDecodeFirstFrame()
   DECODER_LOG("FinishDecodeFirstFrame");
 
   if (!IsRealTime() && !mSentFirstFrameLoadedEvent) {
-    RenderVideoFrames(1);
+    mMediaSink->Redraw();
   }
 
   // If we don't know the duration by this point, we assume infinity, per spec.
@@ -2129,7 +2153,7 @@ MediaDecoderStateMachine::SeekCompleted()
   ScheduleStateMachine();
 
   if (video) {
-    RenderVideoFrames(1);
+    mMediaSink->Redraw();
     nsCOMPtr<nsIRunnable> event =
       NS_NewRunnableMethod(mDecoder, &MediaDecoder::Invalidate);
     AbstractThread::MainThread()->Dispatch(event.forget());
@@ -2256,11 +2280,10 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
 
     case DECODER_STATE_DECODING_METADATA: {
       if (!mMetadataRequest.Exists()) {
-        DECODER_LOG("Dispatching AsyncReadMetadata");
+        DECODER_LOG("Calling AsyncReadMetadata");
         // Set mode to METADATA since we are about to read metadata.
         mResource->SetReadMode(MediaCacheStream::MODE_METADATA);
-        mMetadataRequest.Begin(InvokeAsync(DecodeTaskQueue(), mReader.get(), __func__,
-                                           &MediaDecoderReader::AsyncReadMetadata)
+        mMetadataRequest.Begin(mReader->AsyncReadMetadata()
           ->Then(OwnerThread(), __func__, this,
                  &MediaDecoderStateMachine::OnMetadataRead,
                  &MediaDecoderStateMachine::OnMetadataNotRead));
@@ -2285,7 +2308,7 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
       // Start playback if necessary so that the clock can be properly queried.
       MaybeStartPlayback();
 
-      UpdateRenderedVideoFrames();
+      UpdatePlaybackPositionPeriodically();
       NS_ASSERTION(!IsPlaying() ||
                    mLogicallySeeking ||
                    IsStateMachineScheduled(),
@@ -2356,7 +2379,7 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
       {
         // Start playback if necessary to play the remaining media.
         MaybeStartPlayback();
-        UpdateRenderedVideoFrames();
+        UpdatePlaybackPositionPeriodically();
         NS_ASSERTION(!IsPlaying() ||
                      mLogicallySeeking ||
                      IsStateMachineScheduled(),
@@ -2378,7 +2401,7 @@ nsresult MediaDecoderStateMachine::RunStateMachine()
       if (mPlayState == MediaDecoder::PLAY_STATE_PLAYING &&
           !mSentPlaybackEndedEvent)
       {
-        int64_t clockTime = std::max(AudioEndTime(), mVideoFrameEndTime);
+        int64_t clockTime = std::max(AudioEndTime(), VideoEndTime());
         clockTime = std::max(int64_t(0), std::max(clockTime, Duration().ToMicroseconds()));
         UpdatePlaybackPosition(clockTime);
 
@@ -2419,7 +2442,6 @@ MediaDecoderStateMachine::Reset()
   // crash for no samples to be popped.
   StopMediaSink();
 
-  mVideoFrameEndTime = -1;
   mDecodedVideoEndTime = -1;
   mDecodedAudioEndTime = -1;
   mAudioCompleted = false;
@@ -2469,69 +2491,6 @@ MediaDecoderStateMachine::CheckFrameValidity(VideoData* aData)
   }
 }
 
-void MediaDecoderStateMachine::RenderVideoFrames(int32_t aMaxFrames,
-                                                 int64_t aClockTime,
-                                                 const TimeStamp& aClockTimeStamp)
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  VideoFrameContainer* container = mDecoder->GetVideoFrameContainer();
-  nsAutoTArray<RefPtr<MediaData>,16> frames;
-  VideoQueue().GetFirstElements(aMaxFrames, &frames);
-  if (frames.IsEmpty() || !container) {
-    return;
-  }
-
-  nsAutoTArray<ImageContainer::NonOwningImage,16> images;
-  TimeStamp lastFrameTime;
-  for (uint32_t i = 0; i < frames.Length(); ++i) {
-    VideoData* frame = frames[i]->As<VideoData>();
-
-    bool valid = !frame->mImage || frame->mImage->IsValid();
-    frame->mSentToCompositor = true;
-
-    if (!valid) {
-      continue;
-    }
-
-    int64_t frameTime = frame->mTime;
-    if (frameTime < 0) {
-      // Frame times before the start time are invalid; drop such frames
-      continue;
-    }
-
-
-    TimeStamp t;
-    if (aMaxFrames > 1) {
-      MOZ_ASSERT(!aClockTimeStamp.IsNull());
-      int64_t delta = frame->mTime - aClockTime;
-      t = aClockTimeStamp +
-          TimeDuration::FromMicroseconds(delta / mPlaybackRate);
-      if (!lastFrameTime.IsNull() && t <= lastFrameTime) {
-        // Timestamps out of order; drop the new frame. In theory we should
-        // probably replace the previous frame with the new frame if the
-        // timestamps are equal, but this is a corrupt video file already so
-        // never mind.
-        continue;
-      }
-      lastFrameTime = t;
-    }
-
-    ImageContainer::NonOwningImage* img = images.AppendElement();
-    img->mTimeStamp = t;
-    img->mImage = frame->mImage;
-    img->mFrameID = frame->mFrameID;
-    img->mProducerID = mProducerID;
-
-    VERBOSE_LOG("playing video frame %lld (id=%x) (queued=%i, state-machine=%i, decoder-queued=%i)",
-                frame->mTime, frame->mFrameID,
-                VideoQueue().GetSize() + mReader->SizeOfVideoQueueInFrames(),
-                VideoQueue().GetSize(), mReader->SizeOfVideoQueueInFrames());
-  }
-
-  container->SetCurrentFrames(frames[0]->As<VideoData>()->mDisplay, images);
-}
-
 int64_t
 MediaDecoderStateMachine::GetClock(TimeStamp* aTimeStamp) const
 {
@@ -2541,7 +2500,8 @@ MediaDecoderStateMachine::GetClock(TimeStamp* aTimeStamp) const
   return clockTime;
 }
 
-void MediaDecoderStateMachine::UpdateRenderedVideoFrames()
+void
+MediaDecoderStateMachine::UpdatePlaybackPositionPeriodically()
 {
   MOZ_ASSERT(OnTaskQueue());
 
@@ -2553,47 +2513,19 @@ void MediaDecoderStateMachine::UpdateRenderedVideoFrames()
     DiscardStreamData();
   }
 
-  TimeStamp nowTime;
-  const int64_t clockTime = GetClock(&nowTime);
-  // Skip frames up to the frame at the playback position, and figure out
-  // the time remaining until it's time to display the next frame and drop
-  // the current frame.
-  NS_ASSERTION(clockTime >= 0, "Should have positive clock time.");
-  int64_t remainingTime = AUDIO_DURATION_USECS;
-  if (VideoQueue().GetSize() > 0) {
-    RefPtr<MediaData> currentFrame = VideoQueue().PopFront();
-    int32_t framesRemoved = 0;
-    while (VideoQueue().GetSize() > 0) {
-      MediaData* nextFrame = VideoQueue().PeekFront();
-      if (!IsRealTime() && nextFrame->mTime > clockTime) {
-        remainingTime = nextFrame->mTime - clockTime;
-        break;
-      }
-      ++framesRemoved;
-      if (!currentFrame->As<VideoData>()->mSentToCompositor) {
-        mDecoder->NotifyDecodedFrames(0, 0, 1);
-        VERBOSE_LOG("discarding video frame mTime=%lld clock_time=%lld",
-                    currentFrame->mTime, clockTime);
-      }
-      currentFrame = VideoQueue().PopFront();
-
-    }
-    VideoQueue().PushFront(currentFrame);
-    if (framesRemoved > 0) {
-      mVideoFrameEndTime = currentFrame->GetEndTime();
-      FrameStatistics& frameStats = mDecoder->GetFrameStatistics();
-      frameStats.NotifyPresentedFrame();
-    }
-  }
-
-  RenderVideoFrames(sVideoQueueSendToCompositorSize, clockTime, nowTime);
-
   // Cap the current time to the larger of the audio and video end time.
   // This ensures that if we're running off the system clock, we don't
   // advance the clock to after the media end time.
-  if (mVideoFrameEndTime != -1 || AudioEndTime() != -1) {
+  if (VideoEndTime() != -1 || AudioEndTime() != -1) {
+
+    const int64_t clockTime = GetClock();
+    // Skip frames up to the frame at the playback position, and figure out
+    // the time remaining until it's time to display the next frame and drop
+    // the current frame.
+    NS_ASSERTION(clockTime >= 0, "Should have positive clock time.");
+
     // These will be non -1 if we've displayed a video frame, or played an audio frame.
-    int64_t t = std::min(clockTime, std::max(mVideoFrameEndTime, AudioEndTime()));
+    int64_t t = std::min(clockTime, std::max(VideoEndTime(), AudioEndTime()));
     // FIXME: Bug 1091422 - chained ogg files hit this assertion.
     //MOZ_ASSERT(t >= GetMediaTime());
     if (t > GetMediaTime()) {
@@ -2605,7 +2537,7 @@ void MediaDecoderStateMachine::UpdateRenderedVideoFrames()
   // the monitor and get a staled value from GetCurrentTimeUs() which hits the
   // assertion in GetClock().
 
-  int64_t delay = std::max<int64_t>(1, remainingTime / mPlaybackRate);
+  int64_t delay = std::max<int64_t>(1, AUDIO_DURATION_USECS / mPlaybackRate);
   ScheduleStateMachineIn(delay);
 }
 
@@ -2908,22 +2840,57 @@ MediaDecoderStateMachine::AudioEndTime() const
   return -1;
 }
 
-void MediaDecoderStateMachine::OnMediaSinkComplete()
+int64_t
+MediaDecoderStateMachine::VideoEndTime() const
 {
   MOZ_ASSERT(OnTaskQueue());
+  if (mMediaSink->IsStarted()) {
+    return mMediaSink->GetEndTime(TrackInfo::kVideoTrack);
+  }
+  return -1;
+}
 
-  mMediaSinkPromise.Complete();
+void
+MediaDecoderStateMachine::OnMediaSinkVideoComplete()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  VERBOSE_LOG("[%s]", __func__);
+
+  mMediaSinkVideoPromise.Complete();
+  ScheduleStateMachine();
+}
+
+void
+MediaDecoderStateMachine::OnMediaSinkVideoError()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  VERBOSE_LOG("[%s]", __func__);
+
+  mMediaSinkVideoPromise.Complete();
+  if (HasAudio()) {
+    return;
+  }
+  DecodeError();
+}
+
+void MediaDecoderStateMachine::OnMediaSinkAudioComplete()
+{
+  MOZ_ASSERT(OnTaskQueue());
+  VERBOSE_LOG("[%s]", __func__);
+
+  mMediaSinkAudioPromise.Complete();
   // Set true only when we have audio.
   mAudioCompleted = mInfo.HasAudio();
   // To notify PlaybackEnded as soon as possible.
   ScheduleStateMachine();
 }
 
-void MediaDecoderStateMachine::OnMediaSinkError()
+void MediaDecoderStateMachine::OnMediaSinkAudioError()
 {
   MOZ_ASSERT(OnTaskQueue());
+  VERBOSE_LOG("[%s]", __func__);
 
-  mMediaSinkPromise.Complete();
+  mMediaSinkAudioPromise.Complete();
   // Set true only when we have audio.
   mAudioCompleted = mInfo.HasAudio();
 
@@ -2975,10 +2942,7 @@ MediaDecoderStateMachine::SetAudioCaptured(bool aCaptured)
   mMediaSink->Shutdown();
 
   // Create a new sink according to whether audio is captured.
-  // TODO: We can't really create a new DecodedStream until OutputStreamManager
-  //       is extracted. It is tricky that the implementation of DecodedStream
-  //       happens to allow reuse after shutdown without creating a new one.
-  mMediaSink = aCaptured ? mStreamSink : CreateAudioSink();
+  mMediaSink = CreateMediaSink(aCaptured);
 
   // Restore playback parameters.
   mMediaSink->SetPlaybackParams(params);
diff --git a/dom/media/MediaDecoderStateMachine.h b/dom/media/MediaDecoderStateMachine.h
index efcf098c09bc..1f3da1f8bec0 100644
--- a/dom/media/MediaDecoderStateMachine.h
+++ b/dom/media/MediaDecoderStateMachine.h
@@ -128,7 +128,6 @@ public:
   typedef MediaDecoderReader::AudioDataPromise AudioDataPromise;
   typedef MediaDecoderReader::VideoDataPromise VideoDataPromise;
   typedef MediaDecoderOwner::NextFrameStatus NextFrameStatus;
-  typedef mozilla::layers::ImageContainer::ProducerID ProducerID;
   typedef mozilla::layers::ImageContainer::FrameID FrameID;
   MediaDecoderStateMachine(MediaDecoder* aDecoder,
                            MediaDecoderReader* aReader,
@@ -465,25 +464,15 @@ protected:
   // acceleration.
   void CheckFrameValidity(VideoData* aData);
 
-  // Sets VideoQueue images into the VideoFrameContainer. Called on the shared
-  // state machine thread. Decode monitor must be held. The first aMaxFrames
-  // (at most) are set.
-  // aClockTime and aClockTimeStamp are used as the baseline for deriving
-  // timestamps for the frames; when omitted, aMaxFrames must be 1 and
-  // a null timestamp is passed to the VideoFrameContainer.
-  // If the VideoQueue is empty, this does nothing.
-  void RenderVideoFrames(int32_t aMaxFrames, int64_t aClockTime = 0,
-                         const TimeStamp& aClickTimeStamp = TimeStamp());
-
-  // If we have video, display a video frame if it's time for display has
-  // arrived, otherwise sleep until it's time for the next frame. Update the
-  // current frame time as appropriate, and trigger ready state update.  The
-  // decoder monitor must be held with exactly one lock count. Called on the
-  // state machine thread.
-  void UpdateRenderedVideoFrames();
+  // Update playback position and trigger next update by default time period.
+  // Called on the state machine thread.
+  void UpdatePlaybackPositionPeriodically();
 
   media::MediaSink* CreateAudioSink();
 
+  // Always create mediasink which contains an AudioSink or StreamSink inside.
+  already_AddRefed<media::MediaSink> CreateMediaSink(bool aAudioCaptured);
+
   // Stops the media sink and shut it down.
   // The decoder monitor must be held with exactly one lock count.
   // Called on the state machine thread.
@@ -638,12 +627,14 @@ protected:
   bool IsVideoDecoding();
 
 private:
-  // Resolved by the MediaSink to signal that all outstanding work is complete
-  // and the sink is shutting down.
-  void OnMediaSinkComplete();
+  // Resolved by the MediaSink to signal that all audio/video outstanding
+  // work is complete and identify which part(a/v) of the sink is shutting down.
+  void OnMediaSinkAudioComplete();
+  void OnMediaSinkVideoComplete();
 
-  // Rejected by the MediaSink to signal errors.
-  void OnMediaSinkError();
+  // Rejected by the MediaSink to signal errors for audio/video.
+  void OnMediaSinkAudioError();
+  void OnMediaSinkVideoError();
 
   // Return true if the video decoder's decode speed can not catch up the
   // play time.
@@ -668,10 +659,6 @@ private:
   // State-watching manager.
   WatchManager<MediaDecoderStateMachine> mWatchManager;
 
-  // Producer ID to help ImageContainer distinguish different streams of
-  // FrameIDs. A unique and immutable value per MDSM.
-  const ProducerID mProducerID;
-
   // True is we are decoding a realtime stream, like a camera stream.
   const bool mRealTime;
 
@@ -922,14 +909,14 @@ private:
   // of the audio stream, unless another frame is pushed to the hardware.
   int64_t AudioEndTime() const;
 
+  // The end time of the last rendered video frame that's been sent to
+  // compositor.
+  int64_t VideoEndTime() const;
+
   // The end time of the last decoded audio frame. This signifies the end of
   // decoded audio data. Used to check if we are low in decoded data.
   int64_t mDecodedAudioEndTime;
 
-  // The presentation end time of the last video frame which has been displayed
-  // in microseconds. Accessed from the state machine thread.
-  int64_t mVideoFrameEndTime;
-
   // The end time of the last decoded video frame. Used to check if we are low
   // on decoded video data.
   int64_t mDecodedVideoEndTime;
@@ -1192,7 +1179,9 @@ private:
   // Media data resource from the decoder.
   RefPtr<MediaResource> mResource;
 
-  MozPromiseRequestHolder<GenericPromise> mMediaSinkPromise;
+  // Track the complete & error for audio/video separately
+  MozPromiseRequestHolder<GenericPromise> mMediaSinkAudioPromise;
+  MozPromiseRequestHolder<GenericPromise> mMediaSinkVideoPromise;
 
   MediaEventListener mAudioQueueListener;
   MediaEventListener mVideoQueueListener;
diff --git a/dom/media/MediaFormatReader.cpp b/dom/media/MediaFormatReader.cpp
index 7b243d6472d5..01fd31b86705 100644
--- a/dom/media/MediaFormatReader.cpp
+++ b/dom/media/MediaFormatReader.cpp
@@ -243,7 +243,7 @@ MediaFormatReader::IsWaitingOnCDMResource() {
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-MediaFormatReader::AsyncReadMetadata()
+MediaFormatReader::AsyncReadMetadataInternal()
 {
   MOZ_ASSERT(OnTaskQueue());
 
@@ -1047,7 +1047,7 @@ MediaFormatReader::Update(TrackType aTrack)
 {
   MOZ_ASSERT(OnTaskQueue());
 
-  if (mShutdown || !mInitDone) {
+  if (mShutdown) {
     return;
   }
 
@@ -1058,6 +1058,10 @@ MediaFormatReader::Update(TrackType aTrack)
   auto& decoder = GetDecoderData(aTrack);
   decoder.mUpdateScheduled = false;
 
+  if (!mInitDone) {
+    return;
+  }
+
   if (UpdateReceivedNewData(aTrack)) {
     LOGV("Nothing more to do");
     return;
diff --git a/dom/media/MediaFormatReader.h b/dom/media/MediaFormatReader.h
index 9f0064e3f2de..2edc49607420 100644
--- a/dom/media/MediaFormatReader.h
+++ b/dom/media/MediaFormatReader.h
@@ -52,8 +52,6 @@ public:
     return mAudio.mTrackDemuxer;
   }
 
-  RefPtr<MetadataPromise> AsyncReadMetadata() override;
-
   void ReadUpdatedMetadata(MediaInfo* aInfo) override;
 
   RefPtr<SeekPromise>
@@ -442,6 +440,7 @@ private:
   // For Media Resource Management
   void ReleaseMediaResourcesInternal() override;
   void DisableHardwareAccelerationInternal() override;
+  RefPtr<MetadataPromise> AsyncReadMetadataInternal() override;
 };
 
 } // namespace mozilla
diff --git a/dom/media/android/AndroidMediaReader.cpp b/dom/media/android/AndroidMediaReader.cpp
index 145ba4b7579e..27b9fffce65f 100644
--- a/dom/media/android/AndroidMediaReader.cpp
+++ b/dom/media/android/AndroidMediaReader.cpp
@@ -35,8 +35,8 @@ AndroidMediaReader::AndroidMediaReader(AbstractMediaDecoder *aDecoder,
 {
 }
 
-nsresult AndroidMediaReader::ReadMetadata(MediaInfo* aInfo,
-                                          MetadataTags** aTags)
+nsresult
+AndroidMediaReader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
 
diff --git a/dom/media/android/AndroidMediaReader.h b/dom/media/android/AndroidMediaReader.h
index 9f1888181be5..6fe481a50818 100644
--- a/dom/media/android/AndroidMediaReader.h
+++ b/dom/media/android/AndroidMediaReader.h
@@ -64,8 +64,6 @@ public:
     return true;
   }
 
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags);
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
@@ -87,6 +85,8 @@ public:
     RefPtr<Image> mImage;
   };
 
+private:
+  virtual nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags);
 };
 
 } // namespace mozilla
diff --git a/dom/media/apple/AppleMP3Reader.cpp b/dom/media/apple/AppleMP3Reader.cpp
index 6480248bdf61..734e3ba5376b 100644
--- a/dom/media/apple/AppleMP3Reader.cpp
+++ b/dom/media/apple/AppleMP3Reader.cpp
@@ -351,8 +351,7 @@ GetProperty(AudioFileStreamID aAudioFileStream,
 
 
 nsresult
-AppleMP3Reader::ReadMetadata(MediaInfo* aInfo,
-                             MetadataTags** aTags)
+AppleMP3Reader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
 
diff --git a/dom/media/apple/AppleMP3Reader.h b/dom/media/apple/AppleMP3Reader.h
index dffa6bf5d500..3cbc41fb05dc 100644
--- a/dom/media/apple/AppleMP3Reader.h
+++ b/dom/media/apple/AppleMP3Reader.h
@@ -31,9 +31,6 @@ public:
   virtual bool HasAudio() override;
   virtual bool HasVideo() override;
 
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags) override;
-
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
@@ -50,10 +47,11 @@ protected:
   virtual void NotifyDataArrivedInternal(uint32_t aLength,
                                          int64_t aOffset) override;
 public:
-
   virtual bool IsMediaSeekable() override;
 
 private:
+  virtual nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
+
   void SetupDecoder();
   nsresult Read(uint32_t *aNumBytes, char *aData);
 
diff --git a/dom/media/directshow/DirectShowReader.cpp b/dom/media/directshow/DirectShowReader.cpp
index a475ff03b4ea..ca5e0ed57ec4 100644
--- a/dom/media/directshow/DirectShowReader.cpp
+++ b/dom/media/directshow/DirectShowReader.cpp
@@ -90,8 +90,7 @@ static const GUID CLSID_MPEG_LAYER_3_DECODER_FILTER =
 { 0x38BE3000, 0xDBF4, 0x11D0, {0x86, 0x0E, 0x00, 0xA0, 0x24, 0xCF, 0xEF, 0x6D} };
 
 nsresult
-DirectShowReader::ReadMetadata(MediaInfo* aInfo,
-                               MetadataTags** aTags)
+DirectShowReader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
   HRESULT hr;
diff --git a/dom/media/directshow/DirectShowReader.h b/dom/media/directshow/DirectShowReader.h
index 8d80125ed23b..f750d585b814 100644
--- a/dom/media/directshow/DirectShowReader.h
+++ b/dom/media/directshow/DirectShowReader.h
@@ -50,9 +50,6 @@ public:
   bool HasAudio() override;
   bool HasVideo() override;
 
-  nsresult ReadMetadata(MediaInfo* aInfo,
-                        MetadataTags** aTags) override;
-
   RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
@@ -64,6 +61,7 @@ public:
   bool IsMediaSeekable() override;
 
 private:
+  nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
 
   // Notifies the filter graph that playback is complete. aStatus is
   // the code to send to the filter graph. Always returns false, so
diff --git a/dom/media/gstreamer/GStreamerReader.cpp b/dom/media/gstreamer/GStreamerReader.cpp
index d12f60de6976..135c90f6c506 100644
--- a/dom/media/gstreamer/GStreamerReader.cpp
+++ b/dom/media/gstreamer/GStreamerReader.cpp
@@ -360,8 +360,8 @@ GStreamerReader::GetDataLength()
   return streamLen - mDataOffset;
 }
 
-nsresult GStreamerReader::ReadMetadata(MediaInfo* aInfo,
-                                       MetadataTags** aTags)
+nsresult
+GStreamerReader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
   nsresult ret = NS_OK;
diff --git a/dom/media/gstreamer/GStreamerReader.h b/dom/media/gstreamer/GStreamerReader.h
index 7085d85d28a5..37cfc8cfe756 100644
--- a/dom/media/gstreamer/GStreamerReader.h
+++ b/dom/media/gstreamer/GStreamerReader.h
@@ -46,8 +46,6 @@ public:
   virtual bool DecodeAudioData() override;
   virtual bool DecodeVideoFrame(bool &aKeyframeSkip,
                                 int64_t aTimeThreshold) override;
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags) override;
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
   virtual media::TimeIntervals GetBuffered() override;
@@ -70,6 +68,7 @@ public:
   virtual bool IsMediaSeekable() override;
 
 private:
+  virtual nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
 
   void ReadAndPushData(guint aLength);
   RefPtr<layers::PlanarYCbCrImage> GetImageFromBuffer(GstBuffer* aBuffer);
diff --git a/dom/media/mediasink/MediaSink.h b/dom/media/mediasink/MediaSink.h
index 129d14f77f16..e753d32466e1 100644
--- a/dom/media/mediasink/MediaSink.h
+++ b/dom/media/mediasink/MediaSink.h
@@ -93,6 +93,11 @@ public:
   // Pause/resume the playback. Only work after playback starts.
   virtual void SetPlaying(bool aPlaying) = 0;
 
+  // Single frame rendering operation may need to be done before playback
+  // started (1st frame) or right after seek completed or playback stopped.
+  // Do nothing if this sink has no video track. Can be called in any state.
+  virtual void Redraw() {};
+
   // Begin a playback session with the provided start time and media info.
   // Must be called when playback is stopped.
   virtual void Start(int64_t aStartTime, const MediaInfo& aInfo) = 0;
diff --git a/dom/media/mediasink/VideoSink.cpp b/dom/media/mediasink/VideoSink.cpp
new file mode 100644
index 000000000000..c5275a042699
--- /dev/null
+++ b/dom/media/mediasink/VideoSink.cpp
@@ -0,0 +1,380 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "VideoSink.h"
+
+namespace mozilla {
+
+extern PRLogModuleInfo* gMediaDecoderLog;
+#define VSINK_LOG(msg, ...) \
+  MOZ_LOG(gMediaDecoderLog, LogLevel::Debug, \
+    ("VideoSink=%p " msg, this, ##__VA_ARGS__))
+#define VSINK_LOG_V(msg, ...) \
+  MOZ_LOG(gMediaDecoderLog, LogLevel::Verbose, \
+  ("VideoSink=%p " msg, this, ##__VA_ARGS__))
+
+using namespace mozilla::layers;
+
+namespace media {
+
+VideoSink::VideoSink(AbstractThread* aThread,
+                     MediaSink* aAudioSink,
+                     MediaQueue<MediaData>& aVideoQueue,
+                     VideoFrameContainer* aContainer,
+                     bool aRealTime,
+                     FrameStatistics& aFrameStats,
+                     int aDelayDuration,
+                     uint32_t aVQueueSentToCompositerSize)
+  : mOwnerThread(aThread)
+  , mAudioSink(aAudioSink)
+  , mVideoQueue(aVideoQueue)
+  , mContainer(aContainer)
+  , mProducerID(ImageContainer::AllocateProducerID())
+  , mRealTime(aRealTime)
+  , mFrameStats(aFrameStats)
+  , mVideoFrameEndTime(-1)
+  , mHasVideo(false)
+  , mUpdateScheduler(aThread)
+  , mDelayDuration(aDelayDuration)
+  , mVideoQueueSendToCompositorSize(aVQueueSentToCompositerSize)
+{
+  MOZ_ASSERT(mAudioSink, "AudioSink should exist.");
+}
+
+VideoSink::~VideoSink()
+{
+}
+
+const MediaSink::PlaybackParams&
+VideoSink::GetPlaybackParams() const
+{
+  AssertOwnerThread();
+
+  return mAudioSink->GetPlaybackParams();
+}
+
+void
+VideoSink::SetPlaybackParams(const PlaybackParams& aParams)
+{
+  AssertOwnerThread();
+
+  mAudioSink->SetPlaybackParams(aParams);
+}
+
+RefPtr<GenericPromise>
+VideoSink::OnEnded(TrackType aType)
+{
+  AssertOwnerThread();
+  MOZ_ASSERT(mAudioSink->IsStarted(), "Must be called after playback starts.");
+
+  if (aType == TrackInfo::kAudioTrack) {
+    return mAudioSink->OnEnded(aType);
+  } else if (aType == TrackInfo::kVideoTrack) {
+    return mEndPromise;
+  }
+  return nullptr;
+}
+
+int64_t
+VideoSink::GetEndTime(TrackType aType) const
+{
+  AssertOwnerThread();
+  MOZ_ASSERT(mAudioSink->IsStarted(), "Must be called after playback starts.");
+
+  if (aType == TrackInfo::kVideoTrack) {
+    return mVideoFrameEndTime;
+  } else if (aType == TrackInfo::kAudioTrack) {
+    return mAudioSink->GetEndTime(aType);
+  }
+  return -1;
+}
+
+int64_t
+VideoSink::GetPosition(TimeStamp* aTimeStamp) const
+{
+  AssertOwnerThread();
+
+  return mAudioSink->GetPosition(aTimeStamp);
+}
+
+bool
+VideoSink::HasUnplayedFrames(TrackType aType) const
+{
+  AssertOwnerThread();
+  MOZ_ASSERT(aType == TrackInfo::kAudioTrack, "Not implemented for non audio tracks.");
+
+  return mAudioSink->HasUnplayedFrames(aType);
+}
+
+void
+VideoSink::SetPlaybackRate(double aPlaybackRate)
+{
+  AssertOwnerThread();
+
+  mAudioSink->SetPlaybackRate(aPlaybackRate);
+}
+
+void
+VideoSink::SetVolume(double aVolume)
+{
+  AssertOwnerThread();
+
+  mAudioSink->SetVolume(aVolume);
+}
+
+void
+VideoSink::SetPreservesPitch(bool aPreservesPitch)
+{
+  AssertOwnerThread();
+
+  mAudioSink->SetPreservesPitch(aPreservesPitch);
+}
+
+void
+VideoSink::SetPlaying(bool aPlaying)
+{
+  AssertOwnerThread();
+  VSINK_LOG_V(" playing (%d) -> (%d)", mAudioSink->IsPlaying(), aPlaying);
+
+  if (!aPlaying) {
+    // Reset any update timer if paused.
+    mUpdateScheduler.Reset();
+    // Since playback is paused, tell compositor to render only current frame.
+    RenderVideoFrames(1);
+  }
+
+  mAudioSink->SetPlaying(aPlaying);
+
+  if (mHasVideo && aPlaying) {
+    // There's no thread in VideoSink for pulling video frames, need to trigger
+    // rendering while becoming playing status. because the VideoQueue may be
+    // full already.
+    TryUpdateRenderedVideoFrames();
+  }
+}
+
+void
+VideoSink::Start(int64_t aStartTime, const MediaInfo& aInfo)
+{
+  AssertOwnerThread();
+  VSINK_LOG("[%s]", __func__);
+
+  mAudioSink->Start(aStartTime, aInfo);
+
+  mHasVideo = aInfo.HasVideo();
+
+  if (mHasVideo) {
+    mEndPromise = mEndPromiseHolder.Ensure(__func__);
+    ConnectListener();
+    TryUpdateRenderedVideoFrames();
+  }
+}
+
+void
+VideoSink::Stop()
+{
+  AssertOwnerThread();
+  MOZ_ASSERT(mAudioSink->IsStarted(), "playback not started.");
+  VSINK_LOG("[%s]", __func__);
+
+  mAudioSink->Stop();
+
+  mUpdateScheduler.Reset();
+  if (mHasVideo) {
+    DisconnectListener();
+    mEndPromiseHolder.Resolve(true, __func__);
+    mEndPromise = nullptr;
+  }
+  mVideoFrameEndTime = -1;
+}
+
+bool
+VideoSink::IsStarted() const
+{
+  AssertOwnerThread();
+
+  return mAudioSink->IsStarted();
+}
+
+bool
+VideoSink::IsPlaying() const
+{
+  AssertOwnerThread();
+
+  return mAudioSink->IsPlaying();
+}
+
+void
+VideoSink::Shutdown()
+{
+  AssertOwnerThread();
+  MOZ_ASSERT(!mAudioSink->IsStarted(), "must be called after playback stops.");
+  VSINK_LOG("[%s]", __func__);
+
+  mAudioSink->Shutdown();
+}
+
+void
+VideoSink::OnVideoQueueEvent()
+{
+  AssertOwnerThread();
+  // Listen to push event, VideoSink should try rendering ASAP if first frame
+  // arrives but update scheduler is not triggered yet.
+  TryUpdateRenderedVideoFrames();
+}
+
+void
+VideoSink::Redraw()
+{
+  AssertOwnerThread();
+  RenderVideoFrames(1);
+}
+
+void
+VideoSink::TryUpdateRenderedVideoFrames()
+{
+  AssertOwnerThread();
+  if (!mUpdateScheduler.IsScheduled() && VideoQueue().GetSize() >= 1 &&
+      mAudioSink->IsPlaying()) {
+    UpdateRenderedVideoFrames();
+  }
+}
+
+void
+VideoSink::UpdateRenderedVideoFramesByTimer()
+{
+  AssertOwnerThread();
+  mUpdateScheduler.CompleteRequest();
+  UpdateRenderedVideoFrames();
+}
+
+void
+VideoSink::ConnectListener()
+{
+  AssertOwnerThread();
+  mPushListener = VideoQueue().PushEvent().Connect(
+    mOwnerThread, this, &VideoSink::OnVideoQueueEvent);
+}
+
+void
+VideoSink::DisconnectListener()
+{
+  AssertOwnerThread();
+  mPushListener.Disconnect();
+}
+
+void
+VideoSink::RenderVideoFrames(int32_t aMaxFrames,
+                             int64_t aClockTime,
+                             const TimeStamp& aClockTimeStamp)
+{
+  AssertOwnerThread();
+
+  nsAutoTArray<RefPtr<MediaData>,16> frames;
+  VideoQueue().GetFirstElements(aMaxFrames, &frames);
+  if (frames.IsEmpty() || !mContainer) {
+    return;
+  }
+
+  nsAutoTArray<ImageContainer::NonOwningImage,16> images;
+  TimeStamp lastFrameTime;
+  MediaSink::PlaybackParams params = mAudioSink->GetPlaybackParams();
+  for (uint32_t i = 0; i < frames.Length(); ++i) {
+    VideoData* frame = frames[i]->As<VideoData>();
+
+    bool valid = !frame->mImage || frame->mImage->IsValid();
+    frame->mSentToCompositor = true;
+
+    if (!valid) {
+      continue;
+    }
+
+    int64_t frameTime = frame->mTime;
+    if (frameTime < 0) {
+      // Frame times before the start time are invalid; drop such frames
+      continue;
+    }
+
+    TimeStamp t;
+    if (aMaxFrames > 1) {
+      MOZ_ASSERT(!aClockTimeStamp.IsNull());
+      int64_t delta = frame->mTime - aClockTime;
+      t = aClockTimeStamp +
+          TimeDuration::FromMicroseconds(delta / params.mPlaybackRate);
+      if (!lastFrameTime.IsNull() && t <= lastFrameTime) {
+        // Timestamps out of order; drop the new frame. In theory we should
+        // probably replace the previous frame with the new frame if the
+        // timestamps are equal, but this is a corrupt video file already so
+        // never mind.
+        continue;
+      }
+      lastFrameTime = t;
+    }
+
+    ImageContainer::NonOwningImage* img = images.AppendElement();
+    img->mTimeStamp = t;
+    img->mImage = frame->mImage;
+    img->mFrameID = frame->mFrameID;
+    img->mProducerID = mProducerID;
+
+    VSINK_LOG_V("playing video frame %lld (id=%x) (vq-queued=%i)",
+                frame->mTime, frame->mFrameID, VideoQueue().GetSize());
+  }
+  mContainer->SetCurrentFrames(frames[0]->As<VideoData>()->mDisplay, images);
+}
+
+void
+VideoSink::UpdateRenderedVideoFrames()
+{
+  AssertOwnerThread();
+  MOZ_ASSERT(mAudioSink->IsPlaying(), "should be called while playing.");
+
+  TimeStamp nowTime;
+  const int64_t clockTime = mAudioSink->GetPosition(&nowTime);
+  // Skip frames up to the frame at the playback position, and figure out
+  // the time remaining until it's time to display the next frame and drop
+  // the current frame.
+  NS_ASSERTION(clockTime >= 0, "Should have positive clock time.");
+
+  int64_t remainingTime = mDelayDuration;
+  if (VideoQueue().GetSize() > 0) {
+    RefPtr<MediaData> currentFrame = VideoQueue().PopFront();
+    int32_t framesRemoved = 0;
+    while (VideoQueue().GetSize() > 0) {
+      MediaData* nextFrame = VideoQueue().PeekFront();
+      if (!mRealTime && nextFrame->mTime > clockTime) {
+        remainingTime = nextFrame->mTime - clockTime;
+        break;
+      }
+      ++framesRemoved;
+      if (!currentFrame->As<VideoData>()->mSentToCompositor) {
+        mFrameStats.NotifyDecodedFrames(0, 0, 1);
+        VSINK_LOG_V("discarding video frame mTime=%lld clock_time=%lld",
+                    currentFrame->mTime, clockTime);
+      }
+      currentFrame = VideoQueue().PopFront();
+    }
+    VideoQueue().PushFront(currentFrame);
+    if (framesRemoved > 0) {
+      mVideoFrameEndTime = currentFrame->GetEndTime();
+      mFrameStats.NotifyPresentedFrame();
+    }
+  }
+
+  RenderVideoFrames(mVideoQueueSendToCompositorSize, clockTime, nowTime);
+
+  TimeStamp target = nowTime + TimeDuration::FromMicroseconds(remainingTime);
+
+  RefPtr<VideoSink> self = this;
+  mUpdateScheduler.Ensure(target, [self] () {
+    self->UpdateRenderedVideoFramesByTimer();
+  }, [self] () {
+    self->UpdateRenderedVideoFramesByTimer();
+  });
+}
+
+} // namespace media
+} // namespace mozilla
diff --git a/dom/media/mediasink/VideoSink.h b/dom/media/mediasink/VideoSink.h
new file mode 100644
index 000000000000..f57560b232a5
--- /dev/null
+++ b/dom/media/mediasink/VideoSink.h
@@ -0,0 +1,154 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef VideoSink_h_
+#define VideoSink_h_
+
+#include "FrameStatistics.h"
+#include "ImageContainer.h"
+#include "MediaEventSource.h"
+#include "MediaSink.h"
+#include "MediaTimer.h"
+#include "mozilla/AbstractThread.h"
+#include "mozilla/MozPromise.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/TimeStamp.h"
+#include "VideoFrameContainer.h"
+
+namespace mozilla {
+
+class VideoFrameContainer;
+template <class T> class MediaQueue;
+
+namespace media {
+
+class VideoSink : public MediaSink
+{
+  typedef mozilla::layers::ImageContainer::ProducerID ProducerID;
+public:
+  VideoSink(AbstractThread* aThread,
+            MediaSink* aAudioSink,
+            MediaQueue<MediaData>& aVideoQueue,
+            VideoFrameContainer* aContainer,
+            bool aRealTime,
+            FrameStatistics& aFrameStats,
+            int aDelayDuration,
+            uint32_t aVQueueSentToCompositerSize);
+
+  const PlaybackParams& GetPlaybackParams() const override;
+
+  void SetPlaybackParams(const PlaybackParams& aParams) override;
+
+  RefPtr<GenericPromise> OnEnded(TrackType aType) override;
+
+  int64_t GetEndTime(TrackType aType) const override;
+
+  int64_t GetPosition(TimeStamp* aTimeStamp = nullptr) const override;
+
+  bool HasUnplayedFrames(TrackType aType) const override;
+
+  void SetPlaybackRate(double aPlaybackRate) override;
+
+  void SetVolume(double aVolume) override;
+
+  void SetPreservesPitch(bool aPreservesPitch) override;
+
+  void SetPlaying(bool aPlaying) override;
+
+  void Redraw() override;
+
+  void Start(int64_t aStartTime, const MediaInfo& aInfo) override;
+
+  void Stop() override;
+
+  bool IsStarted() const override;
+
+  bool IsPlaying() const override;
+
+  void Shutdown() override;
+
+private:
+  virtual ~VideoSink();
+
+  // VideoQueue listener related.
+  void OnVideoQueueEvent();
+  void ConnectListener();
+  void DisconnectListener();
+
+  // Sets VideoQueue images into the VideoFrameContainer. Called on the shared
+  // state machine thread. The first aMaxFrames (at most) are set.
+  // aClockTime and aClockTimeStamp are used as the baseline for deriving
+  // timestamps for the frames; when omitted, aMaxFrames must be 1 and
+  // a null timestamp is passed to the VideoFrameContainer.
+  // If the VideoQueue is empty, this does nothing.
+  void RenderVideoFrames(int32_t aMaxFrames, int64_t aClockTime = 0,
+                         const TimeStamp& aClickTimeStamp = TimeStamp());
+
+  // Triggered while videosink is started, videosink becomes "playing" status,
+  // or VideoQueue event arrived.
+  void TryUpdateRenderedVideoFrames();
+
+  // If we have video, display a video frame if it's time for display has
+  // arrived, otherwise sleep until it's time for the next frame. Update the
+  // current frame time as appropriate, and trigger ready state update.
+  // Called on the shared state machine thread.
+  void UpdateRenderedVideoFrames();
+  void UpdateRenderedVideoFramesByTimer();
+
+  void AssertOwnerThread() const
+  {
+    MOZ_ASSERT(mOwnerThread->IsCurrentThreadIn());
+  }
+
+  MediaQueue<MediaData>& VideoQueue() const {
+    return mVideoQueue;
+  }
+
+  const RefPtr<AbstractThread> mOwnerThread;
+  RefPtr<MediaSink> mAudioSink;
+  MediaQueue<MediaData>& mVideoQueue;
+  VideoFrameContainer* mContainer;
+
+  // Producer ID to help ImageContainer distinguish different streams of
+  // FrameIDs. A unique and immutable value per VideoSink.
+  const ProducerID mProducerID;
+
+  // True if we are decoding a real-time stream.
+  const bool mRealTime;
+
+  // Used to notify MediaDecoder's frame statistics
+  FrameStatistics& mFrameStats;
+
+  RefPtr<GenericPromise> mEndPromise;
+  MozPromiseHolder<GenericPromise> mEndPromiseHolder;
+  MozPromiseRequestHolder<GenericPromise> mVideoSinkEndRequest;
+
+  // The presentation end time of the last video frame which has been displayed
+  // in microseconds.
+  int64_t mVideoFrameEndTime;
+
+  // Event listeners for VideoQueue
+  MediaEventListener mPushListener;
+
+  // True if this sink is going to handle video track.
+  bool mHasVideo;
+
+  // Used to trigger another update of rendered frames in next round.
+  DelayedScheduler mUpdateScheduler;
+
+  // A delay duration to trigger next time UpdateRenderedVideoFrames().
+  // Based on the default value in MDSM.
+  const int mDelayDuration;
+
+  // Max frame number sent to compositor at a time.
+  // Based on the pref value obtained in MDSM.
+  const uint32_t mVideoQueueSendToCompositorSize;
+};
+
+} // namespace media
+} // namespace mozilla
+
+#endif
diff --git a/dom/media/mediasink/moz.build b/dom/media/mediasink/moz.build
index 931bf0fd59c6..228bd2e28100 100644
--- a/dom/media/mediasink/moz.build
+++ b/dom/media/mediasink/moz.build
@@ -8,6 +8,7 @@ UNIFIED_SOURCES += [
     'AudioSinkWrapper.cpp',
     'DecodedAudioDataSink.cpp',
     'DecodedStream.cpp',
+    'VideoSink.cpp',
 ]
 
 FINAL_LIBRARY = 'xul'
diff --git a/dom/media/ogg/OggReader.cpp b/dom/media/ogg/OggReader.cpp
index 8eaab1b1fe36..14ff9151b325 100644
--- a/dom/media/ogg/OggReader.cpp
+++ b/dom/media/ogg/OggReader.cpp
@@ -371,8 +371,8 @@ void OggReader::SetupMediaTracksInfo(const nsTArray<uint32_t>& aSerials)
   }
 }
 
-nsresult OggReader::ReadMetadata(MediaInfo* aInfo,
-                                 MetadataTags** aTags)
+nsresult
+OggReader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
 
diff --git a/dom/media/ogg/OggReader.h b/dom/media/ogg/OggReader.h
index 5397e5296e07..c8db8bc7f5c9 100644
--- a/dom/media/ogg/OggReader.h
+++ b/dom/media/ogg/OggReader.h
@@ -69,8 +69,6 @@ public:
     return mTheoraState != 0 && mTheoraState->mActive;
   }
 
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags) override;
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
   virtual media::TimeIntervals GetBuffered() override;
@@ -78,6 +76,8 @@ public:
   virtual bool IsMediaSeekable() override;
 
 private:
+  virtual nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
+
   // TODO: DEPRECATED. This uses synchronous decoding.
   // Stores the presentation time of the first frame we'd be able to play if
   // we started playback at the current position. Returns the first video
diff --git a/dom/media/omx/MediaCodecReader.cpp b/dom/media/omx/MediaCodecReader.cpp
index 0c2d78ee1f66..b6511cf09196 100644
--- a/dom/media/omx/MediaCodecReader.cpp
+++ b/dom/media/omx/MediaCodecReader.cpp
@@ -660,7 +660,7 @@ MediaCodecReader::ParseDataSegment(const char* aBuffer,
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-MediaCodecReader::AsyncReadMetadata()
+MediaCodecReader::AsyncReadMetadataInternal()
 {
   MOZ_ASSERT(OnTaskQueue());
 
diff --git a/dom/media/omx/MediaCodecReader.h b/dom/media/omx/MediaCodecReader.h
index 5acc707e6549..22d26ab03aac 100644
--- a/dom/media/omx/MediaCodecReader.h
+++ b/dom/media/omx/MediaCodecReader.h
@@ -70,8 +70,11 @@ protected:
   // all contents have been continuously parsed. (ex. total duration of some
   // variable-bit-rate MP3 files.)
   virtual void NotifyDataArrivedInternal(uint32_t aLength, int64_t aOffset) override;
-public:
 
+  virtual RefPtr<MediaDecoderReader::MetadataPromise>
+  AsyncReadMetadataInternal() override;
+
+public:
   // Flush the TaskQueue, flush MediaCodec and raise the mDiscontinuity.
   virtual nsresult ResetDecode() override;
 
@@ -86,8 +89,6 @@ public:
   virtual bool HasAudio();
   virtual bool HasVideo();
 
-  virtual RefPtr<MediaDecoderReader::MetadataPromise> AsyncReadMetadata() override;
-
   // Moves the decode head to aTime microseconds. aStartTime and aEndTime
   // denote the start and end times of the media in usecs, and aCurrentTime
   // is the current playback position in microseconds.
diff --git a/dom/media/omx/MediaOmxReader.cpp b/dom/media/omx/MediaOmxReader.cpp
index 48fbd3370351..ab275b0971e9 100644
--- a/dom/media/omx/MediaOmxReader.cpp
+++ b/dom/media/omx/MediaOmxReader.cpp
@@ -212,7 +212,7 @@ nsresult MediaOmxReader::InitOmxDecoder()
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-MediaOmxReader::AsyncReadMetadata()
+MediaOmxReader::AsyncReadMetadataInternal()
 {
   MOZ_ASSERT(OnTaskQueue());
   EnsureActive();
diff --git a/dom/media/omx/MediaOmxReader.h b/dom/media/omx/MediaOmxReader.h
index 62fc6ebf4898..6f876fabe09c 100644
--- a/dom/media/omx/MediaOmxReader.h
+++ b/dom/media/omx/MediaOmxReader.h
@@ -72,6 +72,10 @@ public:
 
 protected:
   virtual void NotifyDataArrivedInternal(uint32_t aLength, int64_t aOffset) override;
+
+  virtual RefPtr<MediaDecoderReader::MetadataPromise>
+  AsyncReadMetadataInternal() override;
+
 public:
 
   virtual nsresult ResetDecode()
@@ -95,8 +99,6 @@ public:
     return mHasVideo;
   }
 
-  virtual RefPtr<MediaDecoderReader::MetadataPromise> AsyncReadMetadata() override;
-
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
diff --git a/dom/media/omx/RtspMediaCodecReader.cpp b/dom/media/omx/RtspMediaCodecReader.cpp
index c88700856de2..1669966b4637 100644
--- a/dom/media/omx/RtspMediaCodecReader.cpp
+++ b/dom/media/omx/RtspMediaCodecReader.cpp
@@ -89,13 +89,13 @@ RtspMediaCodecReader::RequestVideoData(bool aSkipToNextKeyframe,
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-RtspMediaCodecReader::AsyncReadMetadata()
+RtspMediaCodecReader::AsyncReadMetadataInternal()
 {
   mRtspResource->DisablePlayoutDelay();
   EnsureActive();
 
   RefPtr<MediaDecoderReader::MetadataPromise> p =
-    MediaCodecReader::AsyncReadMetadata();
+    MediaCodecReader::AsyncReadMetadataInternal();
 
   // Send a PAUSE to the RTSP server because the underlying media resource is
   // not ready.
diff --git a/dom/media/omx/RtspMediaCodecReader.h b/dom/media/omx/RtspMediaCodecReader.h
index ab0beb3ce2f2..d88f45492278 100644
--- a/dom/media/omx/RtspMediaCodecReader.h
+++ b/dom/media/omx/RtspMediaCodecReader.h
@@ -58,12 +58,12 @@ public:
   // Disptach a DecodeAudioDataTask to decode audio data.
   virtual RefPtr<AudioDataPromise> RequestAudioData() override;
 
-  virtual RefPtr<MediaDecoderReader::MetadataPromise> AsyncReadMetadata()
-    override;
-
   virtual void HandleResourceAllocated() override;
 
 private:
+  virtual RefPtr<MediaDecoderReader::MetadataPromise>
+  AsyncReadMetadataInternal() override;
+
   // A pointer to RtspMediaResource for calling the Rtsp specific function.
   // The lifetime of mRtspResource is controlled by MediaDecoder. MediaDecoder
   // holds the MediaDecoderStateMachine and RtspMediaResource.
diff --git a/dom/media/omx/RtspOmxReader.cpp b/dom/media/omx/RtspOmxReader.cpp
index 145d8c49f43d..69b3703a61f9 100644
--- a/dom/media/omx/RtspOmxReader.cpp
+++ b/dom/media/omx/RtspOmxReader.cpp
@@ -87,14 +87,14 @@ void RtspOmxReader::EnsureActive() {
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-RtspOmxReader::AsyncReadMetadata()
+RtspOmxReader::AsyncReadMetadataInternal()
 {
   // Send a PLAY command to the RTSP server before reading metadata.
   // Because we might need some decoded samples to ensure we have configuration.
   mRtspResource->DisablePlayoutDelay();
 
   RefPtr<MediaDecoderReader::MetadataPromise> p =
-    MediaOmxReader::AsyncReadMetadata();
+    MediaOmxReader::AsyncReadMetadataInternal();
 
   // Send a PAUSE to the RTSP server because the underlying media resource is
   // not ready.
diff --git a/dom/media/omx/RtspOmxReader.h b/dom/media/omx/RtspOmxReader.h
index fbf745d342e1..d1e0bb8a03ba 100644
--- a/dom/media/omx/RtspOmxReader.h
+++ b/dom/media/omx/RtspOmxReader.h
@@ -66,12 +66,12 @@ public:
 
   virtual void SetIdle() override;
 
-  virtual RefPtr<MediaDecoderReader::MetadataPromise> AsyncReadMetadata()
-    override;
-
   virtual void HandleResourceAllocated() override;
 
 private:
+  virtual RefPtr<MediaDecoderReader::MetadataPromise>
+  AsyncReadMetadataInternal() override;
+
   // A pointer to RtspMediaResource for calling the Rtsp specific function.
   // The lifetime of mRtspResource is controlled by MediaDecoder. MediaDecoder
   // holds the MediaDecoderStateMachine and RtspMediaResource.
diff --git a/dom/media/platforms/gonk/GonkMediaDataDecoder.cpp b/dom/media/platforms/gonk/GonkMediaDataDecoder.cpp
index 5b59e3292e19..4939d904ae1b 100644
--- a/dom/media/platforms/gonk/GonkMediaDataDecoder.cpp
+++ b/dom/media/platforms/gonk/GonkMediaDataDecoder.cpp
@@ -207,11 +207,13 @@ GonkDecoderManager::ProcessToDo(bool aEndOfStream)
       mWaitOutput.RemoveElementAt(0);
       mDecodeCallback->Output(output);
     } else if (rv == NS_ERROR_ABORT) {
-      GMDD_LOG("eos output");
-      mWaitOutput.RemoveElementAt(0);
-      MOZ_ASSERT(mQueuedSamples.IsEmpty());
-      MOZ_ASSERT(mWaitOutput.IsEmpty());
       // EOS
+      MOZ_ASSERT(mQueuedSamples.IsEmpty());
+      mWaitOutput.RemoveElementAt(0);
+      // Sometimes the decoder attaches EOS flag to the final output buffer
+      // instead of emits EOS by itself, hence the 2nd condition.
+      MOZ_ASSERT(mWaitOutput.IsEmpty() ||
+                 (mWaitOutput.Length() == 1 && output.get()));
       if (output) {
         mDecodeCallback->Output(output);
       }
diff --git a/dom/media/raw/RawReader.cpp b/dom/media/raw/RawReader.cpp
index 19f7b8905dcb..0f546d22eed9 100644
--- a/dom/media/raw/RawReader.cpp
+++ b/dom/media/raw/RawReader.cpp
@@ -32,8 +32,8 @@ nsresult RawReader::ResetDecode()
   return MediaDecoderReader::ResetDecode();
 }
 
-nsresult RawReader::ReadMetadata(MediaInfo* aInfo,
-                                 MetadataTags** aTags)
+nsresult
+RawReader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
 
diff --git a/dom/media/raw/RawReader.h b/dom/media/raw/RawReader.h
index e0481e901329..5b56b6e1aa17 100644
--- a/dom/media/raw/RawReader.h
+++ b/dom/media/raw/RawReader.h
@@ -36,8 +36,6 @@ public:
     return true;
   }
 
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags) override;
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
@@ -46,6 +44,7 @@ public:
   virtual bool IsMediaSeekable() override;
 
 private:
+  virtual nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
   bool ReadFromResource(uint8_t *aBuf, uint32_t aLength);
 
   RawVideoHeader mMetadata;
diff --git a/dom/media/wave/WaveReader.cpp b/dom/media/wave/WaveReader.cpp
index d15feba15885..9c46b3f2ab44 100644
--- a/dom/media/wave/WaveReader.cpp
+++ b/dom/media/wave/WaveReader.cpp
@@ -116,8 +116,8 @@ WaveReader::~WaveReader()
   MOZ_COUNT_DTOR(WaveReader);
 }
 
-nsresult WaveReader::ReadMetadata(MediaInfo* aInfo,
-                                  MetadataTags** aTags)
+nsresult
+WaveReader::ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags)
 {
   MOZ_ASSERT(OnTaskQueue());
 
diff --git a/dom/media/wave/WaveReader.h b/dom/media/wave/WaveReader.h
index 468e20a3fcf1..bad059ee6ede 100644
--- a/dom/media/wave/WaveReader.h
+++ b/dom/media/wave/WaveReader.h
@@ -36,8 +36,6 @@ public:
     return false;
   }
 
-  virtual nsresult ReadMetadata(MediaInfo* aInfo,
-                                MetadataTags** aTags) override;
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
@@ -46,6 +44,7 @@ public:
   virtual bool IsMediaSeekable() override;
 
 private:
+  virtual nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
   bool ReadAll(char* aBuf, int64_t aSize, int64_t* aBytesRead = nullptr);
   bool LoadRIFFChunk();
   bool LoadFormatChunk(uint32_t aChunkSize);
diff --git a/dom/media/webm/WebMReader.cpp b/dom/media/webm/WebMReader.cpp
index 8797eda15ce5..f71054b55cf3 100644
--- a/dom/media/webm/WebMReader.cpp
+++ b/dom/media/webm/WebMReader.cpp
@@ -227,8 +227,10 @@ void WebMReader::Cleanup()
 }
 
 RefPtr<MediaDecoderReader::MetadataPromise>
-WebMReader::AsyncReadMetadata()
+WebMReader::AsyncReadMetadataInternal()
 {
+  MOZ_ASSERT(OnTaskQueue());
+
   RefPtr<MetadataHolder> metadata = new MetadataHolder();
 
   if (NS_FAILED(RetrieveWebMMetadata(&metadata->mInfo)) ||
diff --git a/dom/media/webm/WebMReader.h b/dom/media/webm/WebMReader.h
index 3434eef9618c..4e031b4330a6 100644
--- a/dom/media/webm/WebMReader.h
+++ b/dom/media/webm/WebMReader.h
@@ -89,8 +89,6 @@ public:
     return mHasVideo;
   }
 
-  virtual RefPtr<MetadataPromise> AsyncReadMetadata() override;
-
   virtual RefPtr<SeekPromise>
   Seek(int64_t aTime, int64_t aEndTime) override;
 
@@ -144,6 +142,8 @@ protected:
   bool ShouldSkipVideoFrame(int64_t aTimeThreshold);
 
 private:
+  virtual RefPtr<MetadataPromise> AsyncReadMetadataInternal() override;
+
   nsresult RetrieveWebMMetadata(MediaInfo* aInfo);
 
   // Get the timestamp of keyframe greater than aTimeThreshold.
diff --git a/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerModule.cpp b/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerModule.cpp
new file mode 100644
index 000000000000..17370a25a345
--- /dev/null
+++ b/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerModule.cpp
@@ -0,0 +1,57 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/ModuleUtils.h"
+#include "nsIClassInfoImpl.h"
+
+#include "OSXSpeechSynthesizerService.h"
+
+using namespace mozilla::dom;
+
+#define OSXSPEECHSYNTHESIZERSERVICE_CID \
+  {0x914e73b4, 0x6337, 0x4bef, {0x97, 0xf3, 0x4d, 0x06, 0x9e, 0x05, 0x3a, 0x12}}
+
+#define OSXSPEECHSYNTHESIZERSERVICE_CONTRACTID "@mozilla.org/synthsystem;1"
+
+// Defines OSXSpeechSynthesizerServiceConstructor
+NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(OSXSpeechSynthesizerService,
+                                         OSXSpeechSynthesizerService::GetInstanceForService)
+
+// Defines kSAPISERVICE_CID
+NS_DEFINE_NAMED_CID(OSXSPEECHSYNTHESIZERSERVICE_CID);
+
+static const mozilla::Module::CIDEntry kCIDs[] = {
+  { &kOSXSPEECHSYNTHESIZERSERVICE_CID, true, nullptr, OSXSpeechSynthesizerServiceConstructor },
+  { nullptr }
+};
+
+static const mozilla::Module::ContractIDEntry kContracts[] = {
+  { OSXSPEECHSYNTHESIZERSERVICE_CONTRACTID, &kOSXSPEECHSYNTHESIZERSERVICE_CID },
+  { nullptr }
+};
+
+static const mozilla::Module::CategoryEntry kCategories[] = {
+  { "profile-after-change", "Sapi Speech Synth", OSXSPEECHSYNTHESIZERSERVICE_CONTRACTID },
+  { nullptr }
+};
+
+static void
+UnloadOSXSpeechSynthesizerModule()
+{
+  OSXSpeechSynthesizerService::Shutdown();
+}
+
+static const mozilla::Module kModule = {
+  mozilla::Module::kVersion,
+  kCIDs,
+  kContracts,
+  kCategories,
+  nullptr,
+  nullptr,
+  UnloadOSXSpeechSynthesizerModule
+};
+
+NSMODULE_DEFN(osxsynth) = &kModule;
diff --git a/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.h b/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.h
new file mode 100644
index 000000000000..52c393055289
--- /dev/null
+++ b/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.h
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_OsxSpeechSynthesizerService_h
+#define mozilla_dom_OsxSpeechSynthesizerService_h
+
+#include "nsAutoPtr.h"
+#include "nsISpeechService.h"
+#include "nsIObserver.h"
+#include "mozilla/StaticPtr.h"
+
+namespace mozilla {
+namespace dom {
+
+class OSXSpeechSynthesizerService final : public nsISpeechService
+                                        , public nsIObserver
+{
+public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSISPEECHSERVICE
+  NS_DECL_NSIOBSERVER
+
+  bool Init();
+
+  static OSXSpeechSynthesizerService* GetInstance();
+  static already_AddRefed<OSXSpeechSynthesizerService> GetInstanceForService();
+  static void Shutdown();
+
+private:
+  OSXSpeechSynthesizerService();
+  virtual ~OSXSpeechSynthesizerService();
+
+  bool RegisterVoices();
+
+  bool mInitialized;
+  static mozilla::StaticRefPtr<OSXSpeechSynthesizerService> sSingleton;
+};
+
+} // namespace dom
+} // namespace mozilla
+
+#endif
diff --git a/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.mm b/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.mm
new file mode 100644
index 000000000000..2f5fa97e6f31
--- /dev/null
+++ b/dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.mm
@@ -0,0 +1,384 @@
+/* -*- Mode: Objective-C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 sw=2 et tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.h"
+#include "nsServiceManagerUtils.h"
+#include "nsObjCExceptions.h"
+#include "nsCocoaUtils.h"
+#include "nsThreadUtils.h"
+#include "mozilla/dom/nsSynthVoiceRegistry.h"
+#include "mozilla/dom/nsSpeechTask.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/Assertions.h"
+#include "OSXSpeechSynthesizerService.h"
+
+#import <Cocoa/Cocoa.h>
+
+using namespace mozilla;
+
+class SpeechTaskCallback final : public nsISpeechTaskCallback
+{
+public:
+  SpeechTaskCallback(nsISpeechTask* aTask, NSSpeechSynthesizer* aSynth)
+    : mTask(aTask)
+    , mSpeechSynthesizer(aSynth)
+  {
+    mStartingTime = TimeStamp::Now();
+  }
+
+  NS_DECL_CYCLE_COLLECTING_ISUPPORTS
+  NS_DECL_CYCLE_COLLECTION_CLASS_AMBIGUOUS(SpeechTaskCallback, nsISpeechTaskCallback)
+
+  NS_DECL_NSISPEECHTASKCALLBACK
+
+  void OnWillSpeakWord(uint32_t aIndex);
+  void OnError(uint32_t aIndex);
+  void OnDidFinishSpeaking();
+
+private:
+  virtual ~SpeechTaskCallback()
+  {
+    [mSpeechSynthesizer release];
+  }
+
+  float GetTimeDurationFromStart();
+
+  nsCOMPtr<nsISpeechTask> mTask;
+  NSSpeechSynthesizer* mSpeechSynthesizer;
+  TimeStamp mStartingTime;
+  uint32_t mCurrentIndex;
+};
+
+NS_IMPL_CYCLE_COLLECTION(SpeechTaskCallback, mTask);
+
+NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(SpeechTaskCallback)
+  NS_INTERFACE_MAP_ENTRY(nsISpeechTaskCallback)
+  NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsISpeechTaskCallback)
+NS_INTERFACE_MAP_END
+
+NS_IMPL_CYCLE_COLLECTING_ADDREF(SpeechTaskCallback)
+NS_IMPL_CYCLE_COLLECTING_RELEASE(SpeechTaskCallback)
+
+NS_IMETHODIMP
+SpeechTaskCallback::OnCancel()
+{
+  NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NSRESULT;
+
+  [mSpeechSynthesizer stopSpeaking];
+  return NS_OK;
+
+  NS_OBJC_END_TRY_ABORT_BLOCK_NSRESULT;
+}
+
+NS_IMETHODIMP
+SpeechTaskCallback::OnPause()
+{
+  NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NSRESULT;
+
+  [mSpeechSynthesizer pauseSpeakingAtBoundary:NSSpeechImmediateBoundary];
+  mTask->DispatchPause(GetTimeDurationFromStart(), mCurrentIndex);
+  return NS_OK;
+
+  NS_OBJC_END_TRY_ABORT_BLOCK_NSRESULT;
+}
+
+NS_IMETHODIMP
+SpeechTaskCallback::OnResume()
+{
+  NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NSRESULT;
+
+  [mSpeechSynthesizer continueSpeaking];
+  mTask->DispatchResume(GetTimeDurationFromStart(), mCurrentIndex);
+  return NS_OK;
+
+  NS_OBJC_END_TRY_ABORT_BLOCK_NSRESULT;
+}
+
+NS_IMETHODIMP
+SpeechTaskCallback::OnVolumeChanged(float aVolume)
+{
+  NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NSRESULT;
+
+  [mSpeechSynthesizer setObject:[NSNumber numberWithFloat:aVolume]
+                    forProperty:NSSpeechVolumeProperty error:nil];
+  return NS_OK;
+
+  NS_OBJC_END_TRY_ABORT_BLOCK_NSRESULT;
+}
+
+float
+SpeechTaskCallback::GetTimeDurationFromStart()
+{
+  TimeDuration duration = TimeStamp::Now() - mStartingTime;
+  return duration.ToMilliseconds();
+}
+
+void
+SpeechTaskCallback::OnWillSpeakWord(uint32_t aIndex)
+{
+  mCurrentIndex = aIndex;
+  mTask->DispatchBoundary(NS_LITERAL_STRING("word"),
+                          GetTimeDurationFromStart(), mCurrentIndex);
+}
+
+void
+SpeechTaskCallback::OnError(uint32_t aIndex)
+{
+  mTask->DispatchError(GetTimeDurationFromStart(), aIndex);
+}
+
+void
+SpeechTaskCallback::OnDidFinishSpeaking()
+{
+  mTask->DispatchEnd(GetTimeDurationFromStart(), mCurrentIndex);
+  // no longer needed
+  mTask = nullptr;
+}
+
+@interface SpeechDelegate : NSObject<NSSpeechSynthesizerDelegate>
+{
+@private
+  SpeechTaskCallback* mCallback;
+}
+
+  - (id)initWithCallback:(SpeechTaskCallback*)aCallback;
+@end
+
+@implementation SpeechDelegate
+- (id)initWithCallback:(SpeechTaskCallback*)aCallback
+{
+  [super init];
+  mCallback = aCallback;
+  return self;
+}
+
+- (void)speechSynthesizer:(NSSpeechSynthesizer *)aSender
+            willSpeakWord:(NSRange)aRange ofString:(NSString*)aString
+{
+  mCallback->OnWillSpeakWord(aRange.location);
+}
+
+- (void)speechSynthesizer:(NSSpeechSynthesizer *)aSender
+        didFinishSpeaking:(BOOL)aFinishedSpeaking
+{
+  mCallback->OnDidFinishSpeaking();
+}
+
+- (void)speechSynthesizer:(NSSpeechSynthesizer*)aSender
+ didEncounterErrorAtIndex:(NSUInteger)aCharacterIndex
+                 ofString:(NSString*)aString
+                  message:(NSString*)aMessage
+{
+  mCallback->OnError(aCharacterIndex);
+}
+@end
+
+namespace mozilla {
+namespace dom {
+
+class RegisterVoicesRunnable final : public nsRunnable
+{
+public:
+  explicit RegisterVoicesRunnable(OSXSpeechSynthesizerService* aSpeechService)
+    : mSpeechService(aSpeechService)
+  {
+  }
+
+  NS_IMETHOD Run();
+
+private:
+  ~RegisterVoicesRunnable()
+  {
+  }
+
+  RefPtr<OSXSpeechSynthesizerService> mSpeechService;
+};
+
+NS_IMETHODIMP
+RegisterVoicesRunnable::Run()
+{
+  NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NSRESULT;
+
+  nsresult rv;
+  nsCOMPtr<nsISynthVoiceRegistry> registry =
+    do_GetService(NS_SYNTHVOICEREGISTRY_CONTRACTID, &rv);
+  if (!registry) {
+    return rv;
+  }
+
+  NSArray* voices = [NSSpeechSynthesizer availableVoices];
+  NSString* defaultVoice = [NSSpeechSynthesizer defaultVoice];
+
+  for (NSString* voice in voices) {
+    NSDictionary* attr = [NSSpeechSynthesizer attributesForVoice:voice];
+
+    nsAutoString identifier;
+    nsCocoaUtils::GetStringForNSString([attr objectForKey:NSVoiceIdentifier],
+                                       identifier);
+
+    nsAutoString name;
+    nsCocoaUtils::GetStringForNSString([attr objectForKey:NSVoiceName], name);
+
+    nsAutoString locale;
+    nsCocoaUtils::GetStringForNSString(
+      [attr objectForKey:NSVoiceLocaleIdentifier], locale);
+    locale.ReplaceChar('_', '-');
+
+    nsAutoString uri;
+    uri.AssignLiteral("urn:moz-tts:osx:");
+    uri.Append(identifier);
+    rv = registry->AddVoice(mSpeechService, uri, name, locale, true, false);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      continue;
+    }
+
+    if ([voice isEqualToString:defaultVoice]) {
+      registry->SetDefaultVoice(uri, true);
+    }
+  }
+
+  return NS_OK;
+
+  NS_OBJC_END_TRY_ABORT_BLOCK_NSRESULT;
+}
+
+StaticRefPtr<OSXSpeechSynthesizerService> OSXSpeechSynthesizerService::sSingleton;
+
+NS_INTERFACE_MAP_BEGIN(OSXSpeechSynthesizerService)
+  NS_INTERFACE_MAP_ENTRY(nsISpeechService)
+  NS_INTERFACE_MAP_ENTRY(nsIObserver)
+  NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsISpeechService)
+NS_INTERFACE_MAP_END
+
+NS_IMPL_ADDREF(OSXSpeechSynthesizerService)
+NS_IMPL_RELEASE(OSXSpeechSynthesizerService)
+
+OSXSpeechSynthesizerService::OSXSpeechSynthesizerService()
+  : mInitialized(false)
+{
+}
+
+OSXSpeechSynthesizerService::~OSXSpeechSynthesizerService()
+{
+}
+
+bool
+OSXSpeechSynthesizerService::Init()
+{
+  if (Preferences::GetBool("media.webspeech.synth.test") ||
+      !Preferences::GetBool("media.webspeech.synth.enabled")) {
+    // When test is enabled, we shouldn't add OS backend (Bug 1160844)
+    return false;
+  }
+
+  // Get all the voices and register in the SynthVoiceRegistry
+  nsCOMPtr<nsIRunnable> runnable = new RegisterVoicesRunnable(this);
+  NS_DispatchToMainThread(runnable);
+
+  mInitialized = true;
+  return true;
+}
+
+NS_IMETHODIMP
+OSXSpeechSynthesizerService::Speak(const nsAString& aText,
+                                   const nsAString& aUri,
+                                   float aVolume,
+                                   float aRate,
+                                   float aPitch,
+                                   nsISpeechTask* aTask)
+{
+  NS_OBJC_BEGIN_TRY_ABORT_BLOCK_NSRESULT;
+
+  MOZ_ASSERT(StringBeginsWith(aUri, NS_LITERAL_STRING("urn:moz-tts:osx:")),
+             "OSXSpeechSynthesizerService doesn't allow this voice URI");
+
+  NSSpeechSynthesizer* synth = [[NSSpeechSynthesizer alloc] init];
+  // strlen("urn:moz-tts:osx:") == 16
+  NSString* identifier = nsCocoaUtils::ToNSString(Substring(aUri, 16));
+  [synth setVoice:identifier];
+
+  // default rate is 180-220
+  [synth setObject:[NSNumber numberWithInt:aRate * 200]
+         forProperty:NSSpeechRateProperty error:nil];
+  // volume allows 0.0-1.0
+  [synth setObject:[NSNumber numberWithFloat:aVolume]
+         forProperty:NSSpeechVolumeProperty error:nil];
+  // Use default pitch value to calculate this
+  NSNumber* defaultPitch =
+    [synth objectForProperty:NSSpeechPitchBaseProperty error:nil];
+  if (defaultPitch) {
+    int newPitch = [defaultPitch intValue] * (aPitch / 2 + 0.5);
+    [synth setObject:[NSNumber numberWithInt:newPitch]
+           forProperty:NSSpeechPitchBaseProperty error:nil];
+  }
+
+  RefPtr<SpeechTaskCallback> callback = new SpeechTaskCallback(aTask, synth);
+  nsresult rv = aTask->Setup(callback, 0, 0, 0);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  SpeechDelegate* delegate = [[SpeechDelegate alloc] initWithCallback:callback];
+  [synth setDelegate:delegate];
+  [delegate release ];
+
+  NSString* text = nsCocoaUtils::ToNSString(aText);
+  BOOL success = [synth startSpeakingString:text];
+  NS_ENSURE_TRUE(success, NS_ERROR_FAILURE);
+
+  aTask->DispatchStart();
+  return NS_OK;
+
+  NS_OBJC_END_TRY_ABORT_BLOCK_NSRESULT;
+}
+
+NS_IMETHODIMP
+OSXSpeechSynthesizerService::GetServiceType(SpeechServiceType* aServiceType)
+{
+  *aServiceType = nsISpeechService::SERVICETYPE_INDIRECT_AUDIO;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+OSXSpeechSynthesizerService::Observe(nsISupports* aSubject, const char* aTopic,
+                                     const char16_t* aData)
+{
+  if (!strcmp(aTopic, "profile-after-change")) {
+    Init();
+  }
+  return NS_OK;
+}
+
+OSXSpeechSynthesizerService*
+OSXSpeechSynthesizerService::GetInstance()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  if (XRE_GetProcessType() != GeckoProcessType_Default) {
+    return nullptr;
+  }
+
+  if (!sSingleton) {
+    sSingleton = new OSXSpeechSynthesizerService();
+  }
+  return sSingleton;
+}
+
+already_AddRefed<OSXSpeechSynthesizerService>
+OSXSpeechSynthesizerService::GetInstanceForService()
+{
+  RefPtr<OSXSpeechSynthesizerService> speechService = GetInstance();
+  return speechService.forget();
+}
+
+void
+OSXSpeechSynthesizerService::Shutdown()
+{
+  if (!sSingleton) {
+    return;
+  }
+  sSingleton = nullptr;
+}
+
+} // namespace dom
+} // namespace mozilla
diff --git a/dom/media/webspeech/synth/cocoa/moz.build b/dom/media/webspeech/synth/cocoa/moz.build
new file mode 100644
index 000000000000..af8b396e2ab3
--- /dev/null
+++ b/dom/media/webspeech/synth/cocoa/moz.build
@@ -0,0 +1,12 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+  'OSXSpeechSynthesizerModule.cpp',
+  'OSXSpeechSynthesizerService.mm'
+]
+
+FINAL_LIBRARY = 'xul'
diff --git a/dom/media/webspeech/synth/moz.build b/dom/media/webspeech/synth/moz.build
index b3dce2a7cc1b..de03c2fc4a4a 100644
--- a/dom/media/webspeech/synth/moz.build
+++ b/dom/media/webspeech/synth/moz.build
@@ -46,6 +46,9 @@ if CONFIG['MOZ_WEBSPEECH']:
     if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':
         DIRS += ['windows']
 
+    if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
+        DIRS += ['cocoa']
+
     if CONFIG['MOZ_SYNTH_SPEECHD']:
         DIRS += ['speechd']
 
diff --git a/dom/mobilemessage/android/SmsManager.cpp b/dom/mobilemessage/android/SmsManager.cpp
index 380f02c8c2f5..7ae90c489bca 100644
--- a/dom/mobilemessage/android/SmsManager.cpp
+++ b/dom/mobilemessage/android/SmsManager.cpp
@@ -15,6 +15,7 @@
 #include "mozilla/Services.h"
 #include "nsIMobileMessageDatabaseService.h"
 #include "nsIObserverService.h"
+#include "nsThreadUtils.h"
 
 using namespace mozilla::dom;
 using namespace mozilla::dom::mobilemessage;
diff --git a/dom/plugins/test/mochitest/browser.ini b/dom/plugins/test/mochitest/browser.ini
index b169c46f279f..ea83e3395551 100644
--- a/dom/plugins/test/mochitest/browser.ini
+++ b/dom/plugins/test/mochitest/browser.ini
@@ -2,6 +2,8 @@
 support-files =
   head.js
   plugin_test.html
+  plugin_subframe_test.html
+  plugin_no_scroll_div.html
 
 [browser_bug1163570.js]
 skip-if = (!e10s || os != "win")
diff --git a/dom/plugins/test/mochitest/browser_pluginscroll.js b/dom/plugins/test/mochitest/browser_pluginscroll.js
index 1cb9f99c8c1c..7314b84103fc 100644
--- a/dom/plugins/test/mochitest/browser_pluginscroll.js
+++ b/dom/plugins/test/mochitest/browser_pluginscroll.js
@@ -40,7 +40,7 @@ add_task(function*() {
 });
 
 /*
- * test plugin visibility when scrolling with scroll wheel and apz.
+ * test plugin visibility when scrolling with scroll wheel and apz in a top level document.
  */
 
 add_task(function* () {
@@ -105,10 +105,74 @@ add_task(function* () {
 });
 
 /*
- * test visibility when scrolling with keyboard shortcuts. This circumvents apz
- * and relies on dom scroll, which is what we want to target for this test. Note
- * this test should only run with e10s since we do not hide plugin windows when
- * scrolling in single process mode.
+ * test plugin visibility when scrolling with scroll wheel and apz in a sub document.
+ */
+
+add_task(function* () {
+  let result;
+
+  if (!apzEnabled) {
+    ok(true, "nothing to test, need apz");
+    return;
+  }
+
+  if (!pluginHideEnabled) {
+    ok(true, "nothing to test, need gfx.e10s.hide-plugins-for-scroll");
+    return;
+  }
+
+  setTestPluginEnabledState(Ci.nsIPluginTag.STATE_ENABLED, "Test Plug-in");
+
+  let testTab = gBrowser.selectedTab;
+  let pluginTab = yield BrowserTestUtils.openNewForegroundTab(gBrowser, gTestRoot + "plugin_subframe_test.html");
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return !!plugin;
+  });
+  is(result, true, "plugin is loaded");
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, true, "plugin is visible");
+
+  let nativeId = nativeVerticalWheelEventMsg();
+  let utils = SpecialPowers.getDOMWindowUtils(window);
+  let screenCoords = coordinatesRelativeToWindow(10, 10,
+                                                 gBrowser.selectedBrowser);
+  utils.sendNativeMouseScrollEvent(screenCoords.x, screenCoords.y,
+                                   nativeId, 0, -50, 0, 0, 0,
+                                   gBrowser.selectedBrowser);
+
+  yield waitScrollStart(gBrowser.selectedBrowser);
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, false, "plugin is hidden");
+
+  yield waitScrollFinish(gBrowser.selectedBrowser);
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, true, "plugin is visible");
+
+  gBrowser.removeTab(pluginTab);
+});
+
+/*
+ * test visibility when scrolling with keyboard shortcuts for a top level document.
+ * This circumvents apz and relies on dom scroll, which is what we want to target
+ * for this test.
  */
 
 add_task(function* () {
@@ -171,3 +235,68 @@ add_task(function* () {
 
   gBrowser.removeTab(pluginTab);
 });
+
+/*
+ * test visibility when scrolling with keyboard shortcuts for a sub document.
+ */
+
+add_task(function* () {
+  let result;
+
+  if (!pluginHideEnabled) {
+    ok(true, "nothing to test, need gfx.e10s.hide-plugins-for-scroll");
+    return;
+  }
+
+  setTestPluginEnabledState(Ci.nsIPluginTag.STATE_ENABLED, "Test Plug-in");
+
+  let testTab = gBrowser.selectedTab;
+  let pluginTab = yield BrowserTestUtils.openNewForegroundTab(gBrowser, gTestRoot + "plugin_subframe_test.html");
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return !!plugin;
+  });
+  is(result, true, "plugin is loaded");
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, true, "plugin is visible");
+
+  EventUtils.synthesizeKey("VK_END", {});
+
+  yield waitScrollStart(gBrowser.selectedBrowser);
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, false, "plugin is hidden");
+
+  yield waitScrollFinish(gBrowser.selectedBrowser);
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, false, "plugin is hidden");
+
+  EventUtils.synthesizeKey("VK_HOME", {});
+
+  yield waitScrollFinish(gBrowser.selectedBrowser);
+
+  result = yield ContentTask.spawn(pluginTab.linkedBrowser, null, function*() {
+    let doc = content.document.getElementById("subframe").contentDocument;
+    let plugin = doc.getElementById("testplugin");
+    return XPCNativeWrapper.unwrap(plugin).nativeWidgetIsVisible();
+  });
+  is(result, true, "plugin is visible");
+
+  gBrowser.removeTab(pluginTab);
+});
diff --git a/dom/plugins/test/mochitest/plugin_no_scroll_div.html b/dom/plugins/test/mochitest/plugin_no_scroll_div.html
new file mode 100644
index 000000000000..15ec2918bf26
--- /dev/null
+++ b/dom/plugins/test/mochitest/plugin_no_scroll_div.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+</head>
+<body>
+  <embed id="testplugin" type="application/x-test" drawmode="solid" color="ff00ff00" wmode="window"
+         style="position:absolute; top:5px; left:5px; width:500px; height:250px">
+</body>
+</html>
diff --git a/dom/plugins/test/mochitest/plugin_subframe_test.html b/dom/plugins/test/mochitest/plugin_subframe_test.html
new file mode 100644
index 000000000000..8f20c1dc856f
--- /dev/null
+++ b/dom/plugins/test/mochitest/plugin_subframe_test.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+</head>
+<body>
+  <iframe id="subframe" style="width:510px; height:260px;" src="plugin_no_scroll_div.html"></iframe>
+  <div style="display:block; height:3000px;"></div>
+</body>
+</html>
diff --git a/dom/security/nsCSPService.cpp b/dom/security/nsCSPService.cpp
index 9a04ac43768a..2c2fe79a78f9 100644
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@@ -198,13 +198,14 @@ CSPService::ShouldLoad(uint32_t aContentType,
 
   // ----- END OF TEMPORARY FAST PATH FOR CERTIFIED APPS. -----
 
-  // find the principal of the document that initiated this request and see
-  // if it has a CSP policy object
+  // query the principal of the document; if no document is passed, then
+  // fall back to using the requestPrincipal (e.g. service workers do not
+  // pass a document).
   nsCOMPtr<nsINode> node(do_QueryInterface(aRequestContext));
-  nsCOMPtr<nsIPrincipal> principal;
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  if (node) {
-    principal = node->NodePrincipal();
+  nsCOMPtr<nsIPrincipal> principal = node ? node->NodePrincipal()
+                                          : aRequestPrincipal;
+  if (principal) {
+    nsCOMPtr<nsIContentSecurityPolicy> csp;
     principal->GetCsp(getter_AddRefs(csp));
 
     if (csp) {
@@ -236,7 +237,7 @@ CSPService::ShouldLoad(uint32_t aContentType,
     nsAutoCString uriSpec;
     aContentLocation->GetSpec(uriSpec);
     MOZ_LOG(gCspPRLog, LogLevel::Debug,
-           ("COULD NOT get nsINode for location: %s", uriSpec.get()));
+           ("COULD NOT get nsIPrincipal for location: %s", uriSpec.get()));
   }
 
   return NS_OK;
@@ -313,8 +314,7 @@ CSPService::AsyncOnChannelRedirect(nsIChannel *oldChannel,
   nsCOMPtr<nsIURI> originalUri;
   rv = oldChannel->GetOriginalURI(getter_AddRefs(originalUri));
   NS_ENSURE_SUCCESS(rv, rv);
-  nsContentPolicyType policyType =
-    nsContentUtils::InternalContentPolicyTypeToExternal(loadInfo->GetContentPolicyType());
+  nsContentPolicyType policyType = loadInfo->GetExternalContentPolicyType();
 
   int16_t aDecision = nsIContentPolicy::ACCEPT;
   csp->ShouldLoad(policyType,     // load type per nsIContentPolicy (uint32_t)
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index 1dc89eef5b86..9e621f8c2d31 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -84,6 +84,13 @@ DoSOPChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
   nsIPrincipal* loadingPrincipal = aLoadInfo->LoadingPrincipal();
   bool sameOriginDataInherits =
     aLoadInfo->GetSecurityMode() == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS;
+
+  if (sameOriginDataInherits &&
+      aLoadInfo->GetAboutBlankInherits() &&
+      NS_IsAboutBlank(aURI)) {
+    return NS_OK;
+  }
+
   return loadingPrincipal->CheckMayLoad(aURI,
                                         true, // report to console
                                         sameOriginDataInherits);
@@ -111,11 +118,12 @@ DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo,
 nsresult
 DoContentSecurityChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
 {
-  nsContentPolicyType contentPolicyType = aLoadInfo->GetContentPolicyType();
-  nsCString mimeTypeGuess;
-  nsCOMPtr<nsINode> requestingContext = nullptr;
+  nsContentPolicyType contentPolicyType =
+    aLoadInfo->GetExternalContentPolicyType();
   nsContentPolicyType internalContentPolicyType =
     aLoadInfo->InternalContentPolicyType();
+  nsCString mimeTypeGuess;
+  nsCOMPtr<nsINode> requestingContext = nullptr;
 
   switch(contentPolicyType) {
     case nsIContentPolicy::TYPE_OTHER: {
@@ -124,7 +132,12 @@ DoContentSecurityChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
       break;
     }
 
-    case nsIContentPolicy::TYPE_SCRIPT:
+    case nsIContentPolicy::TYPE_SCRIPT: {
+      mimeTypeGuess = NS_LITERAL_CSTRING("application/javascript");
+      requestingContext = aLoadInfo->LoadingNode();
+      break;
+    }
+
     case nsIContentPolicy::TYPE_IMAGE:
     case nsIContentPolicy::TYPE_STYLESHEET:
     case nsIContentPolicy::TYPE_OBJECT:
@@ -166,9 +179,13 @@ DoContentSecurityChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
                  requestingContext->NodeType() == nsIDOMNode::DOCUMENT_NODE,
                  "type_xml requires requestingContext of type Document");
 
+      // We're checking for the external TYPE_XMLHTTPREQUEST here in case
+      // an addon creates a request with that type.
       if (internalContentPolicyType ==
-            nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST) {
-        mimeTypeGuess = NS_LITERAL_CSTRING("application/xml");
+            nsIContentPolicy::TYPE_INTERNAL_XMLHTTPREQUEST ||
+          internalContentPolicyType ==
+            nsIContentPolicy::TYPE_XMLHTTPREQUEST) {
+        mimeTypeGuess = EmptyCString();
       }
       else {
         MOZ_ASSERT(internalContentPolicyType ==
@@ -232,7 +249,12 @@ DoContentSecurityChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
       break;
     }
 
-    case nsIContentPolicy::TYPE_FETCH:
+    case nsIContentPolicy::TYPE_FETCH: {
+      mimeTypeGuess = EmptyCString();
+      requestingContext = aLoadInfo->LoadingNode();
+      break;
+    }
+
     case nsIContentPolicy::TYPE_IMAGESET: {
       MOZ_ASSERT(false, "contentPolicyType not supported yet");
       break;
@@ -244,7 +266,7 @@ DoContentSecurityChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo)
   }
 
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
-  nsresult rv = NS_CheckContentLoadPolicy(contentPolicyType,
+  nsresult rv = NS_CheckContentLoadPolicy(internalContentPolicyType,
                                           aURI,
                                           aLoadInfo->LoadingPrincipal(),
                                           requestingContext,
diff --git a/dom/security/test/cors/file_CrossSiteXHR_server.sjs b/dom/security/test/cors/file_CrossSiteXHR_server.sjs
index cdd67a9678ad..90141c31b93e 100644
--- a/dom/security/test/cors/file_CrossSiteXHR_server.sjs
+++ b/dom/security/test/cors/file_CrossSiteXHR_server.sjs
@@ -145,7 +145,7 @@ function handleRequest(request, response)
       response.setHeader("Access-Control-Expose-Headers", query.exposeHeaders);
   }
 
-  if (query.hop && query.hop < hops.length) {
+  if (!isPreflight && query.hop && query.hop < hops.length) {
     newURL = hops[query.hop].server +
              "/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?" +
              "hop=" + (query.hop + 1) + "&hops=" + escape(query.hops);
diff --git a/dom/security/test/csp/file_service_worker.html b/dom/security/test/csp/file_service_worker.html
new file mode 100644
index 000000000000..00a2b4020609
--- /dev/null
+++ b/dom/security/test/csp/file_service_worker.html
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1208559 - ServiceWorker registration not governed by CSP</title>
+</head>
+<body>
+<script>
+  function finish(status) {
+    window.parent.postMessage({result: status}, "*");
+  }
+
+  navigator.serviceWorker.ready.then(finish.bind(null, 'allowed'),
+                                     finish.bind(null, 'blocked'));
+  navigator.serviceWorker
+           .register("file_service_worker.js", {scope: "."})
+           .then(null, finish.bind(null, 'blocked'));
+  </script>
+</body>
+</html>
diff --git a/dom/security/test/csp/file_service_worker.js b/dom/security/test/csp/file_service_worker.js
new file mode 100644
index 000000000000..1bf583f4cc08
--- /dev/null
+++ b/dom/security/test/csp/file_service_worker.js
@@ -0,0 +1 @@
+dump("service workers: hello world");
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 0ca3b70da82c..2f1885c53a11 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -130,6 +130,8 @@ support-files =
   file_report_for_import.css
   file_report_for_import.html
   file_report_for_import_server.sjs
+  file_service_worker.html
+  file_service_worker.js
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -197,3 +199,5 @@ skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolk
 [test_report_for_import.html]
 [test_blocked_uri_in_reports.html]
 skip-if = e10s || buildapp == 'b2g' # http-on-opening-request observer not supported in child process (bug 1009632)
+[test_service_worker.html]
+skip-if = buildapp == 'b2g' #no ssl support
diff --git a/dom/security/test/csp/test_service_worker.html b/dom/security/test/csp/test_service_worker.html
new file mode 100644
index 000000000000..1a2b7d173640
--- /dev/null
+++ b/dom/security/test/csp/test_service_worker.html
@@ -0,0 +1,62 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1208559 - ServiceWorker registration not governed by CSP</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * Spawning a worker from https://example.com but script-src is 'test1.example.com'
+ * CSP is not consulted
+ */
+SimpleTest.waitForExplicitFinish();
+
+var tests = [
+  {
+    policy: "default-src 'self'; script-src test1.example.com 'unsafe-inline'",
+    expected: "blocked"
+  },
+];
+
+var counter = 0;
+var curTest;
+
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  is(event.data.result, curTest.expected, "Should be (" + curTest.expected + ") in Test " + counter + "!");
+  loadNextTest();
+}
+
+onload = function() {
+  SpecialPowers.pushPrefEnv({"set": [
+    ["dom.serviceWorkers.exemptFromPerDomainMax", true],
+    ["dom.serviceWorkers.interception.enabled", true],
+    ["dom.serviceWorkers.enabled", true],
+    ["dom.serviceWorkers.testing.enabled", true],
+    ["dom.caches.enabled", true]
+  ]}, loadNextTest);
+}
+
+function loadNextTest() {
+  if (counter == tests.length) {
+    SimpleTest.finish();
+    return;
+  }
+  curTest = tests[counter++];
+  var src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs";
+  // append the file that should be served
+  src += "?file=" + escape("tests/dom/security/test/csp/file_service_worker.html");
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(curTest.policy);
+  document.getElementById("testframe").src = src;
+}
+
+</script>
+</body>
+</html>
diff --git a/dom/security/test/mixedcontentblocker/file_main.html b/dom/security/test/mixedcontentblocker/file_main.html
index 4003ccb05527..ade5eefdbde7 100644
--- a/dom/security/test/mixedcontentblocker/file_main.html
+++ b/dom/security/test/mixedcontentblocker/file_main.html
@@ -155,29 +155,20 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=62178
 
 
   // Test 1e: insecure xhr
-  var xhrsuccess = true;
   var xhr = new XMLHttpRequest;
   try {
     xhr.open("GET", baseUrl + "?type=xhr", true);
-  } catch(ex) {
-     xhrsuccess = false;
-     parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
-  }
-
-  if(xhrsuccess) {
-    xhr.onreadystatechange = function (oEvent) {
-      var result = false;
-      if (xhr.readyState == 4) {
-        if (xhr.status == 200) {
-          parent.postMessage({"test": "xhr", "msg": "insecure xhr loaded"}, "http://mochi.test:8888");
-        }
-        else {
-          parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
-        }
+    xhr.send();
+    xhr.onloadend = function (oEvent) {
+      if (xhr.status == 200) {
+        parent.postMessage({"test": "xhr", "msg": "insecure xhr loaded"}, "http://mochi.test:8888");
+      }
+      else {
+        parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
       }
     }
-
-    xhr.send(null);
+  } catch(ex) {
+     parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
   }
 
   /* Part 2: Mixed Display tests */
diff --git a/dom/svg/SVGDocument.cpp b/dom/svg/SVGDocument.cpp
index 44df77524c94..84e8e3bb9191 100644
--- a/dom/svg/SVGDocument.cpp
+++ b/dom/svg/SVGDocument.cpp
@@ -102,6 +102,14 @@ SVGDocument::EnsureNonSVGUserAgentStyleSheetsLoaded()
     return;
   }
 
+  if (IsStaticDocument()) {
+    // If we're a static clone of a document, then
+    // nsIDocument::CreateStaticClone will handle cloning the original
+    // document's sheets, including the on-demand non-SVG UA sheets,
+    // for us.
+    return;
+  }
+
   mHasLoadedNonSVGUserAgentStyleSheets = true;
 
   BeginUpdate(UPDATE_STYLE);
diff --git a/dom/tests/mochitest/dom-level2-core/exclusions.js b/dom/tests/mochitest/dom-level2-core/exclusions.js
index 818db99a1a93..cc5a0da12f27 100644
--- a/dom/tests/mochitest/dom-level2-core/exclusions.js
+++ b/dom/tests/mochitest/dom-level2-core/exclusions.js
@@ -13,7 +13,7 @@ dtdTests = ["attrgetownerelement01", "documentimportnode03",
             "getNamedItemNS03", "getNamedItemNS04", "hasAttribute02",
             "hasAttributeNS04", "importNode07", "importNode09",
             "importNode10", "importNode11", "importNode12", "importNode13",
-            "internalSubset01", "localName02", "namednodemapgetnameditemns01",
+            "localName02", "namednodemapgetnameditemns01",
             "namednodemapremovenameditemns02",
             "namednodemapremovenameditemns05", "namednodemapsetnameditemns05",
             "namednodemapsetnameditemns09", "namednodemapsetnameditemns10",
diff --git a/dom/tests/mochitest/dom-level2-core/mochitest.ini b/dom/tests/mochitest/dom-level2-core/mochitest.ini
index 421dba8c1235..120f39504014 100644
--- a/dom/tests/mochitest/dom-level2-core/mochitest.ini
+++ b/dom/tests/mochitest/dom-level2-core/mochitest.ini
@@ -93,7 +93,6 @@ support-files =
 [test_documentimportnode20.html]
 [test_documentimportnode21.html]
 [test_documentimportnode22.html]
-[test_documenttypeinternalSubset01.html]
 [test_documenttypepublicid01.html]
 [test_documenttypesystemid01.html]
 [test_domimplementationcreatedocument03.html]
@@ -192,7 +191,6 @@ support-files =
 [test_importNode15.html]
 [test_importNode16.html]
 [test_importNode17.html]
-[test_internalSubset01.html]
 [test_localName01.html]
 [test_localName02.html]
 [test_localName03.html]
diff --git a/dom/tests/mochitest/dom-level2-core/test_documenttypeinternalSubset01.html b/dom/tests/mochitest/dom-level2-core/test_documenttypeinternalSubset01.html
deleted file mode 100644
index 0935f8487a5c..000000000000
--- a/dom/tests/mochitest/dom-level2-core/test_documenttypeinternalSubset01.html
+++ /dev/null
@@ -1,123 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
-<html>
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<title>http://www.w3.org/2001/DOM-Test-Suite/level2/core/documenttypeinternalSubset01</title>
-<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
-<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-<script type="text/javascript" src="DOMTestCase.js"></script>
-<script type="text/javascript" src="exclusions.js"></script>
-<script type="text/javascript">
-// expose test function names
-function exposeTestFunctionNames()
-{
-return ['documenttypeinternalSubset01'];
-}
-
-var docsLoaded = -1000000;
-var builder = null;
-
-//
-//   This function is called by the testing framework before
-//      running the test suite.
-//
-//   If there are no configuration exceptions, asynchronous
-//        document loading is started.  Otherwise, the status
-//        is set to complete and the exception is immediately
-//        raised when entering the body of the test.
-//
-function setUpPage() {
-   setUpPageStatus = 'running';
-   try {
-     //
-     //   creates test document builder, may throw exception
-     //
-     builder = createConfiguredBuilder();
-
-      docsLoaded = 0;
-      
-      var docRef = null;
-      if (typeof(this.doc) != 'undefined') {
-        docRef = this.doc;
-      }
-      docsLoaded += preload(docRef, "doc", "staffNS");
-        
-       if (docsLoaded == 1) {
-          setUpPage = 'complete';
-       }
-    } catch(ex) {
-    	catchInitializationError(builder, ex);
-        setUpPage = 'complete';
-    }
-}
-
-//
-//   This method is called on the completion of 
-//      each asychronous load started in setUpTests.
-//
-//   When every synchronous loaded document has completed,
-//      the page status is changed which allows the
-//      body of the test to be executed.
-function loadComplete() {
-  if (++docsLoaded == 1) {
-    setUpPageStatus = 'complete';
-    runJSUnitTests();
-    markTodos();
-    SimpleTest.finish();
-  }
-}
-
-var docName = 'documenttypeinternalSubset01';
-
-
-/**
-* 
-    The method getInternalSubset() returns the internal subset as a string. 
-  
-    Create a new DocumentType node with null values for publicId and systemId.
-    Verify that its internal subset is null.
-
-* @author IBM
-* @author Neil Delima
-* @see http://www.w3.org/TR/DOM-Level-2-Core/core#ID-Core-DocType-internalSubset
-* @see http://www.w3.org/Bugs/Public/show_bug.cgi?id=259
-*/
-function documenttypeinternalSubset01() {
-   var success;
-    if(checkInitialization(builder, "documenttypeinternalSubset01") != null) return;
-    var doc;
-      var docType;
-      var domImpl;
-      var internal;
-      var nullNS = null;
-
-      
-      var docRef = null;
-      if (typeof(this.doc) != 'undefined') {
-        docRef = this.doc;
-      }
-      doc = load(docRef, "doc", "staffNS");
-      domImpl = doc.implementation;
-docType = domImpl.createDocumentType("l2:root",nullNS,nullNS);
-      internal = docType.internalSubset;
-
-      assertNull("internalSubsetNull",internal);
-    
-}
-
-</script>
-</head>
-<body>
-<h2>Test http://www.w3.org/2001/DOM-Test-Suite/level2/core/documenttypeinternalSubset01</h2>
-<p></p>
-<p>
-Copyright (c) 2001-2004 World Wide Web Consortium, 
-(Massachusetts Institute of Technology, European Research Consortium 
-for Informatics and Mathematics, Keio University). All 
-Rights Reserved. This work is distributed under the <a href="http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231">W3C(r) Software License</a> in the 
-hope that it will be useful, but WITHOUT ANY WARRANTY; without even 
-the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
-</p>
-</body>
-</html>
diff --git a/dom/tests/mochitest/dom-level2-core/test_internalSubset01.html b/dom/tests/mochitest/dom-level2-core/test_internalSubset01.html
deleted file mode 100644
index 5cec3532cffc..000000000000
--- a/dom/tests/mochitest/dom-level2-core/test_internalSubset01.html
+++ /dev/null
@@ -1,122 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
-<html>
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<title>http://www.w3.org/2001/DOM-Test-Suite/level2/core/internalSubset01</title>
-<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
-<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-<script type="text/javascript" src="DOMTestCase.js"></script>
-<script type="text/javascript" src="exclusions.js"></script>
-<script type="text/javascript">
-// expose test function names
-function exposeTestFunctionNames()
-{
-return ['internalSubset01'];
-}
-
-var docsLoaded = -1000000;
-var builder = null;
-
-//
-//   This function is called by the testing framework before
-//      running the test suite.
-//
-//   If there are no configuration exceptions, asynchronous
-//        document loading is started.  Otherwise, the status
-//        is set to complete and the exception is immediately
-//        raised when entering the body of the test.
-//
-function setUpPage() {
-   setUpPageStatus = 'running';
-   try {
-     //
-     //   creates test document builder, may throw exception
-     //
-     builder = createConfiguredBuilder();
-
-      docsLoaded = 0;
-      
-      var docRef = null;
-      if (typeof(this.doc) != 'undefined') {
-        docRef = this.doc;
-      }
-      docsLoaded += preload(docRef, "doc", "staff2");
-        
-       if (docsLoaded == 1) {
-          setUpPage = 'complete';
-       }
-    } catch(ex) {
-    	catchInitializationError(builder, ex);
-        setUpPage = 'complete';
-    }
-}
-
-//
-//   This method is called on the completion of 
-//      each asychronous load started in setUpTests.
-//
-//   When every synchronous loaded document has completed,
-//      the page status is changed which allows the
-//      body of the test to be executed.
-function loadComplete() {
-  if (++docsLoaded == 1) {
-    setUpPageStatus = 'complete';
-    runJSUnitTests();
-    markTodos();
-    SimpleTest.finish();
-  }
-}
-
-var docName = 'internalSubset01';
-
-
-/**
-* 
-    The "getInternalSubset()" method returns 
-   the internal subset as a string or null if there is none.
-   This does not contain the delimiting brackets.
-   
-   Retrieve the documenttype.
-   Apply the "getInternalSubset()" method.  Null is returned since there 
-   is not an internal subset.
-
-* @author NIST
-* @author Mary Brady
-* @see http://www.w3.org/TR/DOM-Level-2-Core/core#ID-Core-DocType-internalSubset
-*/
-function internalSubset01() {
-   var success;
-    if(checkInitialization(builder, "internalSubset01") != null) return;
-    var doc;
-      var docType;
-      var internal;
-      
-      var docRef = null;
-      if (typeof(this.doc) != 'undefined') {
-        docRef = this.doc;
-      }
-      doc = load(docRef, "doc", "staff2");
-      docType = doc.doctype;
-
-      internal = docType.internalSubset;
-
-      assertNull("internalSubsetNull",internal);
-    
-}
-
-</script>
-</head>
-<body>
-<h2>Test http://www.w3.org/2001/DOM-Test-Suite/level2/core/internalSubset01</h2>
-<p></p>
-<p>
-Copyright (c) 2001-2004 World Wide Web Consortium, 
-(Massachusetts Institute of Technology, European Research Consortium 
-for Informatics and Mathematics, Keio University). All 
-Rights Reserved. This work is distributed under the <a href="http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231">W3C(r) Software License</a> in the 
-hope that it will be useful, but WITHOUT ANY WARRANTY; without even 
-the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
-</p>
-</body>
-</html>
diff --git a/dom/tests/mochitest/fetch/test_fetch_basic.js b/dom/tests/mochitest/fetch/test_fetch_basic.js
index a327103043db..8b968cc6a9b2 100644
--- a/dom/tests/mochitest/fetch/test_fetch_basic.js
+++ b/dom/tests/mochitest/fetch/test_fetch_basic.js
@@ -3,6 +3,8 @@ function testAboutURL() {
     is(res.status, 200, "about:blank should load a valid Response");
     is(res.headers.get('content-type'), 'text/html;charset=utf-8',
        "about:blank content-type should be text/html;charset=utf-8");
+    is(res.headers.has('content-length'), false,
+       "about:blank should not have a content-length header");
     return res.text().then(function(v) {
       is(v, "", "about:blank body should be empty");
     });
diff --git a/dom/tests/mochitest/fetch/test_fetch_cors.js b/dom/tests/mochitest/fetch/test_fetch_cors.js
index 3c865f7c2522..cb66cf68be15 100644
--- a/dom/tests/mochitest/fetch/test_fetch_cors.js
+++ b/dom/tests/mochitest/fetch/test_fetch_cors.js
@@ -1249,7 +1249,7 @@ function testRedirects() {
                     },
                     ],
            },
-           { pass: 1,
+           { pass: 0,
              method: "POST",
              body: "hi there",
              headers: { "Content-Type": "text/plain",
@@ -1281,7 +1281,7 @@ function testRedirects() {
                     }
                     ],
            },
-           { pass: 1,
+           { pass: 0,
              method: "DELETE",
              hops: [{ server: "http://mochi.test:8888",
                     },
diff --git a/dom/tests/mochitest/pointerlock/file_removedFromDOM.html b/dom/tests/mochitest/pointerlock/file_removedFromDOM.html
index cfd0a89731a4..fb2c7a948a6e 100644
--- a/dom/tests/mochitest/pointerlock/file_removedFromDOM.html
+++ b/dom/tests/mochitest/pointerlock/file_removedFromDOM.html
@@ -5,64 +5,91 @@
 
   Test DOM tree in full screen
   -->
-  <head>
-    <title>Bug 633602 - file_DOMtree.html</title>
-    <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js">
-    </script>
-    <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
-    </script>
-    <script type="application/javascript" src="pointerlock_utils.js"></script>
-    <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-    <style>
-    </style>
-  </head>
-  <body>
-    <a target="_blank"
-       href="https://bugzilla.mozilla.org/show_bug.cgi?id=633602">
-      Mozilla Bug 633602
-    </a>
-    <div id="div"></div>
-    <pre id="test">
-      <script type="text/javascript">
-        /*
-         * Test for Bug 633602
-         * Checks if pointer is unlocked when element is removed from
-         * the DOM Tree
-         */
+<head>
+<title>Bug 633602 - file_DOMtree.html</title>
+<script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<script type="application/javascript" src="pointerlock_utils.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank"
+    href="https://bugzilla.mozilla.org/show_bug.cgi?id=633602">
+  Mozilla Bug 633602
+</a>
+<div id="div"></div>
+<div id="outer"><div id="inner"></div></div>
+<pre id="test">
+<script type="text/javascript">
+/*
+  * Test for Bug 633602
+  * Checks if pointer is unlocked when element is removed from
+  * the DOM Tree
+  */
 
-        SimpleTest.waitForExplicitFinish();
+SimpleTest.waitForExplicitFinish();
 
-        var div = document.getElementById("div")
-          , removedDOM = false;
+var div = document.getElementById("div");
+var outer = document.getElementById("outer");
+var inner = document.getElementById("inner");
 
-        function runTests() {
-          ok(removedDOM, "Pointer should be unlocked when " +
-            "an element is removed the DOM Tree");
-        }
+function listenOneDocEvent(type, handler) {
+  function callback(event) {
+    document.removeEventListener(type, callback);
+    SimpleTest.executeSoon(() => handler(event));
+  }
+  document.addEventListener(type, callback);
+}
 
-        document.addEventListener("mozpointerlockchange", function (e) {
-          if (document.mozPointerLockElement === div) {
-            document.body.removeChild(div);
-            removedDOM = !document.mozPointerLockElement;
-            document.mozCancelFullScreen();
-          }
+function checkPointerLockElement(elem) {
+  if (elem) {
+    is(document.mozPointerLockElement, elem,
+       `#${elem.id} should have locked the pointer`);
+  } else {
+    ok(!document.mozPointerLockElement, "Pointer should have been unlocked");
+  }
+}
 
-        }, false);
+function start() {
+  listenOneDocEvent("mozfullscreenchange", enteredFullscreen);
+  document.documentElement.mozRequestFullScreen();
+}
 
-        document.addEventListener("mozfullscreenchange", function (e) {
-          if (document.mozFullScreenElement === div) {
-              div.mozRequestPointerLock();
-          }
-          else {
-            runTests();
-            SimpleTest.finish();
-          }
-        }, false);
+function enteredFullscreen() {
+  is(document.mozFullScreenElement, document.documentElement,
+     "Root element should have entered fullscreen");
+  listenOneDocEvent("mozpointerlockchange", lockedPointerOnDiv);
+  div.mozRequestPointerLock();
+}
 
-        function start() {
-          div.mozRequestFullScreen();
-        }
-      </script>
-    </pre>
-  </body>
+function lockedPointerOnDiv() {
+  checkPointerLockElement(div);
+  listenOneDocEvent("mozpointerlockchange", unlockedPointerFromDiv);
+  document.body.removeChild(div);
+}
+
+function unlockedPointerFromDiv() {
+  checkPointerLockElement(null);
+  listenOneDocEvent("mozpointerlockchange", lockedPointerOnInner);
+  inner.mozRequestPointerLock();
+}
+
+function lockedPointerOnInner() {
+  checkPointerLockElement(inner);
+  listenOneDocEvent("mozpointerlockchange", unlockedPointerFromInner);
+  document.body.removeChild(outer);
+}
+
+function unlockedPointerFromInner() {
+  checkPointerLockElement(null);
+  listenOneDocEvent("mozfullscreenchange", exitedFullscreen);
+  document.mozCancelFullScreen();
+}
+
+function exitedFullscreen() {
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
 </html>
diff --git a/dom/webidl/DocumentType.webidl b/dom/webidl/DocumentType.webidl
index bcc50992736c..89190266fdeb 100644
--- a/dom/webidl/DocumentType.webidl
+++ b/dom/webidl/DocumentType.webidl
@@ -14,9 +14,6 @@ interface DocumentType : Node {
   readonly attribute DOMString name;
   readonly attribute DOMString publicId;
   readonly attribute DOMString systemId;
-
-  // Mozilla extension
-  readonly attribute DOMString? internalSubset;
 };
 
 DocumentType implements ChildNode;
diff --git a/dom/webidl/Element.webidl b/dom/webidl/Element.webidl
index c8218bd6ab58..978cf9b6e59b 100644
--- a/dom/webidl/Element.webidl
+++ b/dom/webidl/Element.webidl
@@ -59,6 +59,8 @@ interface Element : Node {
 
   [Throws, Pure]
   boolean matches(DOMString selector);
+  [Throws, Pure, BinaryName="matches"]
+  boolean webkitMatchesSelector(DOMString selector);
 
   [Pure]
   HTMLCollection getElementsByTagName(DOMString localName);
@@ -92,7 +94,7 @@ interface Element : Node {
    *
    * See <http://dev.w3.org/2006/webapi/selectors-api2/#matchesselector>
    */
-  [Throws, Pure]
+  [Throws, Pure, BinaryName="matches"]
   boolean mozMatchesSelector(DOMString selector);
 
   // Pointer events methods.
diff --git a/dom/webidl/IterableIterator.webidl b/dom/webidl/IterableIterator.webidl
index b71c95965798..633b67b1edb5 100644
--- a/dom/webidl/IterableIterator.webidl
+++ b/dom/webidl/IterableIterator.webidl
@@ -4,14 +4,6 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-[NoInterfaceObject,
- Exposed=(Window,Worker,System)]
-interface IterableIterator
-{
-  [Throws]
-  object next();
-};
-
 dictionary IterableKeyOrValueResult {
   any value;
   boolean done = false;
diff --git a/dom/webidl/Request.webidl b/dom/webidl/Request.webidl
index 5774946d36ea..e0c51b3f147b 100644
--- a/dom/webidl/Request.webidl
+++ b/dom/webidl/Request.webidl
@@ -54,13 +54,7 @@ enum RequestContext {
   "xslt"
 };
 
-// cors-with-forced-preflight is internal to the Fetch spec, but adding it here
-// allows us to use the various conversion conveniences offered by the WebIDL
-// codegen. The Request constructor has explicit checks to prevent it being
-// passed as a valid value, while Request.mode never returns it. Since enums
-// are only exposed as strings to client JS, this has the same effect as not
-// exposing it at all.
-enum RequestMode { "same-origin", "no-cors", "cors", "cors-with-forced-preflight" };
+enum RequestMode { "same-origin", "no-cors", "cors" };
 enum RequestCredentials { "omit", "same-origin", "include" };
 enum RequestCache { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };
 enum RequestRedirect { "follow", "error", "manual" };
diff --git a/dom/webidl/URLSearchParams.webidl b/dom/webidl/URLSearchParams.webidl
index 39aa200aadd7..a5ef263895b2 100644
--- a/dom/webidl/URLSearchParams.webidl
+++ b/dom/webidl/URLSearchParams.webidl
@@ -23,6 +23,6 @@ interface URLSearchParams {
   sequence<USVString> getAll(USVString name);
   boolean has(USVString name);
   void set(USVString name, USVString value);
-  // iterable<USVString, USVString>; - Bug 1085284
+  iterable<USVString, USVString>;
   stringifier;
 };
diff --git a/dom/workers/ServiceWorkerManager.cpp b/dom/workers/ServiceWorkerManager.cpp
index ec1edbd3ecea..5792ad588923 100644
--- a/dom/workers/ServiceWorkerManager.cpp
+++ b/dom/workers/ServiceWorkerManager.cpp
@@ -49,6 +49,7 @@
 #include "mozilla/unused.h"
 #include "mozilla/EnumSet.h"
 
+#include "nsContentPolicyUtils.h"
 #include "nsContentUtils.h"
 #include "nsGlobalWindow.h"
 #include "nsNetUtil.h"
@@ -97,8 +98,6 @@ static_assert(nsIHttpChannelInternal::CORS_MODE_NO_CORS == static_cast<uint32_t>
               "RequestMode enumeration value should match Necko CORS mode value.");
 static_assert(nsIHttpChannelInternal::CORS_MODE_CORS == static_cast<uint32_t>(RequestMode::Cors),
               "RequestMode enumeration value should match Necko CORS mode value.");
-static_assert(nsIHttpChannelInternal::CORS_MODE_CORS_WITH_FORCED_PREFLIGHT == static_cast<uint32_t>(RequestMode::Cors_with_forced_preflight),
-              "RequestMode enumeration value should match Necko CORS mode value.");
 
 static_assert(nsIHttpChannelInternal::REDIRECT_MODE_FOLLOW == static_cast<uint32_t>(RequestRedirect::Follow),
               "RequestRedirect enumeration value should make Necko Redirect mode value.");
@@ -1437,6 +1436,21 @@ ServiceWorkerManager::Register(nsIDOMWindow* aWindow,
     return NS_ERROR_DOM_SECURITY_ERR;
   }
 
+  // Check content policy.
+  int16_t decision = nsIContentPolicy::ACCEPT;
+  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER,
+                                 aScriptURI,
+                                 documentPrincipal,
+                                 doc,
+                                 EmptyCString(),
+                                 nullptr,
+                                 &decision);
+  NS_ENSURE_SUCCESS(rv, rv);
+  if (NS_WARN_IF(decision != nsIContentPolicy::ACCEPT)) {
+    return NS_ERROR_CONTENT_BLOCKED;
+  }
+
+
   rv = documentPrincipal->CheckMayLoad(aScopeURI, true /* report */,
                                        false /* allowIfInheritsPrinciple */);
   if (NS_WARN_IF(NS_FAILED(rv))) {
diff --git a/dom/workers/ServiceWorkerScriptCache.cpp b/dom/workers/ServiceWorkerScriptCache.cpp
index 0dd690d549ef..042520a145d4 100644
--- a/dom/workers/ServiceWorkerScriptCache.cpp
+++ b/dom/workers/ServiceWorkerScriptCache.cpp
@@ -115,8 +115,8 @@ public:
     // worker.
     rv = NS_NewChannel(getter_AddRefs(mChannel),
                        uri, aPrincipal,
-                       nsILoadInfo::SEC_NORMAL,
-                       nsIContentPolicy::TYPE_INTERNAL_SCRIPT,
+                       nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
+                       nsIContentPolicy::TYPE_INTERNAL_SERVICE_WORKER,
                        loadGroup,
                        nullptr, // aCallbacks
                        nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
@@ -148,7 +148,7 @@ public:
       return rv;
     }
 
-    rv = mChannel->AsyncOpen(loader, nullptr);
+    rv = mChannel->AsyncOpen2(loader);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/embedder.html b/dom/workers/test/serviceworkers/fetch/hsts/embedder.html
new file mode 100644
index 000000000000..c985554234e4
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/embedder.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<script>
+  window.onmessage = function(e) {
+    window.parent.postMessage(e.data, "*");
+  };
+</script>
+<iframe src="http://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/index.html"></iframe>
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/hsts_test.js b/dom/workers/test/serviceworkers/fetch/hsts/hsts_test.js
new file mode 100644
index 000000000000..ab54164ed242
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/hsts_test.js
@@ -0,0 +1,11 @@
+self.addEventListener("fetch", function(event) {
+  if (event.request.url.indexOf("index.html") >= 0) {
+    event.respondWith(fetch("realindex.html"));
+  } else if (event.request.url.indexOf("image-20px.png") >= 0) {
+    if (event.request.url.indexOf("https://") == 0) {
+      event.respondWith(fetch("image-40px.png"));
+    } else {
+      event.respondWith(Response.error());
+    }
+  }
+});
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/image-20px.png b/dom/workers/test/serviceworkers/fetch/hsts/image-20px.png
new file mode 100644
index 000000000000..ae6a8a6b8840
Binary files /dev/null and b/dom/workers/test/serviceworkers/fetch/hsts/image-20px.png differ
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/image-40px.png b/dom/workers/test/serviceworkers/fetch/hsts/image-40px.png
new file mode 100644
index 000000000000..fe391dc8a2d7
Binary files /dev/null and b/dom/workers/test/serviceworkers/fetch/hsts/image-40px.png differ
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/image.html b/dom/workers/test/serviceworkers/fetch/hsts/image.html
new file mode 100644
index 000000000000..cadbdef5af41
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/image.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script>
+onload=function(){
+  var img = new Image();
+  img.src = "http://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/image-20px.png";
+  img.onload = function() {
+    window.parent.postMessage({status: "image", data: img.width}, "*");
+  };
+  img.onerror = function() {
+    window.parent.postMessage({status: "image", data: "error"}, "*");
+  };
+};
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/realindex.html b/dom/workers/test/serviceworkers/fetch/hsts/realindex.html
new file mode 100644
index 000000000000..aaa255aad370
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/realindex.html
@@ -0,0 +1,4 @@
+<!DOCTYPE html>
+<script>
+  window.parent.postMessage({status: "protocol", data: location.protocol}, "*");
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/register.html b/dom/workers/test/serviceworkers/fetch/hsts/register.html
new file mode 100644
index 000000000000..bcdc146aeca5
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/register.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<script>
+  function ok(v, msg) {
+    window.parent.postMessage({status: "ok", result: !!v, message: msg}, "*");
+  }
+
+  function done(reg) {
+    ok(reg.active, "The active worker should be available.");
+    window.parent.postMessage({status: "registrationdone"}, "*");
+  }
+
+  navigator.serviceWorker.ready.then(done);
+  navigator.serviceWorker.register("hsts_test.js", {scope: "."});
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/register.html^headers^ b/dom/workers/test/serviceworkers/fetch/hsts/register.html^headers^
new file mode 100644
index 000000000000..a46bf65bd989
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/register.html^headers^
@@ -0,0 +1,2 @@
+Cache-Control: no-cache
+Strict-Transport-Security: max-age=60
diff --git a/dom/workers/test/serviceworkers/fetch/hsts/unregister.html b/dom/workers/test/serviceworkers/fetch/hsts/unregister.html
new file mode 100644
index 000000000000..1f13508fa700
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/hsts/unregister.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script>
+  navigator.serviceWorker.getRegistration(".").then(function(registration) {
+    registration.unregister().then(function(success) {
+      if (success) {
+        window.parent.postMessage({status: "unregistrationdone"}, "*");
+      }
+    }, function(e) {
+      dump("Unregistering the SW failed with " + e + "\n");
+    });
+  });
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html
new file mode 100644
index 000000000000..6098a45dd458
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script>
+  window.onmessage = function(e) {
+    window.parent.postMessage(e.data, "*");
+    if (e.data.status == "protocol") {
+      document.querySelector("iframe").src = "image.html";
+    }
+  };
+</script>
+<iframe src="http://example.com/tests/dom/workers/test/serviceworkers/fetch/upgrade-insecure/index.html"></iframe>
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html^headers^ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html^headers^
new file mode 100644
index 000000000000..602d9dc38d0a
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: upgrade-insecure-requests
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-20px.png b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-20px.png
new file mode 100644
index 000000000000..ae6a8a6b8840
Binary files /dev/null and b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-20px.png differ
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-40px.png b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-40px.png
new file mode 100644
index 000000000000..fe391dc8a2d7
Binary files /dev/null and b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-40px.png differ
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image.html b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image.html
new file mode 100644
index 000000000000..34e24e35a432
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script>
+onload=function(){
+  var img = new Image();
+  img.src = "http://example.com/tests/dom/workers/test/serviceworkers/fetch/upgrade-insecure/image-20px.png";
+  img.onload = function() {
+    window.parent.postMessage({status: "image", data: img.width}, "*");
+  };
+  img.onerror = function() {
+    window.parent.postMessage({status: "image", data: "error"}, "*");
+  };
+};
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/realindex.html b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/realindex.html
new file mode 100644
index 000000000000..aaa255aad370
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/realindex.html
@@ -0,0 +1,4 @@
+<!DOCTYPE html>
+<script>
+  window.parent.postMessage({status: "protocol", data: location.protocol}, "*");
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/register.html b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/register.html
new file mode 100644
index 000000000000..6309b9b218fe
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/register.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<script>
+  function ok(v, msg) {
+    window.parent.postMessage({status: "ok", result: !!v, message: msg}, "*");
+  }
+
+  function done(reg) {
+    ok(reg.active, "The active worker should be available.");
+    window.parent.postMessage({status: "registrationdone"}, "*");
+  }
+
+  navigator.serviceWorker.ready.then(done);
+  navigator.serviceWorker.register("upgrade-insecure_test.js", {scope: "."});
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/unregister.html b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/unregister.html
new file mode 100644
index 000000000000..1f13508fa700
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/unregister.html
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script>
+  navigator.serviceWorker.getRegistration(".").then(function(registration) {
+    registration.unregister().then(function(success) {
+      if (success) {
+        window.parent.postMessage({status: "unregistrationdone"}, "*");
+      }
+    }, function(e) {
+      dump("Unregistering the SW failed with " + e + "\n");
+    });
+  });
+</script>
diff --git a/dom/workers/test/serviceworkers/fetch/upgrade-insecure/upgrade-insecure_test.js b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/upgrade-insecure_test.js
new file mode 100644
index 000000000000..ab54164ed242
--- /dev/null
+++ b/dom/workers/test/serviceworkers/fetch/upgrade-insecure/upgrade-insecure_test.js
@@ -0,0 +1,11 @@
+self.addEventListener("fetch", function(event) {
+  if (event.request.url.indexOf("index.html") >= 0) {
+    event.respondWith(fetch("realindex.html"));
+  } else if (event.request.url.indexOf("image-20px.png") >= 0) {
+    if (event.request.url.indexOf("https://") == 0) {
+      event.respondWith(fetch("image-40px.png"));
+    } else {
+      event.respondWith(Response.error());
+    }
+  }
+});
diff --git a/dom/workers/test/serviceworkers/mochitest.ini b/dom/workers/test/serviceworkers/mochitest.ini
index e62c37078b62..06983fea906f 100644
--- a/dom/workers/test/serviceworkers/mochitest.ini
+++ b/dom/workers/test/serviceworkers/mochitest.ini
@@ -42,6 +42,15 @@ support-files =
   fetch/context/sharedworker.js
   fetch/context/parentsharedworker.js
   fetch/context/xml.xml
+  fetch/hsts/hsts_test.js
+  fetch/hsts/embedder.html
+  fetch/hsts/image.html
+  fetch/hsts/image-20px.png
+  fetch/hsts/image-40px.png
+  fetch/hsts/realindex.html
+  fetch/hsts/register.html
+  fetch/hsts/register.html^headers^
+  fetch/hsts/unregister.html
   fetch/https/index.html
   fetch/https/register.html
   fetch/https/unregister.html
@@ -76,6 +85,15 @@ support-files =
   fetch/sandbox/register.html
   fetch/sandbox/unregister.html
   fetch/sandbox/sandbox_test.js
+  fetch/upgrade-insecure/upgrade-insecure_test.js
+  fetch/upgrade-insecure/embedder.html
+  fetch/upgrade-insecure/embedder.html^headers^
+  fetch/upgrade-insecure/image.html
+  fetch/upgrade-insecure/image-20px.png
+  fetch/upgrade-insecure/image-40px.png
+  fetch/upgrade-insecure/realindex.html
+  fetch/upgrade-insecure/register.html
+  fetch/upgrade-insecure/unregister.html
   match_all_properties_worker.js
   match_all_clients/match_all_controlled.html
   test_serviceworker_interfaces.js
@@ -259,3 +277,7 @@ skip-if = toolkit == "android" || toolkit == "gonk"
 [test_not_intercept_plugin.html]
 [test_file_blob_upload.html]
 [test_unresolved_fetch_interception.html]
+[test_hsts_upgrade_intercept.html]
+skip-if = e10s # Bug 1214305
+[test_csp_upgrade-insecure_intercept.html]
+skip-if = e10s # Bug 1214305
diff --git a/dom/workers/test/serviceworkers/test_csp_upgrade-insecure_intercept.html b/dom/workers/test/serviceworkers/test_csp_upgrade-insecure_intercept.html
new file mode 100644
index 000000000000..45d02a409a64
--- /dev/null
+++ b/dom/workers/test/serviceworkers/test_csp_upgrade-insecure_intercept.html
@@ -0,0 +1,56 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that a CSP upgraded request can be intercepted by a service worker</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content">
+<iframe></iframe>
+</div>
+<pre id="test"></pre>
+<script class="testbody" type="text/javascript">
+
+  var iframe;
+  function runTest() {
+    iframe = document.querySelector("iframe");
+    iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/upgrade-insecure/register.html";
+    window.onmessage = function(e) {
+      if (e.data.status == "ok") {
+        ok(e.data.result, e.data.message);
+      } else if (e.data.status == "registrationdone") {
+        iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/upgrade-insecure/embedder.html";
+      } else if (e.data.status == "protocol") {
+        is(e.data.data, "https:", "Correct protocol expected");
+      } else if (e.data.status == "image") {
+        is(e.data.data, 40, "The image request was upgraded before interception");
+        iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/upgrade-insecure/unregister.html";
+      } else if (e.data.status == "unregistrationdone") {
+        window.onmessage = null;
+        SimpleTest.finish();
+      }
+    };
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  onload = function() {
+    SpecialPowers.pushPrefEnv({"set": [
+      ["dom.serviceWorkers.exemptFromPerDomainMax", true],
+      ["dom.serviceWorkers.enabled", true],
+      ["dom.serviceWorkers.testing.enabled", true],
+      ["dom.serviceWorkers.interception.enabled", true],
+      // This is needed so that we can test upgrading a non-secure load inside an https iframe.
+      ["security.mixed_content.block_active_content", false],
+      ["security.mixed_content.block_display_content", false],
+    ]}, runTest);
+  };
+</script>
+</pre>
+</body>
+</html>
diff --git a/dom/workers/test/serviceworkers/test_hsts_upgrade_intercept.html b/dom/workers/test/serviceworkers/test_hsts_upgrade_intercept.html
new file mode 100644
index 000000000000..ea2c1fe8ef68
--- /dev/null
+++ b/dom/workers/test/serviceworkers/test_hsts_upgrade_intercept.html
@@ -0,0 +1,66 @@
+<!--
+  Any copyright is dedicated to the Public Domain.
+  http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test that an HSTS upgraded request can be intercepted by a service worker</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content">
+<iframe></iframe>
+</div>
+<pre id="test"></pre>
+<script class="testbody" type="text/javascript">
+
+  var iframe;
+  var framesLoaded = 0;
+  function runTest() {
+    iframe = document.querySelector("iframe");
+    iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/register.html";
+    window.onmessage = function(e) {
+      if (e.data.status == "ok") {
+        ok(e.data.result, e.data.message);
+      } else if (e.data.status == "registrationdone") {
+        iframe.src = "http://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/index.html";
+      } else if (e.data.status == "protocol") {
+        is(e.data.data, "https:", "Correct protocol expected");
+        switch (++framesLoaded) {
+        case 1:
+          iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/embedder.html";
+          break;
+        case 2:
+          iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/image.html";
+          break;
+        }
+      } else if (e.data.status == "image") {
+        is(e.data.data, 40, "The image request was upgraded before interception");
+        iframe.src = "https://example.com/tests/dom/workers/test/serviceworkers/fetch/hsts/unregister.html";
+      } else if (e.data.status == "unregistrationdone") {
+        window.onmessage = null;
+        SpecialPowers.cleanUpSTSData("http://example.com");
+        SimpleTest.finish();
+      }
+    };
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  onload = function() {
+    SpecialPowers.pushPrefEnv({"set": [
+      ["dom.serviceWorkers.exemptFromPerDomainMax", true],
+      ["dom.serviceWorkers.enabled", true],
+      ["dom.serviceWorkers.testing.enabled", true],
+      ["dom.serviceWorkers.interception.enabled", true],
+      // This is needed so that we can test upgrading a non-secure load inside an https iframe.
+      ["security.mixed_content.block_active_content", false],
+      ["security.mixed_content.block_display_content", false],
+    ]}, runTest);
+  };
+</script>
+</pre>
+</body>
+</html>
diff --git a/dom/workers/test/test_xhr_responseURL.html b/dom/workers/test/test_xhr_responseURL.html
index fb2fd5e4e18b..2c7977450159 100644
--- a/dom/workers/test/test_xhr_responseURL.html
+++ b/dom/workers/test/test_xhr_responseURL.html
@@ -45,16 +45,6 @@ worker.addEventListener("message", function (aEvent) {
     worker.postMessage("pong");
     return;
   }
-  if (data.type === "todo") {
-    SimpleTest.todo(data.bool, data.message);
-    worker.postMessage("pong");
-    return;
-  }
-  if (data.type === "todo_is") {
-    SimpleTest.todo_is(data.actual, data.expected, data.message);
-    worker.postMessage("pong");
-    return;
-  }
   if (data.type === "redirect_test") {
     if (data.status === "start") {
       SpecialPowers.addObserver(requestObserver, "specialpowers-http-notify-request", false);
diff --git a/dom/xbl/nsBindingManager.h b/dom/xbl/nsBindingManager.h
index 805d7b72406a..a952c55cb0a5 100644
--- a/dom/xbl/nsBindingManager.h
+++ b/dom/xbl/nsBindingManager.h
@@ -27,7 +27,6 @@ class nsIURI;
 class nsXBLDocumentInfo;
 class nsIStreamListener;
 class nsXBLBinding;
-template<class E> class nsRefPtr;
 typedef nsTArray<RefPtr<nsXBLBinding> > nsBindingList;
 class nsIPrincipal;
 class nsITimer;
diff --git a/dom/xbl/nsXBLPrototypeResources.cpp b/dom/xbl/nsXBLPrototypeResources.cpp
index f3146b21664e..cd1cb192d14d 100644
--- a/dom/xbl/nsXBLPrototypeResources.cpp
+++ b/dom/xbl/nsXBLPrototypeResources.cpp
@@ -143,7 +143,7 @@ void
 nsXBLPrototypeResources::GatherRuleProcessor()
 {
   mRuleProcessor = new nsCSSRuleProcessor(mStyleSheetList,
-                                          nsStyleSet::eDocSheet,
+                                          SheetType::Doc,
                                           nullptr,
                                           mRuleProcessor);
 }
diff --git a/extensions/spellcheck/hunspell/src/moz.build b/extensions/spellcheck/hunspell/src/moz.build
index bbc052adf935..91e46eea8223 100644
--- a/extensions/spellcheck/hunspell/src/moz.build
+++ b/extensions/spellcheck/hunspell/src/moz.build
@@ -28,6 +28,7 @@ LOCAL_INCLUDES += [
     '../glue',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 include('/ipc/chromium/chromium-config.mozbuild')
diff --git a/gfx/angle/moz.build b/gfx/angle/moz.build
index b8740b382499..85ac4526f80d 100644
--- a/gfx/angle/moz.build
+++ b/gfx/angle/moz.build
@@ -160,6 +160,7 @@ if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
 DEFINES['COMPONENT_BUILD'] = True
 DEFINES['ANGLE_TRANSLATOR_IMPLEMENTATION'] = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/gfx/angle/src/libANGLE/moz.build b/gfx/angle/src/libANGLE/moz.build
index f8eabe42c362..ec3b66aa5bd2 100644
--- a/gfx/angle/src/libANGLE/moz.build
+++ b/gfx/angle/src/libANGLE/moz.build
@@ -311,5 +311,6 @@ SOURCES['renderer/d3d/HLSLCompiler.cpp'].flags += ['-DANGLE_PRELOADED_D3DCOMPILE
 if CONFIG['MOZ_HAS_WINSDK_WITH_D3D']:
     SOURCES['renderer/d3d/d3d11/SwapChain11.cpp'].flags += ['-DANGLE_RESOURCE_SHARE_TYPE=D3D11_RESOURCE_MISC_SHARED_KEYEDMUTEX']
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
diff --git a/gfx/cairo/cairo/src/moz.build b/gfx/cairo/cairo/src/moz.build
index 6ddee048c76c..1eab57148bf3 100644
--- a/gfx/cairo/cairo/src/moz.build
+++ b/gfx/cairo/cairo/src/moz.build
@@ -185,6 +185,7 @@ UNIFIED_SOURCES += [
     'cairo.c',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/gfx/cairo/libpixman/src/moz.build b/gfx/cairo/libpixman/src/moz.build
index b2474190470b..bb2ed5abc373 100644
--- a/gfx/cairo/libpixman/src/moz.build
+++ b/gfx/cairo/libpixman/src/moz.build
@@ -58,6 +58,7 @@ SOURCES += [
     'pixman.c',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/gfx/gl/GLTextureImage.cpp b/gfx/gl/GLTextureImage.cpp
index cd05f6f126c0..1dccc262e50f 100644
--- a/gfx/gl/GLTextureImage.cpp
+++ b/gfx/gl/GLTextureImage.cpp
@@ -291,16 +291,16 @@ BasicTextureImage::BasicTextureImage(GLuint aTexture,
 static bool
 WantsSmallTiles(GLContext* gl)
 {
-    // We must use small tiles for good performance if we can't use
-    // glTexSubImage2D() for some reason.
-    if (!CanUploadSubTextures(gl))
-        return true;
-
     // We can't use small tiles on the SGX 540, because of races in texture upload.
     if (gl->WorkAroundDriverBugs() &&
         gl->Renderer() == GLRenderer::SGX540)
         return false;
 
+    // We should use small tiles for good performance if we can't use
+    // glTexSubImage2D() for some reason.
+    if (!CanUploadSubTextures(gl))
+        return true;
+
     // Don't use small tiles otherwise. (If we implement incremental texture upload,
     // then we will want to revisit this.)
     return false;
diff --git a/gfx/graphite2/src/moz.build b/gfx/graphite2/src/moz.build
index 0c932b2c513c..81bf44f12850 100644
--- a/gfx/graphite2/src/moz.build
+++ b/gfx/graphite2/src/moz.build
@@ -67,6 +67,7 @@ else:
     # thebes
     DEFINES['GRAPHITE2_STATIC'] = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/gfx/harfbuzz/src/moz.build b/gfx/harfbuzz/src/moz.build
index 7d14158e23fd..51dfc705c125 100644
--- a/gfx/harfbuzz/src/moz.build
+++ b/gfx/harfbuzz/src/moz.build
@@ -59,6 +59,7 @@ UNIFIED_SOURCES += [
     'hb-warning.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/gfx/layers/apz/util/APZCCallbackHelper.h b/gfx/layers/apz/util/APZCCallbackHelper.h
index be3a0b175c53..2b64e67b7ae9 100644
--- a/gfx/layers/apz/util/APZCCallbackHelper.h
+++ b/gfx/layers/apz/util/APZCCallbackHelper.h
@@ -18,7 +18,6 @@ class nsIPresShell;
 class nsIWidget;
 template<class T> struct already_AddRefed;
 template<class T> class nsCOMPtr;
-template<class T> class nsRefPtr;
 
 namespace mozilla {
 namespace layers {
diff --git a/gfx/layers/composite/LayerManagerComposite.cpp b/gfx/layers/composite/LayerManagerComposite.cpp
index 4402cbf8d5d2..922ee050178b 100644
--- a/gfx/layers/composite/LayerManagerComposite.cpp
+++ b/gfx/layers/composite/LayerManagerComposite.cpp
@@ -298,6 +298,10 @@ LayerManagerComposite::EndTransaction(const TimeStamp& aTimeStamp,
     return;
   }
 
+  // We don't want our debug overlay to cause more frames to happen
+  // so we will invalidate after we've decided if something changed.
+  InvalidateDebugOverlay(mRenderBounds);
+
  if (mRoot && !(aFlags & END_NO_IMMEDIATE_REDRAW)) {
     MOZ_ASSERT(!aTimeStamp.IsNull());
     // The results of our drawing always go directly into a pixel buffer,
@@ -393,6 +397,26 @@ LayerManagerComposite::RootLayer() const
 #include "qrcode_table.h"
 #endif
 
+void
+LayerManagerComposite::InvalidateDebugOverlay(const IntRect& aBounds)
+{
+  bool drawFps = gfxPrefs::LayersDrawFPS();
+  bool drawFrameCounter = gfxPrefs::DrawFrameCounter();
+  bool drawFrameColorBars = gfxPrefs::CompositorDrawColorBars();
+
+  if (drawFps || drawFrameCounter) {
+    AddInvalidRegion(nsIntRect(0, 0, 256, 256));
+  }
+  if (drawFrameColorBars) {
+    AddInvalidRegion(nsIntRect(0, 0, 10, aBounds.height));
+  }
+
+  if (drawFrameColorBars) {
+    AddInvalidRegion(nsIntRect(0, 0, 10, aBounds.height));
+  }
+
+}
+
 static uint16_t sFrameCount = 0;
 void
 LayerManagerComposite::RenderDebugOverlay(const Rect& aBounds)
@@ -461,7 +485,6 @@ LayerManagerComposite::RenderDebugOverlay(const Rect& aBounds)
     }
 
     // Each frame is invalidate by the previous frame for simplicity
-    AddInvalidRegion(nsIntRect(0, 0, 256, 256));
   } else {
     mFPS = nullptr;
   }
@@ -477,8 +500,6 @@ LayerManagerComposite::RenderDebugOverlay(const Rect& aBounds)
                           1.0,
                           gfx::Matrix4x4());
 
-    // Each frame is invalidate by the previous frame for simplicity
-    AddInvalidRegion(nsIntRect(0, 0, sideRect.width, sideRect.height));
   }
 
 #ifdef MOZ_PROFILING
@@ -522,8 +543,6 @@ LayerManagerComposite::RenderDebugOverlay(const Rect& aBounds)
       }
     }
 
-    // Each frame is invalidate by the previous frame for simplicity
-    AddInvalidRegion(nsIntRect(0, 0, 256, 256));
   }
 #endif
 
diff --git a/gfx/layers/composite/LayerManagerComposite.h b/gfx/layers/composite/LayerManagerComposite.h
index 2e48a6bf2d97..377ba9372f97 100644
--- a/gfx/layers/composite/LayerManagerComposite.h
+++ b/gfx/layers/composite/LayerManagerComposite.h
@@ -305,6 +305,11 @@ private:
   void RenderToPresentationSurface();
 #endif
 
+  /**
+   * We need to know our invalid region before we're ready to render.
+   */
+  void InvalidateDebugOverlay(const gfx::IntRect& aBounds);
+
   /**
    * Render debug overlays such as the FPS/FrameCounter above the frame.
    */
diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
index 615b309d29eb..3c936c3d00f8 100644
--- a/gfx/layers/ipc/CompositorParent.cpp
+++ b/gfx/layers/ipc/CompositorParent.cpp
@@ -2057,7 +2057,13 @@ CrossProcessCompositorParent::ShadowLayersUpdated(
 bool
 CompositorParent::UpdatePluginWindowState(uint64_t aId)
 {
+  MonitorAutoLock lock(*sIndirectLayerTreesLock);
   CompositorParent::LayerTreeState& lts = sIndirectLayerTrees[aId];
+  if (!lts.mParent) {
+    PLUGINS_LOG("[%" PRIu64 "] layer tree compositor parent pointer is null", aId);
+    return false;
+  }
+
   // Check if this layer tree has received any shadow layer updates
   if (!lts.mUpdatedPluginDataAvailable) {
     PLUGINS_LOG("[%" PRIu64 "] no plugin data", aId);
diff --git a/gfx/ots/src/moz.build b/gfx/ots/src/moz.build
index 0f51f3fe3a57..bd51e93e5b3b 100644
--- a/gfx/ots/src/moz.build
+++ b/gfx/ots/src/moz.build
@@ -50,6 +50,7 @@ UNIFIED_SOURCES += [
 if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
     NO_VISIBILITY_FLAGS = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/gfx/skia/generate_mozbuild.py b/gfx/skia/generate_mozbuild.py
index f8be46e48ca7..30a643697ebc 100755
--- a/gfx/skia/generate_mozbuild.py
+++ b/gfx/skia/generate_mozbuild.py
@@ -139,18 +139,23 @@ DEFINES['GR_IMPLEMENTATION'] = 1
 
 if CONFIG['GNU_CXX']:
     CXXFLAGS += [
-        '-Wno-overloaded-virtual',
-        '-Wno-unused-function',
         '-Wno-deprecated-declarations',
+        '-Wno-overloaded-virtual',
+        '-Wno-sign-compare',
+        '-Wno-unused-function',
     ]
     if CONFIG['CLANG_CXX']:
         CXXFLAGS += [
+            '-Wno-implicit-fallthrough',
             '-Wno-inconsistent-missing-override',
             '-Wno-macro-redefined',
             '-Wno-unused-private-field',
         ]
     else:
-        CXXFLAGS += ['-Wno-logical-op']
+        CXXFLAGS += [
+            '-Wno-logical-op',
+            '-Wno-maybe-uninitialized',
+        ]
     if CONFIG['CPU_ARCH'] == 'arm':
         SOURCES['skia/src/opts/SkBlitRow_opts_arm.cpp'].flags += ['-fomit-frame-pointer']
 
diff --git a/gfx/skia/moz.build b/gfx/skia/moz.build
index a7bf41f5888a..28c399638d74 100644
--- a/gfx/skia/moz.build
+++ b/gfx/skia/moz.build
@@ -583,6 +583,7 @@ if CONFIG['INTEL_ARCHITECTURE'] and CONFIG['GNU_CC'] and CONFIG['OS_ARCH'] != 'W
             'skia/src/opts/SkBlitRow_opts_SSE4_asm.S',
         ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
@@ -667,18 +668,23 @@ DEFINES['GR_IMPLEMENTATION'] = 1
 
 if CONFIG['GNU_CXX']:
     CXXFLAGS += [
-        '-Wno-overloaded-virtual',
-        '-Wno-unused-function',
         '-Wno-deprecated-declarations',
+        '-Wno-overloaded-virtual',
+        '-Wno-sign-compare',
+        '-Wno-unused-function',
     ]
     if CONFIG['CLANG_CXX']:
         CXXFLAGS += [
+            '-Wno-implicit-fallthrough',
             '-Wno-inconsistent-missing-override',
             '-Wno-macro-redefined',
             '-Wno-unused-private-field',
         ]
     else:
-        CXXFLAGS += ['-Wno-logical-op']
+        CXXFLAGS += [
+            '-Wno-logical-op',
+            '-Wno-maybe-uninitialized',
+        ]
     if CONFIG['CPU_ARCH'] == 'arm':
         SOURCES['skia/src/opts/SkBlitRow_opts_arm.cpp'].flags += ['-fomit-frame-pointer']
 
diff --git a/gfx/thebes/gfxBlur.cpp b/gfx/thebes/gfxBlur.cpp
index e75af9f275be..40281d2e54d4 100644
--- a/gfx/thebes/gfxBlur.cpp
+++ b/gfx/thebes/gfxBlur.cpp
@@ -980,7 +980,8 @@ gfxAlphaBoxBlur::BlurInsetBox(gfxContext* aDestinationCtx,
                               const Color& aShadowColor,
                               bool aHasBorderRadius,
                               const RectCornerRadii& aInnerClipRadii,
-                              const Rect aSkipRect)
+                              const Rect aSkipRect,
+                              const Point aShadowOffset)
 {
   // Blur inset shadows ALWAYS have a 0 spread radius.
   if ((aBlurRadius.width <= 0 && aBlurRadius.height <= 0)) {
@@ -1005,6 +1006,7 @@ gfxAlphaBoxBlur::BlurInsetBox(gfxContext* aDestinationCtx,
   srcInner.Deflate(Margin(slice));
 
   Rect dstOuter(aDestinationRect);
+  dstOuter.MoveBy(aShadowOffset);
   dstOuter.Inflate(Margin(extendDest));
   Rect dstInner = dstOuter;
   dstInner.Deflate(Margin(slice));
diff --git a/gfx/thebes/gfxBlur.h b/gfx/thebes/gfxBlur.h
index 456014c5eafc..1c2dc6bf6bdc 100644
--- a/gfx/thebes/gfxBlur.h
+++ b/gfx/thebes/gfxBlur.h
@@ -160,7 +160,8 @@ public:
                       const mozilla::gfx::Color& aShadowColor,
                       const bool aHasBorderRadius,
                       const RectCornerRadii& aInnerClipRadii,
-                      const mozilla::gfx::Rect aSkipRect);
+                      const mozilla::gfx::Rect aSkipRect,
+                      const mozilla::gfx::Point aShadowOffset);
 
 protected:
     already_AddRefed<mozilla::gfx::SourceSurface>
diff --git a/gfx/thebes/gfxTeeSurface.h b/gfx/thebes/gfxTeeSurface.h
index b12f9d5e3582..59148c26f857 100644
--- a/gfx/thebes/gfxTeeSurface.h
+++ b/gfx/thebes/gfxTeeSurface.h
@@ -10,8 +10,6 @@
 #include "nsTArrayForwardDeclare.h"
 #include "nsSize.h"
 
-template<class T> class nsRefPtr;
-
 /**
  * Wraps a cairo_tee_surface. The first surface in the surface list is the
  * primary surface, which answers all surface queries (including size).
diff --git a/image/imgLoader.cpp b/image/imgLoader.cpp
index b350bea31e5d..1528ffd14ce7 100644
--- a/image/imgLoader.cpp
+++ b/image/imgLoader.cpp
@@ -862,6 +862,7 @@ imgCacheEntry::imgCacheEntry(imgLoader* loader, imgRequest* request,
    mRequest(request),
    mDataSize(0),
    mTouchedTime(SecondsFromPRTime(PR_Now())),
+   mLoadTime(SecondsFromPRTime(PR_Now())),
    mExpiryTime(0),
    mMustValidate(false),
    // We start off as evicted so we don't try to update the cache. PutIntoCache
@@ -898,6 +899,11 @@ imgCacheEntry::UpdateCache(int32_t diff /* = 0 */)
   }
 }
 
+void imgCacheEntry::UpdateLoadTime()
+{
+  mLoadTime = SecondsFromPRTime(PR_Now());
+}
+
 void
 imgCacheEntry::SetHasNoProxies(bool hasNoProxies)
 {
@@ -1710,7 +1716,7 @@ imgLoader::ValidateEntry(imgCacheEntry* aEntry,
   // Special treatment for file URLs - aEntry has expired if file has changed
   nsCOMPtr<nsIFileURL> fileUrl(do_QueryInterface(aURI));
   if (fileUrl) {
-    uint32_t lastModTime = aEntry->GetTouchedTime();
+    uint32_t lastModTime = aEntry->GetLoadTime();
 
     nsCOMPtr<nsIFile> theFile;
     rv = fileUrl->GetFile(getter_AddRefs(theFile));
diff --git a/image/imgLoader.h b/image/imgLoader.h
index be98fcb6364e..12db620929cf 100644
--- a/image/imgLoader.h
+++ b/image/imgLoader.h
@@ -91,6 +91,13 @@ public:
     Touch(/* updateTime = */ false);
   }
 
+  uint32_t GetLoadTime() const
+  {
+    return mLoadTime;
+  }
+
+  void UpdateLoadTime();
+
   int32_t GetExpiryTime() const
   {
     return mExpiryTime;
@@ -164,6 +171,7 @@ private: // data
   RefPtr<imgRequest> mRequest;
   uint32_t mDataSize;
   int32_t mTouchedTime;
+  uint32_t mLoadTime;
   int32_t mExpiryTime;
   nsExpirationState mExpirationState;
   bool mMustValidate : 1;
diff --git a/image/imgRequest.cpp b/image/imgRequest.cpp
index 916d8d30f8bf..4afe6009075b 100644
--- a/image/imgRequest.cpp
+++ b/image/imgRequest.cpp
@@ -159,6 +159,7 @@ imgRequest::Init(nsIURI *aURI,
   mChannel->SetNotificationCallbacks(this);
 
   mCacheEntry = aCacheEntry;
+  mCacheEntry->UpdateLoadTime();
 
   SetLoadId(aCX);
 
diff --git a/intl/hyphenation/hyphen/moz.build b/intl/hyphenation/hyphen/moz.build
index 42db5071469b..de5d4b1a7eec 100644
--- a/intl/hyphenation/hyphen/moz.build
+++ b/intl/hyphenation/hyphen/moz.build
@@ -15,5 +15,5 @@ LOCAL_INCLUDES += [
     '../glue',
 ]
 
-# Suppress warnings in third-party code.
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
diff --git a/ipc/chromium/src/third_party/moz.build b/ipc/chromium/src/third_party/moz.build
index 89061ecded11..4740c9b6391c 100644
--- a/ipc/chromium/src/third_party/moz.build
+++ b/ipc/chromium/src/third_party/moz.build
@@ -54,6 +54,7 @@ if os_linux:
             'libevent/epoll_sub.c',
         ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/ipc/glue/BackgroundUtils.cpp b/ipc/glue/BackgroundUtils.cpp
index ad0f349eed71..b8e02fd2f82a 100644
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -235,7 +235,7 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
       requestingPrincipalInfo,
       triggeringPrincipalInfo,
       aLoadInfo->GetSecurityFlags(),
-      aLoadInfo->GetContentPolicyType(),
+      aLoadInfo->InternalContentPolicyType(),
       aLoadInfo->GetUpgradeInsecureRequests(),
       aLoadInfo->GetInnerWindowID(),
       aLoadInfo->GetOuterWindowID(),
diff --git a/js/src/asmjs/AsmJSCompile.cpp b/js/src/asmjs/AsmJSCompile.cpp
index 2cdeb9fabb24..56f4e5801e5f 100644
--- a/js/src/asmjs/AsmJSCompile.cpp
+++ b/js/src/asmjs/AsmJSCompile.cpp
@@ -146,8 +146,8 @@ class ModuleCompiler
 
 #if defined(MOZ_VTUNE) || defined(JS_ION_PERF)
         // Perf and profiling information
-        unsigned begin = labels.begin.offset();
-        unsigned end = labels.end.offset();
+        unsigned begin = labels.nonProfilingEntry.offset();
+        unsigned end = labels.endAfterOOL.offset();
         AsmJSModule::ProfiledFunction profiledFunc(funcName, begin, end, line, column);
         if (!compileResults_->addProfiledFunction(profiledFunc))
             return false;
diff --git a/js/src/asmjs/AsmJSFrameIterator.cpp b/js/src/asmjs/AsmJSFrameIterator.cpp
index 1004ce63082b..f27592d3911f 100644
--- a/js/src/asmjs/AsmJSFrameIterator.cpp
+++ b/js/src/asmjs/AsmJSFrameIterator.cpp
@@ -280,13 +280,13 @@ js::GenerateAsmJSFunctionPrologue(MacroAssembler& masm, unsigned framePushed,
 
     masm.haltingAlign(CodeAlignment);
 
-    GenerateProfilingPrologue(masm, framePushed, AsmJSExit::None, &labels->begin);
+    GenerateProfilingPrologue(masm, framePushed, AsmJSExit::None, &labels->profilingEntry);
     Label body;
     masm.jump(&body);
 
     // Generate normal prologue:
     masm.haltingAlign(CodeAlignment);
-    masm.bind(&labels->entry);
+    masm.bind(&labels->nonProfilingEntry);
     PushRetAddr(masm);
     masm.subFromStackPtr(Imm32(framePushed + AsmJSFrameBytesAfterReturnAddress));
 
diff --git a/js/src/asmjs/AsmJSModule.cpp b/js/src/asmjs/AsmJSModule.cpp
index b8026d5470d7..4be580f6a8c3 100644
--- a/js/src/asmjs/AsmJSModule.cpp
+++ b/js/src/asmjs/AsmJSModule.cpp
@@ -363,8 +363,8 @@ AsmJSModule::finish(ExclusiveContext* cx, TokenStream& tokenStream, MacroAssembl
     // Relative link metadata: absolute addresses that refer to another point within
     // the asm.js module.
 
-    // CodeLabels are used for switch cases and loads from doubles in the
-    // constant pool.
+    // CodeLabels are used for switch cases and loads from floating-point /
+    // SIMD values in the constant pool.
     for (size_t i = 0; i < masm.numCodeLabels(); i++) {
         CodeLabel src = masm.codeLabel(i);
         int32_t labelOffset = src.dest()->offset();
@@ -1364,19 +1364,19 @@ AsmJSModule::CodeRange::CodeRange(uint32_t nameIndex, uint32_t lineNumber,
                                   const AsmJSFunctionLabels& l)
   : nameIndex_(nameIndex),
     lineNumber_(lineNumber),
-    begin_(l.begin.offset()),
+    begin_(l.profilingEntry.offset()),
     profilingReturn_(l.profilingReturn.offset()),
-    end_(l.end.offset())
+    end_(l.endAfterOOL.offset())
 {
     PodZero(&u);  // zero padding for Valgrind
     u.kind_ = Function;
-    setDeltas(l.entry.offset(), l.profilingJump.offset(), l.profilingEpilogue.offset());
+    setDeltas(l.nonProfilingEntry.offset(), l.profilingJump.offset(), l.profilingEpilogue.offset());
 
-    MOZ_ASSERT(l.begin.offset() < l.entry.offset());
-    MOZ_ASSERT(l.entry.offset() < l.profilingJump.offset());
+    MOZ_ASSERT(l.profilingEntry.offset() < l.nonProfilingEntry.offset());
+    MOZ_ASSERT(l.nonProfilingEntry.offset() < l.profilingJump.offset());
     MOZ_ASSERT(l.profilingJump.offset() < l.profilingEpilogue.offset());
     MOZ_ASSERT(l.profilingEpilogue.offset() < l.profilingReturn.offset());
-    MOZ_ASSERT(l.profilingReturn.offset() < l.end.offset());
+    MOZ_ASSERT(l.profilingReturn.offset() < l.endAfterOOL.offset());
 }
 
 void
diff --git a/js/src/asmjs/AsmJSModule.h b/js/src/asmjs/AsmJSModule.h
index bc25159b36ee..88c9093a9d62 100644
--- a/js/src/asmjs/AsmJSModule.h
+++ b/js/src/asmjs/AsmJSModule.h
@@ -102,14 +102,14 @@ enum AsmJSSimdOperation
 struct MOZ_STACK_CLASS AsmJSFunctionLabels
 {
     AsmJSFunctionLabels(jit::Label& entry, jit::Label& overflowExit)
-      : entry(entry), overflowExit(overflowExit) {}
+      : nonProfilingEntry(entry), overflowExit(overflowExit) {}
 
-    jit::Label begin;
-    jit::Label& entry;
-    jit::Label profilingJump;
-    jit::Label profilingEpilogue;
-    jit::Label profilingReturn;
-    jit::Label end;
+    jit::Label  profilingEntry;
+    jit::Label& nonProfilingEntry;
+    jit::Label  profilingJump;
+    jit::Label  profilingEpilogue;
+    jit::Label  profilingReturn;
+    jit::Label  endAfterOOL;
     mozilla::Maybe<jit::Label> overflowThunk;
     jit::Label& overflowExit;
 };
diff --git a/js/src/asmjs/AsmJSValidate.cpp b/js/src/asmjs/AsmJSValidate.cpp
index 189337986206..a92ca070420b 100644
--- a/js/src/asmjs/AsmJSValidate.cpp
+++ b/js/src/asmjs/AsmJSValidate.cpp
@@ -1520,6 +1520,7 @@ class MOZ_STACK_CLASS ModuleValidator
             if (!module().addFunctionCounts(compileResults_->functionCount(i)))
                 return false;
         }
+
 #if defined(MOZ_VTUNE) || defined(JS_ION_PERF)
         for (size_t i = 0; i < compileResults_->numProfiledFunctions(); ++i) {
             if (!module().addProfiledFunction(Move(compileResults_->profiledFunction(i))))
@@ -1527,7 +1528,7 @@ class MOZ_STACK_CLASS ModuleValidator
         }
 #endif // defined(MOZ_VTUNE) || defined(JS_ION_PERF)
 
-        // Hand in code ranges, script counts and perf profiling data to the AsmJSModule
+        // Hand in code ranges to the AsmJSModule
         for (size_t i = 0; i < compileResults_->numCodeRanges(); ++i) {
             AsmJSModule::FunctionCodeRange& codeRange = compileResults_->codeRange(i);
             if (!module().addFunctionCodeRange(codeRange.name(), Move(codeRange)))
@@ -8216,6 +8217,10 @@ EstablishPreconditions(ExclusiveContext* cx, AsmJSParser& parser)
     if (parser.pc->isArrowFunction())
         return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by arrow function context");
 
+    // Class constructors are also methods
+    if (parser.pc->isMethod())
+        return Warn(parser, JSMSG_USE_ASM_TYPE_FAIL, "Disabled by class constructor or method context");
+
     return true;
 }
 
diff --git a/js/src/doc/Debugger/Debugger.Object.md b/js/src/doc/Debugger/Debugger.Object.md
index 735036df53be..32f2741040aa 100644
--- a/js/src/doc/Debugger/Debugger.Object.md
+++ b/js/src/doc/Debugger/Debugger.Object.md
@@ -427,9 +427,9 @@ code), the call throws a [`Debugger.DebuggeeWouldRun`][wouldrun] exception.
 
 `asEnvironment()`
 :   If the referent is a global object, return the [`Debugger.Environment`][environment]
-    instance representing the referent as a variable environment for
-    evaluating code. If the referent is not a global object, throw a
-    `TypeError`.
+    instance representing the referent's global lexical scope. The global
+    lexical scope's enclosing scope is the global object. If the referent is
+    not a global object, throw a `TypeError`.
 
 <code>setObjectWatchpoint(<i>handler</i>)</code> <i>(future plan)</i>
 :   Set a watchpoint on all the referent's own properties, reporting events
diff --git a/js/src/frontend/Parser.h b/js/src/frontend/Parser.h
index 059520d20d73..762a5ca68f3a 100644
--- a/js/src/frontend/Parser.h
+++ b/js/src/frontend/Parser.h
@@ -130,6 +130,9 @@ struct MOZ_STACK_CLASS ParseContext : public GenericParseContext
     bool isArrowFunction() const {
         return sc->isFunctionBox() && sc->asFunctionBox()->function()->isArrow();
     }
+    bool isMethod() const {
+        return sc->isFunctionBox() && sc->asFunctionBox()->function()->isMethod();
+    }
 
     uint32_t        blockScopeDepth; /* maximum depth of nested block scopes, in slots */
     Node            blockNode;      /* parse node for a block with let declarations
diff --git a/js/src/jit-test/tests/asm.js/testBasic.js b/js/src/jit-test/tests/asm.js/testBasic.js
index c4054c814d31..e1656d2da41e 100644
--- a/js/src/jit-test/tests/asm.js/testBasic.js
+++ b/js/src/jit-test/tests/asm.js/testBasic.js
@@ -131,6 +131,10 @@ assertTypeFailInEval('function f(global, {imports}) { "use asm"; function g() {}
 assertTypeFailInEval('function f(g = 2) { "use asm"; function g() {} return g }');
 assertTypeFailInEval('function *f() { "use asm"; function g() {} return g }');
 assertTypeFailInEval('f => { "use asm"; function g() {} return g }');
+assertTypeFailInEval('class f { constructor() {"use asm"; return {}} }');
+assertTypeFailInEval('var f = { method() {"use asm"; return {}} }');
+assertAsmTypeFail(USE_ASM + 'class c { constructor() {}}; return c;');
+assertAsmTypeFail(USE_ASM + 'return {m() {}};');
 
 assertAsmTypeFail(USE_ASM + 'function f(i) {i=i|0; (i for (x in [1,2,3])) } return f');
 assertAsmTypeFail(USE_ASM + 'function f(i) {i=i|0; [i for (x in [1,2,3])] } return f');
diff --git a/js/src/jit-test/tests/debug/Object-asEnvironment-01.js b/js/src/jit-test/tests/debug/Object-asEnvironment-01.js
new file mode 100644
index 000000000000..1f5e3be42ff3
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Object-asEnvironment-01.js
@@ -0,0 +1,15 @@
+// Tests D.O.asEnvironment() returning the global lexical scope.
+
+var g = newGlobal();
+var dbg = new Debugger;
+var gw = dbg.addDebuggee(g);
+
+g.evaluate(`
+  var x = 42;
+  let y = "foo"
+`);
+
+var globalLexical = gw.asEnvironment();
+assertEq(globalLexical.names().length, 1);
+assertEq(globalLexical.getVariable("y"), "foo");
+assertEq(globalLexical.parent.getVariable("x"), 42);
diff --git a/js/src/jit-test/tests/ion/bug1106171-sink.js b/js/src/jit-test/tests/ion/bug1106171-sink.js
new file mode 100644
index 000000000000..26fb1e27d21b
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1106171-sink.js
@@ -0,0 +1,19 @@
+// |jit-test| --ion-sink=on
+// Sink Algorithm should not move instruction into merge blocks
+// which have no corresponding pc.
+
+setJitCompilerOption("ion.warmup.trigger", 30);
+
+var o = {
+  a : 40,
+  b : true
+};
+
+function f(a, b) {
+    do {
+        if (a == 0)
+          return;
+        a--;
+    } while (true || this ? o.a-- : true);
+}
+f(200000, 0);
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 579cc473ebb0..9df89bb7ff76 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -7800,7 +7800,7 @@ CodeGenerator::generateAsmJS(AsmJSFunctionLabels* labels)
     if (!generateOutOfLineCode())
         return false;
 
-    masm.bind(&labels->end);
+    masm.bind(&labels->endAfterOOL);
 
     // The only remaining work needed to compile this function is to patch the
     // switch-statement jump tables (the entries of the table need the absolute
@@ -8187,6 +8187,12 @@ CodeGenerator::link(JSContext* cx, CompilerConstraintList* constraints)
 
             entry.firstStub()->toFallbackStub()->fixupICEntry(&entry);
         }
+
+        // for generating inline caches during the execution.
+        if (runtimeData_.length())
+            ionScript->copyRuntimeData(&runtimeData_[0]);
+        if (cacheList_.length())
+            ionScript->copyCacheEntries(&cacheList_[0], masm);
     }
 
     JitSpew(JitSpew_Codegen, "Created IonScript %p (raw %p)",
@@ -8205,12 +8211,6 @@ CodeGenerator::link(JSContext* cx, CompilerConstraintList* constraints)
         perfSpewer_.writeProfile(script, code, masm);
 #endif
 
-    // for generating inline caches during the execution.
-    if (runtimeData_.length())
-        ionScript->copyRuntimeData(&runtimeData_[0]);
-    if (cacheList_.length())
-        ionScript->copyCacheEntries(&cacheList_[0], masm);
-
     // for marking during GC.
     if (safepointIndices_.length())
         ionScript->copySafepointIndices(&safepointIndices_[0], masm);
diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
index 9aedc9cae348..14f9151d40aa 100644
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -1513,7 +1513,8 @@ OptimizeMIR(MIRGenerator* mir)
 
     {
         AutoTraceLog log(logger, TraceLogger_FoldTests);
-        FoldTests(graph);
+        if (!FoldTests(graph))
+            return false;
         gs.spewPass("Fold Tests");
         AssertBasicGraphCoherency(graph);
 
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index a3d034b54b84..87e4e2639057 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -265,7 +265,7 @@ UpdateTestSuccessors(TempAllocator& alloc, MBasicBlock* block,
     ifFalse->addPredecessorSameInputsAs(block, existingPred);
 }
 
-static void
+static bool
 MaybeFoldConditionBlock(MIRGraph& graph, MBasicBlock* initialBlock)
 {
     // Optimize the MIR graph to improve the code generated for conditional
@@ -294,44 +294,41 @@ MaybeFoldConditionBlock(MIRGraph& graph, MBasicBlock* initialBlock)
 
     MInstruction* ins = initialBlock->lastIns();
     if (!ins->isTest())
-        return;
+        return true;
     MTest* initialTest = ins->toTest();
 
     MBasicBlock* trueBranch = initialTest->ifTrue();
     if (trueBranch->numPredecessors() != 1 || trueBranch->numSuccessors() != 1)
-        return;
+        return true;
     MBasicBlock* falseBranch = initialTest->ifFalse();
     if (falseBranch->numPredecessors() != 1 || falseBranch->numSuccessors() != 1)
-        return;
+        return true;
     MBasicBlock* phiBlock = trueBranch->getSuccessor(0);
     if (phiBlock != falseBranch->getSuccessor(0))
-        return;
+        return true;
     if (phiBlock->numPredecessors() != 2)
-        return;
+        return true;
 
     if (initialBlock->isLoopBackedge() || trueBranch->isLoopBackedge() || falseBranch->isLoopBackedge())
-        return;
+        return true;
 
     MBasicBlock* testBlock = phiBlock;
     if (testBlock->numSuccessors() == 1) {
         if (testBlock->isLoopBackedge())
-            return;
+            return true;
         testBlock = testBlock->getSuccessor(0);
         if (testBlock->numPredecessors() != 1)
-            return;
+            return true;
     }
 
     // Make sure the test block does not have any outgoing loop backedges.
-    {
-        AutoEnterOOMUnsafeRegion oomUnsafe;
-        if (!SplitCriticalEdgesForBlock(graph, testBlock))
-            oomUnsafe.crash("MaybeFoldConditionBlock");
-    }
+    if (!SplitCriticalEdgesForBlock(graph, testBlock))
+        return false;
 
     MPhi* phi;
     MTest* finalTest;
     if (!BlockIsSingleTest(phiBlock, testBlock, &phi, &finalTest))
-        return;
+        return true;
 
     MDefinition* trueResult = phi->getOperand(phiBlock->indexForPredecessor(trueBranch));
     MDefinition* falseResult = phi->getOperand(phiBlock->indexForPredecessor(falseBranch));
@@ -405,13 +402,18 @@ MaybeFoldConditionBlock(MIRGraph& graph, MBasicBlock* initialBlock)
     finalTest->ifTrue()->removePredecessor(testBlock);
     finalTest->ifFalse()->removePredecessor(testBlock);
     graph.removeBlock(testBlock);
+
+    return true;
 }
 
-void
+bool
 jit::FoldTests(MIRGraph& graph)
 {
-    for (MBasicBlockIterator block(graph.begin()); block != graph.end(); block++)
-        MaybeFoldConditionBlock(graph, *block);
+    for (MBasicBlockIterator block(graph.begin()); block != graph.end(); block++) {
+        if (!MaybeFoldConditionBlock(graph, *block))
+            return false;
+    }
+    return true;
 }
 
 static void
diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h
index 5204fb7fd40f..c31f710a665d 100644
--- a/js/src/jit/IonAnalysis.h
+++ b/js/src/jit/IonAnalysis.h
@@ -18,7 +18,7 @@ namespace jit {
 class MIRGenerator;
 class MIRGraph;
 
-void
+bool
 FoldTests(MIRGraph& graph);
 
 bool
diff --git a/js/src/jit/IonCaches.cpp b/js/src/jit/IonCaches.cpp
index ca323036a87d..32af8ee1f09c 100644
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@@ -376,7 +376,6 @@ IonCache::linkAndAttachStub(JSContext* cx, MacroAssembler& masm, StubAttacher& a
 void
 IonCache::updateBaseAddress(JitCode* code, MacroAssembler& masm)
 {
-    AutoWritableJitCode awjc(code);
     fallbackLabel_.repoint(code, &masm);
     initialJump_.repoint(code, &masm);
     lastJump_.repoint(code, &masm);
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
index 9cb0d41ef8b3..36907cb3809c 100644
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -479,8 +479,6 @@ LIRGenerator::visitCall(MCall* call)
     } else if (target) {
         // Call known functions.
         if (target->isNative()) {
-            MOZ_ASSERT(!target->isClassConstructor());
-
             Register cxReg, numReg, vpReg, tmpReg;
             GetTempRegForIntArg(0, 0, &cxReg);
             GetTempRegForIntArg(1, 0, &numReg);
diff --git a/js/src/jit/arm/Assembler-arm.cpp b/js/src/jit/arm/Assembler-arm.cpp
index 60857daad6e2..d9c9126c05d0 100644
--- a/js/src/jit/arm/Assembler-arm.cpp
+++ b/js/src/jit/arm/Assembler-arm.cpp
@@ -1371,12 +1371,6 @@ Assembler::oom() const
            preBarriers_.oom();
 }
 
-void
-Assembler::addCodeLabel(CodeLabel label)
-{
-    propagateOOM(codeLabels_.append(label));
-}
-
 // Size of the instruction stream, in bytes. Including pools. This function
 // expects all pools that need to be placed have been placed. If they haven't
 // then we need to go an flush the pools :(
diff --git a/js/src/jit/arm/Assembler-arm.h b/js/src/jit/arm/Assembler-arm.h
index 588f5dcad646..ac3f0b46795d 100644
--- a/js/src/jit/arm/Assembler-arm.h
+++ b/js/src/jit/arm/Assembler-arm.h
@@ -1294,7 +1294,6 @@ class Assembler : public AssemblerShared
 
     // TODO: this should actually be a pool-like object. It is currently a big
     // hack, and probably shouldn't exist.
-    js::Vector<CodeLabel, 0, SystemAllocPolicy> codeLabels_;
     js::Vector<RelativePatch, 8, SystemAllocPolicy> jumps_;
     js::Vector<BufferOffset, 0, SystemAllocPolicy> tmpJumpRelocations_;
     js::Vector<BufferOffset, 0, SystemAllocPolicy> tmpDataRelocations_;
@@ -1424,14 +1423,6 @@ class Assembler : public AssemblerShared
     void copyDataRelocationTable(uint8_t* dest);
     void copyPreBarrierTable(uint8_t* dest);
 
-    void addCodeLabel(CodeLabel label);
-    size_t numCodeLabels() const {
-        return codeLabels_.length();
-    }
-    CodeLabel codeLabel(size_t i) {
-        return codeLabels_[i];
-    }
-
     // Size of the instruction stream, in bytes, after pools are flushed.
     size_t size() const;
     // Size of the jump relocation table, in bytes.
diff --git a/js/src/jit/arm64/Assembler-arm64.h b/js/src/jit/arm64/Assembler-arm64.h
index e2ae4013820b..8c57463ac25d 100644
--- a/js/src/jit/arm64/Assembler-arm64.h
+++ b/js/src/jit/arm64/Assembler-arm64.h
@@ -236,15 +236,6 @@ class Assembler : public vixl::Assembler
             preBarrierTableBytes();
     }
 
-    void addCodeLabel(CodeLabel label) {
-        propagateOOM(codeLabels_.append(label));
-    }
-    size_t numCodeLabels() const {
-        return codeLabels_.length();
-    }
-    CodeLabel codeLabel(size_t i) {
-        return codeLabels_[i];
-    }
     void processCodeLabels(uint8_t* rawCode) {
         for (size_t i = 0; i < codeLabels_.length(); i++) {
             CodeLabel label = codeLabels_[i];
@@ -436,8 +427,6 @@ class Assembler : public vixl::Assembler
         { }
     };
 
-    js::Vector<CodeLabel, 0, SystemAllocPolicy> codeLabels_;
-
     // List of jumps for which the target is either unknown until finalization,
     // or cannot be known due to GC. Each entry here requires a unique entry
     // in the extended jump table, and is patched at finalization.
diff --git a/js/src/jit/mips-shared/Assembler-mips-shared.cpp b/js/src/jit/mips-shared/Assembler-mips-shared.cpp
index 72ef17e6a5d4..a1aebb6175d5 100644
--- a/js/src/jit/mips-shared/Assembler-mips-shared.cpp
+++ b/js/src/jit/mips-shared/Assembler-mips-shared.cpp
@@ -231,12 +231,6 @@ AssemblerMIPSShared::oom() const
            preBarriers_.oom();
 }
 
-void
-AssemblerMIPSShared::addCodeLabel(CodeLabel label)
-{
-    propagateOOM(codeLabels_.append(label));
-}
-
 // Size of the instruction stream, in bytes.
 size_t
 AssemblerMIPSShared::size() const
diff --git a/js/src/jit/mips-shared/Assembler-mips-shared.h b/js/src/jit/mips-shared/Assembler-mips-shared.h
index c1e4a2aa6dd1..4a9d0bb062cd 100644
--- a/js/src/jit/mips-shared/Assembler-mips-shared.h
+++ b/js/src/jit/mips-shared/Assembler-mips-shared.h
@@ -755,7 +755,6 @@ class AssemblerMIPSShared : public AssemblerShared
         { }
     };
 
-    js::Vector<CodeLabel, 0, SystemAllocPolicy> codeLabels_;
     js::Vector<RelativePatch, 8, SystemAllocPolicy> jumps_;
     js::Vector<uint32_t, 8, SystemAllocPolicy> longJumps_;
 
@@ -810,14 +809,6 @@ class AssemblerMIPSShared : public AssemblerShared
     void copyDataRelocationTable(uint8_t* dest);
     void copyPreBarrierTable(uint8_t* dest);
 
-    void addCodeLabel(CodeLabel label);
-    size_t numCodeLabels() const {
-        return codeLabels_.length();
-    }
-    CodeLabel codeLabel(size_t i) {
-        return codeLabels_[i];
-    }
-
     // Size of the instruction stream, in bytes.
     size_t size() const;
     // Size of the jump relocation table, in bytes.
diff --git a/js/src/jit/shared/Assembler-shared.h b/js/src/jit/shared/Assembler-shared.h
index 896a4c95eaff..dadab5082490 100644
--- a/js/src/jit/shared/Assembler-shared.h
+++ b/js/src/jit/shared/Assembler-shared.h
@@ -422,15 +422,18 @@ struct AbsoluteLabel : public LabelBase
     }
 };
 
-// A code label contains an absolute reference to a point in the code
-// Thus, it cannot be patched until after linking
+// A code label contains an absolute reference to a point in the code. Thus, it
+// cannot be patched until after linking.
+// When the source label is resolved into a memory address, this address is
+// patched into the destination address.
 class CodeLabel
 {
-    // The destination position, where the absolute reference should get patched into
+    // The destination position, where the absolute reference should get
+    // patched into.
     AbsoluteLabel dest_;
 
-    // The source label (relative) in the code to where the
-    // the destination should get patched to.
+    // The source label (relative) in the code to where the destination should
+    // get patched to.
     Label src_;
 
   public:
@@ -923,6 +926,8 @@ class AssemblerShared
     Vector<AsmJSAbsoluteLink, 0, SystemAllocPolicy> asmJSAbsoluteLinks_;
 
   protected:
+    Vector<CodeLabel, 0, SystemAllocPolicy> codeLabels_;
+
     bool enoughMemory_;
     bool embedsNurseryPointers_;
 
@@ -968,6 +973,16 @@ class AssemblerShared
     AsmJSAbsoluteLink asmJSAbsoluteLink(size_t i) const { return asmJSAbsoluteLinks_[i]; }
 
     static bool canUseInSingleByteInstruction(Register reg) { return true; }
+
+    void addCodeLabel(CodeLabel label) {
+        propagateOOM(codeLabels_.append(label));
+    }
+    size_t numCodeLabels() const {
+        return codeLabels_.length();
+    }
+    CodeLabel codeLabel(size_t i) {
+        return codeLabels_[i];
+    }
 };
 
 } // namespace jit
diff --git a/js/src/jit/x86-shared/Assembler-x86-shared.h b/js/src/jit/x86-shared/Assembler-x86-shared.h
index 08abcc22ad8e..927ab518263f 100644
--- a/js/src/jit/x86-shared/Assembler-x86-shared.h
+++ b/js/src/jit/x86-shared/Assembler-x86-shared.h
@@ -250,7 +250,6 @@ class AssemblerX86Shared : public AssemblerShared
         { }
     };
 
-    Vector<CodeLabel, 0, SystemAllocPolicy> codeLabels_;
     Vector<RelativePatch, 8, SystemAllocPolicy> jumps_;
     CompactBufferWriter jumpRelocations_;
     CompactBufferWriter dataRelocations_;
@@ -407,16 +406,6 @@ class AssemblerX86Shared : public AssemblerShared
     void copyDataRelocationTable(uint8_t* dest);
     void copyPreBarrierTable(uint8_t* dest);
 
-    void addCodeLabel(CodeLabel label) {
-        propagateOOM(codeLabels_.append(label));
-    }
-    size_t numCodeLabels() const {
-        return codeLabels_.length();
-    }
-    CodeLabel codeLabel(size_t i) {
-        return codeLabels_[i];
-    }
-
     // Size of the instruction stream, in bytes.
     size_t size() const {
         return masm.size();
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 34b70f41d6b9..2b7f1e07eecd 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -3719,11 +3719,15 @@ JSObject::traceChildren(JSTracer* trc)
             GetObjectSlotNameFunctor func(nobj);
             JS::AutoTracingDetails ctx(trc, func);
             JS::AutoTracingIndex index(trc);
-            for (uint32_t i = 0; i < nobj->slotSpan(); ++i) {
+            // Tracing can mutate the target but cannot change the slot count,
+            // but the compiler has no way of knowing this.
+            const uint32_t nslots = nobj->slotSpan();
+            for (uint32_t i = 0; i < nslots; ++i) {
                 TraceManuallyBarrieredEdge(trc, nobj->getSlotRef(i).unsafeUnbarrieredForTracing(),
                                            "object slot");
                 ++index;
             }
+            MOZ_ASSERT(nslots == nobj->slotSpan());
         }
 
         do {
diff --git a/js/src/tests/js1_5/Regress/regress-360969-01.js b/js/src/tests/js1_5/Regress/regress-360969-01.js
index 9f60fc513c4b..b57110d8e999 100644
--- a/js/src/tests/js1_5/Regress/regress-360969-01.js
+++ b/js/src/tests/js1_5/Regress/regress-360969-01.js
@@ -1,3 +1,4 @@
+// |reftest| skip-if(Android&&isDebugBuild) slow -- bug 1216226
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/js/src/tests/js1_5/Regress/regress-360969-02.js b/js/src/tests/js1_5/Regress/regress-360969-02.js
index 1c4f9f6c80ff..7ab7efed1f38 100644
--- a/js/src/tests/js1_5/Regress/regress-360969-02.js
+++ b/js/src/tests/js1_5/Regress/regress-360969-02.js
@@ -1,3 +1,4 @@
+// |reftest| skip-if(Android&&isDebugBuild) slow -- bug 1216226
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/js/src/tests/js1_5/Regress/regress-360969-03.js b/js/src/tests/js1_5/Regress/regress-360969-03.js
index 19f29362260d..312583dd993a 100644
--- a/js/src/tests/js1_5/Regress/regress-360969-03.js
+++ b/js/src/tests/js1_5/Regress/regress-360969-03.js
@@ -1,3 +1,4 @@
+// |reftest| skip-if(Android&&isDebugBuild) slow -- bug 1216226
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/js/src/tests/js1_5/Regress/regress-360969-04.js b/js/src/tests/js1_5/Regress/regress-360969-04.js
index ea53e0ebaf80..d33dbbc21365 100644
--- a/js/src/tests/js1_5/Regress/regress-360969-04.js
+++ b/js/src/tests/js1_5/Regress/regress-360969-04.js
@@ -1,3 +1,4 @@
+// |reftest| skip-if(Android&&isDebugBuild) slow -- bug 1216226
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/js/src/tests/js1_5/Regress/regress-360969-05.js b/js/src/tests/js1_5/Regress/regress-360969-05.js
index f611c2d6100f..54b4d68294a0 100644
--- a/js/src/tests/js1_5/Regress/regress-360969-05.js
+++ b/js/src/tests/js1_5/Regress/regress-360969-05.js
@@ -1,3 +1,4 @@
+// |reftest| skip-if(Android&&isDebugBuild) slow -- bug 1216226
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/js/src/tests/js1_5/Regress/regress-360969-06.js b/js/src/tests/js1_5/Regress/regress-360969-06.js
index d9d1c0e4e498..cd95040fbabb 100644
--- a/js/src/tests/js1_5/Regress/regress-360969-06.js
+++ b/js/src/tests/js1_5/Regress/regress-360969-06.js
@@ -1,3 +1,4 @@
+// |reftest| skip-if(Android&&isDebugBuild) slow -- bug 1216226
 /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
index 405d66a1f658..f17f9101ddaa 100644
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -7687,6 +7687,24 @@ DebuggerObject_executeInGlobalWithBindings(JSContext* cx, unsigned argc, Value*
                                args.rval(), dbg, globalLexical, nullptr);
 }
 
+static bool
+DebuggerObject_asEnvironment(JSContext* cx, unsigned argc, Value* vp)
+{
+    THIS_DEBUGOBJECT_OWNER_REFERENT(cx, argc, vp, "asEnvironment", args, dbg, referent);
+    if (!RequireGlobalObject(cx, args.thisv(), referent))
+        return false;
+
+    Rooted<Env*> env(cx);
+    {
+        AutoCompartment ac(cx, referent);
+        env = GetDebugScopeForGlobalLexicalScope(cx);
+        if (!env)
+            return false;
+    }
+
+    return dbg->wrapEnvironment(cx, env, args.rval());
+}
+
 static bool
 DebuggerObject_unwrap(JSContext* cx, unsigned argc, Value* vp)
 {
@@ -7764,6 +7782,7 @@ static const JSFunctionSpec DebuggerObject_methods[] = {
     JS_FN("makeDebuggeeValue", DebuggerObject_makeDebuggeeValue, 1, 0),
     JS_FN("executeInGlobal", DebuggerObject_executeInGlobal, 1, 0),
     JS_FN("executeInGlobalWithBindings", DebuggerObject_executeInGlobalWithBindings, 2, 0),
+    JS_FN("asEnvironment", DebuggerObject_asEnvironment, 0, 0),
     JS_FN("unwrap", DebuggerObject_unwrap, 0, 0),
     JS_FN("unsafeDereference", DebuggerObject_unsafeDereference, 0, 0),
     JS_FS_END
diff --git a/js/src/vm/ScopeObject.cpp b/js/src/vm/ScopeObject.cpp
index e926f23baeb8..27296c4409e4 100644
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -2859,6 +2859,13 @@ js::GetDebugScopeForFrame(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc)
     return GetDebugScope(cx, si);
 }
 
+JSObject*
+js::GetDebugScopeForGlobalLexicalScope(JSContext* cx)
+{
+    ScopeIter si(cx, &cx->global()->lexicalScope(), &cx->global()->lexicalScope().staticBlock());
+    return GetDebugScope(cx, si);
+}
+
 // See declaration and documentation in jsfriendapi.h
 JS_FRIEND_API(JSObject*)
 js::GetNearestEnclosingWithScopeObjectForFunction(JSFunction* fun)
diff --git a/js/src/vm/ScopeObject.h b/js/src/vm/ScopeObject.h
index b93c15351739..75af4708a239 100644
--- a/js/src/vm/ScopeObject.h
+++ b/js/src/vm/ScopeObject.h
@@ -1109,13 +1109,13 @@ class LiveScopeVal
  * now incomplete: it may not contain all, or any, of the ScopeObjects to
  * represent the current scope.
  *
- * To resolve this, the debugger first calls GetDebugScopeFor(Function|Frame)
- * to synthesize a "debug scope chain". A debug scope chain is just a chain of
- * objects that fill in missing scopes and protect the engine from unexpected
- * access. (The latter means that some debugger operations, like redefining a
- * lexical binding, can fail when a true eval would succeed.) To do both of
- * these things, GetDebugScopeFor* creates a new proxy DebugScopeObject to sit
- * in front of every existing ScopeObject.
+ * To resolve this, the debugger first calls GetDebugScopeFor* to synthesize a
+ * "debug scope chain". A debug scope chain is just a chain of objects that
+ * fill in missing scopes and protect the engine from unexpected access. (The
+ * latter means that some debugger operations, like redefining a lexical
+ * binding, can fail when a true eval would succeed.) To do both of these
+ * things, GetDebugScopeFor* creates a new proxy DebugScopeObject to sit in
+ * front of every existing ScopeObject.
  *
  * GetDebugScopeFor* ensures the invariant that the same DebugScopeObject is
  * always produced for the same underlying scope (optimized or not!). This is
@@ -1128,6 +1128,9 @@ GetDebugScopeForFunction(JSContext* cx, HandleFunction fun);
 extern JSObject*
 GetDebugScopeForFrame(JSContext* cx, AbstractFramePtr frame, jsbytecode* pc);
 
+extern JSObject*
+GetDebugScopeForGlobalLexicalScope(JSContext* cx);
+
 /* Provides debugger access to a scope. */
 class DebugScopeObject : public ProxyObject
 {
diff --git a/layout/base/RestyleManager.cpp b/layout/base/RestyleManager.cpp
index d1336f73fdee..9adf7c9c5a4c 100644
--- a/layout/base/RestyleManager.cpp
+++ b/layout/base/RestyleManager.cpp
@@ -4051,7 +4051,7 @@ ElementRestyler::RestyleSelf(nsIFrame* aSelf,
       for (nsStyleStructID sid = nsStyleStructID(0);
            sid < nsStyleStructID_Length;
            sid = nsStyleStructID(sid + 1)) {
-        if (oldContext->HasCachedInheritedStyleData(sid) &&
+        if (oldContext->HasCachedDependentStyleData(sid) &&
             !(samePointerStructs & nsCachedStyleData::GetBitForSID(sid))) {
           LOG_RESTYLE_CONTINUE("there are different struct pointers");
           result = eRestyleResult_Continue;
diff --git a/layout/base/nsCSSRendering.cpp b/layout/base/nsCSSRendering.cpp
index becad2136e86..9f42c6ba1342 100644
--- a/layout/base/nsCSSRendering.cpp
+++ b/layout/base/nsCSSRendering.cpp
@@ -872,8 +872,8 @@ nsCSSRendering::PaintOutline(nsPresContext* aPresContext,
   RectCornerRadii outlineRadii;
   ComputePixelRadii(twipsRadii, twipsPerPixel, &outlineRadii);
 
-  if (nsLayoutUtils::IsOutlineStyleAutoEnabled()) {
-    if (outlineStyle == NS_STYLE_BORDER_STYLE_AUTO) {
+  if (outlineStyle == NS_STYLE_BORDER_STYLE_AUTO) {
+    if (nsLayoutUtils::IsOutlineStyleAutoEnabled()) {
       nsITheme* theme = aPresContext->GetTheme();
       if (theme && theme->ThemeSupportsWidget(aPresContext, aForFrame,
                                               NS_THEME_FOCUS_OUTLINE)) {
@@ -881,13 +881,14 @@ nsCSSRendering::PaintOutline(nsPresContext* aPresContext,
                                     NS_THEME_FOCUS_OUTLINE, innerRect,
                                     aDirtyRect);
         return;
-      } else if (width == 0) {
-        return; // empty outline
       }
-      // http://dev.w3.org/csswg/css-ui/#outline
-      // "User agents may treat 'auto' as 'solid'."
-      outlineStyle = NS_STYLE_BORDER_STYLE_SOLID;
     }
+    if (width == 0) {
+      return; // empty outline
+    }
+    // http://dev.w3.org/csswg/css-ui/#outline
+    // "User agents may treat 'auto' as 'solid'."
+    outlineStyle = NS_STYLE_BORDER_STYLE_SOLID;
   }
 
   uint8_t outlineStyles[4] = { outlineStyle, outlineStyle,
@@ -1605,11 +1606,15 @@ nsCSSRendering::PaintBoxShadowInner(nsPresContext* aPresContext,
 
     nsContextBoxBlur insetBoxBlur;
     gfxRect destRect = nsLayoutUtils::RectToGfxRect(shadowPaintRect, twipsPerPixel);
+    Point shadowOffset(shadowItem->mXOffset / twipsPerPixel,
+                       shadowItem->mYOffset / twipsPerPixel);
+
     insetBoxBlur.InsetBoxBlur(renderContext, ToRect(destRect),
                               shadowClipGfxRect, shadowColor,
                               blurRadius, spreadDistanceAppUnits,
                               twipsPerPixel, hasBorderRadius,
-                              clipRectRadii, ToRect(skipGfxRect));
+                              clipRectRadii, ToRect(skipGfxRect),
+                              shadowOffset);
     renderContext->Restore();
   }
 }
@@ -5543,7 +5548,7 @@ nsContextBoxBlur::InsetBoxBlur(gfxContext* aDestinationCtx,
                                int32_t aAppUnitsPerDevPixel,
                                bool aHasBorderRadius,
                                RectCornerRadii& aInnerClipRectRadii,
-                               Rect aSkipRect)
+                               Rect aSkipRect, Point aShadowOffset)
 {
   if (aDestinationRect.IsEmpty()) {
     mContext = nullptr;
@@ -5585,9 +5590,9 @@ nsContextBoxBlur::InsetBoxBlur(gfxContext* aDestinationCtx,
     mAlphaBoxBlur.BlurInsetBox(aDestinationCtx, transformedDestRect,
                                transformedShadowClipRect,
                                blurRadius, spreadRadius,
-                               aShadowColor,
-                               aHasBorderRadius,
-                               aInnerClipRectRadii, transformedSkipRect);
+                               aShadowColor, aHasBorderRadius,
+                               aInnerClipRectRadii, transformedSkipRect,
+                               aShadowOffset);
   }
   return true;
 }
diff --git a/layout/base/nsCSSRendering.h b/layout/base/nsCSSRendering.h
index 14aaf171652c..302174d8730e 100644
--- a/layout/base/nsCSSRendering.h
+++ b/layout/base/nsCSSRendering.h
@@ -982,7 +982,8 @@ public:
                     int32_t aAppUnitsPerDevPixel,
                     bool aHasBorderRadius,
                     RectCornerRadii& aInnerClipRectRadii,
-                    mozilla::gfx::Rect aSkipRect);
+                    mozilla::gfx::Rect aSkipRect,
+                    mozilla::gfx::Point aShadowOffset);
 
 protected:
   static void GetBlurAndSpreadRadius(gfxContext* aContext,
diff --git a/layout/base/nsDisplayList.cpp b/layout/base/nsDisplayList.cpp
index c0d35ba30830..ef68579d77c5 100644
--- a/layout/base/nsDisplayList.cpp
+++ b/layout/base/nsDisplayList.cpp
@@ -4680,7 +4680,7 @@ nsDisplayTransform::nsDisplayTransform(nsDisplayListBuilder* aBuilder,
   , mChildrenVisibleRect(aChildrenVisibleRect)
   , mIndex(aIndex)
   , mNoExtendContext(false)
-  , mHasPresetTransform(false)
+  , mIsTransformSeparator(false)
   , mTransformPreserves3DInited(false)
 {
   MOZ_COUNT_CTOR(nsDisplayTransform);
@@ -4701,6 +4701,7 @@ nsDisplayTransform::SetReferenceFrameToAncestor(nsDisplayListBuilder* aBuilder)
 void
 nsDisplayTransform::Init(nsDisplayListBuilder* aBuilder)
 {
+  mHasBounds = false;
   mStoredList.SetClip(aBuilder, DisplayItemClip::NoClip());
   mStoredList.SetVisibleRect(mChildrenVisibleRect);
   mMaybePrerender = ShouldPrerenderTransformedContent(aBuilder, mFrame);
@@ -4727,13 +4728,14 @@ nsDisplayTransform::nsDisplayTransform(nsDisplayListBuilder* aBuilder,
   , mChildrenVisibleRect(aChildrenVisibleRect)
   , mIndex(aIndex)
   , mNoExtendContext(false)
-  , mHasPresetTransform(false)
+  , mIsTransformSeparator(false)
   , mTransformPreserves3DInited(false)
 {
   MOZ_COUNT_CTOR(nsDisplayTransform);
   MOZ_ASSERT(aFrame, "Must have a frame!");
   SetReferenceFrameToAncestor(aBuilder);
   Init(aBuilder);
+  UpdateBoundsFor3D(aBuilder);
 }
 
 nsDisplayTransform::nsDisplayTransform(nsDisplayListBuilder* aBuilder,
@@ -4746,7 +4748,7 @@ nsDisplayTransform::nsDisplayTransform(nsDisplayListBuilder* aBuilder,
   , mChildrenVisibleRect(aChildrenVisibleRect)
   , mIndex(aIndex)
   , mNoExtendContext(false)
-  , mHasPresetTransform(false)
+  , mIsTransformSeparator(false)
   , mTransformPreserves3DInited(false)
 {
   MOZ_COUNT_CTOR(nsDisplayTransform);
@@ -4767,12 +4769,13 @@ nsDisplayTransform::nsDisplayTransform(nsDisplayListBuilder* aBuilder,
   , mChildrenVisibleRect(aChildrenVisibleRect)
   , mIndex(aIndex)
   , mNoExtendContext(false)
-  , mHasPresetTransform(true)
+  , mIsTransformSeparator(true)
   , mTransformPreserves3DInited(false)
 {
   MOZ_COUNT_CTOR(nsDisplayTransform);
   MOZ_ASSERT(aFrame, "Must have a frame!");
   Init(aBuilder);
+  UpdateBoundsFor3D(aBuilder);
 }
 
 /* Returns the delta specified by the transform-origin property.
@@ -5276,7 +5279,7 @@ nsDisplayTransform::GetTransform()
     if (mTransformGetter) {
       mTransform = mTransformGetter(mFrame, scale);
       mTransform.ChangeBasis(newOrigin.x, newOrigin.y, newOrigin.z);
-    } else if (!mHasPresetTransform) {
+    } else if (!mIsTransformSeparator) {
       bool isReference =
         mFrame->IsTransformed() ||
         mFrame->Combines3DTransformWithAncestors() || mFrame->Extend3DContext();
@@ -5538,8 +5541,36 @@ nsDisplayTransform::GetHitDepthAtPoint(nsDisplayListBuilder* aBuilder, const nsP
 /* The bounding rectangle for the object is the overflow rectangle translated
  * by the reference point.
  */
-nsRect nsDisplayTransform::GetBounds(nsDisplayListBuilder *aBuilder, bool* aSnap)
+nsRect
+nsDisplayTransform::GetBounds(nsDisplayListBuilder* aBuilder, bool* aSnap)
 {
+  *aSnap = false;
+
+  if (mHasBounds) {
+    return mBounds;
+  }
+
+  if (mFrame->Extend3DContext()) {
+    return nsRect();
+  }
+
+  nsRect untransformedBounds = MaybePrerender() ?
+    mFrame->GetVisualOverflowRectRelativeToSelf() :
+    mStoredList.GetBounds(aBuilder, aSnap);
+  // GetTransform always operates in dev pixels.
+  float factor = mFrame->PresContext()->AppUnitsPerDevPixel();
+  mBounds = nsLayoutUtils::MatrixTransformRect(untransformedBounds,
+                                               GetTransform(),
+                                               factor);
+  mHasBounds = true;
+  return mBounds;
+}
+
+void
+nsDisplayTransform::ComputeBounds(nsDisplayListBuilder* aBuilder)
+{
+  MOZ_ASSERT(mFrame->Extend3DContext() || IsLeafOf3DContext());
+
   /* For some cases, the transform would make an empty bounds, but it
    * may be turned back again to get a non-empty bounds.  We should
    * not depend on transforming bounds level by level.
@@ -5549,27 +5580,22 @@ nsRect nsDisplayTransform::GetBounds(nsDisplayListBuilder *aBuilder, bool* aSnap
    * nsDisplayListBuilder.
    */
   nsDisplayListBuilder::AutoAccumulateTransform accTransform(aBuilder);
-  Maybe<nsDisplayListBuilder::AutoAccumulateRect> accRect;
-  bool startPreserves3D =
-    mFrame->Extend3DContext() && !mFrame->Combines3DTransformWithAncestors();
-
-  if (!mFrame->Combines3DTransformWithAncestors()) {
-    accTransform.StartRoot();
-  }
 
   accTransform.Accumulate(GetTransform());
-  if (startPreserves3D) {
-    accRect.emplace(aBuilder);
+
+  if (!IsLeafOf3DContext()) {
+    // Do not dive into another 3D context.
+    mStoredList.DoUpdateBoundsPreserves3D(aBuilder);
   }
 
   /* For Preserves3D, it is bounds of only children as leaf frames.
    * For non-leaf frames, their bounds are accumulated and kept at
    * nsDisplayListBuilder.
    */
+  bool snap;
   nsRect untransformedBounds = MaybePrerender() ?
     mFrame->GetVisualOverflowRectRelativeToSelf() :
-    mStoredList.GetBounds(aBuilder, aSnap);
-  *aSnap = false;
+    mStoredList.GetBounds(aBuilder, &snap);
   // GetTransform always operates in dev pixels.
   float factor = mFrame->PresContext()->AppUnitsPerDevPixel();
   nsRect rect =
@@ -5577,22 +5603,7 @@ nsRect nsDisplayTransform::GetBounds(nsDisplayListBuilder *aBuilder, bool* aSnap
                                        accTransform.GetCurrentTransform(),
                                        factor);
 
-  if (mFrame->Combines3DTransformWithAncestors()) {
-    if (!mFrame->Extend3DContext() &&
-        !aBuilder->GetAccumulatedRectLevels()) {
-      // For preserve-3d, only leaf frames and frames start
-      // preserve-3d chain have non-empty bounds.
-      return rect;
-    }
-    aBuilder->AccumulateRect(rect);
-    return nsRect();
-  }
-
-  if (startPreserves3D) {
-    rect.UnionRect(rect, aBuilder->GetAccumulatedRect());
-  }
-
-  return rect;
+  aBuilder->AccumulateRect(rect);
 }
 
 /* The transform is opaque iff the transform consists solely of scales and
diff --git a/layout/base/nsDisplayList.h b/layout/base/nsDisplayList.h
index f415be752b4d..b4f3fc94c9f1 100644
--- a/layout/base/nsDisplayList.h
+++ b/layout/base/nsDisplayList.h
@@ -843,6 +843,10 @@ public:
   const nsRect& GetAccumulatedRect() {
     return mPreserves3DCtx.mAccumulatedRect;
   }
+  /**
+   * The level is increased by one for items establishing 3D rendering
+   * context and starting a new accumulation.
+   */
   int GetAccumulatedRectLevels() {
     return mPreserves3DCtx.mAccumulatedRectLevels;
   }
@@ -1109,7 +1113,7 @@ private:
     }
 
     PLDHashNumber Hash() const {
-      return mozilla::HashBytes(this, sizeof(this));
+      return mozilla::HashBytes(this, sizeof(*this));
     }
 
     bool operator==(const AnimatedGeometryRootLookup& aOther) const {
@@ -1606,6 +1610,21 @@ public:
    */
   virtual nsDisplayList* GetSameCoordinateSystemChildren() { return nullptr; }
   virtual void UpdateBounds(nsDisplayListBuilder* aBuilder) {}
+  /**
+   * Do UpdateBounds() for items with frames establishing or extending
+   * 3D rendering context.
+   *
+   * This function is called by UpdateBoundsFor3D() of
+   * nsDisplayTransform(), and it is called by
+   * BuildDisplayListForStackingContext() on transform items
+   * establishing 3D rendering context.
+   *
+   * The bounds of a transform item with the frame establishing 3D
+   * rendering context should be computed by calling
+   * DoUpdateBoundsPreserves3D() on all descendants that participate
+   * the same 3d rendering context.
+   */
+  virtual void DoUpdateBoundsPreserves3D(nsDisplayListBuilder* aBuilder) {}
 
   /**
    * If this has a child list, return it, even if the children are in
@@ -3617,13 +3636,18 @@ class nsDisplayTransform: public nsDisplayItem
       nsDisplayWrapList(aBuilder, aFrame, aItem) {}
     virtual ~StoreList() {}
 
-    virtual void UpdateBounds(nsDisplayListBuilder* aBuilder) override {}
-    virtual nsRect GetBounds(nsDisplayListBuilder* aBuilder,
-                             bool* aSnap) override {
-      // The bounds should not be computed until now, because we don't
-      // get accmulated transform before.
+    virtual void UpdateBounds(nsDisplayListBuilder* aBuilder) override {
+      // For extending 3d rendering context, the bounds would be
+      // updated by DoUpdateBoundsPreserves3D(), not here.
+      if (!mFrame->Extend3DContext()) {
+        nsDisplayWrapList::UpdateBounds(aBuilder);
+      }
+    }
+    virtual void DoUpdateBoundsPreserves3D(nsDisplayListBuilder* aBuilder) override {
+      for (nsDisplayItem *i = mList.GetBottom(); i; i = i->GetAbove()) {
+        i->DoUpdateBoundsPreserves3D(aBuilder);
+      }
       nsDisplayWrapList::UpdateBounds(aBuilder);
-      return nsDisplayWrapList::GetBounds(aBuilder, aSnap);
     }
   };
 
@@ -3865,7 +3889,54 @@ public:
   // See nsIFrame::BuildDisplayListForStackingContext()
   void SetNoExtendContext() { mNoExtendContext = true; }
 
+  virtual void DoUpdateBoundsPreserves3D(nsDisplayListBuilder* aBuilder) override {
+    MOZ_ASSERT(mFrame->Combines3DTransformWithAncestors() ||
+               IsTransformSeparator());
+    // Updating is not going through to child 3D context.
+    ComputeBounds(aBuilder);
+  }
+
+  /**
+   * This function updates bounds for items with a frame establishing
+   * 3D rendering context.
+   *
+   * \see nsDisplayItem::DoUpdateBoundsPreserves3D()
+   */
+  void UpdateBoundsFor3D(nsDisplayListBuilder* aBuilder) {
+    if (!mFrame->Extend3DContext() ||
+        mFrame->Combines3DTransformWithAncestors() ||
+        IsTransformSeparator()) {
+      // Not an establisher of a 3D rendering context.
+      return;
+    }
+    // Always start updating from an establisher of a 3D rendering context.
+
+    nsDisplayListBuilder::AutoAccumulateRect accRect(aBuilder);
+    nsDisplayListBuilder::AutoAccumulateTransform accTransform(aBuilder);
+    accTransform.StartRoot();
+    ComputeBounds(aBuilder);
+    mBounds = aBuilder->GetAccumulatedRect();
+    mHasBounds = true;
+  }
+
+  /**
+   * This item is an additional item as the boundary between parent
+   * and child 3D rendering context.
+   * \see nsIFrame::BuildDisplayListForStackingContext().
+   */
+  bool IsTransformSeparator() { return mIsTransformSeparator; }
+  /**
+   * This item is the boundary between parent and child 3D rendering
+   * context.
+   */
+  bool IsLeafOf3DContext() {
+    return (IsTransformSeparator() ||
+            (!mFrame->Extend3DContext() &&
+             mFrame->Combines3DTransformWithAncestors()));
+  }
+
 private:
+  void ComputeBounds(nsDisplayListBuilder* aBuilder);
   void SetReferenceFrameToAncestor(nsDisplayListBuilder* aBuilder);
   void Init(nsDisplayListBuilder* aBuilder);
 
@@ -3884,6 +3955,9 @@ private:
   ComputeTransformFunction mTransformGetter;
   nsRect mChildrenVisibleRect;
   uint32_t mIndex;
+  nsRect mBounds;
+  // True for mBounds is valid.
+  bool mHasBounds;
   // We wont know if we pre-render until the layer building phase where we can
   // check layers will-change budget.
   bool mMaybePrerender;
@@ -3894,8 +3968,9 @@ private:
   // the child preserves3d context doesn't create a transform item.
   // With this flags, we force the item not extending 3D context.
   bool mNoExtendContext;
+  // This item is a separator between 3D rendering contexts, and
   // mTransform have been presetted by the constructor.
-  bool mHasPresetTransform;
+  bool mIsTransformSeparator;
   // True if mTransformPreserves3D have been initialized.
   bool mTransformPreserves3DInited;
 };
diff --git a/layout/base/nsDocumentViewer.cpp b/layout/base/nsDocumentViewer.cpp
index d2de23fe9115..605ac73c9fcf 100644
--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@@ -2176,7 +2176,7 @@ static bool
 AppendAgentSheet(nsIStyleSheet *aSheet, void *aData)
 {
   nsStyleSet *styleSet = static_cast<nsStyleSet*>(aData);
-  styleSet->AppendStyleSheet(nsStyleSet::eAgentSheet, aSheet);
+  styleSet->AppendStyleSheet(SheetType::Agent, aSheet);
   return true;
 }
 
@@ -2184,7 +2184,7 @@ static bool
 PrependUserSheet(nsIStyleSheet *aSheet, void *aData)
 {
   nsStyleSet *styleSet = static_cast<nsStyleSet*>(aData);
-  styleSet->PrependStyleSheet(nsStyleSet::eUserSheet, aSheet);
+  styleSet->PrependStyleSheet(SheetType::User, aSheet);
   return true;
 }
 
@@ -2227,7 +2227,7 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
   }
 
   if (sheet)
-    styleSet->AppendStyleSheet(nsStyleSet::eUserSheet, sheet);
+    styleSet->AppendStyleSheet(SheetType::User, sheet);
 
   // Append chrome sheets (scrollbars + forms).
   bool shouldOverride = false;
@@ -2263,7 +2263,7 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
           cssLoader->LoadSheetSync(uri, getter_AddRefs(csssheet));
           if (!csssheet) continue;
 
-          styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, csssheet);
+          styleSet->PrependStyleSheet(SheetType::Agent, csssheet);
           shouldOverride = true;
         }
         free(str);
@@ -2274,7 +2274,7 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
   if (!shouldOverride) {
     sheet = nsLayoutStylesheetCache::ScrollbarsSheet();
     if (sheet) {
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
   }
 
@@ -2290,12 +2290,12 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
 
     sheet = nsLayoutStylesheetCache::NumberControlSheet();
     if (sheet) {
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
 
     sheet = nsLayoutStylesheetCache::FormsSheet();
     if (sheet) {
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
 
     if (aDocument->LoadsFullXULStyleSheetUpFront()) {
@@ -2303,7 +2303,7 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
       // up-front here.
       sheet = nsLayoutStylesheetCache::XULSheet();
       if (sheet) {
-        styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+        styleSet->PrependStyleSheet(SheetType::Agent, sheet);
       }
     }
 
@@ -2311,25 +2311,25 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
     if (sheet) {
       // Load the minimal XUL rules for scrollbars and a few other XUL things
       // that non-XUL (typically HTML) documents commonly use.
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
 
     sheet = nsLayoutStylesheetCache::CounterStylesSheet();
     if (sheet) {
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
 
     if (nsLayoutUtils::ShouldUseNoScriptSheet(aDocument)) {
       sheet = nsLayoutStylesheetCache::NoScriptSheet();
       if (sheet) {
-        styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+        styleSet->PrependStyleSheet(SheetType::Agent, sheet);
       }
     }
 
     if (nsLayoutUtils::ShouldUseNoFramesSheet(aDocument)) {
       sheet = nsLayoutStylesheetCache::NoFramesSheet();
       if (sheet) {
-        styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+        styleSet->PrependStyleSheet(SheetType::Agent, sheet);
       }
     }
 
@@ -2338,16 +2338,16 @@ nsDocumentViewer::CreateStyleSet(nsIDocument* aDocument,
 
     sheet = nsLayoutStylesheetCache::HTMLSheet();
     if (sheet) {
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
 
-    styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet,
+    styleSet->PrependStyleSheet(SheetType::Agent,
                                 nsLayoutStylesheetCache::UASheet());
   } else {
     // SVG documents may have scrollbars and need the scrollbar styling.
     sheet = nsLayoutStylesheetCache::MinimalXULSheet();
     if (sheet) {
-      styleSet->PrependStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->PrependStyleSheet(SheetType::Agent, sheet);
     }
   }
 
diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
index 6bd0eeb4fd18..d34bc08737d0 100644
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -932,80 +932,74 @@ GetDisplayPortFromMarginsData(nsIContent* aContent,
   nsRect expandedScrollableRect =
     nsLayoutUtils::CalculateExpandedScrollableRect(frame);
 
-  if (gfxPrefs::LayersTilesEnabled()) {
-    // Note on the correctness of applying the alignment in Screen space:
-    //   The correct space to apply the alignment in would be Layer space, but
-    //   we don't necessarily know the scale to convert to Layer space at this
-    //   point because Layout may not yet have chosen the resolution at which to
-    //   render (it chooses that in FrameLayerBuilder, but this can be called
-    //   during display list building). Therefore, we perform the alignment in
-    //   Screen space, which basically assumes that Layout chose to render at
-    //   screen resolution; since this is what Layout does most of the time,
-    //   this is a good approximation. A proper solution would involve moving
-    //   the choosing of the resolution to display-list building time.
-    int alignmentX = gfxPlatform::GetPlatform()->GetTileWidth();
-    int alignmentY = gfxPlatform::GetPlatform()->GetTileHeight();
 
+  // Note on the correctness of applying the alignment in Screen space:
+  //   The correct space to apply the alignment in would be Layer space, but
+  //   we don't necessarily know the scale to convert to Layer space at this
+  //   point because Layout may not yet have chosen the resolution at which to
+  //   render (it chooses that in FrameLayerBuilder, but this can be called
+  //   during display list building). Therefore, we perform the alignment in
+  //   Screen space, which basically assumes that Layout chose to render at
+  //   screen resolution; since this is what Layout does most of the time,
+  //   this is a good approximation. A proper solution would involve moving
+  //   the choosing of the resolution to display-list building time.
+  ScreenSize alignment;
+
+  if (gfxPrefs::LayersTilesEnabled()) {
+    alignment = ScreenSize(gfxPlatform::GetPlatform()->GetTileWidth(),
+                           gfxPlatform::GetPlatform()->GetTileHeight());
+  } else {
+    // If we're not drawing with tiles then we need to be careful about not
+    // hitting the max texture size and we only need 1 draw call per layer
+    // so we can align to a smaller multiple.
+    alignment = ScreenSize(128, 128);
+  }
+
+  // Avoid division by zero.
+  if (alignment.width == 0) {
+    alignment.width = 128;
+  }
+  if (alignment.height == 0) {
+    alignment.height = 128;
+  }
+
+  if (gfxPrefs::LayersTilesEnabled()) {
     // Expand the rect by the margins
     screenRect.Inflate(aMarginsData->mMargins);
-
-    // Inflate the rectangle by 1 so that we always push to the next tile
-    // boundary. This is desirable to stop from having a rectangle with a
-    // moving origin occasionally being smaller when it coincidentally lines
-    // up to tile boundaries.
-    screenRect.Inflate(1);
-
-    // Avoid division by zero.
-    if (alignmentX == 0) {
-      alignmentX = 1;
-    }
-    if (alignmentY == 0) {
-      alignmentY = 1;
-    }
-
-    ScreenPoint scrollPosScreen = LayoutDevicePoint::FromAppUnits(scrollPos, auPerDevPixel)
-                                * res;
-
-    screenRect += scrollPosScreen;
-    // Round-out the display port to the nearest alignment (tiles)
-    float x = alignmentX * floor(screenRect.x / alignmentX);
-    float y = alignmentY * floor(screenRect.y / alignmentY);
-    float w = alignmentX * ceil(screenRect.width / alignmentX + 1);
-    float h = alignmentY * ceil(screenRect.height / alignmentY + 1);
-    screenRect = ScreenRect(x, y, w, h);
-    screenRect -= scrollPosScreen;
-
-    ScreenRect screenExpScrollableRect =
-      LayoutDeviceRect::FromAppUnits(expandedScrollableRect,
-                                     auPerDevPixel) * res;
-
-    // Make sure the displayport remains within the scrollable rect.
-    screenRect = screenRect.ForceInside(screenExpScrollableRect - scrollPosScreen);
   } else {
-    nscoord maxSizeInAppUnits = GetMaxDisplayPortSize(aContent);
-    if (maxSizeInAppUnits == nscoord_MAX) {
+    // Calculate the displayport to make sure we fit within the max texture size
+    // when not tiling.
+    nscoord maxSizeAppUnits = GetMaxDisplayPortSize(aContent);
+    if (maxSizeAppUnits == nscoord_MAX) {
       // Pick a safe maximum displayport size for sanity purposes. This is the
       // lowest maximum texture size on tileless-platforms (Windows, D3D10).
-      maxSizeInAppUnits = presContext->DevPixelsToAppUnits(8192);
+      maxSizeAppUnits = presContext->DevPixelsToAppUnits(8192);
     }
 
+    // The alignment code can round up to 3 tiles, we want to make sure
+    // that the displayport can grow by up to 3 tiles without going
+    // over the max texture size.
+    const int MAX_ALIGN_ROUNDING = 3;
+
     // Find the maximum size in screen pixels.
-    int32_t maxSizeInDevPixels = presContext->AppUnitsToDevPixels(maxSizeInAppUnits);
-    int32_t maxWidthInScreenPixels = floor(double(maxSizeInDevPixels) * res.xScale);
-    int32_t maxHeightInScreenPixels = floor(double(maxSizeInDevPixels) * res.yScale);
+    int32_t maxSizeDevPx = presContext->AppUnitsToDevPixels(maxSizeAppUnits);
+    int32_t maxWidthScreenPx = floor(double(maxSizeDevPx) * res.xScale) -
+      MAX_ALIGN_ROUNDING * alignment.width;
+    int32_t maxHeightScreenPx = floor(double(maxSizeDevPx) * res.yScale) -
+      MAX_ALIGN_ROUNDING * alignment.height;
 
     // For each axis, inflate the margins up to the maximum size.
     const ScreenMargin& margins = aMarginsData->mMargins;
-    if (screenRect.height < maxHeightInScreenPixels) {
-      int32_t budget = maxHeightInScreenPixels - screenRect.height;
+    if (screenRect.height < maxHeightScreenPx) {
+      int32_t budget = maxHeightScreenPx - screenRect.height;
 
       float top = std::min(margins.top, float(budget));
       float bottom = std::min(margins.bottom, budget - top);
       screenRect.y -= top;
       screenRect.height += top + bottom;
     }
-    if (screenRect.width < maxWidthInScreenPixels) {
-      int32_t budget = maxWidthInScreenPixels - screenRect.width;
+    if (screenRect.width < maxWidthScreenPx) {
+      int32_t budget = maxWidthScreenPx - screenRect.width;
 
       float left = std::min(margins.left, float(budget));
       float right = std::min(margins.right, budget - left);
@@ -1014,6 +1008,31 @@ GetDisplayPortFromMarginsData(nsIContent* aContent,
     }
   }
 
+  // Inflate the rectangle by 1 so that we always push to the next tile
+  // boundary. This is desirable to stop from having a rectangle with a
+  // moving origin occasionally being smaller when it coincidentally lines
+  // up to tile boundaries.
+  screenRect.Inflate(1);
+
+  ScreenPoint scrollPosScreen = LayoutDevicePoint::FromAppUnits(scrollPos, auPerDevPixel)
+                              * res;
+
+  // Round-out the display port to the nearest alignment (tiles)
+  screenRect += scrollPosScreen;
+  float x = alignment.width * floor(screenRect.x / alignment.width);
+  float y = alignment.height * floor(screenRect.y / alignment.height);
+  float w = alignment.width * ceil(screenRect.width / alignment.width + 1);
+  float h = alignment.height * ceil(screenRect.height / alignment.height + 1);
+  screenRect = ScreenRect(x, y, w, h);
+  screenRect -= scrollPosScreen;
+
+  ScreenRect screenExpScrollableRect =
+    LayoutDeviceRect::FromAppUnits(expandedScrollableRect,
+                                   auPerDevPixel) * res;
+
+  // Make sure the displayport remains within the scrollable rect.
+  screenRect = screenRect.ForceInside(screenExpScrollableRect - scrollPosScreen);
+
   // Convert the aligned rect back into app units.
   nsRect result = LayoutDeviceRect::ToAppUnits(screenRect / res, auPerDevPixel);
 
diff --git a/layout/base/nsPresContext.cpp b/layout/base/nsPresContext.cpp
index f23dfc968e63..ab20ab864e75 100644
--- a/layout/base/nsPresContext.cpp
+++ b/layout/base/nsPresContext.cpp
@@ -1381,11 +1381,11 @@ nsPresContext::CompatibilityModeChanged()
   if (needsQuirkSheet) {
     // quirk.css needs to come after html.css; we just keep it at the end.
     DebugOnly<nsresult> rv =
-      styleSet->AppendStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->AppendStyleSheet(SheetType::Agent, sheet);
     NS_WARN_IF_FALSE(NS_SUCCEEDED(rv), "failed to insert quirk.css");
   } else {
     DebugOnly<nsresult> rv =
-      styleSet->RemoveStyleSheet(nsStyleSet::eAgentSheet, sheet);
+      styleSet->RemoveStyleSheet(SheetType::Agent, sheet);
     NS_WARN_IF_FALSE(NS_SUCCEEDED(rv), "failed to remove quirk.css");
   }
 
diff --git a/layout/base/nsPresShell.cpp b/layout/base/nsPresShell.cpp
index 32b93a0ae748..3eea5617434d 100644
--- a/layout/base/nsPresShell.cpp
+++ b/layout/base/nsPresShell.cpp
@@ -1409,7 +1409,7 @@ PresShell::UpdatePreferenceStyles()
 
   RemovePreferenceStyles();
 
-  mStyleSet->AppendStyleSheet(nsStyleSet::eUserSheet, newPrefSheet);
+  mStyleSet->AppendStyleSheet(SheetType::User, newPrefSheet);
   mPrefStyleSheet = newPrefSheet;
 
   mStyleSet->EndUpdate();
@@ -1419,7 +1419,7 @@ void
 PresShell::RemovePreferenceStyles()
 {
   if (mPrefStyleSheet) {
-    mStyleSet->RemoveStyleSheet(nsStyleSet::eUserSheet, mPrefStyleSheet);
+    mStyleSet->RemoveStyleSheet(SheetType::User, mPrefStyleSheet);
     mPrefStyleSheet = nullptr;
   }
 }
@@ -1443,13 +1443,13 @@ PresShell::AddUserSheet(nsISupports* aSheet)
   // Iterate forwards when removing so the searches for RemoveStyleSheet are as
   // short as possible.
   for (i = 0; i < userSheets.Count(); ++i) {
-    mStyleSet->RemoveStyleSheet(nsStyleSet::eUserSheet, userSheets[i]);
+    mStyleSet->RemoveStyleSheet(SheetType::User, userSheets[i]);
   }
 
   // Now iterate backwards, so that the order of userSheets will be the same as
   // the order of sheets from it in the style set.
   for (i = userSheets.Count() - 1; i >= 0; --i) {
-    mStyleSet->PrependStyleSheet(nsStyleSet::eUserSheet, userSheets[i]);
+    mStyleSet->PrependStyleSheet(SheetType::User, userSheets[i]);
   }
 
   mStyleSet->EndUpdate();
@@ -1467,7 +1467,7 @@ PresShell::AddAgentSheet(nsISupports* aSheet)
     return;
   }
 
-  mStyleSet->AppendStyleSheet(nsStyleSet::eAgentSheet, sheet);
+  mStyleSet->AppendStyleSheet(SheetType::Agent, sheet);
   ReconstructStyleData();
 }
 
@@ -1483,16 +1483,16 @@ PresShell::AddAuthorSheet(nsISupports* aSheet)
   // added with the StyleSheetService.
   nsIStyleSheet* firstAuthorSheet = mDocument->FirstAdditionalAuthorSheet();
   if (firstAuthorSheet) {
-    mStyleSet->InsertStyleSheetBefore(nsStyleSet::eDocSheet, sheet, firstAuthorSheet);
+    mStyleSet->InsertStyleSheetBefore(SheetType::Doc, sheet, firstAuthorSheet);
   } else {
-    mStyleSet->AppendStyleSheet(nsStyleSet::eDocSheet, sheet);
+    mStyleSet->AppendStyleSheet(SheetType::Doc, sheet);
   }
 
   ReconstructStyleData();
 }
 
 void
-PresShell::RemoveSheet(nsStyleSet::sheetType aType, nsISupports* aSheet)
+PresShell::RemoveSheet(SheetType aType, nsISupports* aSheet)
 {
   nsCOMPtr<nsIStyleSheet> sheet = do_QueryInterface(aSheet);
   if (!sheet) {
@@ -8665,10 +8665,10 @@ nsresult
 PresShell::GetAgentStyleSheets(nsCOMArray<nsIStyleSheet>& aSheets)
 {
   aSheets.Clear();
-  int32_t sheetCount = mStyleSet->SheetCount(nsStyleSet::eAgentSheet);
+  int32_t sheetCount = mStyleSet->SheetCount(SheetType::Agent);
 
   for (int32_t i = 0; i < sheetCount; ++i) {
-    nsIStyleSheet *sheet = mStyleSet->StyleSheetAt(nsStyleSet::eAgentSheet, i);
+    nsIStyleSheet *sheet = mStyleSet->StyleSheetAt(SheetType::Agent, i);
     if (!aSheets.AppendObject(sheet))
       return NS_ERROR_OUT_OF_MEMORY;
   }
@@ -8679,19 +8679,19 @@ PresShell::GetAgentStyleSheets(nsCOMArray<nsIStyleSheet>& aSheets)
 nsresult
 PresShell::SetAgentStyleSheets(const nsCOMArray<nsIStyleSheet>& aSheets)
 {
-  return mStyleSet->ReplaceSheets(nsStyleSet::eAgentSheet, aSheets);
+  return mStyleSet->ReplaceSheets(SheetType::Agent, aSheets);
 }
 
 nsresult
 PresShell::AddOverrideStyleSheet(nsIStyleSheet *aSheet)
 {
-  return mStyleSet->PrependStyleSheet(nsStyleSet::eOverrideSheet, aSheet);
+  return mStyleSet->PrependStyleSheet(SheetType::Override, aSheet);
 }
 
 nsresult
 PresShell::RemoveOverrideStyleSheet(nsIStyleSheet *aSheet)
 {
-  return mStyleSet->RemoveStyleSheet(nsStyleSet::eOverrideSheet, aSheet);
+  return mStyleSet->RemoveStyleSheet(SheetType::Override, aSheet);
 }
 
 static void
@@ -9437,17 +9437,17 @@ PresShell::Observe(nsISupports* aSubject,
   }
 
   if (!nsCRT::strcmp(aTopic, "agent-sheet-removed") && mStyleSet) {
-    RemoveSheet(nsStyleSet::eAgentSheet, aSubject);
+    RemoveSheet(SheetType::Agent, aSubject);
     return NS_OK;
   }
 
   if (!nsCRT::strcmp(aTopic, "user-sheet-removed") && mStyleSet) {
-    RemoveSheet(nsStyleSet::eUserSheet, aSubject);
+    RemoveSheet(SheetType::User, aSubject);
     return NS_OK;
   }
 
   if (!nsCRT::strcmp(aTopic, "author-sheet-removed") && mStyleSet) {
-    RemoveSheet(nsStyleSet::eDocSheet, aSubject);
+    RemoveSheet(SheetType::Doc, aSubject);
     return NS_OK;
   }
 
@@ -9790,35 +9790,35 @@ PresShell::CloneStyleSet(nsStyleSet* aSet)
 {
   nsStyleSet *clone = new nsStyleSet();
 
-  int32_t i, n = aSet->SheetCount(nsStyleSet::eOverrideSheet);
+  int32_t i, n = aSet->SheetCount(SheetType::Override);
   for (i = 0; i < n; i++) {
-    nsIStyleSheet* ss = aSet->StyleSheetAt(nsStyleSet::eOverrideSheet, i);
+    nsIStyleSheet* ss = aSet->StyleSheetAt(SheetType::Override, i);
     if (ss)
-      clone->AppendStyleSheet(nsStyleSet::eOverrideSheet, ss);
+      clone->AppendStyleSheet(SheetType::Override, ss);
   }
 
   // The document expects to insert document stylesheets itself
 #if 0
-  n = aSet->SheetCount(nsStyleSet::eDocSheet);
+  n = aSet->SheetCount(SheetType::Doc);
   for (i = 0; i < n; i++) {
-    nsIStyleSheet* ss = aSet->StyleSheetAt(nsStyleSet::eDocSheet, i);
+    nsIStyleSheet* ss = aSet->StyleSheetAt(SheetType::Doc, i);
     if (ss)
       clone->AddDocStyleSheet(ss, mDocument);
   }
 #endif
 
-  n = aSet->SheetCount(nsStyleSet::eUserSheet);
+  n = aSet->SheetCount(SheetType::User);
   for (i = 0; i < n; i++) {
-    nsIStyleSheet* ss = aSet->StyleSheetAt(nsStyleSet::eUserSheet, i);
+    nsIStyleSheet* ss = aSet->StyleSheetAt(SheetType::User, i);
     if (ss)
-      clone->AppendStyleSheet(nsStyleSet::eUserSheet, ss);
+      clone->AppendStyleSheet(SheetType::User, ss);
   }
 
-  n = aSet->SheetCount(nsStyleSet::eAgentSheet);
+  n = aSet->SheetCount(SheetType::Agent);
   for (i = 0; i < n; i++) {
-    nsIStyleSheet* ss = aSet->StyleSheetAt(nsStyleSet::eAgentSheet, i);
+    nsIStyleSheet* ss = aSet->StyleSheetAt(SheetType::Agent, i);
     if (ss)
-      clone->AppendStyleSheet(nsStyleSet::eAgentSheet, ss);
+      clone->AppendStyleSheet(SheetType::Agent, ss);
   }
   return clone;
 }
@@ -9947,9 +9947,9 @@ PresShell::ListStyleContexts(nsIFrame *aRootFrame, FILE *out, int32_t aIndent)
 void
 PresShell::ListStyleSheets(FILE *out, int32_t aIndent)
 {
-  int32_t sheetCount = mStyleSet->SheetCount(nsStyleSet::eDocSheet);
+  int32_t sheetCount = mStyleSet->SheetCount(SheetType::Doc);
   for (int32_t i = 0; i < sheetCount; ++i) {
-    mStyleSet->StyleSheetAt(nsStyleSet::eDocSheet, i)->List(out, aIndent);
+    mStyleSet->StyleSheetAt(SheetType::Doc, i)->List(out, aIndent);
     fputs("\n", out);
   }
 }
@@ -10930,16 +10930,16 @@ nsresult
 nsIPresShell::HasRuleProcessorUsedByMultipleStyleSets(uint32_t aSheetType,
                                                       bool* aRetVal)
 {
-  nsStyleSet::sheetType type;
+  SheetType type;
   switch (aSheetType) {
     case nsIStyleSheetService::AGENT_SHEET:
-      type = nsStyleSet::eAgentSheet;
+      type = SheetType::Agent;
       break;
     case nsIStyleSheetService::USER_SHEET:
-      type = nsStyleSet::eUserSheet;
+      type = SheetType::User;
       break;
     case nsIStyleSheetService::AUTHOR_SHEET:
-      type = nsStyleSet::eDocSheet;
+      type = SheetType::Doc;
       break;
     default:
       MOZ_ASSERT(false, "unexpected aSheetType value");
diff --git a/layout/base/nsPresShell.h b/layout/base/nsPresShell.h
index 052f1a90f23d..d099d25bd370 100644
--- a/layout/base/nsPresShell.h
+++ b/layout/base/nsPresShell.h
@@ -564,7 +564,7 @@ protected:
   void AddUserSheet(nsISupports* aSheet);
   void AddAgentSheet(nsISupports* aSheet);
   void AddAuthorSheet(nsISupports* aSheet);
-  void RemoveSheet(nsStyleSet::sheetType aType, nsISupports* aSheet);
+  void RemoveSheet(mozilla::SheetType aType, nsISupports* aSheet);
 
   // Hide a view if it is a popup
   void HideViewIfPopup(nsView* aView);
diff --git a/layout/generic/WritingModes.h b/layout/generic/WritingModes.h
index 9b7536743323..dd15b5e521a0 100644
--- a/layout/generic/WritingModes.h
+++ b/layout/generic/WritingModes.h
@@ -469,7 +469,7 @@ public:
         mWritingMode = eBlockFlowMask |
                        eLineOrientMask |
                        eOrientationMask;
-        uint8_t textOrientation = aStyleContext->StyleVisibility()->mTextOrientation;
+        uint8_t textOrientation = styleVisibility->mTextOrientation;
         if (textOrientation == NS_STYLE_TEXT_ORIENTATION_SIDEWAYS) {
           mWritingMode |= eSidewaysMask;
         }
@@ -479,7 +479,7 @@ public:
       case NS_STYLE_WRITING_MODE_VERTICAL_RL:
       {
         mWritingMode = eOrientationMask;
-        uint8_t textOrientation = aStyleContext->StyleVisibility()->mTextOrientation;
+        uint8_t textOrientation = styleVisibility->mTextOrientation;
         if (textOrientation == NS_STYLE_TEXT_ORIENTATION_SIDEWAYS) {
           mWritingMode |= eSidewaysMask;
         }
diff --git a/layout/generic/nsFrame.h b/layout/generic/nsFrame.h
index 51ccfa993241..57bc6f564d12 100644
--- a/layout/generic/nsFrame.h
+++ b/layout/generic/nsFrame.h
@@ -79,7 +79,7 @@
 #endif
 
 // Frame allocation boilerplate macros.  Every subclass of nsFrame
-// must define its own operator new and GetAllocatedSize.  If they do
+// must define its own operator new and GetFrameId.  If they do
 // not, the per-frame recycler lists in nsPresArena will not work
 // correctly, with potentially catastrophic consequences (not enough
 // memory is allocated for a frame object).
diff --git a/layout/generic/nsGfxScrollFrame.cpp b/layout/generic/nsGfxScrollFrame.cpp
index cb5bcdba7806..095e4f535b03 100644
--- a/layout/generic/nsGfxScrollFrame.cpp
+++ b/layout/generic/nsGfxScrollFrame.cpp
@@ -1992,6 +1992,13 @@ NotifyPluginFramesCallback(nsISupports* aSupports, void* aFlag)
     }
   }
 }
+static bool
+NotifyPluginSubframesCallback(nsIDocument* aDocument, void* aFlag)
+{
+  aDocument->EnumerateActivityObservers(NotifyPluginFramesCallback,
+                                        aFlag);
+  return true;
+}
 #endif
 
 void
@@ -2011,6 +2018,9 @@ ScrollFrameHelper::NotifyPluginFrames(AsyncScrollEventType aEvent)
       bool begin = (aEvent == BEGIN_APZ || aEvent == BEGIN_DOM);
       presContext->Document()->EnumerateActivityObservers(NotifyPluginFramesCallback,
                                                           (void*)begin);
+      presContext->Document()->EnumerateSubDocuments(NotifyPluginSubframesCallback,
+                                                     (void*)begin);
+
       mAsyncScrollEvent = aEvent;
     }
   }
diff --git a/layout/inspector/inDOMUtils.cpp b/layout/inspector/inDOMUtils.cpp
index d9b1183fd493..ec5325e08428 100644
--- a/layout/inspector/inDOMUtils.cpp
+++ b/layout/inspector/inDOMUtils.cpp
@@ -83,11 +83,11 @@ inDOMUtils::GetAllStyleSheets(nsIDOMDocument *aDocument, uint32_t *aLength,
   nsIPresShell* presShell = document->GetShell();
   if (presShell) {
     nsStyleSet* styleSet = presShell->StyleSet();
-    nsStyleSet::sheetType sheetType = nsStyleSet::eAgentSheet;
+    SheetType sheetType = SheetType::Agent;
     for (int32_t i = 0; i < styleSet->SheetCount(sheetType); i++) {
       sheets.AppendElement(styleSet->StyleSheetAt(sheetType, i));
     }
-    sheetType = nsStyleSet::eUserSheet;
+    sheetType = SheetType::User;
     for (int32_t i = 0; i < styleSet->SheetCount(sheetType); i++) {
       sheets.AppendElement(styleSet->StyleSheetAt(sheetType, i));
     }
diff --git a/layout/reftests/bugs/1209603-1-ref.html b/layout/reftests/bugs/1209603-1-ref.html
new file mode 100644
index 000000000000..a2eacedbc662
--- /dev/null
+++ b/layout/reftests/bugs/1209603-1-ref.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<title>Testcase, bug 1209603</title>
+<style>
+
+p {
+  margin: 1em 0;
+}
+
+</style>
+
+<p style="font-size: 40px">Should be 40px font size.</p>
+
+<p style="font-size: 20px">Should be 20px font size.</p>
diff --git a/layout/reftests/bugs/1209603-1.html b/layout/reftests/bugs/1209603-1.html
new file mode 100644
index 000000000000..5bbc45ee407f
--- /dev/null
+++ b/layout/reftests/bugs/1209603-1.html
@@ -0,0 +1,50 @@
+<!DOCTYPE HTML>
+<title>Testcase, bug 1209603</title>
+<style>
+
+p {
+  font-size: 2em;
+
+  /* ensure font-size dependency in the margin struct; this is also in
+     the UA style sheet, but repeated here for clarity */
+  margin: 1em 0;
+}
+
+</style>
+
+<div style="font-size: 20px"><p id="a">Should be 40px font size.</p></div>
+
+<script>
+
+var a = document.getElementById("a");
+
+// force computation of the margin struct on A (caching in rule tree)
+getComputedStyle(a, "").marginTop;
+
+</script>
+
+<!-- will dynamically change font-size to 10px later;
+     also needs to be different from 20px now to avoid sibling-sharing -->
+<div style="font-size: 30px"><p id="b">Should be 20px font size.</p></div>
+
+<script>
+// Note that A and B share rule nodes, and note that the margin struct
+// has been conditionally (on font size) cached on their shared rule node.
+var b = document.getElementById("b");
+
+// force style context construction and computation of the font struct on
+// B's parent
+getComputedStyle(b.parentNode, "").fontSize;
+
+// force style context construction (and computation of the color
+// struct) on B, but not the margin struct or font struct
+getComputedStyle(b, "").color;
+
+// restyle B and flush
+b.parentNode.style.fontSize = "10px";
+getComputedStyle(b, "").marginTop;
+// This flush will call CalcStyleDifference on B, which will find no
+// cached font struct on the old context, but which will find a
+// cached margin struct on the rule node.
+
+</script>
diff --git a/layout/reftests/bugs/reftest.list b/layout/reftests/bugs/reftest.list
index d871baab11e8..298b071a0792 100644
--- a/layout/reftests/bugs/reftest.list
+++ b/layout/reftests/bugs/reftest.list
@@ -1936,3 +1936,4 @@ fuzzy(1,74) fuzzy-if(gtkWidget,6,79) == 1174332-1.html 1174332-1-ref.html
 == 1202512-1.html 1202512-1-ref.html
 == 1202512-2.html 1202512-2-ref.html
 != 1207326-1.html about:blank
+== 1209603-1.html 1209603-1-ref.html
diff --git a/layout/reftests/ogg-video/444-1-ref.html b/layout/reftests/ogg-video/444-1-ref.html
index 287361bfb1fa..b544a4b4da79 100644
--- a/layout/reftests/ogg-video/444-1-ref.html
+++ b/layout/reftests/ogg-video/444-1-ref.html
@@ -1,15 +1,20 @@
 <!DOCTYPE HTML>
 <html class="reftest-wait">
 <body>
-<video id="v1" src="seek420.ogv" style="position:absolute; left:0; top:0"></video>
+<video id="v1" style="position:absolute; left:0; top:0"></video>
 <!-- hide bottom of video -->
 <div style="position:absolute; top:120px; left:0; right:0; bottom:0; background:black"></div>
 <script>
 function doTest() {
+  // Set source now so that the loadeddata event can't fire before
+  // this function runs.
+  v1.src = "seek420.ogv";
   v1.play();
-  setTimeout(function() {
-    document.documentElement.removeAttribute('class');
-  }, 500);
+  v1.addEventListener("loadeddata", function() {
+    setTimeout(function() {
+      document.documentElement.removeAttribute('class');
+    }, 50);
+  });
 }
 document.addEventListener("MozReftestInvalidate", doTest, false);
 </script>
diff --git a/layout/reftests/ogg-video/444-1.html b/layout/reftests/ogg-video/444-1.html
index 24a52ff9882d..2921ea07dc40 100644
--- a/layout/reftests/ogg-video/444-1.html
+++ b/layout/reftests/ogg-video/444-1.html
@@ -1,15 +1,20 @@
 <!DOCTYPE HTML>
 <html class="reftest-wait">
 <body>
-<video id="v1" src="seek444.ogv" style="position:absolute; left:0; top:0"></video>
+<video id="v1" style="position:absolute; left:0; top:0"></video>
 <!-- hide bottom of video -->
 <div style="position:absolute; top:120px; left:0; right:0; bottom:0; background:black"></div>
 <script>
 function doTest() {
+  // Set source now so that the loadeddata event can't fire before
+  // this function runs.
+  v1.src = "seek444.ogv";
   v1.play();
-  setTimeout(function() {
-    document.documentElement.removeAttribute('class');
-  }, 500);
+  v1.addEventListener("loadeddata", function() {
+    setTimeout(function() {
+      document.documentElement.removeAttribute('class');
+    }, 50);
+  });
 }
 document.addEventListener("MozReftestInvalidate", doTest, false);
 </script>
diff --git a/layout/reftests/outline/outline-auto-001-solid-ref.html b/layout/reftests/outline/outline-auto-001-solid-ref.html
new file mode 100644
index 000000000000..d9a0b851c374
--- /dev/null
+++ b/layout/reftests/outline/outline-auto-001-solid-ref.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html><head>
+    <title>Testcase for outline:auto</title>
+    <style type="text/css">
+
+        html,body {
+            color:black; background-color:white; padding:10px; margin:0;
+        }
+
+	div { outline:solid; width:200px; margin:20px; height:20px; background:black; }
+        .b div { border:solid blue; border-width: 1px 3px 5px 7px; }
+    </style>
+</head>
+<body>
+
+<div style="outline-width:0; outline-offset:0;"></div>
+<div style="outline-width:0; outline-offset:5px;"></div>
+<div style="outline-width:0; outline-offset:-5px;"></div>
+<div style="outline-width:5px; outline-offset:1px;"></div>
+<div style="outline-width:5px; outline-offset:-1px;"></div>
+<div style="outline-width:1px; outline-offset:0;"></div>
+<div style="outline-width:1px; outline-offset:5px;"></div>
+<div style="outline-width:1px; outline-offset:-5px;"></div>
+
+</body>
+</html>
diff --git a/layout/reftests/outline/reftest.list b/layout/reftests/outline/reftest.list
index 66e1f6a24b4e..a9c4d6ca4c8d 100644
--- a/layout/reftests/outline/reftest.list
+++ b/layout/reftests/outline/reftest.list
@@ -7,5 +7,6 @@ fuzzy-if(Android,255,356) fuzzy-if(d2d,16,96) fuzzy-if(cocoaWidget,255,120) fuzz
 == outline-overflow-inlineblock-abspos.html outline-overflow-inlineblock-ref.html
 == outline-overflow-inlineblock-float.html outline-overflow-inlineblock-ref.html
 pref(layout.css.outline-style-auto.enabled,true) skip-if((!gtkWidget&&!winWidget&&!cocoaWidget)||Mulet) == outline-auto-001.html outline-auto-001-ref.html # only works on platforms that supports NS_THEME_FOCUS_OUTLINE # bug 1141511:  Disable some gtkWidget-dependant reftests on Mulet
+pref(layout.css.outline-style-auto.enabled,false) == outline-auto-001.html outline-auto-001-solid-ref.html
 == outline-initial-1a.html outline-initial-1-ref.html
 == outline-initial-1b.html outline-initial-1-ref.html
diff --git a/layout/style/FontFaceSet.cpp b/layout/style/FontFaceSet.cpp
index 7362eb87f7e1..8d45b49ce854 100644
--- a/layout/style/FontFaceSet.cpp
+++ b/layout/style/FontFaceSet.cpp
@@ -419,7 +419,7 @@ FontFaceSet::Add(FontFace& aFontFace, ErrorResult& aRv)
 
   FontFaceRecord* rec = mNonRuleFaces.AppendElement();
   rec->mFontFace = &aFontFace;
-  rec->mSheetType = 0;  // unused for mNonRuleFaces
+  rec->mSheetType = SheetType::Unknown;  // unused for mNonRuleFaces
   rec->mLoadEventShouldFire =
     aFontFace.Status() == FontFaceLoadStatus::Unloaded ||
     aFontFace.Status() == FontFaceLoadStatus::Loading;
@@ -828,7 +828,7 @@ FontFaceSet::InsertNonRuleFontFace(FontFace* aFontFace,
     // InsertRuleFontFace does?
     RefPtr<gfxUserFontEntry> entry =
       FindOrCreateUserFontEntryFromFontFace(fontfamily, aFontFace,
-                                            nsStyleSet::eDocSheet);
+                                            SheetType::Doc);
     if (!entry) {
       return;
     }
@@ -840,7 +840,7 @@ FontFaceSet::InsertNonRuleFontFace(FontFace* aFontFace,
 }
 
 void
-FontFaceSet::InsertRuleFontFace(FontFace* aFontFace, uint8_t aSheetType,
+FontFaceSet::InsertRuleFontFace(FontFace* aFontFace, SheetType aSheetType,
                                 nsTArray<FontFaceRecord>& aOldRecords,
                                 bool& aFontSetModified)
 {
@@ -951,13 +951,13 @@ FontFaceSet::FindOrCreateUserFontEntryFromFontFace(FontFace* aFontFace)
   }
 
   return FindOrCreateUserFontEntryFromFontFace(fontfamily, aFontFace,
-                                               nsStyleSet::eDocSheet);
+                                               SheetType::Doc);
 }
 
 already_AddRefed<gfxUserFontEntry>
 FontFaceSet::FindOrCreateUserFontEntryFromFontFace(const nsAString& aFamilyName,
                                                    FontFace* aFontFace,
-                                                   uint8_t aSheetType)
+                                                   SheetType aSheetType)
 {
   nsCSSValue val;
   nsCSSUnit unit;
@@ -1094,8 +1094,8 @@ FontFaceSet::FindOrCreateUserFontEntryFromFontFace(const nsAString& aFamilyName,
           // the same-site origin check and access control headers are
           // enforced against the sheet principal rather than the document
           // principal to allow user stylesheets to include @font-face rules
-          face->mUseOriginPrincipal = (aSheetType == nsStyleSet::eUserSheet ||
-                                       aSheetType == nsStyleSet::eAgentSheet);
+          face->mUseOriginPrincipal = (aSheetType == SheetType::User ||
+                                       aSheetType == SheetType::Agent);
 
           face->mLocalName.Truncate();
           face->mFormatFlags = 0;
diff --git a/layout/style/FontFaceSet.h b/layout/style/FontFaceSet.h
index e2e435a301bf..e00f3a222a5f 100644
--- a/layout/style/FontFaceSet.h
+++ b/layout/style/FontFaceSet.h
@@ -232,7 +232,7 @@ private:
   // accordingly.
   struct FontFaceRecord {
     RefPtr<FontFace> mFontFace;
-    uint8_t mSheetType;  // only relevant for mRuleFaces entries
+    SheetType mSheetType;  // only relevant for mRuleFaces entries
 
     // When true, indicates that when finished loading, the FontFace should be
     // included in the subsequent loadingdone/loadingerror event fired at the
@@ -243,7 +243,7 @@ private:
   already_AddRefed<gfxUserFontEntry> FindOrCreateUserFontEntryFromFontFace(
                                                    const nsAString& aFamilyName,
                                                    FontFace* aFontFace,
-                                                   uint8_t aSheetType);
+                                                   SheetType aSheetType);
 
   // search for @font-face rule that matches a userfont font entry
   nsCSSFontFaceRule* FindRuleForUserFontEntry(gfxUserFontEntry* aUserFontEntry);
@@ -264,7 +264,7 @@ private:
                       nsresult aStatus);
   void RebuildUserFontSet();
 
-  void InsertRuleFontFace(FontFace* aFontFace, uint8_t aSheetType,
+  void InsertRuleFontFace(FontFace* aFontFace, SheetType aSheetType,
                           nsTArray<FontFaceRecord>& aOldRecords,
                           bool& aFontSetModified);
   void InsertNonRuleFontFace(FontFace* aFontFace, bool& aFontSetModified);
diff --git a/layout/style/RuleNodeCacheConditions.h b/layout/style/RuleNodeCacheConditions.h
index e34b6a83817e..044434e29d0a 100644
--- a/layout/style/RuleNodeCacheConditions.h
+++ b/layout/style/RuleNodeCacheConditions.h
@@ -20,6 +20,22 @@ class nsStyleContext;
 
 namespace mozilla {
 
+/**
+ * nsRuleNodeCacheConditions is used to store information about whether
+ * we can store a style struct that we're computing in the rule tree.
+ *
+ * For inherited structs (i.e., structs with inherited properties), we
+ * cache the struct in the rule tree if it does not depend on any data
+ * in the style context tree, and otherwise store it in the style
+ * context tree.  This means that for inherited structs, setting any
+ * conditions is equivalent to making the struct uncacheable.
+ *
+ * For reset structs (i.e., structs with non-inherited properties), we
+ * are also able to cache structs in the rule tree conditionally on
+ * certain common conditions.  For these structs, setting conditions
+ * (SetFontSizeDependency, SetWritingModeDependency) instead causes the
+ * struct to be stored, with the condition, in the rule tree.
+ */
 class RuleNodeCacheConditions
 {
 public:
@@ -45,6 +61,15 @@ public:
 
   bool Matches(nsStyleContext* aStyleContext) const;
 
+  /**
+   * Record that the data being computed depend on the font-size
+   * property of the element for which they are being computed.
+   *
+   * Note that we sometimes actually call this when there is a
+   * dependency on the font-size property of the parent element, but we
+   * only do so while computing inherited structs (nsStyleFont), and we
+   * only store reset structs conditionally.
+   */
   void SetFontSizeDependency(nscoord aCoord)
   {
     MOZ_ASSERT(!(mBits & eHaveFontSize) || mFontSize == aCoord);
@@ -52,6 +77,12 @@ public:
     mBits |= eHaveFontSize;
   }
 
+  /**
+   * Record that the data being computed depend on the writing mode of
+   * the element for which they are being computed, which in turn
+   * depends on its 'writing-mode', 'direction', and 'text-orientation'
+   * properties.
+   */
   void SetWritingModeDependency(uint8_t aWritingMode)
   {
     MOZ_ASSERT(!(mBits & eHaveWritingMode) || GetWritingMode() == aWritingMode);
diff --git a/layout/style/SheetType.h b/layout/style/SheetType.h
new file mode 100644
index 000000000000..855411624766
--- /dev/null
+++ b/layout/style/SheetType.h
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* enum to represent a level in the cascade */
+
+#ifndef mozilla_SheetType_h
+#define mozilla_SheetType_h
+
+namespace mozilla {
+
+// The "origins" of the CSS cascade, from lowest precedence to
+// highest (for non-!important rules).
+//
+// Be sure to update NS_RULE_NODE_LEVEL_MASK when changing the number
+// of sheet types; static assertions enforce this.
+enum class SheetType : uint8_t {
+  Agent, // CSS
+  User, // CSS
+  PresHint,
+  SVGAttrAnimation,
+  Doc, // CSS
+  ScopedDoc,
+  StyleAttr,
+  Override, // CSS
+  Animation,
+  Transition,
+
+  Count,
+  Unknown = 0xff
+};
+
+} // namespace mozilla
+
+#endif // mozilla_SheetType_h
diff --git a/layout/style/moz.build b/layout/style/moz.build
index 7702dd4903bc..2833d04701a8 100644
--- a/layout/style/moz.build
+++ b/layout/style/moz.build
@@ -88,6 +88,7 @@ EXPORTS.mozilla += [
     'LayerAnimationInfo.h',
     'RuleNodeCacheConditions.h',
     'RuleProcessorCache.h',
+    'SheetType.h',
     'StyleAnimationValue.h',
 ]
 
diff --git a/layout/style/nsCSSDataBlock.cpp b/layout/style/nsCSSDataBlock.cpp
index 602a071eeb8e..d2953eb13109 100644
--- a/layout/style/nsCSSDataBlock.cpp
+++ b/layout/style/nsCSSDataBlock.cpp
@@ -42,8 +42,8 @@ MoveValue(nsCSSValue* aSource, nsCSSValue* aDest)
 static bool
 ShouldIgnoreColors(nsRuleData *aRuleData)
 {
-    return aRuleData->mLevel != nsStyleSet::eAgentSheet &&
-           aRuleData->mLevel != nsStyleSet::eUserSheet &&
+    return aRuleData->mLevel != SheetType::Agent &&
+           aRuleData->mLevel != SheetType::User &&
            !aRuleData->mPresContext->UseDocumentColors();
 }
 
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index 87729778360c..451184ee3134 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -782,21 +782,14 @@ protected:
   bool ParseSingleValuePropertyByFunction(nsCSSValue& aValue,
                                           nsCSSProperty aPropID);
 
-  // These are similar to ParseSingleValueProperty but only work for
+  // This is similar to ParseSingleValueProperty but only works for
   // properties that are parsed with ParseBoxProperties or
-  // ParseGroupedBoxProperty.  Stores in aConsumedTokens whether any tokens
-  // were consumed.
+  // ParseGroupedBoxProperty.
   //
   // Only works with variants with the following flags:
   // A, C, H, K, L, N, P, CALC.
-  bool ParseBoxPropertyVariant(nsCSSValue& aValue,
-                               uint32_t aVariantMask,
-                               const KTableValue aKeywordTable[],
-                               uint32_t aRestrictions,
-                               bool& aConsumedTokens);
-  bool ParseBoxProperty(nsCSSValue& aValue,
-                        nsCSSProperty aPropID,
-                        bool& aConsumedTokens);
+  CSSParseResult ParseBoxProperty(nsCSSValue& aValue,
+                                  nsCSSProperty aPropID);
 
   enum PriorityParsingStatus {
     ePriority_None,
@@ -966,7 +959,6 @@ protected:
   bool ParseListStyle();
   bool ParseListStyleType(nsCSSValue& aValue);
   bool ParseMargin();
-  bool ParseMarks(nsCSSValue& aValue);
   bool ParseClipPath();
   bool ParseTransform(bool aIsPrefixed);
   bool ParseObjectPosition();
@@ -974,7 +966,6 @@ protected:
   bool ParseOverflow();
   bool ParsePadding();
   bool ParseQuotes();
-  bool ParseSize();
   bool ParseTextAlign(nsCSSValue& aValue,
                       const KTableValue aTable[]);
   bool ParseTextAlign(nsCSSValue& aValue);
@@ -9836,14 +9827,14 @@ CSSParserImpl::ParseBoxProperties(const nsCSSProperty aPropIDs[])
   int32_t count = 0;
   nsCSSRect result;
   NS_FOR_CSS_SIDES (index) {
-    bool consumedTokens;
-    if (!ParseBoxProperty(result.*(nsCSSRect::sides[index]),
-                          aPropIDs[index], consumedTokens)) {
-      if (consumedTokens) {
-        return false;
-      }
+    CSSParseResult parseResult =
+      ParseBoxProperty(result.*(nsCSSRect::sides[index]), aPropIDs[index]);
+    if (parseResult == CSSParseResult::NotFound) {
       break;
     }
+    if (parseResult == CSSParseResult::Error) {
+      return false;
+    }
     count++;
   }
   if (count == 0) {
@@ -9887,19 +9878,16 @@ CSSParserImpl::ParseGroupedBoxProperty(int32_t aVariantMask,
 
   int32_t count = 0;
   NS_FOR_CSS_SIDES (index) {
-    bool consumedTokens;
-    if (!ParseBoxPropertyVariant(result.*(nsCSSRect::sides[index]),
-                                 aVariantMask, nullptr,
-                                 CSS_PROPERTY_VALUE_NONNEGATIVE,
-                                 consumedTokens)) {
-      if (consumedTokens) {
-        // we consumed some tokens, which means we failed in the middle
-        // of parsing a multi-token value, and thus we shouldn't just
-        // exit the loop and return true
-        return false;
-      }
+    CSSParseResult parseResult =
+      ParseVariantWithRestrictions(result.*(nsCSSRect::sides[index]),
+                                   aVariantMask, nullptr,
+                                   CSS_PROPERTY_VALUE_NONNEGATIVE);
+    if (parseResult == CSSParseResult::NotFound) {
       break;
     }
+    if (parseResult == CSSParseResult::Error) {
+      return false;
+    }
     count++;
   }
 
@@ -10449,8 +10437,6 @@ CSSParserImpl::ParsePropertyByFunction(nsCSSProperty aPropID)
     return ParsePadding();
   case eCSSProperty_quotes:
     return ParseQuotes();
-  case eCSSProperty_size:
-    return ParseSize();
   case eCSSProperty_text_decoration:
     return ParseTextDecoration();
   case eCSSProperty_will_change:
@@ -10501,42 +10487,13 @@ CSSParserImpl::ParsePropertyByFunction(nsCSSProperty aPropID)
 #define BG_CLR    (BG_CENTER | BG_LEFT | BG_RIGHT)
 #define BG_LR     (BG_LEFT | BG_RIGHT)
 
-bool
-CSSParserImpl::ParseBoxPropertyVariant(nsCSSValue& aValue,
-                                       uint32_t aVariantMask,
-                                       const KTableValue aKeywordTable[],
-                                       uint32_t aRestrictions,
-                                       bool& aConsumedTokens)
-{
-  CSSParseResult result =
-      ParseVariantWithRestrictions(aValue, aVariantMask, aKeywordTable,
-                                   aRestrictions);
-  switch (result) {
-    case CSSParseResult::Ok:
-      aConsumedTokens = true;
-      return true;
-    case CSSParseResult::NotFound:
-      aConsumedTokens = false;
-      return false;
-    default:
-      MOZ_ASSERT_UNREACHABLE("invalid CSSParseResult value");
-      // fall through
-    case CSSParseResult::Error:
-      aConsumedTokens = true;
-      return false;
-  }
-}
-
-bool
+CSSParseResult
 CSSParserImpl::ParseBoxProperty(nsCSSValue& aValue,
-                                nsCSSProperty aPropID,
-                                bool& aConsumedTokens)
+                                nsCSSProperty aPropID)
 {
-  aConsumedTokens = false;
-
   if (aPropID < 0 || aPropID >= eCSSProperty_COUNT_no_shorthands) {
     MOZ_ASSERT(false, "must only be called for longhand properties");
-    return false;
+    return CSSParseResult::NotFound;
   }
 
   MOZ_ASSERT(!nsCSSProps::PropHasFlags(aPropID,
@@ -10546,20 +10503,19 @@ CSSParserImpl::ParseBoxProperty(nsCSSValue& aValue,
   uint32_t variant = nsCSSProps::ParserVariant(aPropID);
   if (variant == 0) {
     MOZ_ASSERT(false, "must only be called for variant-parsed properties");
-    return false;
+    return CSSParseResult::NotFound;
   }
 
   if (variant & ~(VARIANT_AHKLP | VARIANT_COLOR | VARIANT_CALC)) {
     MOZ_ASSERT(false, "must only be called for properties that take certain "
                       "variants");
-    return false;
+    return CSSParseResult::NotFound;
   }
 
   const KTableValue* kwtable = nsCSSProps::kKeywordTableTable[aPropID];
   uint32_t restrictions = nsCSSProps::ValueRestrictions(aPropID);
 
-  return ParseBoxPropertyVariant(aValue, variant, kwtable, restrictions,
-                                 aConsumedTokens);
+  return ParseVariantWithRestrictions(aValue, variant, kwtable, restrictions);
 }
 
 bool
@@ -10587,8 +10543,6 @@ CSSParserImpl::ParseSingleValuePropertyByFunction(nsCSSValue& aValue,
       return ParseImageOrientation(aValue);
     case eCSSProperty_list_style_type:
       return ParseListStyleType(aValue);
-    case eCSSProperty_marks:
-      return ParseMarks(aValue);
     case eCSSProperty_scroll_snap_points_x:
       return ParseScrollSnapPoints(aValue, eCSSProperty_scroll_snap_points_x);
     case eCSSProperty_scroll_snap_points_y:
@@ -13612,31 +13566,6 @@ CSSParserImpl::ParseMargin()
   return ParseBoxProperties(kMarginSideIDs);
 }
 
-bool
-CSSParserImpl::ParseMarks(nsCSSValue& aValue)
-{
-  if (ParseSingleTokenVariant(aValue, VARIANT_HK,
-                              nsCSSProps::kPageMarksKTable)) {
-    if (eCSSUnit_Enumerated == aValue.GetUnit()) {
-      if (NS_STYLE_PAGE_MARKS_NONE != aValue.GetIntValue() &&
-          false == CheckEndProperty()) {
-        nsCSSValue second;
-        if (ParseEnum(second, nsCSSProps::kPageMarksKTable)) {
-          // 'none' keyword in conjuction with others is not allowed
-          if (NS_STYLE_PAGE_MARKS_NONE != second.GetIntValue()) {
-            aValue.SetIntValue(aValue.GetIntValue() | second.GetIntValue(),
-                               eCSSUnit_Enumerated);
-            return true;
-          }
-        }
-        return false;
-      }
-    }
-    return true;
-  }
-  return false;
-}
-
 bool
 CSSParserImpl::ParseObjectPosition()
 {
@@ -13751,28 +13680,6 @@ CSSParserImpl::ParseQuotes()
   return true;
 }
 
-bool
-CSSParserImpl::ParseSize()
-{
-  nsCSSValue width, height;
-  if (!ParseSingleTokenVariant(width, VARIANT_AHKL,
-                               nsCSSProps::kPageSizeKTable)) {
-    return false;
-  }
-  if (width.IsLengthUnit()) {
-    ParseSingleTokenVariant(height, VARIANT_LENGTH, nullptr);
-  }
-
-  if (width == height || height.GetUnit() == eCSSUnit_Null) {
-    AppendValue(eCSSProperty_size, width);
-  } else {
-    nsCSSValue pair;
-    pair.SetPairValue(width, height);
-    AppendValue(eCSSProperty_size, pair);
-  }
-  return true;
-}
-
 bool
 CSSParserImpl::ParseTextDecoration()
 {
diff --git a/layout/style/nsCSSPropList.h b/layout/style/nsCSSPropList.h
index 397b7581d54f..0a1b4b177301 100644
--- a/layout/style/nsCSSPropList.h
+++ b/layout/style/nsCSSPropList.h
@@ -61,13 +61,12 @@
   CSS_PROP_*] gives the name of the style struct.  Can be used to make
   nsStyle##stylestruct_ and eStyleStruct_##stylestruct_
 
-  -. 'stylestructoffset_' [not used for CSS_PROP_BACKENDONLY] gives the
-  result of offsetof(nsStyle*, member).  Ignored (and generally
-  CSS_PROP_NO_OFFSET, or -1) for properties whose animtype_ is
-  eStyleAnimType_None.
+  -. 'stylestructoffset_' gives the result of offsetof(nsStyle*,
+  member).  Ignored (and generally CSS_PROP_NO_OFFSET, or -1) for
+  properties whose animtype_ is eStyleAnimType_None.
 
-  -. 'animtype_' [not used for CSS_PROP_BACKENDONLY] gives the
-  animation type (see nsStyleAnimType) of this property.
+  -. 'animtype_' gives the animation type (see nsStyleAnimType) of this
+  property.
 
   CSS_PROP_SHORTHAND only takes 1-5.
 
@@ -159,14 +158,6 @@
 #define CSS_PROP_SVGRESET(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_, stylestructoffset_, animtype_) CSS_PROP(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_, SVGReset, stylestructoffset_, animtype_)
 #define CSS_PROP_VARIABLES(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_, stylestructoffset_, animtype_) CSS_PROP(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_, Variables, stylestructoffset_, animtype_)
 
-// For properties that are stored in the CSS backend but are not
-// computed.  An includer may define this in addition to CSS_PROP, but
-// otherwise we treat it as the same.
-#ifndef CSS_PROP_BACKENDONLY
-#define CSS_PROP_BACKENDONLY(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_) CSS_PROP(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_, BackendOnly, CSS_PROP_NO_OFFSET, eStyleAnimType_None)
-#define DEFINED_CSS_PROP_BACKENDONLY
-#endif
-
 // And similarly for logical properties.  An includer can define
 // CSS_PROP_LOGICAL to capture all logical properties, but otherwise they
 // are included in CSS_PROP (as long as CSS_PROP_LIST_INCLUDE_LOGICAL is
@@ -294,10 +285,6 @@
 #define DEFINED_CSS_PROP_VARIABLES
 #endif
 
-#ifndef CSS_PROP_BACKENDONLY
-#define CSS_PROP_BACKENDONLY(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_) /* nothing */
-#define DEFINED_CSS_PROP_BACKENDONLY
-#endif
 #ifndef CSS_PROP_LOGICAL
 #define CSS_PROP_LOGICAL(name_, id_, method_, flags_, pref_, parsevariant_, kwtable_, group_, struct_, stylestructoffset_, animtype_) /* nothing */
 #define DEFINED_CSS_PROP_LOGICAL
@@ -2409,15 +2396,6 @@ CSS_PROP_CONTENT(
     nullptr,
     offsetof(nsStyleContent, mMarkerOffset),
     eStyleAnimType_Coord)
-CSS_PROP_BACKENDONLY(
-    marks,
-    marks,
-    Marks,
-    CSS_PROPERTY_PARSE_VALUE |
-        CSS_PROPERTY_VALUE_PARSER_FUNCTION,
-    "",
-    0,
-    kPageMarksKTable)
 CSS_PROP_LOGICAL(
     max-block-size,
     max_block_size,
@@ -2698,15 +2676,6 @@ CSS_PROP_DISPLAY(
     kOrientKTable,
     CSS_PROP_NO_OFFSET,
     eStyleAnimType_None)
-CSS_PROP_BACKENDONLY(
-    orphans,
-    orphans,
-    Orphans,
-    CSS_PROPERTY_PARSE_VALUE |
-        CSS_PROPERTY_VALUE_AT_LEAST_ONE,
-    "",
-    VARIANT_HI,
-    nullptr)
 CSS_PROP_SHORTHAND(
     outline,
     outline,
@@ -2954,14 +2923,6 @@ CSS_PROP_PADDING(
     nullptr,
     offsetof(nsStylePadding, mPadding),
     eStyleAnimType_Sides_Top)
-CSS_PROP_BACKENDONLY(
-    page,
-    page,
-    Page,
-    CSS_PROPERTY_PARSE_VALUE,
-    "",
-    VARIANT_AUTO | VARIANT_IDENTIFIER,
-    nullptr)
 CSS_PROP_DISPLAY(
     page-break-after,
     page_break_after,
@@ -3167,14 +3128,6 @@ CSS_PROP_DISPLAY(
     kScrollSnapTypeKTable,
     CSS_PROP_NO_OFFSET,
     eStyleAnimType_None)
-CSS_PROP_BACKENDONLY(
-    size,
-    size,
-    Size,
-    CSS_PROPERTY_PARSE_FUNCTION,
-    "",
-    0,
-    kPageSizeKTable)
 CSS_PROP_TABLE(
     table-layout,
     table_layout,
@@ -3595,15 +3548,6 @@ CSS_PROP_TEXT(
     kWhitespaceKTable,
     CSS_PROP_NO_OFFSET,
     eStyleAnimType_None)
-CSS_PROP_BACKENDONLY(
-    widows,
-    widows,
-    Widows,
-    CSS_PROPERTY_PARSE_VALUE |
-        CSS_PROPERTY_VALUE_AT_LEAST_ONE,
-    "",
-    VARIANT_HI,
-    nullptr)
 CSS_PROP_POSITION(
     width,
     width,
@@ -4283,10 +4227,6 @@ CSS_PROP_FONT(
 #undef CSS_PROP_SVG
 #undef CSS_PROP_SVGRESET
 #undef CSS_PROP_VARIABLES
-#ifdef DEFINED_CSS_PROP_BACKENDONLY
-#undef CSS_PROP_BACKENDONLY
-#undef DEFINED_CSS_PROP_BACKENDONLY
-#endif
 
 #else /* !defined(USED_CSS_PROP) */
 
@@ -4386,10 +4326,6 @@ CSS_PROP_FONT(
 #undef CSS_PROP_VARIABLES
 #undef DEFINED_CSS_PROP_VARIABLES
 #endif
-#ifdef DEFINED_CSS_PROP_BACKENDONLY
-#undef CSS_PROP_BACKENDONLY
-#undef DEFINED_CSS_PROP_BACKENDONLY
-#endif
 
 #endif /* !defined(USED_CSS_PROP) */
 
diff --git a/layout/style/nsCSSProps.cpp b/layout/style/nsCSSProps.cpp
index 05319f470721..f33ca78bf964 100644
--- a/layout/style/nsCSSProps.cpp
+++ b/layout/style/nsCSSProps.cpp
@@ -2278,9 +2278,6 @@ bool nsCSSProps::GetColorName(int32_t aPropValue, nsCString &aStr)
 }
 
 const nsStyleStructID nsCSSProps::kSIDTable[eCSSProperty_COUNT_no_shorthands] = {
-    // Note that this uses the special BackendOnly style struct ID
-    // (which does need to be valid for storing in the
-    // nsCSSCompressedDataBlock::mStyleBits bitfield).
     #define CSS_PROP(name_, id_, method_, flags_, pref_, parsevariant_,     \
                      kwtable_, stylestruct_, stylestructoffset_, animtype_) \
         eStyleStruct_##stylestruct_,
@@ -2971,9 +2968,6 @@ nsCSSProps::gPropertyCountInStruct[nsStyleStructID_Length] = {
 /* static */ const size_t
 nsCSSProps::gPropertyIndexInStruct[eCSSProperty_COUNT_no_shorthands] = {
 
-  #define CSS_PROP_BACKENDONLY(name_, id_, method_, flags_, pref_, \
-                               parsevariant_, kwtable_)            \
-      size_t(-1),
   #define CSS_PROP_LOGICAL(name_, id_, method_, flags_, pref_, parsevariant_, \
                            kwtable_, group_, stylestruct_,                    \
                            stylestructoffset_, animtype_)                     \
@@ -2984,7 +2978,6 @@ nsCSSProps::gPropertyIndexInStruct[eCSSProperty_COUNT_no_shorthands] = {
   #include "nsCSSPropList.h"
   #undef CSS_PROP
   #undef CSS_PROP_LOGICAL
-  #undef CSS_PROP_BACKENDONLY
 
 };
 
diff --git a/layout/style/nsCSSRuleProcessor.cpp b/layout/style/nsCSSRuleProcessor.cpp
index 910a9dc91115..dd1a8b30776f 100644
--- a/layout/style/nsCSSRuleProcessor.cpp
+++ b/layout/style/nsCSSRuleProcessor.cpp
@@ -1014,7 +1014,7 @@ RuleCascadeData::AttributeListFor(nsIAtom* aAttribute)
 //
 
 nsCSSRuleProcessor::nsCSSRuleProcessor(const sheet_array_type& aSheets,
-                                       uint8_t aSheetType,
+                                       SheetType aSheetType,
                                        Element* aScopeElement,
                                        nsCSSRuleProcessor*
                                          aPreviousCSSRuleProcessor,
@@ -1035,7 +1035,7 @@ nsCSSRuleProcessor::nsCSSRuleProcessor(const sheet_array_type& aSheets,
   , mDocumentRulesAndCacheKeyValid(false)
 #endif
 {
-  NS_ASSERTION(!!mScopeElement == (aSheetType == nsStyleSet::eScopedDocSheet),
+  NS_ASSERTION(!!mScopeElement == (aSheetType == SheetType::ScopedDoc),
                "aScopeElement must be specified iff aSheetType is "
                "eScopedDocSheet");
   for (sheet_array_type::size_type i = mSheets.Length(); i-- != 0; ) {
@@ -3551,7 +3551,7 @@ struct CascadeEnumData {
                   nsTArray<css::DocumentRule*>& aDocumentRules,
                   nsMediaQueryResultCacheKey& aKey,
                   nsDocumentRuleResultCacheKey& aDocumentKey,
-                  uint8_t aSheetType,
+                  SheetType aSheetType,
                   bool aMustGatherDocumentRules)
     : mPresContext(aPresContext),
       mFontFaceRules(aFontFaceRules),
@@ -3589,7 +3589,7 @@ struct CascadeEnumData {
   // Hooray, a manual PLDHashTable since nsClassHashtable doesn't
   // provide a getter that gives me a *reference* to the value.
   PLDHashTable mRulesByWeight; // of PerWeightDataListItem linked lists
-  uint8_t mSheetType;
+  SheetType mSheetType;
   bool mMustGatherDocumentRules;
 };
 
diff --git a/layout/style/nsCSSRuleProcessor.h b/layout/style/nsCSSRuleProcessor.h
index 18d76f1450e6..022c57a7ebe1 100644
--- a/layout/style/nsCSSRuleProcessor.h
+++ b/layout/style/nsCSSRuleProcessor.h
@@ -15,14 +15,15 @@
 #include "mozilla/Attributes.h"
 #include "mozilla/EventStates.h"
 #include "mozilla/MemoryReporting.h"
-#include "nsIStyleRuleProcessor.h"
-#include "nsIMediaList.h"
-#include "nsTArray.h"
+#include "mozilla/RefCountType.h"
+#include "mozilla/SheetType.h"
+#include "mozilla/UniquePtr.h"
 #include "nsAutoPtr.h"
 #include "nsExpirationTracker.h"
+#include "nsIMediaList.h"
+#include "nsIStyleRuleProcessor.h"
 #include "nsRuleWalker.h"
-#include "mozilla/RefCountType.h"
-#include "mozilla/UniquePtr.h"
+#include "nsTArray.h"
 
 struct CascadeEnumData;
 struct ElementDependentRuleProcessorData;
@@ -59,11 +60,11 @@ public:
   typedef nsTArray<RefPtr<mozilla::CSSStyleSheet>> sheet_array_type;
 
   // aScopeElement must be non-null iff aSheetType is
-  // nsStyleSet::eScopedDocSheet.
+  // SheetType::ScopedDoc.
   // aPreviousCSSRuleProcessor is the rule processor (if any) that this
   // one is replacing.
   nsCSSRuleProcessor(const sheet_array_type& aSheets,
-                     uint8_t aSheetType,
+                     mozilla::SheetType aSheetType,
                      mozilla::dom::Element* aScopeElement,
                      nsCSSRuleProcessor* aPreviousCSSRuleProcessor,
                      bool aIsShared = false);
@@ -262,7 +263,7 @@ private:
   MozRefCountType mStyleSetRefCnt;
 
   // type of stylesheet using this processor
-  uint8_t mSheetType;  // == nsStyleSet::sheetType
+  mozilla::SheetType mSheetType;
 
   const bool mIsShared;
 
diff --git a/layout/style/nsCSSRules.h b/layout/style/nsCSSRules.h
index 93208942fce9..9b2c806dd02e 100644
--- a/layout/style/nsCSSRules.h
+++ b/layout/style/nsCSSRules.h
@@ -9,12 +9,19 @@
 #ifndef nsCSSRules_h_
 #define nsCSSRules_h_
 
+#include "Declaration.h"
+#include "StyleRule.h"
+#include "gfxFontFeatures.h"
 #include "mozilla/Attributes.h"
-#include "mozilla/Move.h"
-
 #include "mozilla/MemoryReporting.h"
+#include "mozilla/Move.h"
+#include "mozilla/SheetType.h"
 #include "mozilla/css/GroupRule.h"
 #include "mozilla/dom/FontFace.h"
+#include "nsAutoPtr.h"
+#include "nsCSSProperty.h"
+#include "nsCSSValue.h"
+#include "nsDOMCSSDeclaration.h"
 #include "nsIDOMCSSConditionRule.h"
 #include "nsIDOMCSSCounterStyleRule.h"
 #include "nsIDOMCSSFontFaceRule.h"
@@ -22,18 +29,11 @@
 #include "nsIDOMCSSGroupingRule.h"
 #include "nsIDOMCSSMediaRule.h"
 #include "nsIDOMCSSMozDocumentRule.h"
+#include "nsIDOMCSSPageRule.h"
 #include "nsIDOMCSSSupportsRule.h"
 #include "nsIDOMMozCSSKeyframeRule.h"
 #include "nsIDOMMozCSSKeyframesRule.h"
-#include "nsAutoPtr.h"
-#include "nsCSSProperty.h"
-#include "nsCSSValue.h"
 #include "nsTArray.h"
-#include "nsDOMCSSDeclaration.h"
-#include "Declaration.h"
-#include "nsIDOMCSSPageRule.h"
-#include "StyleRule.h"
-#include "gfxFontFeatures.h"
 
 class nsMediaList;
 
@@ -287,7 +287,7 @@ protected:
 // specific @font-face rules
 struct nsFontFaceRuleContainer {
   RefPtr<nsCSSFontFaceRule> mRule;
-  uint8_t mSheetType;
+  mozilla::SheetType mSheetType;
 };
 
 inline nsCSSFontFaceRule*
diff --git a/layout/style/nsCSSValue.cpp b/layout/style/nsCSSValue.cpp
index 644a54da414a..42795358f5e3 100644
--- a/layout/style/nsCSSValue.cpp
+++ b/layout/style/nsCSSValue.cpp
@@ -1217,18 +1217,6 @@ nsCSSValue::AppendToString(nsCSSProperty aProperty, nsAString& aResult,
       }
       break;
 
-    case eCSSProperty_marks:
-      if (intValue == NS_STYLE_PAGE_MARKS_NONE) {
-        AppendASCIItoUTF16(nsCSSProps::LookupPropertyValue(aProperty, intValue),
-                           aResult);
-      } else {
-        nsStyleUtil::AppendBitmaskCSSValue(aProperty, intValue,
-                                           NS_STYLE_PAGE_MARKS_CROP,
-                                           NS_STYLE_PAGE_MARKS_REGISTER,
-                                           aResult);
-      }
-      break;
-
     case eCSSProperty_paint_order:
       static_assert
         (NS_STYLE_PAINT_ORDER_BITWIDTH * NS_STYLE_PAINT_ORDER_LAST_VALUE <= 8,
@@ -2538,7 +2526,7 @@ nsCSSValueGradient::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) con
 nsCSSValueTokenStream::nsCSSValueTokenStream()
   : mPropertyID(eCSSProperty_UNKNOWN)
   , mShorthandPropertyID(eCSSProperty_UNKNOWN)
-  , mLevel(nsStyleSet::eSheetTypeCount)
+  , mLevel(SheetType::Count)
 {
   MOZ_COUNT_CTOR(nsCSSValueTokenStream);
 }
diff --git a/layout/style/nsCSSValue.h b/layout/style/nsCSSValue.h
index 1566855564d7..31b0928679ba 100644
--- a/layout/style/nsCSSValue.h
+++ b/layout/style/nsCSSValue.h
@@ -10,6 +10,7 @@
 
 #include "mozilla/Attributes.h"
 #include "mozilla/MemoryReporting.h"
+#include "mozilla/SheetType.h"
 
 #include "nsIPrincipal.h"
 #include "nsIURI.h"
@@ -1542,7 +1543,7 @@ public:
   // mozilla::CSSStyleSheet* mSheet;
   uint32_t mLineNumber;
   uint32_t mLineOffset;
-  uint16_t mLevel; // an nsStyleSet::sheetType
+  mozilla::SheetType mLevel;
 
 private:
   nsCSSValueTokenStream(const nsCSSValueTokenStream& aOther) = delete;
diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
index 86a7d80e9359..ee8b1ce4631a 100644
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -503,8 +503,8 @@ nsComputedDOMStyle::GetStyleContextForElementNoFlush(Element* aElement,
     for (nsRuleNode* ruleNode = sc->RuleNode();
          !ruleNode->IsRoot();
          ruleNode = ruleNode->GetParent()) {
-      if (ruleNode->GetLevel() == nsStyleSet::eAgentSheet ||
-          ruleNode->GetLevel() == nsStyleSet::eUserSheet) {
+      if (ruleNode->GetLevel() == SheetType::Agent ||
+          ruleNode->GetLevel() == SheetType::User) {
         rules.AppendElement(ruleNode->GetRule());
       }
     }
diff --git a/layout/style/nsRuleData.h b/layout/style/nsRuleData.h
index 3fed3a556ceb..c7971d42c1f9 100644
--- a/layout/style/nsRuleData.h
+++ b/layout/style/nsRuleData.h
@@ -13,6 +13,7 @@
 
 #include "mozilla/CSSVariableDeclarations.h"
 #include "mozilla/RuleNodeCacheConditions.h"
+#include "mozilla/SheetType.h"
 #include "nsCSSProps.h"
 #include "nsCSSValue.h"
 #include "nsStyleStructFwd.h"
@@ -28,7 +29,7 @@ struct nsRuleData
   const uint32_t mSIDs;
   mozilla::RuleNodeCacheConditions mConditions;
   bool mIsImportantRule;
-  uint16_t mLevel; // an nsStyleSet::sheetType
+  mozilla::SheetType mLevel;
   nsPresContext* const mPresContext;
   nsStyleContext* const mStyleContext;
 
@@ -76,8 +77,8 @@ struct nsRuleData
     // include that here since it includes us.
     MOZ_ASSERT(mSIDs & (1 << sid),
                "calling nsRuleData::ValueFor on property not in mSIDs");
-    MOZ_ASSERT(sid != eStyleStruct_BackendOnly && indexInStruct != size_t(-1),
-               "backend-only or logical property");
+    MOZ_ASSERT(indexInStruct != size_t(-1),
+               "logical property");
 
     return mValueStorage + mValueOffsets[sid] + indexInStruct;
   }
@@ -105,23 +106,18 @@ struct nsRuleData
       nsStyleStructID sid = eStyleStruct_##stylestruct_;                     \
       size_t indexInStruct =                                                 \
         nsCSSProps::PropertyIndexInStruct(eCSSProperty_##id_);               \
-      MOZ_ASSERT(sid != eStyleStruct_BackendOnly &&                          \
-                 indexInStruct != size_t(-1),                                \
-                 "backend-only property");                                   \
+      MOZ_ASSERT(indexInStruct != size_t(-1),                                \
+                 "logical property");                                        \
       return mValueStorage + mValueOffsets[sid] + indexInStruct;             \
     }                                                                        \
     const nsCSSValue* ValueFor##method_() const {                            \
       return const_cast<nsRuleData*>(this)->ValueFor##method_();             \
     }
-  #define CSS_PROP_BACKENDONLY(name_, id_, method_, flags_, pref_,           \
-                             parsevariant_, kwtable_)                        \
-    /* empty; backend-only structs are not in nsRuleData  */
   #define CSS_PROP_LIST_EXCLUDE_LOGICAL
   #include "nsCSSPropList.h"
   #undef CSS_PROP_LIST_EXCLUDE_LOGICAL
   #undef CSS_PROP
   #undef CSS_PROP_PUBLIC_OR_PRIVATE
-  #undef CSS_PROP_BACKENDONLY
 
 private:
   inline size_t GetPoisonOffset();
diff --git a/layout/style/nsRuleNode.cpp b/layout/style/nsRuleNode.cpp
index 7e665e77211a..70bc08f4c0c0 100644
--- a/layout/style/nsRuleNode.cpp
+++ b/layout/style/nsRuleNode.cpp
@@ -505,6 +505,10 @@ static nscoord CalcLengthWith(const nsCSSValue& aValue,
   }
   switch (aValue.GetUnit()) {
     case eCSSUnit_EM: {
+      if (aValue.GetFloatValue() == 0.0f) {
+        // Don't call SetFontSizeDependency for '0em'.
+        return 0;
+      }
       // CSS2.1 specifies that this unit scales to the computed font
       // size, not the em-width in the font metrics, despite the name.
       aConditions.SetFontSizeDependency(aFontSize);
@@ -1466,11 +1470,11 @@ nsRuleNode::DestroyInternal(nsRuleNode ***aDestroyQueueTail)
 nsRuleNode* nsRuleNode::CreateRootNode(nsPresContext* aPresContext)
 {
   return new (aPresContext)
-    nsRuleNode(aPresContext, nullptr, nullptr, 0xff, false);
+    nsRuleNode(aPresContext, nullptr, nullptr, SheetType::Unknown, false);
 }
 
 nsRuleNode::nsRuleNode(nsPresContext* aContext, nsRuleNode* aParent,
-                       nsIStyleRule* aRule, uint8_t aLevel,
+                       nsIStyleRule* aRule, SheetType aLevel,
                        bool aIsImportant)
   : mPresContext(aContext),
     mParent(aParent),
@@ -1505,9 +1509,9 @@ nsRuleNode::nsRuleNode(nsPresContext* aContext, nsRuleNode* aParent,
 
   // nsStyleSet::GetContext depends on there being only one animation
   // rule.
-  MOZ_ASSERT(IsRoot() || GetLevel() != nsStyleSet::eAnimationSheet ||
+  MOZ_ASSERT(IsRoot() || GetLevel() != SheetType::Animation ||
              mParent->IsRoot() ||
-             mParent->GetLevel() != nsStyleSet::eAnimationSheet,
+             mParent->GetLevel() != SheetType::Animation,
              "must be only one rule at animation level");
 }
 
@@ -1522,7 +1526,7 @@ nsRuleNode::~nsRuleNode()
 }
 
 nsRuleNode*
-nsRuleNode::Transition(nsIStyleRule* aRule, uint8_t aLevel,
+nsRuleNode::Transition(nsIStyleRule* aRule, SheetType aLevel,
                        bool aIsImportantRule)
 {
   nsRuleNode* next = nullptr;
@@ -2180,10 +2184,10 @@ nsRuleNode::ResolveVariableReferences(const nsStyleStructID aSID,
       &aContext->StyleVariables()->mVariables;
     nsCSSValueTokenStream* tokenStream = value->GetTokenStreamValue();
 
-    MOZ_ASSERT(tokenStream->mLevel != nsStyleSet::eSheetTypeCount,
+    MOZ_ASSERT(tokenStream->mLevel != SheetType::Count,
                "Token stream should have a defined level");
 
-    AutoRestore<uint16_t> saveLevel(aRuleData->mLevel);
+    AutoRestore<SheetType> saveLevel(aRuleData->mLevel);
     aRuleData->mLevel = tokenStream->mLevel;
 
     // Note that ParsePropertyWithVariableReferences relies on the fact
@@ -2344,6 +2348,12 @@ nsRuleNode::WalkRuleTree(const nsStyleStructID aSID,
     // branch that they never need to examine their rules for this particular struct type
     // ever again.
     PropagateDependentBit(aSID, ruleNode, startStruct);
+    // With this same bit set, we do two different things:
+    // For reset structs, record that we have asked for this struct on
+    // this context, but it is not cached on the context.
+    // For inherited structs, mark the struct (which will be set on
+    // the context by our caller) as not being owned by the context.
+    aContext->AddStyleBit(nsCachedStyleData::GetBitForSID(aSID));
     return startStruct;
   }
   if ((!startStruct && !isReset &&
@@ -2713,11 +2723,10 @@ nsRuleNode::SetDefaultOnRoot(const nsStyleStructID aSID, nsStyleContext* aContex
     /* Propagate the bit down. */                                             \
     PropagateDependentBit(eStyleStruct_##type_, aHighestNode, data_);         \
     /* Tell the style context that it doesn't own the data */                 \
-    aContext->                                                                \
-      AddStyleBit(nsCachedStyleData::GetBitForSID(eStyleStruct_##type_));     \
+    aContext->AddStyleBit(NS_STYLE_INHERIT_BIT(type_));                       \
   }                                                                           \
-  /* Always cache inherited data on the style context */                      \
-  aContext->SetStyle##type_(data_);                                           \
+  /* For inherited structs, our caller will cache the data on the */          \
+  /* style context */                                                         \
                                                                               \
   return data_;
 
@@ -2749,6 +2758,9 @@ nsRuleNode::SetDefaultOnRoot(const nsStyleStructID aSID, nsStyleContext* aContex
       SetStyleData(eStyleStruct_##type_, data_);                              \
     /* Propagate the bit down. */                                             \
     PropagateDependentBit(eStyleStruct_##type_, aHighestNode, data_);         \
+    /* Tell the context that we've gotten the data (separate meaning */       \
+    /* of mBits when the cached data pointer is null) */                      \
+    aContext->AddStyleBit(NS_STYLE_INHERIT_BIT(type_));                       \
   } else if (conditions.Cacheable()) {                                        \
     if (!mStyleData.mResetData) {                                             \
       mStyleData.mResetData = new (mPresContext) nsConditionalResetStyleData; \
@@ -2756,8 +2768,7 @@ nsRuleNode::SetDefaultOnRoot(const nsStyleStructID aSID, nsStyleContext* aContex
     mStyleData.mResetData->                                                   \
       SetStyleData(eStyleStruct_##type_, mPresContext, data_, conditions);    \
     /* Tell the style context that it doesn't own the data */                 \
-    aContext->                                                                \
-      AddStyleBit(nsCachedStyleData::GetBitForSID(eStyleStruct_##type_));     \
+    aContext->AddStyleBit(NS_STYLE_INHERIT_BIT(type_));                       \
     aContext->SetStyle(eStyleStruct_##type_, data_);                          \
   } else {                                                                    \
     /* We can't be cached in the rule node.  We have to be put right */       \
@@ -9393,6 +9404,8 @@ nsRuleNode::GetStyleData(nsStyleStructID aSID,
                "if we ever call this on rule nodes that aren't used "
                "directly, we should adjust handling of mDependentBits "
                "in some way.");
+  MOZ_ASSERT(!aContext->GetCachedStyleData(aSID),
+             "style context should not have cached data for struct");
 
   const void *data;
 
@@ -9400,8 +9413,15 @@ nsRuleNode::GetStyleData(nsStyleStructID aSID,
   // see comment on cacheability in AnimValuesStyleRule::MapRuleInfoInto.
   if (!(HasAnimationData() && ParentHasPseudoElementData(aContext))) {
     data = mStyleData.GetStyleData(aSID, aContext);
-    if (MOZ_LIKELY(data != nullptr))
+    if (MOZ_LIKELY(data != nullptr)) {
+      // With this same bit set, we do two different things:
+      // For reset structs, mark the struct as having been retrieved for
+      // this context.
+      // For inherited structs, mark the struct (which will be set on
+      // the context by our caller) as not being owned by the context.
+      aContext->AddStyleBit(nsCachedStyleData::GetBitForSID(aSID));
       return data; // We have a fully specified struct. Just return it.
+    }
   }
 
   if (MOZ_UNLIKELY(!aComputeData))
@@ -9692,8 +9712,8 @@ nsRuleNode::HasAuthorSpecifiedRules(nsStyleContext* aStyleContext,
 
         rule->MapRuleInfoInto(&ruleData);
 
-        if (ruleData.mLevel == nsStyleSet::eAgentSheet ||
-            ruleData.mLevel == nsStyleSet::eUserSheet) {
+        if (ruleData.mLevel == SheetType::Agent ||
+            ruleData.mLevel == SheetType::User) {
           // This is a rule whose effect we want to ignore, so if any of
           // the properties we care about were set, set them to the dummy
           // value that they'll never otherwise get.
@@ -9815,7 +9835,7 @@ nsRuleNode::ComputePropertiesOverridingAnimation(
       // property) for transitions yet (which will make their
       // MapRuleInfoInto skip the properties that are currently
       // animating), we should skip them explicitly.
-      if (ruleData.mLevel == nsStyleSet::eTransitionSheet) {
+      if (ruleData.mLevel == SheetType::Transition) {
         continue;
       }
 
@@ -9865,3 +9885,12 @@ nsRuleNode::ParentHasPseudoElementData(nsStyleContext* aContext)
   nsStyleContext* parent = aContext->GetParent();
   return parent && parent->HasPseudoElementData();
 }
+
+#ifdef DEBUG
+bool
+nsRuleNode::ContextHasCachedData(nsStyleContext* aContext,
+                                 nsStyleStructID aSID)
+{
+  return !!aContext->GetCachedStyleData(aSID);
+}
+#endif
diff --git a/layout/style/nsRuleNode.h b/layout/style/nsRuleNode.h
index 3e8014e5bf8f..632e3ecd9cd3 100644
--- a/layout/style/nsRuleNode.h
+++ b/layout/style/nsRuleNode.h
@@ -15,6 +15,7 @@
 #include "mozilla/PodOperations.h"
 #include "mozilla/RangedArray.h"
 #include "mozilla/RuleNodeCacheConditions.h"
+#include "mozilla/SheetType.h"
 #include "nsPresContext.h"
 #include "nsStyleStruct.h"
 
@@ -418,10 +419,10 @@ private:
 
   struct Key {
     nsIStyleRule* mRule;
-    uint8_t mLevel;
+    mozilla::SheetType mLevel;
     bool mIsImportantRule;
 
-    Key(nsIStyleRule* aRule, uint8_t aLevel, bool aIsImportantRule)
+    Key(nsIStyleRule* aRule, mozilla::SheetType aLevel, bool aIsImportantRule)
       : mRule(aRule), mLevel(aLevel), mIsImportantRule(aIsImportantRule)
     {}
 
@@ -800,7 +801,7 @@ protected:
 
 private:
   nsRuleNode(nsPresContext* aPresContext, nsRuleNode* aParent,
-             nsIStyleRule* aRule, uint8_t aLevel, bool aIsImportant);
+             nsIStyleRule* aRule, mozilla::SheetType aLevel, bool aIsImportant);
   ~nsRuleNode();
 
 public:
@@ -812,7 +813,7 @@ public:
   static void EnsureInlineDisplay(uint8_t& display);
 
   // Transition never returns null; on out of memory it'll just return |this|.
-  nsRuleNode* Transition(nsIStyleRule* aRule, uint8_t aLevel,
+  nsRuleNode* Transition(nsIStyleRule* aRule, mozilla::SheetType aLevel,
                          bool aIsImportantRule);
   nsRuleNode* GetParent() const { return mParent; }
   bool IsRoot() const { return mParent == nullptr; }
@@ -823,11 +824,11 @@ public:
     return const_cast<nsRuleNode*>(this)->RuleTree();
   }
 
-  // These uint8_ts are really nsStyleSet::sheetType values.
-  uint8_t GetLevel() const {
+  mozilla::SheetType GetLevel() const {
     NS_ASSERTION(!IsRoot(), "can't call on root");
-    return (mDependentBits & NS_RULE_NODE_LEVEL_MASK) >>
-             NS_RULE_NODE_LEVEL_SHIFT;
+    return mozilla::SheetType(
+        (mDependentBits & NS_RULE_NODE_LEVEL_MASK) >>
+          NS_RULE_NODE_LEVEL_SHIFT);
   }
   bool IsImportantRule() const {
     NS_ASSERTION(!IsRoot(), "can't call on root");
@@ -882,12 +883,14 @@ public:
   #define STYLE_STRUCT_INHERITED(name_, checkdata_cb_)                        \
   template<bool aComputeData>                                                 \
   const nsStyle##name_*                                                       \
-  GetStyle##name_(nsStyleContext* aContext)                                   \
+  GetStyle##name_(nsStyleContext* aContext, uint64_t& aContextStyleBits)      \
   {                                                                           \
     NS_ASSERTION(IsUsedDirectly(),                                            \
                  "if we ever call this on rule nodes that aren't used "       \
                  "directly, we should adjust handling of mDependentBits "     \
                  "in some way.");                                             \
+    MOZ_ASSERT(!ContextHasCachedData(aContext, eStyleStruct_##name_),         \
+               "style context should not have cached data for struct");       \
                                                                               \
     const nsStyle##name_ *data;                                               \
                                                                               \
@@ -895,8 +898,15 @@ public:
     /* see comment on cacheability in AnimValuesStyleRule::MapRuleInfoInto */ \
     if (!(HasAnimationData() && ParentHasPseudoElementData(aContext))) {      \
       data = mStyleData.GetStyle##name_();                                    \
-      if (MOZ_LIKELY(data != nullptr))                                        \
+      if (data != nullptr) {                                                  \
+        /* For inherited structs, mark the struct (which will be set on */    \
+        /* the context by our caller) as not being owned by the context. */   \
+        /* Normally this would be aContext->AddStyleBit(), but aContext is */ \
+        /* an incomplete type here, so we work around that with a param. */   \
+        aContextStyleBits |= NS_STYLE_INHERIT_BIT(name_);                     \
+        /* Our caller will cache the data on the style context. */            \
         return data;                                                          \
+      }                                                                       \
     }                                                                         \
                                                                               \
     if (!aComputeData)                                                        \
@@ -912,12 +922,14 @@ public:
   #define STYLE_STRUCT_RESET(name_, checkdata_cb_)                            \
   template<bool aComputeData>                                                 \
   const nsStyle##name_*                                                       \
-  GetStyle##name_(nsStyleContext* aContext)                                   \
+  GetStyle##name_(nsStyleContext* aContext, uint64_t& aContextStyleBits)      \
   {                                                                           \
     NS_ASSERTION(IsUsedDirectly(),                                            \
                  "if we ever call this on rule nodes that aren't used "       \
                  "directly, we should adjust handling of mDependentBits "     \
                  "in some way.");                                             \
+    MOZ_ASSERT(!ContextHasCachedData(aContext, eStyleStruct_##name_),         \
+               "style context should not have cached data for struct");       \
                                                                               \
     const nsStyle##name_ *data;                                               \
                                                                               \
@@ -925,8 +937,13 @@ public:
     /* see comment on cacheability in AnimValuesStyleRule::MapRuleInfoInto */ \
     if (!(HasAnimationData() && ParentHasPseudoElementData(aContext))) {      \
       data = mStyleData.GetStyle##name_(aContext);                            \
-      if (MOZ_LIKELY(data != nullptr))                                        \
+      if (MOZ_LIKELY(data != nullptr)) {                                      \
+        /* Mark the struct as having been retrieved for this context. */      \
+        /* Normally this would be aContext->AddStyleBit(), but aContext is */ \
+        /* an incomplete type here, so we work around that with a param. */   \
+        aContextStyleBits |= NS_STYLE_INHERIT_BIT(name_);                     \
         return data;                                                          \
+      }                                                                       \
     }                                                                         \
                                                                               \
     if (!aComputeData)                                                        \
@@ -1053,6 +1070,14 @@ public:
                            nscolor& aResult);
 
   static bool ParentHasPseudoElementData(nsStyleContext* aContext);
+
+private:
+#ifdef DEBUG
+  // non-inline helper function to allow assertions without incomplete
+  // type errors
+  bool ContextHasCachedData(nsStyleContext* aContext, nsStyleStructID aSID);
+#endif
+
 };
 
 #endif
diff --git a/layout/style/nsRuleWalker.h b/layout/style/nsRuleWalker.h
index f2c4a7de7e56..51e2228a7e19 100644
--- a/layout/style/nsRuleWalker.h
+++ b/layout/style/nsRuleWalker.h
@@ -54,7 +54,7 @@ public:
 
   bool AtRoot() { return mCurrent == mRoot; }
 
-  void SetLevel(uint8_t aLevel, bool aImportance,
+  void SetLevel(mozilla::SheetType aLevel, bool aImportance,
                 bool aCheckForImportantRules) {
     NS_ASSERTION(!aCheckForImportantRules || !aImportance,
                  "Shouldn't be checking for important rules while walking "
@@ -63,7 +63,7 @@ public:
     mImportance = aImportance;
     mCheckForImportantRules = aCheckForImportantRules;
   }
-  uint8_t GetLevel() const { return mLevel; }
+  mozilla::SheetType GetLevel() const { return mLevel; }
   bool GetImportance() const { return mImportance; }
   bool GetCheckForImportantRules() const { return mCheckForImportantRules; }
 
@@ -86,7 +86,7 @@ public:
 private:
   nsRuleNode* mCurrent; // Our current position.  Never null.
   nsRuleNode* mRoot; // The root of the tree we're walking.
-  uint8_t mLevel; // an nsStyleSet::sheetType
+  mozilla::SheetType mLevel;
   bool mImportance;
   bool mCheckForImportantRules; // If true, check for important rules as
                                 // we walk and set to false if we find
diff --git a/layout/style/nsStyleContext.cpp b/layout/style/nsStyleContext.cpp
index 7fb784cbdcd3..855dd7a39970 100644
--- a/layout/style/nsStyleContext.cpp
+++ b/layout/style/nsStyleContext.cpp
@@ -412,27 +412,19 @@ nsStyleContext::HasChildThatUsesGrandancestorStyle() const
          ListContainsStyleContextThatUsesGrandancestorStyle(mChild);
 }
 
-const void* nsStyleContext::GetCachedStyleData(nsStyleStructID aSID)
-{
-  const void* cachedData;
-  if (nsCachedStyleData::IsReset(aSID)) {
-    if (mCachedResetData) {
-      cachedData = mCachedResetData->mStyleStructs[aSID];
-    } else {
-      cachedData = nullptr;
-    }
-  } else {
-    cachedData = mCachedInheritedData.mStyleStructs[aSID];
-  }
-  return cachedData;
-}
-
 const void* nsStyleContext::StyleData(nsStyleStructID aSID)
 {
   const void* cachedData = GetCachedStyleData(aSID);
   if (cachedData)
     return cachedData; // We have computed data stored on this node in the context tree.
-  return mRuleNode->GetStyleData(aSID, this, true); // Our rule node will take care of it for us.
+  // Our rule node will take care of it for us.
+  const void* newData = mRuleNode->GetStyleData(aSID, this, true);
+  if (!nsCachedStyleData::IsReset(aSID)) {
+    // always cache inherited data on the style context; the rule
+    // node set the bit in mBits for us if needed.
+    mCachedInheritedData.mStyleStructs[aSID] = const_cast<void*>(newData);
+  }
+  return newData;
 }
 
 // This is an evil evil function, since it forces you to alloc your own separate copy of
@@ -844,19 +836,22 @@ nsStyleContext::CalcStyleDifference(nsStyleContext* aOther,
   // we worry about 'inherit' values.)
   bool compare = mRuleNode != aOther->mRuleNode;
 
+  DebugOnly<uint32_t> structsFound = 0;
+
   // If we had any change in variable values, then we'll need to examine
   // all of the other style structs too, even if the new style context has
   // the same rule node as the old one.
   const nsStyleVariables* thisVariables = PeekStyleVariables();
   if (thisVariables) {
+    structsFound |= NS_STYLE_INHERIT_BIT(Variables);
     const nsStyleVariables* otherVariables = aOther->StyleVariables();
     if (thisVariables->mVariables == otherVariables->mVariables) {
-      *aEqualStructs |= nsCachedStyleData::GetBitForSID(eStyleStruct_Variables);
+      *aEqualStructs |= NS_STYLE_INHERIT_BIT(Variables);
     } else {
       compare = true;
     }
   } else {
-    *aEqualStructs |= nsCachedStyleData::GetBitForSID(eStyleStruct_Variables);
+    *aEqualStructs |= NS_STYLE_INHERIT_BIT(Variables);
   }
 
   DebugOnly<int> styleStructCount = 1;  // count Variables already
@@ -865,6 +860,7 @@ nsStyleContext::CalcStyleDifference(nsStyleContext* aOther,
   PR_BEGIN_MACRO                                                              \
     const nsStyle##struct_* this##struct_ = PeekStyle##struct_();             \
     if (this##struct_) {                                                      \
+      structsFound |= NS_STYLE_INHERIT_BIT(struct_);                          \
       const nsStyle##struct_* other##struct_ = aOther->Style##struct_();      \
       nsChangeHint maxDifference = nsStyle##struct_::MaxDifference();         \
       nsChangeHint differenceAlwaysHandledForDescendants =                    \
@@ -944,6 +940,16 @@ nsStyleContext::CalcStyleDifference(nsStyleContext* aOther,
   MOZ_ASSERT(styleStructCount == nsStyleStructID_Length,
              "missing a call to DO_STRUCT_DIFFERENCE");
 
+#ifdef DEBUG
+  #define STYLE_STRUCT(name_, callback_)                                      \
+    MOZ_ASSERT(!!(structsFound & NS_STYLE_INHERIT_BIT(name_)) ==              \
+               !!PeekStyle##name_(),                                          \
+               "PeekStyleData results must not change in the middle of "      \
+               "difference calculation.");
+  #include "nsStyleStructList.h"
+  #undef STYLE_STRUCT
+#endif
+
   // We check for struct pointer equality here rather than as part of the
   // DO_STRUCT_DIFFERENCE calls, since those calls can result in structs
   // we previously examined and found to be null on this style context
@@ -1371,7 +1377,7 @@ nsStyleContext::SwapStyleData(nsStyleContext* aNewContext, uint32_t aStructs)
     }
     void*& thisData = mCachedInheritedData.mStyleStructs[i];
     void*& otherData = aNewContext->mCachedInheritedData.mStyleStructs[i];
-    if (mBits & bit) {
+    if ((mBits & bit) && thisData) {
       if (thisData == otherData) {
         thisData = nullptr;
       }
@@ -1396,7 +1402,7 @@ nsStyleContext::SwapStyleData(nsStyleContext* aNewContext, uint32_t aStructs)
     }
     void*& thisData = mCachedResetData->mStyleStructs[i];
     void*& otherData = aNewContext->mCachedResetData->mStyleStructs[i];
-    if (mBits & bit) {
+    if ((mBits & bit) && thisData) {
       if (thisData == otherData) {
         thisData = nullptr;
       }
@@ -1501,7 +1507,7 @@ nsStyleContext::GetCachedStyleDataAsString(uint32_t aStructs)
         structs.Append(' ');
       }
       structs.AppendPrintf("%s=%p", StructName(i), data);
-      if (HasCachedInheritedStyleData(i)) {
+      if (HasCachedDependentStyleData(i)) {
         structs.AppendLiteral("(dependent)");
       } else {
         structs.AppendLiteral("(owned)");
diff --git a/layout/style/nsStyleContext.h b/layout/style/nsStyleContext.h
index d8ab5cec49b3..6f5423b08513 100644
--- a/layout/style/nsStyleContext.h
+++ b/layout/style/nsStyleContext.h
@@ -282,11 +282,15 @@ public:
   #undef STYLE_STRUCT_INHERITED
 
   /**
-   * Returns whether this style context has cached, inherited style data for a
-   * given style struct.
+   * Returns whether this style context has cached style data for a
+   * given style struct and it does NOT own that struct.  This can
+   * happen because it was inherited from the parent style context, or
+   * because it was stored conditionally on the rule node.
    */
-  bool HasCachedInheritedStyleData(nsStyleStructID aSID)
-    { return mBits & nsCachedStyleData::GetBitForSID(aSID); }
+  bool HasCachedDependentStyleData(nsStyleStructID aSID) {
+    return (mBits & nsCachedStyleData::GetBitForSID(aSID)) &&
+           GetCachedStyleData(aSID);
+  }
 
   nsRuleNode* RuleNode() { return mRuleNode; }
   void AddStyleBit(const uint64_t& aBit) { mBits |= aBit; }
@@ -453,6 +457,28 @@ public:
   int32_t& LoggingDepth();
 #endif
 
+  /**
+   * Return style data that is currently cached on the style context.
+   * Only returns the structs we cache ourselves; never consults the
+   * rule tree.
+   *
+   * For "internal" use only in nsStyleContext and nsRuleNode.
+   */
+  const void* GetCachedStyleData(nsStyleStructID aSID)
+  {
+    const void* cachedData;
+    if (nsCachedStyleData::IsReset(aSID)) {
+      if (mCachedResetData) {
+        cachedData = mCachedResetData->mStyleStructs[aSID];
+      } else {
+        cachedData = nullptr;
+      }
+    } else {
+      cachedData = mCachedInheritedData.mStyleStructs[aSID];
+    }
+    return cachedData;
+  }
+
 private:
   // Private destructor, to discourage deletion outside of Release():
   ~nsStyleContext();
@@ -469,10 +495,6 @@ private:
   static bool ListContainsStyleContextThatUsesGrandancestorStyle(
                                                    const nsStyleContext* aHead);
 
-  // Helper function that GetStyleData and GetUniqueStyleData use.  Only
-  // returns the structs we cache ourselves; never consults the ruletree.
-  inline const void* GetCachedStyleData(nsStyleStructID aSID);
-
 #ifdef DEBUG
   struct AutoCheckDependency {
 
@@ -511,9 +533,20 @@ private:
           mCachedInheritedData.mStyleStructs[eStyleStruct_##name_]);    \
       if (cachedData) /* Have it cached already, yay */                 \
         return cachedData;                                              \
+      if (!aComputeData) {                                              \
+        /* We always cache inherited structs on the context when we */  \
+        /* compute them. */                                             \
+        return nullptr;                                                 \
+      }                                                                 \
       /* Have the rulenode deal */                                      \
       AUTO_CHECK_DEPENDENCY(eStyleStruct_##name_);                      \
-      return mRuleNode->GetStyle##name_<aComputeData>(this);            \
+      const nsStyle##name_ * newData =                                  \
+        mRuleNode->GetStyle##name_<aComputeData>(this, mBits);          \
+      /* always cache inherited data on the style context; the rule */  \
+      /* node set the bit in mBits for us if needed. */                 \
+      mCachedInheritedData.mStyleStructs[eStyleStruct_##name_] =        \
+        const_cast<nsStyle##name_ *>(newData);                          \
+      return newData;                                                   \
     }
   #define STYLE_STRUCT_RESET(name_, checkdata_cb_)                      \
     template<bool aComputeData>                                         \
@@ -525,9 +558,14 @@ private:
         if (cachedData) /* Have it cached already, yay */               \
           return cachedData;                                            \
       }                                                                 \
+      if (!aComputeData && !(mBits & NS_STYLE_INHERIT_BIT(name_))) {    \
+        /* When we compute reset structs, we either cache them on */    \
+        /* the style context or set the bit in mBits. */                \
+        return nullptr;                                                 \
+      }                                                                 \
       /* Have the rulenode deal */                                      \
       AUTO_CHECK_DEPENDENCY(eStyleStruct_##name_);                      \
-      return mRuleNode->GetStyle##name_<aComputeData>(this);            \
+      return mRuleNode->GetStyle##name_<aComputeData>(this, mBits);     \
     }
   #include "nsStyleStructList.h"
   #undef STYLE_STRUCT_RESET
@@ -584,15 +622,27 @@ private:
   // are owned by this style context and structs that are owned by one of
   // this style context's ancestors (which are indirectly owned since this
   // style context owns a reference to its parent).  If the bit in |mBits|
-  // is set for a struct, that means that the pointer for that struct is
-  // owned by an ancestor or by mRuleNode rather than by this style context.
-  // Since style contexts typically have some inherited data but only sometimes
-  // have reset data, we always allocate the mCachedInheritedData, but only
-  // sometimes allocate the mCachedResetData.
+  // is set for a non-null struct, that means that the pointer for that
+  // struct is owned by an ancestor or by mRuleNode rather than by this
+  // style context.  Since style contexts typically have some inherited
+  // data but only sometimes have reset data, we always allocate the
+  // mCachedInheritedData, but only sometimes allocate the
+  // mCachedResetData.
   nsResetStyleData*       mCachedResetData; // Cached reset style data.
   nsInheritedStyleData    mCachedInheritedData; // Cached inherited style data
-  uint64_t                mBits; // Which structs are inherited from the
-                                 // parent context or owned by mRuleNode.
+
+  // mBits stores a number of things:
+  //  - For all structs, when they are non-null in the style context's
+  //    storage, it records (using the style struct bits) which structs
+  //    are inherited from the parent context or owned by mRuleNode.
+  //  - For reset (non-inherited) style structs, when they are null in
+  //    the style context's storage, it records that we have been asked
+  //    for that struct.  (We don't need this for inherited structs
+  //    since we always cache them in mCachedInheritedData.)
+  //  - It also stores the additional bits listed at the top of
+  //    nsStyleStruct.h.
+  uint64_t                mBits;
+
   uint32_t                mRefCnt;
 
 #ifdef DEBUG
diff --git a/layout/style/nsStyleSet.cpp b/layout/style/nsStyleSet.cpp
index e56e31b33d3c..026a79b24dd1 100644
--- a/layout/style/nsStyleSet.cpp
+++ b/layout/style/nsStyleSet.cpp
@@ -13,6 +13,7 @@
 
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/CSSStyleSheet.h"
+#include "mozilla/EnumeratedRange.h"
 #include "mozilla/EventStates.h"
 #include "mozilla/MemoryReporting.h"
 #include "mozilla/RuleProcessorCache.h"
@@ -143,18 +144,18 @@ nsDisableTextZoomStyleRule::List(FILE* out, int32_t aIndent) const
 }
 #endif
 
-static const nsStyleSet::sheetType gCSSSheetTypes[] = {
+static const SheetType gCSSSheetTypes[] = {
   // From lowest to highest in cascading order.
-  nsStyleSet::eAgentSheet,
-  nsStyleSet::eUserSheet,
-  nsStyleSet::eDocSheet,
-  nsStyleSet::eScopedDocSheet,
-  nsStyleSet::eOverrideSheet
+  SheetType::Agent,
+  SheetType::User,
+  SheetType::Doc,
+  SheetType::ScopedDoc,
+  SheetType::Override
 };
 
-static bool IsCSSSheetType(nsStyleSet::sheetType aSheetType)
+static bool IsCSSSheetType(SheetType aSheetType)
 {
-  for (nsStyleSet::sheetType type : gCSSSheetTypes) {
+  for (SheetType type : gCSSSheetTypes) {
     if (type == aSheetType) {
       return true;
     }
@@ -177,7 +178,7 @@ nsStyleSet::nsStyleSet()
 
 nsStyleSet::~nsStyleSet()
 {
-  for (sheetType type : gCSSSheetTypes) {
+  for (SheetType type : gCSSSheetTypes) {
     for (uint32_t i = 0, n = mSheets[type].Length(); i < n; i++) {
       static_cast<CSSStyleSheet*>(mSheets[type][i])->DropStyleSet(this);
     }
@@ -185,12 +186,12 @@ nsStyleSet::~nsStyleSet()
 
   // drop reference to cached rule processors
   nsCSSRuleProcessor* rp;
-  rp = static_cast<nsCSSRuleProcessor*>(mRuleProcessors[eAgentSheet].get());
+  rp = static_cast<nsCSSRuleProcessor*>(mRuleProcessors[SheetType::Agent].get());
   if (rp) {
     MOZ_ASSERT(rp->IsShared());
     rp->ReleaseStyleSetRef();
   }
-  rp = static_cast<nsCSSRuleProcessor*>(mRuleProcessors[eUserSheet].get());
+  rp = static_cast<nsCSSRuleProcessor*>(mRuleProcessors[SheetType::User].get());
   if (rp) {
     MOZ_ASSERT(rp->IsShared());
     rp->ReleaseStyleSetRef();
@@ -202,17 +203,17 @@ nsStyleSet::SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const
 {
   size_t n = aMallocSizeOf(this);
 
-  for (int i = 0; i < eSheetTypeCount; i++) {
-    if (mRuleProcessors[i]) {
+  for (SheetType type : MakeEnumeratedRange(SheetType::Count)) {
+    if (mRuleProcessors[type]) {
       bool shared = false;
-      if (i == eAgentSheet || i == eUserSheet) {
+      if (type == SheetType::Agent || type == SheetType::User) {
         // The only two origins we consider caching rule processors for.
         nsCSSRuleProcessor* rp =
-          static_cast<nsCSSRuleProcessor*>(mRuleProcessors[i].get());
+          static_cast<nsCSSRuleProcessor*>(mRuleProcessors[type].get());
         shared = rp->IsShared();
       }
       if (!shared) {
-        n += mRuleProcessors[i]->SizeOfIncludingThis(aMallocSizeOf);
+        n += mRuleProcessors[type]->SizeOfIncludingThis(aMallocSizeOf);
       }
     }
     // mSheets is a C-style array of nsCOMArrays.  We do not own the sheets in
@@ -220,7 +221,7 @@ nsStyleSet::SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const
     // document owns them) so we do not count the sheets here (we pass nullptr
     // as the aSizeOfElementIncludingThis argument).  All we're doing here is
     // counting the size of the nsCOMArrays' buffers.
-    n += mSheets[i].SizeOfExcludingThis(nullptr, aMallocSizeOf);
+    n += mSheets[type].SizeOfExcludingThis(nullptr, aMallocSizeOf);
   }
 
   for (uint32_t i = 0; i < mScopedDocSheetRuleProcessors.Length(); i++) {
@@ -247,11 +248,11 @@ nsStyleSet::Init(nsPresContext *aPresContext)
   // Make an explicit GatherRuleProcessors call for the levels that
   // don't have style sheets.  The other levels will have their calls
   // triggered by DirtyRuleProcessors.  (We should probably convert the
-  // ePresHintSheet and eStyleAttrSheet levels to work like this as
-  // well, and not implement nsIStyleSheet.)
-  GatherRuleProcessors(eAnimationSheet);
-  GatherRuleProcessors(eTransitionSheet);
-  GatherRuleProcessors(eSVGAttrAnimationSheet);
+  // SheetType::PresHint and SheetType::StyleAttr levels to work like
+  // this as well, and not implement nsIStyleSheet.)
+  GatherRuleProcessors(SheetType::Animation);
+  GatherRuleProcessors(SheetType::Transition);
+  GatherRuleProcessors(SheetType::SVGAttrAnimation);
 }
 
 nsresult
@@ -387,7 +388,7 @@ SortStyleSheetsByScope(nsTArray<CSSStyleSheet*>& aSheets)
 }
 
 nsresult
-nsStyleSet::GatherRuleProcessors(sheetType aType)
+nsStyleSet::GatherRuleProcessors(SheetType aType)
 {
   NS_ENSURE_FALSE(mInShutdown, NS_ERROR_FAILURE);
 
@@ -401,7 +402,7 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
   }
   nsCOMPtr<nsIStyleRuleProcessor> oldRuleProcessor(mRuleProcessors[aType]);
   nsTArray<nsCOMPtr<nsIStyleRuleProcessor>> oldScopedDocRuleProcessors;
-  if (aType == eAgentSheet || aType == eUserSheet) {
+  if (aType == SheetType::Agent || aType == SheetType::User) {
     // drop reference to cached rule processor
     nsCSSRuleProcessor* rp =
       static_cast<nsCSSRuleProcessor*>(mRuleProcessors[aType].get());
@@ -411,7 +412,7 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
     }
   }
   mRuleProcessors[aType] = nullptr;
-  if (aType == eScopedDocSheet) {
+  if (aType == SheetType::ScopedDoc) {
     for (uint32_t i = 0; i < mScopedDocSheetRuleProcessors.Length(); i++) {
       nsIStyleRuleProcessor* processor = mScopedDocSheetRuleProcessors[i].get();
       Element* scope =
@@ -422,9 +423,9 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
     // Clear mScopedDocSheetRuleProcessors, but save it.
     oldScopedDocRuleProcessors.SwapElements(mScopedDocSheetRuleProcessors);
   }
-  if (mAuthorStyleDisabled && (aType == eDocSheet || 
-                               aType == eScopedDocSheet ||
-                               aType == eStyleAttrSheet)) {
+  if (mAuthorStyleDisabled && (aType == SheetType::Doc || 
+                               aType == SheetType::ScopedDoc ||
+                               aType == SheetType::StyleAttr)) {
     // Don't regather if this level is disabled.  Note that we gather
     // preshint sheets no matter what, but then skip them for some
     // elements later if mAuthorStyleDisabled.
@@ -433,24 +434,24 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
   switch (aType) {
     // handle the types for which have a rule processor that does not
     // implement the style sheet interface.
-    case eAnimationSheet:
+    case SheetType::Animation:
       MOZ_ASSERT(mSheets[aType].IsEmpty());
       mRuleProcessors[aType] = PresContext()->AnimationManager();
       return NS_OK;
-    case eTransitionSheet:
+    case SheetType::Transition:
       MOZ_ASSERT(mSheets[aType].IsEmpty());
       mRuleProcessors[aType] = PresContext()->TransitionManager();
       return NS_OK;
-    case eStyleAttrSheet:
+    case SheetType::StyleAttr:
       MOZ_ASSERT(mSheets[aType].IsEmpty());
       mRuleProcessors[aType] = PresContext()->Document()->GetInlineStyleSheet();
       return NS_OK;
-    case ePresHintSheet:
+    case SheetType::PresHint:
       MOZ_ASSERT(mSheets[aType].IsEmpty());
       mRuleProcessors[aType] =
         PresContext()->Document()->GetAttributeStyleSheet();
       return NS_OK;
-    case eSVGAttrAnimationSheet:
+    case SheetType::SVGAttrAnimation:
       MOZ_ASSERT(mSheets[aType].IsEmpty());
       mRuleProcessors[aType] =
         PresContext()->Document()->GetSVGAttrAnimationRuleProcessor();
@@ -459,9 +460,9 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
       // keep going
       break;
   }
-  if (aType == eScopedDocSheet) {
+  if (aType == SheetType::ScopedDoc) {
     // Create a rule processor for each scope.
-    uint32_t count = mSheets[eScopedDocSheet].Count();
+    uint32_t count = mSheets[SheetType::ScopedDoc].Count();
     if (count) {
       // Gather the scoped style sheets into an array as
       // CSSStyleSheets, and mark all of their scope elements
@@ -469,7 +470,7 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
       nsTArray<CSSStyleSheet*> sheets(count);
       for (uint32_t i = 0; i < count; i++) {
         RefPtr<CSSStyleSheet> sheet =
-          do_QueryObject(mSheets[eScopedDocSheet].ObjectAt(i));
+          do_QueryObject(mSheets[SheetType::ScopedDoc].ObjectAt(i));
         sheets.AppendElement(sheet);
 
         Element* scope = sheet->GetScopeElement();
@@ -511,8 +512,7 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
         sheetsForScope.AppendElements(sheets.Elements() + start, end - start);
         nsCSSRuleProcessor* oldRP = oldScopedRuleProcessorHash.Get(scope);
         mScopedDocSheetRuleProcessors.AppendElement
-          (new nsCSSRuleProcessor(sheetsForScope, uint8_t(aType), scope,
-                                  oldRP));
+          (new nsCSSRuleProcessor(sheetsForScope, aType, scope, oldRP));
 
         start = end;
       } while (start < count);
@@ -521,8 +521,8 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
   }
   if (mSheets[aType].Count()) {
     switch (aType) {
-      case eAgentSheet:
-      case eUserSheet: {
+      case SheetType::Agent:
+      case SheetType::User: {
         // levels containing non-scoped CSS style sheets whose rule processors
         // we want to re-use
         nsCOMArray<nsIStyleSheet>& sheets = mSheets[aType];
@@ -539,7 +539,7 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
         nsCSSRuleProcessor* rp =
           RuleProcessorCache::GetRuleProcessor(cssSheetsRaw, PresContext());
         if (!rp) {
-          rp = new nsCSSRuleProcessor(cssSheets, uint8_t(aType), nullptr,
+          rp = new nsCSSRuleProcessor(cssSheets, aType, nullptr,
                                       static_cast<nsCSSRuleProcessor*>(
                                        oldRuleProcessor.get()),
                                       true /* aIsShared */);
@@ -555,8 +555,8 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
         rp->AddStyleSetRef();
         break;
       }
-      case eDocSheet:
-      case eOverrideSheet: {
+      case SheetType::Doc:
+      case SheetType::Override: {
         // levels containing non-scoped CSS stylesheets whose rule processors
         // we don't want to re-use
         nsCOMArray<nsIStyleSheet>& sheets = mSheets[aType];
@@ -567,7 +567,7 @@ nsStyleSet::GatherRuleProcessors(sheetType aType)
           cssSheets.AppendElement(cssSheet);
         }
         mRuleProcessors[aType] =
-          new nsCSSRuleProcessor(cssSheets, uint8_t(aType), nullptr,
+          new nsCSSRuleProcessor(cssSheets, aType, nullptr,
                                  static_cast<nsCSSRuleProcessor*>(
                                    oldRuleProcessor.get()));
       } break;
@@ -593,7 +593,7 @@ IsScopedStyleSheet(nsIStyleSheet* aSheet)
 }
 
 nsresult
-nsStyleSet::AppendStyleSheet(sheetType aType, nsIStyleSheet *aSheet)
+nsStyleSet::AppendStyleSheet(SheetType aType, nsIStyleSheet *aSheet)
 {
   NS_PRECONDITION(aSheet, "null arg");
   NS_ASSERTION(aSheet->IsApplicable(),
@@ -610,7 +610,7 @@ nsStyleSet::AppendStyleSheet(sheetType aType, nsIStyleSheet *aSheet)
 }
 
 nsresult
-nsStyleSet::PrependStyleSheet(sheetType aType, nsIStyleSheet *aSheet)
+nsStyleSet::PrependStyleSheet(SheetType aType, nsIStyleSheet *aSheet)
 {
   NS_PRECONDITION(aSheet, "null arg");
   NS_ASSERTION(aSheet->IsApplicable(),
@@ -627,7 +627,7 @@ nsStyleSet::PrependStyleSheet(sheetType aType, nsIStyleSheet *aSheet)
 }
 
 nsresult
-nsStyleSet::RemoveStyleSheet(sheetType aType, nsIStyleSheet *aSheet)
+nsStyleSet::RemoveStyleSheet(SheetType aType, nsIStyleSheet *aSheet)
 {
   NS_PRECONDITION(aSheet, "null arg");
   NS_ASSERTION(aSheet->IsComplete(),
@@ -642,7 +642,7 @@ nsStyleSet::RemoveStyleSheet(sheetType aType, nsIStyleSheet *aSheet)
 }
 
 nsresult
-nsStyleSet::ReplaceSheets(sheetType aType,
+nsStyleSet::ReplaceSheets(SheetType aType,
                           const nsCOMArray<nsIStyleSheet> &aNewSheets)
 {
   bool cssSheetType = IsCSSSheetType(aType);
@@ -666,7 +666,7 @@ nsStyleSet::ReplaceSheets(sheetType aType,
 }
 
 nsresult
-nsStyleSet::InsertStyleSheetBefore(sheetType aType, nsIStyleSheet *aNewSheet,
+nsStyleSet::InsertStyleSheetBefore(SheetType aType, nsIStyleSheet *aNewSheet,
                                    nsIStyleSheet *aReferenceSheet)
 {
   NS_PRECONDITION(aNewSheet && aReferenceSheet, "null arg");
@@ -688,13 +688,19 @@ nsStyleSet::InsertStyleSheetBefore(sheetType aType, nsIStyleSheet *aNewSheet,
   return DirtyRuleProcessors(aType);
 }
 
+static inline uint32_t
+DirtyBit(SheetType aType)
+{
+  return 1 << uint32_t(aType);
+}
+
 nsresult
-nsStyleSet::DirtyRuleProcessors(sheetType aType)
+nsStyleSet::DirtyRuleProcessors(SheetType aType)
 {
   if (!mBatching)
     return GatherRuleProcessors(aType);
 
-  mDirty |= 1 << aType;
+  mDirty |= DirtyBit(aType);
   return NS_OK;
 }
 
@@ -710,9 +716,9 @@ nsStyleSet::SetAuthorStyleDisabled(bool aStyleDisabled)
   if (aStyleDisabled == !mAuthorStyleDisabled) {
     mAuthorStyleDisabled = aStyleDisabled;
     BeginUpdate();
-    mDirty |= 1 << eDocSheet |
-              1 << eScopedDocSheet |
-              1 << eStyleAttrSheet;
+    mDirty |= DirtyBit(SheetType::Doc) |
+              DirtyBit(SheetType::ScopedDoc) |
+              DirtyBit(SheetType::StyleAttr);
     return EndUpdate();
   }
   return NS_OK;
@@ -727,9 +733,9 @@ nsStyleSet::AddDocStyleSheet(nsIStyleSheet* aSheet, nsIDocument* aDocument)
   NS_ASSERTION(aSheet->IsApplicable(),
                "Inapplicable sheet being placed in style set");
 
-  sheetType type = IsScopedStyleSheet(aSheet) ?
-                     eScopedDocSheet :
-                     eDocSheet;
+  SheetType type = IsScopedStyleSheet(aSheet) ?
+                     SheetType::ScopedDoc :
+                     SheetType::Doc;
   nsCOMArray<nsIStyleSheet>& sheets = mSheets[type];
 
   bool present = sheets.RemoveObject(aSheet);
@@ -771,7 +777,8 @@ nsStyleSet::RemoveDocStyleSheet(nsIStyleSheet *aSheet)
 {
   RefPtr<CSSStyleSheet> cssSheet = do_QueryObject(aSheet);
   bool isScoped = cssSheet && cssSheet->GetScopeElement();
-  return RemoveStyleSheet(isScoped ? eScopedDocSheet : eDocSheet, aSheet);
+  return RemoveStyleSheet(isScoped ? SheetType::ScopedDoc : SheetType::Doc,
+                          aSheet);
 }
 
 // Batching
@@ -790,9 +797,9 @@ nsStyleSet::EndUpdate()
     return NS_OK;
   }
 
-  for (int i = 0; i < eSheetTypeCount; ++i) {
-    if (mDirty & (1 << i)) {
-      nsresult rv = GatherRuleProcessors(sheetType(i));
+  for (SheetType type : MakeEnumeratedRange(SheetType::Count)) {
+    if (mDirty & DirtyBit(type)) {
+      nsresult rv = GatherRuleProcessors(type);
       NS_ENSURE_SUCCESS(rv, rv);
     }
   }
@@ -814,7 +821,7 @@ static inline bool
 IsMoreSpecificThanAnimation(nsRuleNode *aRuleNode)
 {
   return !aRuleNode->IsRoot() &&
-         (aRuleNode->GetLevel() == nsStyleSet::eTransitionSheet ||
+         (aRuleNode->GetLevel() == SheetType::Transition ||
           aRuleNode->IsImportantRule());
 }
 
@@ -826,7 +833,7 @@ GetAnimationRule(nsRuleNode *aRuleNode)
     n = n->GetParent();
   }
 
-  if (n->IsRoot() || n->GetLevel() != nsStyleSet::eAnimationSheet) {
+  if (n->IsRoot() || n->GetLevel() != SheetType::Animation) {
     return nullptr;
   }
 
@@ -848,17 +855,17 @@ ReplaceAnimationRule(nsRuleNode *aOldRuleNode,
 
   if (aOldAnimRule) {
     MOZ_ASSERT(n->GetRule() == aOldAnimRule, "wrong rule");
-    MOZ_ASSERT(n->GetLevel() == nsStyleSet::eAnimationSheet,
+    MOZ_ASSERT(n->GetLevel() == SheetType::Animation,
                "wrong level");
     n = n->GetParent();
   }
 
   MOZ_ASSERT(!IsMoreSpecificThanAnimation(n) &&
-             (n->IsRoot() || n->GetLevel() != nsStyleSet::eAnimationSheet),
+             (n->IsRoot() || n->GetLevel() != SheetType::Animation),
              "wrong level");
 
   if (aNewAnimRule) {
-    n = n->Transition(aNewAnimRule, nsStyleSet::eAnimationSheet, false);
+    n = n->Transition(aNewAnimRule, SheetType::Animation, false);
     n->SetIsAnimationRule();
   }
 
@@ -1113,30 +1120,30 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
   // this will be either the root or one of the restriction rules.
   nsRuleNode* lastRestrictionRN = aRuleWalker->CurrentNode();
 
-  aRuleWalker->SetLevel(eAgentSheet, false, true);
-  if (mRuleProcessors[eAgentSheet])
-    (*aCollectorFunc)(mRuleProcessors[eAgentSheet], aData);
+  aRuleWalker->SetLevel(SheetType::Agent, false, true);
+  if (mRuleProcessors[SheetType::Agent])
+    (*aCollectorFunc)(mRuleProcessors[SheetType::Agent], aData);
   nsRuleNode* lastAgentRN = aRuleWalker->CurrentNode();
   bool haveImportantUARules = !aRuleWalker->GetCheckForImportantRules();
 
-  aRuleWalker->SetLevel(eUserSheet, false, true);
+  aRuleWalker->SetLevel(SheetType::User, false, true);
   bool skipUserStyles =
     aElement && aElement->IsInNativeAnonymousSubtree();
-  if (!skipUserStyles && mRuleProcessors[eUserSheet]) // NOTE: different
-    (*aCollectorFunc)(mRuleProcessors[eUserSheet], aData);
+  if (!skipUserStyles && mRuleProcessors[SheetType::User]) // NOTE: different
+    (*aCollectorFunc)(mRuleProcessors[SheetType::User], aData);
   nsRuleNode* lastUserRN = aRuleWalker->CurrentNode();
   bool haveImportantUserRules = !aRuleWalker->GetCheckForImportantRules();
 
-  aRuleWalker->SetLevel(ePresHintSheet, false, false);
-  if (mRuleProcessors[ePresHintSheet])
-    (*aCollectorFunc)(mRuleProcessors[ePresHintSheet], aData);
+  aRuleWalker->SetLevel(SheetType::PresHint, false, false);
+  if (mRuleProcessors[SheetType::PresHint])
+    (*aCollectorFunc)(mRuleProcessors[SheetType::PresHint], aData);
 
-  aRuleWalker->SetLevel(eSVGAttrAnimationSheet, false, false);
-  if (mRuleProcessors[eSVGAttrAnimationSheet])
-    (*aCollectorFunc)(mRuleProcessors[eSVGAttrAnimationSheet], aData);
+  aRuleWalker->SetLevel(SheetType::SVGAttrAnimation, false, false);
+  if (mRuleProcessors[SheetType::SVGAttrAnimation])
+    (*aCollectorFunc)(mRuleProcessors[SheetType::SVGAttrAnimation], aData);
   nsRuleNode* lastSVGAttrAnimationRN = aRuleWalker->CurrentNode();
 
-  aRuleWalker->SetLevel(eDocSheet, false, true);
+  aRuleWalker->SetLevel(SheetType::Doc, false, true);
   bool cutOffInheritance = false;
   if (mBindingManager && aElement) {
     // We can supply additional document-level sheets that should be walked.
@@ -1145,8 +1152,8 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
                                &cutOffInheritance);
   }
   if (!skipUserStyles && !cutOffInheritance && // NOTE: different
-      mRuleProcessors[eDocSheet])
-    (*aCollectorFunc)(mRuleProcessors[eDocSheet], aData);
+      mRuleProcessors[SheetType::Doc])
+    (*aCollectorFunc)(mRuleProcessors[SheetType::Doc], aData);
   nsRuleNode* lastDocRN = aRuleWalker->CurrentNode();
   bool haveImportantDocRules = !aRuleWalker->GetCheckForImportantRules();
   nsTArray<nsRuleNode*> lastScopedRNs;
@@ -1157,7 +1164,7 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
     lastScopedRNs.SetLength(mScopedDocSheetRuleProcessors.Length());
     haveImportantScopedRules.SetLength(mScopedDocSheetRuleProcessors.Length());
     for (uint32_t i = 0; i < mScopedDocSheetRuleProcessors.Length(); i++) {
-      aRuleWalker->SetLevel(eScopedDocSheet, false, true);
+      aRuleWalker->SetLevel(SheetType::ScopedDoc, false, true);
       nsCSSRuleProcessor* processor =
         static_cast<nsCSSRuleProcessor*>(mScopedDocSheetRuleProcessors[i].get());
       aData->mScope = processor->GetScopeElement();
@@ -1169,25 +1176,25 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
     aData->mScope = nullptr;
   }
   nsRuleNode* lastScopedRN = aRuleWalker->CurrentNode();
-  aRuleWalker->SetLevel(eStyleAttrSheet, false, true);
-  if (mRuleProcessors[eStyleAttrSheet])
-    (*aCollectorFunc)(mRuleProcessors[eStyleAttrSheet], aData);
+  aRuleWalker->SetLevel(SheetType::StyleAttr, false, true);
+  if (mRuleProcessors[SheetType::StyleAttr])
+    (*aCollectorFunc)(mRuleProcessors[SheetType::StyleAttr], aData);
   nsRuleNode* lastStyleAttrRN = aRuleWalker->CurrentNode();
   bool haveImportantStyleAttrRules = !aRuleWalker->GetCheckForImportantRules();
 
-  aRuleWalker->SetLevel(eOverrideSheet, false, true);
-  if (mRuleProcessors[eOverrideSheet])
-    (*aCollectorFunc)(mRuleProcessors[eOverrideSheet], aData);
+  aRuleWalker->SetLevel(SheetType::Override, false, true);
+  if (mRuleProcessors[SheetType::Override])
+    (*aCollectorFunc)(mRuleProcessors[SheetType::Override], aData);
   nsRuleNode* lastOvrRN = aRuleWalker->CurrentNode();
   bool haveImportantOverrideRules = !aRuleWalker->GetCheckForImportantRules();
 
   // This needs to match IsMoreSpecificThanAnimation() above.
-  aRuleWalker->SetLevel(eAnimationSheet, false, false);
-  (*aCollectorFunc)(mRuleProcessors[eAnimationSheet], aData);
+  aRuleWalker->SetLevel(SheetType::Animation, false, false);
+  (*aCollectorFunc)(mRuleProcessors[SheetType::Animation], aData);
 
   if (haveAnyImportantScopedRules) {
     for (uint32_t i = lastScopedRNs.Length(); i-- != 0; ) {
-      aRuleWalker->SetLevel(eScopedDocSheet, true, false);
+      aRuleWalker->SetLevel(SheetType::ScopedDoc, true, false);
       nsRuleNode* startRN = lastScopedRNs[i];
       nsRuleNode* endRN = i == 0 ? lastDocRN : lastScopedRNs[i - 1];
       if (haveImportantScopedRules[i]) {
@@ -1207,7 +1214,7 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
 #endif
 
   if (haveImportantDocRules) {
-    aRuleWalker->SetLevel(eDocSheet, true, false);
+    aRuleWalker->SetLevel(SheetType::Doc, true, false);
     AddImportantRules(lastDocRN, lastSVGAttrAnimationRN, aRuleWalker);  // doc
   }
 #ifdef DEBUG
@@ -1217,7 +1224,7 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
 #endif
 
   if (haveImportantStyleAttrRules) {
-    aRuleWalker->SetLevel(eStyleAttrSheet, true, false);
+    aRuleWalker->SetLevel(SheetType::StyleAttr, true, false);
     AddImportantRules(lastStyleAttrRN, lastScopedRN, aRuleWalker);  // style attr
   }
 #ifdef DEBUG
@@ -1227,7 +1234,7 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
 #endif
 
   if (haveImportantOverrideRules) {
-    aRuleWalker->SetLevel(eOverrideSheet, true, false);
+    aRuleWalker->SetLevel(SheetType::Override, true, false);
     AddImportantRules(lastOvrRN, lastStyleAttrRN, aRuleWalker);  // override
   }
 #ifdef DEBUG
@@ -1241,7 +1248,7 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
 #endif
 
   if (haveImportantUserRules) {
-    aRuleWalker->SetLevel(eUserSheet, true, false);
+    aRuleWalker->SetLevel(SheetType::User, true, false);
     AddImportantRules(lastUserRN, lastAgentRN, aRuleWalker); //user
   }
 #ifdef DEBUG
@@ -1251,7 +1258,7 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
 #endif
 
   if (haveImportantUARules) {
-    aRuleWalker->SetLevel(eAgentSheet, true, false);
+    aRuleWalker->SetLevel(SheetType::Agent, true, false);
     AddImportantRules(lastAgentRN, lastRestrictionRN, aRuleWalker); //agent
   }
 #ifdef DEBUG
@@ -1267,8 +1274,8 @@ nsStyleSet::FileRules(nsIStyleRuleProcessor::EnumFunc aCollectorFunc,
 #ifdef DEBUG
   nsRuleNode *lastImportantRN = aRuleWalker->CurrentNode();
 #endif
-  aRuleWalker->SetLevel(eTransitionSheet, false, false);
-  (*aCollectorFunc)(mRuleProcessors[eTransitionSheet], aData);
+  aRuleWalker->SetLevel(SheetType::Transition, false, false);
+  (*aCollectorFunc)(mRuleProcessors[SheetType::Transition], aData);
 #ifdef DEBUG
   AssertNoCSSRules(aRuleWalker->CurrentNode(), lastImportantRN);
 #endif
@@ -1284,18 +1291,18 @@ nsStyleSet::WalkRuleProcessors(nsIStyleRuleProcessor::EnumFunc aFunc,
 {
   NS_ASSERTION(mBatching == 0, "rule processors out of date");
 
-  if (mRuleProcessors[eAgentSheet])
-    (*aFunc)(mRuleProcessors[eAgentSheet], aData);
+  if (mRuleProcessors[SheetType::Agent])
+    (*aFunc)(mRuleProcessors[SheetType::Agent], aData);
 
   bool skipUserStyles = aData->mElement->IsInNativeAnonymousSubtree();
-  if (!skipUserStyles && mRuleProcessors[eUserSheet]) // NOTE: different
-    (*aFunc)(mRuleProcessors[eUserSheet], aData);
+  if (!skipUserStyles && mRuleProcessors[SheetType::User]) // NOTE: different
+    (*aFunc)(mRuleProcessors[SheetType::User], aData);
 
-  if (mRuleProcessors[ePresHintSheet])
-    (*aFunc)(mRuleProcessors[ePresHintSheet], aData);
+  if (mRuleProcessors[SheetType::PresHint])
+    (*aFunc)(mRuleProcessors[SheetType::PresHint], aData);
 
-  if (mRuleProcessors[eSVGAttrAnimationSheet])
-    (*aFunc)(mRuleProcessors[eSVGAttrAnimationSheet], aData);
+  if (mRuleProcessors[SheetType::SVGAttrAnimation])
+    (*aFunc)(mRuleProcessors[SheetType::SVGAttrAnimation], aData);
 
   bool cutOffInheritance = false;
   if (mBindingManager) {
@@ -1307,19 +1314,19 @@ nsStyleSet::WalkRuleProcessors(nsIStyleRuleProcessor::EnumFunc aFunc,
     }
   }
   if (!skipUserStyles && !cutOffInheritance) {
-    if (mRuleProcessors[eDocSheet]) // NOTE: different
-      (*aFunc)(mRuleProcessors[eDocSheet], aData);
+    if (mRuleProcessors[SheetType::Doc]) // NOTE: different
+      (*aFunc)(mRuleProcessors[SheetType::Doc], aData);
     if (aData->mElement->IsElementInStyleScope()) {
       for (uint32_t i = 0; i < mScopedDocSheetRuleProcessors.Length(); i++)
         (*aFunc)(mScopedDocSheetRuleProcessors[i], aData);
     }
   }
-  if (mRuleProcessors[eStyleAttrSheet])
-    (*aFunc)(mRuleProcessors[eStyleAttrSheet], aData);
-  if (mRuleProcessors[eOverrideSheet])
-    (*aFunc)(mRuleProcessors[eOverrideSheet], aData);
-  (*aFunc)(mRuleProcessors[eAnimationSheet], aData);
-  (*aFunc)(mRuleProcessors[eTransitionSheet], aData);
+  if (mRuleProcessors[SheetType::StyleAttr])
+    (*aFunc)(mRuleProcessors[SheetType::StyleAttr], aData);
+  if (mRuleProcessors[SheetType::Override])
+    (*aFunc)(mRuleProcessors[SheetType::Override], aData);
+  (*aFunc)(mRuleProcessors[SheetType::Animation], aData);
+  (*aFunc)(mRuleProcessors[SheetType::Transition], aData);
 }
 
 static void
@@ -1393,7 +1400,7 @@ nsStyleSet::ResolveStyleForRules(nsStyleContext* aParentContext,
   nsRuleWalker ruleWalker(mRuleTree, mAuthorStyleDisabled);
   // FIXME: Perhaps this should be passed in, but it probably doesn't
   // matter.
-  ruleWalker.SetLevel(eDocSheet, false, false);
+  ruleWalker.SetLevel(SheetType::Doc, false, false);
   for (uint32_t i = 0; i < aRules.Length(); i++) {
     ruleWalker.ForwardOnPossiblyCSSRule(aRules.ElementAt(i));
   }
@@ -1417,7 +1424,7 @@ nsStyleSet::ResolveStyleByAddingRules(nsStyleContext* aBaseContext,
   // resulting context.  It's also the right thing for the one case (the
   // transition manager's cover rule) where we put the result of this
   // function in the style context tree.
-  ruleWalker.SetLevel(eTransitionSheet, false, false);
+  ruleWalker.SetLevel(SheetType::Transition, false, false);
   for (int32_t i = 0; i < aRules.Count(); i++) {
     ruleWalker.ForwardOnPossiblyCSSRule(aRules.ObjectAt(i));
   }
@@ -1452,37 +1459,37 @@ nsStyleSet::ResolveStyleByAddingRules(nsStyleContext* aBaseContext,
 
 struct RuleNodeInfo {
   nsIStyleRule* mRule;
-  uint8_t mLevel;
+  SheetType mLevel;
   bool mIsImportant;
   bool mIsAnimationRule;
 };
 
 struct CascadeLevel {
-  uint8_t mLevel;
+  SheetType mLevel;
   bool mIsImportant;
   bool mCheckForImportantRules;
   nsRestyleHint mLevelReplacementHint;
 };
 
 static const CascadeLevel gCascadeLevels[] = {
-  { nsStyleSet::eAgentSheet,            false, false, nsRestyleHint(0) },
-  { nsStyleSet::eUserSheet,             false, false, nsRestyleHint(0) },
-  { nsStyleSet::ePresHintSheet,         false, false, nsRestyleHint(0) },
-  { nsStyleSet::eSVGAttrAnimationSheet, false, false, eRestyle_SVGAttrAnimations },
-  { nsStyleSet::eDocSheet,              false, false, nsRestyleHint(0) },
-  { nsStyleSet::eScopedDocSheet,        false, false, nsRestyleHint(0) },
-  { nsStyleSet::eStyleAttrSheet,        false, true,  eRestyle_StyleAttribute |
-                                                      eRestyle_StyleAttribute_Animations },
-  { nsStyleSet::eOverrideSheet,         false, false, nsRestyleHint(0) },
-  { nsStyleSet::eAnimationSheet,        false, false, eRestyle_CSSAnimations },
-  { nsStyleSet::eScopedDocSheet,        true,  false, nsRestyleHint(0) },
-  { nsStyleSet::eDocSheet,              true,  false, nsRestyleHint(0) },
-  { nsStyleSet::eStyleAttrSheet,        true,  false, eRestyle_StyleAttribute |
-                                                      eRestyle_StyleAttribute_Animations },
-  { nsStyleSet::eOverrideSheet,         true,  false, nsRestyleHint(0) },
-  { nsStyleSet::eUserSheet,             true,  false, nsRestyleHint(0) },
-  { nsStyleSet::eAgentSheet,            true,  false, nsRestyleHint(0) },
-  { nsStyleSet::eTransitionSheet,       false, false, eRestyle_CSSTransitions },
+  { SheetType::Agent,            false, false, nsRestyleHint(0) },
+  { SheetType::User,             false, false, nsRestyleHint(0) },
+  { SheetType::PresHint,         false, false, nsRestyleHint(0) },
+  { SheetType::SVGAttrAnimation, false, false, eRestyle_SVGAttrAnimations },
+  { SheetType::Doc,              false, false, nsRestyleHint(0) },
+  { SheetType::ScopedDoc,        false, false, nsRestyleHint(0) },
+  { SheetType::StyleAttr,        false, true,  eRestyle_StyleAttribute |
+                                               eRestyle_StyleAttribute_Animations },
+  { SheetType::Override,         false, false, nsRestyleHint(0) },
+  { SheetType::Animation,        false, false, eRestyle_CSSAnimations },
+  { SheetType::ScopedDoc,        true,  false, nsRestyleHint(0) },
+  { SheetType::Doc,              true,  false, nsRestyleHint(0) },
+  { SheetType::StyleAttr,        true,  false, eRestyle_StyleAttribute |
+                                               eRestyle_StyleAttribute_Animations },
+  { SheetType::Override,         true,  false, nsRestyleHint(0) },
+  { SheetType::User,             true,  false, nsRestyleHint(0) },
+  { SheetType::Agent,            true,  false, nsRestyleHint(0) },
+  { SheetType::Transition,       false, false, eRestyle_CSSTransitions },
 };
 
 nsRuleNode*
@@ -1547,7 +1554,7 @@ nsStyleSet::RuleNodeWithReplacement(Element* aElement,
 
     if (doReplace) {
       switch (level->mLevel) {
-        case nsStyleSet::eAnimationSheet: {
+        case SheetType::Animation: {
           if (aPseudoType == nsCSSPseudoElements::ePseudo_NotPseudoElement ||
               aPseudoType == nsCSSPseudoElements::ePseudo_before ||
               aPseudoType == nsCSSPseudoElements::ePseudo_after) {
@@ -1560,7 +1567,7 @@ nsStyleSet::RuleNodeWithReplacement(Element* aElement,
           }
           break;
         }
-        case nsStyleSet::eTransitionSheet: {
+        case SheetType::Transition: {
           if (aPseudoType == nsCSSPseudoElements::ePseudo_NotPseudoElement ||
               aPseudoType == nsCSSPseudoElements::ePseudo_before ||
               aPseudoType == nsCSSPseudoElements::ePseudo_after) {
@@ -1573,22 +1580,22 @@ nsStyleSet::RuleNodeWithReplacement(Element* aElement,
           }
           break;
         }
-        case nsStyleSet::eSVGAttrAnimationSheet: {
+        case SheetType::SVGAttrAnimation: {
           SVGAttrAnimationRuleProcessor* ruleProcessor =
             static_cast<SVGAttrAnimationRuleProcessor*>(
-              mRuleProcessors[eSVGAttrAnimationSheet].get());
+              mRuleProcessors[SheetType::SVGAttrAnimation].get());
           if (ruleProcessor &&
               aPseudoType == nsCSSPseudoElements::ePseudo_NotPseudoElement) {
             ruleProcessor->ElementRulesMatching(aElement, &ruleWalker);
           }
           break;
         }
-        case nsStyleSet::eStyleAttrSheet: {
+        case SheetType::StyleAttr: {
           if (!level->mIsImportant) {
             // First time through, we handle the non-!important rule.
             nsHTMLCSSStyleSheet* ruleProcessor =
               static_cast<nsHTMLCSSStyleSheet*>(
-                mRuleProcessors[eStyleAttrSheet].get());
+                mRuleProcessors[SheetType::StyleAttr].get());
             if (ruleProcessor) {
               lastScopedRN = ruleWalker.CurrentNode();
               if (aPseudoType ==
@@ -1768,7 +1775,7 @@ nsStyleSet::WalkRestrictionRule(nsCSSPseudoElements::Type aPseudoType,
                                 nsRuleWalker* aRuleWalker)
 {
   // This needs to match GetPseudoRestriction in nsRuleNode.cpp.
-  aRuleWalker->SetLevel(eAgentSheet, false, false);
+  aRuleWalker->SetLevel(SheetType::Agent, false, false);
   if (aPseudoType == nsCSSPseudoElements::ePseudo_firstLetter)
     aRuleWalker->Forward(mFirstLetterRule);
   else if (aPseudoType == nsCSSPseudoElements::ePseudo_firstLine)
@@ -1780,7 +1787,7 @@ nsStyleSet::WalkRestrictionRule(nsCSSPseudoElements::Type aPseudoType,
 void
 nsStyleSet::WalkDisableTextZoomRule(Element* aElement, nsRuleWalker* aRuleWalker)
 {
-  aRuleWalker->SetLevel(eAgentSheet, false, false);
+  aRuleWalker->SetLevel(SheetType::Agent, false, false);
   if (aElement->IsSVGElement(nsGkAtoms::text))
     aRuleWalker->Forward(mDisableTextZoomStyleRule);
 }
@@ -2021,7 +2028,7 @@ nsStyleSet::AppendFontFaceRules(nsTArray<nsFontFaceRuleContainer>& aArray)
 
   nsPresContext* presContext = PresContext();
   for (uint32_t i = 0; i < ArrayLength(gCSSSheetTypes); ++i) {
-    if (gCSSSheetTypes[i] == eScopedDocSheet)
+    if (gCSSSheetTypes[i] == SheetType::ScopedDoc)
       continue;
     nsCSSRuleProcessor *ruleProc = static_cast<nsCSSRuleProcessor*>
                                     (mRuleProcessors[gCSSSheetTypes[i]].get());
@@ -2039,7 +2046,7 @@ nsStyleSet::KeyframesRuleForName(const nsString& aName)
 
   nsPresContext* presContext = PresContext();
   for (uint32_t i = ArrayLength(gCSSSheetTypes); i-- != 0; ) {
-    if (gCSSSheetTypes[i] == eScopedDocSheet)
+    if (gCSSSheetTypes[i] == SheetType::ScopedDoc)
       continue;
     nsCSSRuleProcessor *ruleProc = static_cast<nsCSSRuleProcessor*>
                                     (mRuleProcessors[gCSSSheetTypes[i]].get());
@@ -2061,7 +2068,7 @@ nsStyleSet::CounterStyleRuleForName(const nsAString& aName)
 
   nsPresContext* presContext = PresContext();
   for (uint32_t i = ArrayLength(gCSSSheetTypes); i-- != 0; ) {
-    if (gCSSSheetTypes[i] == eScopedDocSheet)
+    if (gCSSSheetTypes[i] == SheetType::ScopedDoc)
       continue;
     nsCSSRuleProcessor *ruleProc = static_cast<nsCSSRuleProcessor*>
                                     (mRuleProcessors[gCSSSheetTypes[i]].get());
@@ -2137,7 +2144,7 @@ nsStyleSet::AppendPageRules(nsTArray<nsCSSPageRule*>& aArray)
 
   nsPresContext* presContext = PresContext();
   for (uint32_t i = 0; i < ArrayLength(gCSSSheetTypes); ++i) {
-    if (gCSSSheetTypes[i] == eScopedDocSheet)
+    if (gCSSSheetTypes[i] == SheetType::ScopedDoc)
       continue;
     nsCSSRuleProcessor* ruleProc = static_cast<nsCSSRuleProcessor*>
                                     (mRuleProcessors[gCSSSheetTypes[i]].get());
@@ -2437,16 +2444,14 @@ nsStyleSet::MediumFeaturesChanged()
   // We can't use WalkRuleProcessors without a content node.
   nsPresContext* presContext = PresContext();
   bool stylesChanged = false;
-  for (uint32_t i = 0; i < ArrayLength(mRuleProcessors); ++i) {
-    nsIStyleRuleProcessor *processor = mRuleProcessors[i];
+  for (nsIStyleRuleProcessor* processor : mRuleProcessors) {
     if (!processor) {
       continue;
     }
     bool thisChanged = processor->MediumFeaturesChanged(presContext);
     stylesChanged = stylesChanged || thisChanged;
   }
-  for (uint32_t i = 0; i < mScopedDocSheetRuleProcessors.Length(); ++i) {
-    nsIStyleRuleProcessor *processor = mScopedDocSheetRuleProcessors[i];
+  for (nsIStyleRuleProcessor* processor : mScopedDocSheetRuleProcessors) {
     bool thisChanged = processor->MediumFeaturesChanged(presContext);
     stylesChanged = stylesChanged || thisChanged;
   }
@@ -2502,7 +2507,7 @@ nsStyleSet::InitialStyleRule()
 }
 
 bool
-nsStyleSet::HasRuleProcessorUsedByMultipleStyleSets(sheetType aSheetType)
+nsStyleSet::HasRuleProcessorUsedByMultipleStyleSets(SheetType aSheetType)
 {
   MOZ_ASSERT(size_t(aSheetType) < ArrayLength(mRuleProcessors));
   if (!IsCSSSheetType(aSheetType) || !mRuleProcessors[aSheetType]) {
diff --git a/layout/style/nsStyleSet.h b/layout/style/nsStyleSet.h
index eb463d4c123c..954935f0be58 100644
--- a/layout/style/nsStyleSet.h
+++ b/layout/style/nsStyleSet.h
@@ -14,7 +14,9 @@
 
 #include "mozilla/Attributes.h"
 #include "mozilla/CSSStyleSheet.h"
+#include "mozilla/EnumeratedArray.h"
 #include "mozilla/MemoryReporting.h"
+#include "mozilla/SheetType.h"
 
 #include "nsIStyleRuleProcessor.h"
 #include "nsBindingManager.h"
@@ -304,46 +306,28 @@ class nsStyleSet final
     mBindingManager = aBindingManager;
   }
 
-  // The "origins" of the CSS cascade, from lowest precedence to
-  // highest (for non-!important rules).
-  enum sheetType {
-    eAgentSheet, // CSS
-    eUserSheet, // CSS
-    ePresHintSheet,
-    eSVGAttrAnimationSheet,
-    eDocSheet, // CSS
-    eScopedDocSheet,
-    eStyleAttrSheet,
-    eOverrideSheet, // CSS
-    eAnimationSheet,
-    eTransitionSheet,
-    eSheetTypeCount
-    // be sure to keep the number of bits in |mDirty| below and in
-    // NS_RULE_NODE_LEVEL_MASK updated when changing the number of sheet
-    // types
-  };
-
   // APIs to manipulate the style sheet lists.  The sheets in each
   // list are stored with the most significant sheet last.
-  nsresult AppendStyleSheet(sheetType aType, nsIStyleSheet *aSheet);
-  nsresult PrependStyleSheet(sheetType aType, nsIStyleSheet *aSheet);
-  nsresult RemoveStyleSheet(sheetType aType, nsIStyleSheet *aSheet);
-  nsresult ReplaceSheets(sheetType aType,
+  nsresult AppendStyleSheet(mozilla::SheetType aType, nsIStyleSheet *aSheet);
+  nsresult PrependStyleSheet(mozilla::SheetType aType, nsIStyleSheet *aSheet);
+  nsresult RemoveStyleSheet(mozilla::SheetType aType, nsIStyleSheet *aSheet);
+  nsresult ReplaceSheets(mozilla::SheetType aType,
                          const nsCOMArray<nsIStyleSheet> &aNewSheets);
-  nsresult InsertStyleSheetBefore(sheetType aType, nsIStyleSheet *aNewSheet,
+  nsresult InsertStyleSheetBefore(mozilla::SheetType aType,
+                                  nsIStyleSheet *aNewSheet,
                                   nsIStyleSheet *aReferenceSheet);
 
-  nsresult DirtyRuleProcessors(sheetType aType);
+  nsresult DirtyRuleProcessors(mozilla::SheetType aType);
 
   // Enable/Disable entire author style level (Doc, ScopedDoc & PresHint levels)
   bool GetAuthorStyleDisabled();
   nsresult SetAuthorStyleDisabled(bool aStyleDisabled);
 
-  int32_t SheetCount(sheetType aType) const {
+  int32_t SheetCount(mozilla::SheetType aType) const {
     return mSheets[aType].Count();
   }
 
-  nsIStyleSheet* StyleSheetAt(sheetType aType, int32_t aIndex) const {
+  nsIStyleSheet* StyleSheetAt(mozilla::SheetType aType, int32_t aIndex) const {
     return mSheets[aType].ObjectAt(aIndex);
   }
 
@@ -403,7 +387,7 @@ class nsStyleSet final
 
   nsIStyleRule* InitialStyleRule();
 
-  bool HasRuleProcessorUsedByMultipleStyleSets(sheetType aSheetType);
+  bool HasRuleProcessorUsedByMultipleStyleSets(mozilla::SheetType aSheetType);
 
   // Tells the RestyleManager for the document using this style set
   // to drop any nsCSSSelector pointers it has.
@@ -417,7 +401,7 @@ class nsStyleSet final
   void GCRuleTrees();
 
   // Update the rule processor list after a change to the style sheet list.
-  nsresult GatherRuleProcessors(sheetType aType);
+  nsresult GatherRuleProcessors(mozilla::SheetType aType);
 
   void AddImportantRules(nsRuleNode* aCurrLevelNode,
                          nsRuleNode* aLastPrevLevelNode,
@@ -485,11 +469,13 @@ class nsStyleSet final
   // The arrays for ePresHintSheet, eStyleAttrSheet, eTransitionSheet,
   // eAnimationSheet and eSVGAttrAnimationSheet are always empty.
   // (FIXME:  We should reduce the storage needed for them.)
-  nsCOMArray<nsIStyleSheet> mSheets[eSheetTypeCount];
+  mozilla::EnumeratedArray<mozilla::SheetType, mozilla::SheetType::Count,
+                           nsCOMArray<nsIStyleSheet>> mSheets;
 
   // mRuleProcessors[eScopedDocSheet] is always null; rule processors
   // for scoped style sheets are stored in mScopedDocSheetRuleProcessors.
-  nsCOMPtr<nsIStyleRuleProcessor> mRuleProcessors[eSheetTypeCount];
+  mozilla::EnumeratedArray<mozilla::SheetType, mozilla::SheetType::Count,
+                           nsCOMPtr<nsIStyleRuleProcessor>> mRuleProcessors;
 
   // Rule processors for HTML5 scoped style sheets, one per scope.
   nsTArray<nsCOMPtr<nsIStyleRuleProcessor> > mScopedDocSheetRuleProcessors;
@@ -507,7 +493,7 @@ class nsStyleSet final
   unsigned mInReconstruct : 1;
   unsigned mInitFontFeatureValuesLookup : 1;
   unsigned mNeedsRestyleAfterEnsureUniqueInner : 1;
-  unsigned mDirty : 10;  // one dirty bit is used per sheet type
+  unsigned mDirty : int(mozilla::SheetType::Count);  // one bit per sheet type
 
   uint32_t mUnusedRuleNodeCount; // used to batch rule node GC
   nsTArray<nsStyleContext*> mRoots; // style contexts with no parent
diff --git a/layout/style/nsStyleStruct.h b/layout/style/nsStyleStruct.h
index a33ea7e4a15a..cf5c141c90d7 100644
--- a/layout/style/nsStyleStruct.h
+++ b/layout/style/nsStyleStruct.h
@@ -14,6 +14,7 @@
 #include "mozilla/ArenaObjectID.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/CSSVariableValues.h"
+#include "mozilla/SheetType.h"
 #include "nsColor.h"
 #include "nsCoord.h"
 #include "nsMargin.h"
@@ -89,6 +90,10 @@ class imgIContainer;
 // Additional bits for nsRuleNode's mNoneBits:
 #define NS_RULE_NODE_HAS_ANIMATION_DATA     0x80000000
 
+static_assert(int(mozilla::SheetType::Count) - 1 <=
+                (NS_RULE_NODE_LEVEL_MASK >> NS_RULE_NODE_LEVEL_SHIFT),
+              "NS_RULE_NODE_LEVEL_MASK cannot fit SheetType");
+
 // The lifetime of these objects is managed by the presshell's arena.
 
 struct nsStyleFont {
diff --git a/layout/style/nsStyleStructFwd.h b/layout/style/nsStyleStructFwd.h
index c9e7a68914e5..4156013bf568 100644
--- a/layout/style/nsStyleStructFwd.h
+++ b/layout/style/nsStyleStructFwd.h
@@ -54,12 +54,6 @@ nsStyleStructID_Inherited_Count =
 nsStyleStructID_Reset_Count =
   nsStyleStructID_Length - nsStyleStructID_Reset_Start,
 
-// An ID used for properties that are not in style structs.  This is
-// used only in some users of nsStyleStructID, such as
-// nsCSSProps::kSIDTable, including some that store SIDs in a bitfield,
-// such as nsCSSCompressedDataBlock::mStyleBits.
-eStyleStruct_BackendOnly = nsStyleStructID_Length
-
 };
 
 // A bit corresponding to each struct ID
diff --git a/layout/style/test/property_database.js b/layout/style/test/property_database.js
index a41605c4cf8d..b95324af0d79 100644
--- a/layout/style/test/property_database.js
+++ b/layout/style/test/property_database.js
@@ -3001,16 +3001,6 @@ var gCSSProperties = {
     other_values: [ "6em", "-1px", "calc(0px)", "calc(3em + 2px - 4px)", "calc(-2em)" ],
     invalid_values: []
   },
-  "marks": {
-    /* XXX not a real property; applies only to page context */
-    domProp: "marks",
-    inherited: false,
-    backend_only: true,
-    type: CSS_TYPE_LONGHAND,
-    initial_values: [ "none" ],
-    other_values: [ "crop", "cross", "crop cross", "cross crop" ],
-    invalid_values: [ "none none", "crop none", "none crop", "cross none", "none cross" ]
-  },
   "max-height": {
     domProp: "maxHeight",
     inherited: false,
@@ -3112,16 +3102,6 @@ var gCSSProperties = {
     other_values: [ "horizontal", "vertical", "block" ],
     invalid_values: [ "none" ]
   },
-  "orphans": {
-    domProp: "orphans",
-    inherited: true,
-    backend_only: true,
-    type: CSS_TYPE_LONGHAND,
-    // XXX requires display:block
-    initial_values: [ "2" ],
-    other_values: [ "1", "7" ],
-    invalid_values: [ "0", "-1", "0px", "3px", "3e1" ]
-  },
   "outline": {
     domProp: "outline",
     inherited: false,
@@ -3279,15 +3259,6 @@ var gCSSProperties = {
     invalid_values: [ ],
     quirks_values: { "5": "5px" },
   },
-  "page": {
-    domProp: "page",
-    inherited: true,
-    backend_only: true,
-    type: CSS_TYPE_LONGHAND,
-    initial_values: [ "auto" ],
-    other_values: [ "foo", "bar" ],
-    invalid_values: [ "3px" ]
-  },
   "page-break-after": {
     domProp: "pageBreakAfter",
     inherited: false,
@@ -3357,19 +3328,6 @@ var gCSSProperties = {
     invalid_values: [],
     quirks_values: { "5": "5px" },
   },
-  "size": {
-    /* XXX not a real property; applies only to page context */
-    domProp: "size",
-    inherited: false,
-    backend_only: true,
-    type: CSS_TYPE_LONGHAND,
-    initial_values: [ "auto" ],
-    other_values: [ "landscape", "portrait", "8.5in 11in", "14in 11in", "297mm 210mm", "21cm 29.7cm", "100mm" ],
-    invalid_values: [
-      // XXX spec unclear on 0s and negatives
-      "100mm 100mm 100mm"
-    ]
-  },
   "table-layout": {
     domProp: "tableLayout",
     inherited: false,
@@ -3585,16 +3543,6 @@ var gCSSProperties = {
     other_values: [ "pre", "nowrap", "pre-wrap", "pre-line", "-moz-pre-space" ],
     invalid_values: []
   },
-  "widows": {
-    domProp: "widows",
-    inherited: true,
-    backend_only: true,
-    type: CSS_TYPE_LONGHAND,
-    // XXX requires display:block
-    initial_values: [ "2" ],
-    other_values: [ "1", "7" ],
-    invalid_values: [ "0", "-1", "0px", "3px", "3e1" ]
-  },
   "width": {
     domProp: "width",
     inherited: false,
diff --git a/layout/style/test/test_bug1112014.html b/layout/style/test/test_bug1112014.html
index 27461f016e7b..d0f66aa46589 100644
--- a/layout/style/test/test_bug1112014.html
+++ b/layout/style/test/test_bug1112014.html
@@ -92,10 +92,6 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1112014
 
   for (let propertyName in gCSSProperties) {
     let prop = gCSSProperties[propertyName];
-    if (prop.backend_only) {
-      // These aren't interesting to us.
-      continue;
-    }
 
     for (let iter in testValues) {
       let testValue = testValues[iter];
diff --git a/layout/style/test/test_ch_ex_no_infloops.html b/layout/style/test/test_ch_ex_no_infloops.html
index 0bedcd6c45e3..e8684e9353e5 100644
--- a/layout/style/test/test_ch_ex_no_infloops.html
+++ b/layout/style/test/test_ch_ex_no_infloops.html
@@ -28,9 +28,6 @@ var cs = getComputedStyle(content, "");
 
 for (var prop in gCSSProperties) {
   var info = gCSSProperties[prop];
-  if (info.backend_only) {
-    continue;
-  }
   function test_val(v) {
     content.style.setProperty(prop, v, "");
     isnot(get_computed_value(cs, prop), "",
diff --git a/layout/style/test/test_compute_data_with_start_struct.html b/layout/style/test/test_compute_data_with_start_struct.html
index 247c044d3d28..fab111e344d4 100644
--- a/layout/style/test/test_compute_data_with_start_struct.html
+++ b/layout/style/test/test_compute_data_with_start_struct.html
@@ -66,7 +66,7 @@ function round(lower_set, higher_set, roundnum) {
 
   for (var prop in gCSSProperties) {
     var info = gCSSProperties[prop];
-    if (info.backend_only || info.subproperties || info.get_computed)
+    if (info.subproperties || info.get_computed)
       continue;
     gRule1.style.setProperty(prop, info[lower_set][0], "");
     gRule2.style.setProperty(prop, info[higher_set][0], "");
@@ -74,7 +74,7 @@ function round(lower_set, higher_set, roundnum) {
 
   for (var prop in gCSSProperties) {
     var info = gCSSProperties[prop];
-    if (info.backend_only || info.subproperties || info.get_computed)
+    if (info.subproperties || info.get_computed)
       continue;
 
     if ("prerequisites" in info) {
diff --git a/layout/style/test/test_inherit_computation.html b/layout/style/test/test_inherit_computation.html
index 88394c5ee595..a4407418cac2 100644
--- a/layout/style/test/test_inherit_computation.html
+++ b/layout/style/test/test_inherit_computation.html
@@ -47,8 +47,6 @@ function get_computed_value_node(node, property)
 function test_property(property)
 {
   var info = gCSSProperties[property];
-  if (info.backend_only)
-    return;
 
   var keywords = ["inherit"];
   if (info.inherited && gTestUnset)
diff --git a/layout/style/test/test_initial_computation.html b/layout/style/test/test_initial_computation.html
index b236122ba477..8da53ed45310 100644
--- a/layout/style/test/test_initial_computation.html
+++ b/layout/style/test/test_initial_computation.html
@@ -73,8 +73,6 @@ function setup_initial_values(id, ivalprop, prereqprop) {
 function test_property(property)
 {
   var info = gCSSProperties[property];
-  if (info.backend_only)
-    return;
 
   var keywords = ["initial"];
   if (!info.inherited && gTestUnset)
diff --git a/layout/style/test/test_value_cloning.html b/layout/style/test/test_value_cloning.html
index 060047ff88c6..5582b83034de 100644
--- a/layout/style/test/test_value_cloning.html
+++ b/layout/style/test/test_value_cloning.html
@@ -128,16 +128,11 @@ function iframe_loaded(event)
     }
     start_ser.push(cur_ser);
 
-    var cur_compute;
-    if (!("backend_only" in info)) {
-      cur_compute = get_computed_value(cur_cs, current_item.prop);
-      if (cur_compute == "") {
-	isnot(cur_compute, "",
-	      "computed value should be nonempty for " +
-	      current_item.prop + ": " + current_item.value);
-      }
-    } else {
-      cur_compute = undefined;
+    var cur_compute = get_computed_value(cur_cs, current_item.prop);
+    if (cur_compute == "") {
+      isnot(cur_compute, "",
+            "computed value should be nonempty for " +
+            current_item.prop + ": " + current_item.value);
     }
     start_compute.push(cur_compute);
   }
@@ -164,19 +159,17 @@ function iframe_loaded(event)
        "serialization should match when cloning " +
        current_item.prop + ": " + current_item.value);
 
-    if (!("backend_only" in info)) {
-      var end_compute = get_computed_value(test_cs[idx], current_item.prop);
-      // Output computed values only when the test failed.
-      // Computed values may be very long.
-      if (end_compute == start_compute[idx]) {
-        ok(true,
-           "computed values should match when cloning " +
-           current_item.prop + ": " + current_item.value);
-      } else {
-        is(end_compute, start_compute[idx],
-           "computed values should match when cloning " +
-           current_item.prop + ": " + current_item.value);
-      }
+    var end_compute = get_computed_value(test_cs[idx], current_item.prop);
+    // Output computed values only when the test failed.
+    // Computed values may be very long.
+    if (end_compute == start_compute[idx]) {
+      ok(true,
+         "computed values should match when cloning " +
+         current_item.prop + ": " + current_item.value);
+    } else {
+      is(end_compute, start_compute[idx],
+         "computed values should match when cloning " +
+         current_item.prop + ": " + current_item.value);
     }
   }
 
diff --git a/layout/style/test/test_value_computation.html b/layout/style/test/test_value_computation.html
index 17a59ca731e7..6ca03e286b9d 100644
--- a/layout/style/test/test_value_computation.html
+++ b/layout/style/test/test_value_computation.html
@@ -148,8 +148,6 @@ function setup_initial_values(id, ivalprop, prereqprop) {
 function test_value(property, val, is_initial)
 {
   var info = gCSSProperties[property];
-  if (info.backend_only)
-    return;
 
   if ("prerequisites" in info) {
     var prereqs = info.prerequisites;
diff --git a/layout/style/test/test_value_storage.html b/layout/style/test/test_value_storage.html
index 16f15f1d570d..0d7864e44e69 100644
--- a/layout/style/test/test_value_storage.html
+++ b/layout/style/test/test_value_storage.html
@@ -111,8 +111,6 @@ function test_property(property)
 {
   var info = gCSSProperties[property];
 
-  var test_computed = !("backend_only" in info);
-
   // can all properties be removed from the style?
   function test_remove_all_properties(property, value) {
     var i, p = [];
@@ -151,9 +149,9 @@ function test_property(property)
         step1vals.push(gDeclaration.getPropertyValue(info.subproperties[idx]));
     var step1comp;
     var step1comps = [];
-    if (test_computed && info.type != CSS_TYPE_TRUE_SHORTHAND)
+    if (info.type != CSS_TYPE_TRUE_SHORTHAND)
       step1comp = gComputedStyle.getPropertyValue(property);
-    if (test_computed && "subproperties" in info)
+    if ("subproperties" in info)
       for (idx in info.subproperties)
         step1comps.push(gComputedStyle.getPropertyValue(info.subproperties[idx]));
 
@@ -191,7 +189,7 @@ function test_property(property)
     is(gDeclaration.getPropertyValue(property), step1val,
        "parse+serialize should be idempotent for '" +
          property + ": " + value + "'");
-    if (test_computed && info.type != CSS_TYPE_TRUE_SHORTHAND) {
+    if (info.type != CSS_TYPE_TRUE_SHORTHAND) {
       is(gComputedStyle.getPropertyValue(property), step1comp,
          "serialize+parse should be identity transform for '" +
          property + ": " + value + "'");
@@ -215,18 +213,16 @@ function test_property(property)
       // the computed values of other parts.
       for (idx in info.subproperties) {
         var subprop = info.subproperties[idx];
-        if (test_computed && !("backend_only" in gCSSProperties[subprop])) {
-          is(gComputedStyle.getPropertyValue(subprop), step1comps[idx],
-             "serialize(" + subprop + ")+parse should be the identity " +
-             "transform for '" + property + ": " + value + "'");
-        }
+        is(gComputedStyle.getPropertyValue(subprop), step1comps[idx],
+           "serialize(" + subprop + ")+parse should be the identity " +
+           "transform for '" + property + ": " + value + "'");
       }
       is(gDeclaration.getPropertyValue(property), step1val,
          "parse+split+serialize should be idempotent for '" +
          property + ": " + value + "'");
     }
 
-    if (test_computed && info.type != CSS_TYPE_TRUE_SHORTHAND) {
+    if (info.type != CSS_TYPE_TRUE_SHORTHAND) {
       gDeclaration.removeProperty(property);
       gDeclaration.setProperty(property, step1comp, "");
       var func = xfail_compute(property, value) ? todo_is : is;
@@ -234,12 +230,10 @@ function test_property(property)
            "parse+compute+serialize should be idempotent for '" +
            property + ": " + value + "'");
     }
-    if (test_computed && "subproperties" in info) {
+    if ("subproperties" in info) {
       gDeclaration.removeProperty(property);
       for (idx in info.subproperties) {
         var subprop = info.subproperties[idx];
-        if ("backend_only" in gCSSProperties[subprop])
-          continue;
         gDeclaration.setProperty(subprop, step1comps[idx], "");
       }
 
@@ -248,8 +242,6 @@ function test_property(property)
       // the computed values of other parts.
       for (idx in info.subproperties) {
         var subprop = info.subproperties[idx];
-        if ("backend_only" in gCSSProperties[subprop])
-          continue;
         is(gComputedStyle.getPropertyValue(subprop), step1comps[idx],
            "parse+compute+serialize(" + subprop + ") should be idempotent for '" +
            property + ": " + value + "'");
diff --git a/layout/tools/reftest/runreftest.py b/layout/tools/reftest/runreftest.py
index 95845ad84200..d7af861c6fd5 100644
--- a/layout/tools/reftest/runreftest.py
+++ b/layout/tools/reftest/runreftest.py
@@ -335,6 +335,13 @@ class RefTest(object):
             xrePath=options.xrePath, debugger=options.debugger)
         browserEnv["XPCOM_DEBUG_BREAK"] = "stack"
 
+        if mozinfo.info["asan"]:
+            # Disable leak checking for reftests for now
+            if "ASAN_OPTIONS" in browserEnv:
+                browserEnv["ASAN_OPTIONS"] += ":detect_leaks=0"
+            else:
+                browserEnv["ASAN_OPTIONS"] = "detect_leaks=0"
+
         for v in options.environment:
             ix = v.find("=")
             if ix <= 0:
diff --git a/media/libav/moz.build b/media/libav/moz.build
index 44810a7f75f0..a825810e572f 100644
--- a/media/libav/moz.build
+++ b/media/libav/moz.build
@@ -63,6 +63,7 @@ if CONFIG['_MSC_VER']:
 if CONFIG['OS_ARCH'] != 'WINNT':
     SOURCES['libavcodec/avfft.c'].flags += ['-include', 'avfft_perms.h']
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 include("libavcommon.mozbuild")
diff --git a/media/libjpeg/moz.build b/media/libjpeg/moz.build
index 46f4948da0d4..80b81c2d2144 100644
--- a/media/libjpeg/moz.build
+++ b/media/libjpeg/moz.build
@@ -149,6 +149,7 @@ ASFLAGS += ['-I%s/media/libjpeg/simd/' % TOPSRCDIR]
 if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
     NO_VISIBILITY_FLAGS = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/libopus/moz.build b/media/libopus/moz.build
index 90a6fa59275a..153ef9cb7b80 100644
--- a/media/libopus/moz.build
+++ b/media/libopus/moz.build
@@ -14,6 +14,7 @@ EXPORTS.opus += [
     'include/opus_types.h',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/libsoundtouch/src/moz.build b/media/libsoundtouch/src/moz.build
index 26a0c46d5060..2ecf1ef487a5 100644
--- a/media/libsoundtouch/src/moz.build
+++ b/media/libsoundtouch/src/moz.build
@@ -42,6 +42,7 @@ else:
     # Windows need alloca renamed to _alloca
     DEFINES['alloca'] = '_alloca'
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 if CONFIG['CLANG_CXX']:
diff --git a/media/libspeex_resampler/src/moz.build b/media/libspeex_resampler/src/moz.build
index 2bd72dd2c7b4..50c3c4c188c5 100644
--- a/media/libspeex_resampler/src/moz.build
+++ b/media/libspeex_resampler/src/moz.build
@@ -15,6 +15,7 @@ SOURCES += [
     'simd_detect.cpp',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/libstagefright/binding/MP4Metadata.rs b/media/libstagefright/binding/MP4Metadata.rs
index 24b0f17c0215..7d708ce14dda 100644
--- a/media/libstagefright/binding/MP4Metadata.rs
+++ b/media/libstagefright/binding/MP4Metadata.rs
@@ -266,8 +266,7 @@ fn recurse<T: Read>(f: &mut T, h: &BoxHeader, context: &mut MediaContext) -> byt
 }
 
 /// Read the contents of a box, including sub boxes.
-/// Right now it just prints the box value rather than
-/// returning anything.
+/// Metadata is accumulated in the passed-through MediaContext struct.
 pub fn read_box<T: BufRead>(f: &mut T, context: &mut MediaContext) -> byteorder::Result<()> {
     read_box_header(f).and_then(|h| {
         let mut content = limit(f, &h);
@@ -329,11 +328,12 @@ pub fn read_box<T: BufRead>(f: &mut T, context: &mut MediaContext) -> byteorder:
                     "soun" => Some(TrackType::Audio),
                     _ => None
                 };
-                // Ignore unrecognized track types.
-                track_type.map(|track_type|
-                               context.tracks.push(Track { track_type: track_type }))
-                    .or_else(|| { println!("unknown track type!"); None } );
-                println!("  {}", hdlr);
+                // Save track types with recognized types.
+                match track_type {
+                    Some(track_type) =>
+                         context.tracks.push(Track { track_type: track_type }),
+                    None => println!("unknown track type!"),
+                };
             },
             "stsd" => {
                 let track = &context.tracks[context.tracks.len() - 1];
@@ -343,11 +343,11 @@ pub fn read_box<T: BufRead>(f: &mut T, context: &mut MediaContext) -> byteorder:
             _ => {
                 // Skip the contents of unknown chunks.
                 println!("{} (skipped)", h);
-                try!(skip_box_content(&mut content, &h).and(Ok(())));
+                try!(skip_box_content(&mut content, &h));
             },
         };
         assert!(content.limit() == 0);
-        println!("Parse result: {}", context);
+        println!("read_box context: {}", context);
         Ok(()) // and_then needs a Result to return.
     })
 }
@@ -373,14 +373,13 @@ pub extern fn read_box_from_buffer(buffer: *const u8, size: usize) -> i32 {
     // Parse in a subthread.
     let task = thread::spawn(move || {
         let mut context = MediaContext { tracks: Vec::new() };
-        read_box(&mut c, &mut context)
-        .or_else(|e| { match e {
-            // TODO: Catch EOF earlier so we can get the return value.
-            // Catch EOF. We naturally hit it at end-of-input.
-            byteorder::Error::UnexpectedEOF => { Ok(()) },
-            e => { Err(e) },
-        }})
-        .unwrap();
+        loop {
+            match read_box(&mut c, &mut context) {
+                Ok(_) => {},
+                Err(byteorder::Error::UnexpectedEOF) => { break },
+                Err(e) => { panic!(e) },
+            }
+        }
         // Make sure the track count fits in an i32 so we can use
         // negative values for failure.
         assert!(context.tracks.len() < i32::MAX as usize);
diff --git a/media/libstagefright/binding/include/mp4_demuxer/Index.h b/media/libstagefright/binding/include/mp4_demuxer/Index.h
index e6534a997c0a..c2e4b878b808 100644
--- a/media/libstagefright/binding/include/mp4_demuxer/Index.h
+++ b/media/libstagefright/binding/include/mp4_demuxer/Index.h
@@ -12,7 +12,6 @@
 #include "mp4_demuxer/Stream.h"
 #include "nsISupportsImpl.h"
 
-template<class T> class nsRefPtr;
 template<class T> class nsAutoPtr;
 
 namespace mp4_demuxer
diff --git a/media/libstagefright/gtest/TestMP4Rust.cpp b/media/libstagefright/gtest/TestMP4Rust.cpp
index 979b7f5f4b66..bdebd4443478 100644
--- a/media/libstagefright/gtest/TestMP4Rust.cpp
+++ b/media/libstagefright/gtest/TestMP4Rust.cpp
@@ -45,6 +45,6 @@ TEST(rust, MP4Metadata)
   buf.resize(read);
   fclose(f);
 
-  bool rv = read_box_from_buffer(buf.data(), buf.size());
-  EXPECT_EQ(rv, 0); // XFAIL: Should find 2 tracks in the first 4K.
+  int32_t rv = read_box_from_buffer(buf.data(), buf.size());
+  EXPECT_EQ(rv, 2);
 }
diff --git a/media/libstagefright/moz.build b/media/libstagefright/moz.build
index 1c934c014720..11ca4608d6b6 100644
--- a/media/libstagefright/moz.build
+++ b/media/libstagefright/moz.build
@@ -129,6 +129,7 @@ TEST_DIRS += [
     'gtest',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/media/libtheora/moz.build b/media/libtheora/moz.build
index 624fc35082f3..28ce508b6033 100644
--- a/media/libtheora/moz.build
+++ b/media/libtheora/moz.build
@@ -13,6 +13,7 @@ EXPORTS.theora += [
     'include/theora/theoraenc.h',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/libvorbis/moz.build b/media/libvorbis/moz.build
index 4ed26b3ca0d9..a6fea12b490f 100644
--- a/media/libvorbis/moz.build
+++ b/media/libvorbis/moz.build
@@ -51,6 +51,7 @@ if CONFIG['OS_ARCH'] == 'SunOS':
 if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
     NO_VISIBILITY_FLAGS = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/libvpx/moz.build b/media/libvpx/moz.build
index d35d65b107b8..4ff334200072 100644
--- a/media/libvpx/moz.build
+++ b/media/libvpx/moz.build
@@ -55,6 +55,7 @@ if 'vp8/encoder/arm/armv5te/boolhuff_armv5te.asm' not in arm_asm_files:
 if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
     NO_VISIBILITY_FLAGS = True
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/mtransport/third_party/moz.build b/media/mtransport/third_party/moz.build
index d536ef83a8be..a38c33abdb40 100644
--- a/media/mtransport/third_party/moz.build
+++ b/media/mtransport/third_party/moz.build
@@ -63,12 +63,14 @@ nrappkit_non_unified_sources = [
 
 GYP_DIRS['nICEr'].input = 'nICEr/nicer.gyp'
 GYP_DIRS['nICEr'].variables = gyp_vars
+# We allow warnings for third-party code that can be updated from upstream.
 GYP_DIRS['nICEr'].sandbox_vars['ALLOW_COMPILER_WARNINGS'] = True
 GYP_DIRS['nICEr'].sandbox_vars['FINAL_LIBRARY'] = 'webrtc'
 GYP_DIRS['nICEr'].non_unified_sources += nICEr_non_unified_sources
 
 GYP_DIRS['nrappkit'].input = 'nrappkit/nrappkit.gyp'
 GYP_DIRS['nrappkit'].variables = gyp_vars
+# We allow warnings for third-party code that can be updated from upstream.
 GYP_DIRS['nrappkit'].sandbox_vars['ALLOW_COMPILER_WARNINGS'] = True
 GYP_DIRS['nrappkit'].sandbox_vars['FINAL_LIBRARY'] = 'webrtc'
 GYP_DIRS['nrappkit'].non_unified_sources += nrappkit_non_unified_sources
diff --git a/media/pocketsphinx/moz.build b/media/pocketsphinx/moz.build
index 9bf56e7b79d5..05438daedbf9 100644
--- a/media/pocketsphinx/moz.build
+++ b/media/pocketsphinx/moz.build
@@ -58,6 +58,7 @@ if CONFIG['GNU_CC']:
 if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
     NO_VISIBILITY_FLAGS = True,
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/sphinxbase/moz.build b/media/sphinxbase/moz.build
index ab16dab0f5eb..5c093054482b 100644
--- a/media/sphinxbase/moz.build
+++ b/media/sphinxbase/moz.build
@@ -79,6 +79,7 @@ if CONFIG['GNU_CC']:
 if CONFIG['GKMEDIAS_SHARED_LIBRARY']:
     NO_VISIBILITY_FLAGS = True,
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'gkmedias'
diff --git a/media/webrtc/moz.build b/media/webrtc/moz.build
index efe41cf1b224..555b3eedcdc7 100644
--- a/media/webrtc/moz.build
+++ b/media/webrtc/moz.build
@@ -40,6 +40,7 @@ GYP_DIRS += ['trunk']
 
 GYP_DIRS['trunk'].input = 'trunk/peerconnection.gyp'
 GYP_DIRS['trunk'].variables = gyp_vars
+# We allow warnings for third-party code that can be updated from upstream.
 GYP_DIRS['trunk'].sandbox_vars['ALLOW_COMPILER_WARNINGS'] = True
 GYP_DIRS['trunk'].sandbox_vars['FINAL_LIBRARY'] = 'webrtc'
 GYP_DIRS['trunk'].non_unified_sources += webrtc_non_unified_sources
@@ -89,6 +90,7 @@ if CONFIG['MOZ_WIDGET_TOOLKIT'] != 'gonk':
     GYP_DIRS += ['trunk/testing']
     GYP_DIRS['trunk/testing'].input = 'trunk/testing/gtest.gyp'
     GYP_DIRS['trunk/testing'].variables = gyp_vars
+    # We allow warnings for third-party code that can be updated from upstream.
     GYP_DIRS['trunk/testing'].sandbox_vars['ALLOW_COMPILER_WARNINGS'] = True
     GYP_DIRS['trunk/testing'].non_unified_sources += webrtc_non_unified_sources
 
diff --git a/media/webrtc/signaling/src/sdp/SdpAttribute.cpp b/media/webrtc/signaling/src/sdp/SdpAttribute.cpp
index 30690298863d..57c60124c91b 100644
--- a/media/webrtc/signaling/src/sdp/SdpAttribute.cpp
+++ b/media/webrtc/signaling/src/sdp/SdpAttribute.cpp
@@ -147,6 +147,34 @@ void SdpIdentityAttribute::Serialize(std::ostream& os) const
 }
 #endif
 
+// Class to help with omitting a leading delimiter for the first item in a list
+class SkipFirstDelimiter
+{
+  public:
+    explicit SkipFirstDelimiter(const std::string& delim) :
+      mDelim(delim),
+      mFirst(true)
+    {}
+
+    std::ostream& print(std::ostream& os)
+    {
+      if (!mFirst) {
+        os << mDelim;
+      }
+      mFirst = false;
+      return os;
+    }
+
+  private:
+    std::string mDelim;
+    bool mFirst;
+};
+
+static std::ostream& operator<<(std::ostream& os, SkipFirstDelimiter& delim)
+{
+  return delim.print(os);
+}
+
 void
 SdpImageattrAttributeList::XYRange::Serialize(std::ostream& os) const
 {
@@ -160,13 +188,9 @@ SdpImageattrAttributeList::XYRange::Serialize(std::ostream& os) const
     os << discreteValues.front();
   } else {
     os << "[";
-    bool first = true;
+    SkipFirstDelimiter comma(",");
     for (auto value : discreteValues) {
-      if (!first) {
-        os << ",";
-      }
-      first = false;
-      os << value;
+      os << comma << value;
     }
     os << "]";
   }
@@ -442,13 +466,9 @@ SdpImageattrAttributeList::SRange::Serialize(std::ostream& os) const
     os << discreteValues.front();
   } else {
     os << "[";
-    bool first = true;
+    SkipFirstDelimiter comma(",");
     for (auto value : discreteValues) {
-      if (!first) {
-        os << ",";
-      }
-      first = false;
-      os << value;
+      os << comma << value;
     }
     os << "]";
   }
@@ -461,19 +481,29 @@ SdpImageattrAttributeList::PRange::Serialize(std::ostream& os) const
   os << "[" << min << "-" << max << "]";
 }
 
-static std::string ParseKey(std::istream& is, std::string* error)
+static std::string ParseToken(std::istream& is,
+                              const std::string& delims,
+                              std::string* error)
 {
   is >> std::ws;
-  std::string key;
-  while (is && PeekChar(is, error) != '=') {
-    key.push_back(std::tolower(is.get()));
+  std::string token;
+  while (is) {
+    unsigned char c = PeekChar(is, error);
+    if (!c || (delims.find(c) != std::string::npos)) {
+      break;
+    }
+    token.push_back(std::tolower(is.get()));
   }
+  return token;
+}
 
+static std::string ParseKey(std::istream& is, std::string* error)
+{
+  std::string token = ParseToken(is, "=", error);
   if (!SkipChar(is, '=', error)) {
     return "";
   }
-
-  return key;
+  return token;
 }
 
 static bool SkipBraces(std::istream& is, std::string* error)
@@ -630,31 +660,11 @@ SdpImageattrAttributeList::Set::Serialize(std::ostream& os) const
   os << "]";
 }
 
-static std::string
-GetLowercaseToken(std::istream& is, std::string* error)
-{
-  is >> std::ws;
-  std::string token;
-  while (true) {
-    switch (PeekChar(is, error)) {
-      case '\0':
-      case ' ':
-      case '\t':
-        return token;
-      default:
-        token.push_back(std::tolower(is.get()));
-    }
-  }
-
-  MOZ_ASSERT_UNREACHABLE("Unexpected break in loop");
-  return "";
-}
-
 bool
 SdpImageattrAttributeList::Imageattr::ParseSets(std::istream& is,
                                                 std::string* error)
 {
-  std::string type = GetLowercaseToken(is, error);
+  std::string type = ParseToken(is, " \t", error);
 
   bool* isAll = nullptr;
   std::vector<Set>* sets = nullptr;
@@ -827,6 +837,201 @@ SdpRemoteCandidatesAttribute::Serialize(std::ostream& os) const
   os << CRLF;
 }
 
+bool
+SdpRidAttributeList::Constraints::Parse(std::istream& is, std::string* error)
+{
+  if (!PeekChar(is, error)) {
+    // No constraints
+    return true;
+  }
+
+  do {
+    std::string key = ParseKey(is, error);
+    if (key.empty()) {
+      return false; // Illegal trailing cruft
+    }
+
+    // This allows pt= to appear anywhere, instead of only at the beginning, but
+    // this ends up being significantly less code.
+    if (key == "pt") {
+      if (!ParseFormats(is, error)) {
+        return false;
+      }
+    } else if (key == "max-width") {
+      if (!GetUnsigned<uint32_t>(is, 0, UINT32_MAX, &maxWidth, error)) {
+        return false;
+      }
+    } else if (key == "max-height") {
+      if (!GetUnsigned<uint32_t>(is, 0, UINT32_MAX, &maxHeight, error)) {
+        return false;
+      }
+    } else if (key == "max-fps") {
+      if (!GetUnsigned<uint32_t>(is, 0, UINT32_MAX, &maxFps, error)) {
+        return false;
+      }
+    } else if (key == "max-fs") {
+      if (!GetUnsigned<uint32_t>(is, 0, UINT32_MAX, &maxFs, error)) {
+        return false;
+      }
+    } else if (key == "max-br") {
+      if (!GetUnsigned<uint32_t>(is, 0, UINT32_MAX, &maxBr, error)) {
+        return false;
+      }
+    } else if (key == "max-pps") {
+      if (!GetUnsigned<uint32_t>(is, 0, UINT32_MAX, &maxPps, error)) {
+        return false;
+      }
+    } else if (key == "depend") {
+      if (!ParseDepend(is, error)) {
+        return false;
+      }
+    } else {
+      (void) ParseToken(is, ";", error);
+    }
+  } while (SkipChar(is, ';', error));
+  return true;
+}
+
+bool
+SdpRidAttributeList::Constraints::ParseDepend(
+    std::istream& is,
+    std::string* error)
+{
+  do {
+    std::string id = ParseToken(is, ",;", error);
+    if (id.empty()) {
+      return false;
+    }
+    dependIds.push_back(id);
+  } while(SkipChar(is, ',', error));
+
+  return true;
+}
+
+bool
+SdpRidAttributeList::Constraints::ParseFormats(
+    std::istream& is,
+    std::string* error)
+{
+  do {
+    uint16_t fmt;
+    if (!GetUnsigned<uint16_t>(is, 0, 127, &fmt, error)) {
+      return false;
+    }
+    formats.push_back(fmt);
+  } while (SkipChar(is, ',', error));
+
+  return true;
+}
+
+void
+SdpRidAttributeList::Constraints::Serialize(std::ostream& os) const
+{
+  if (!IsSet()) {
+    return;
+  }
+
+  os << " ";
+
+  SkipFirstDelimiter semic(";");
+
+  if (!formats.empty()) {
+    os << semic << "pt=";
+    SkipFirstDelimiter comma(",");
+    for (uint16_t fmt : formats) {
+      os << comma << fmt;
+    }
+  }
+
+  if (maxWidth) {
+    os << semic << "max-width=" << maxWidth;
+  }
+
+  if (maxHeight) {
+    os << semic << "max-height=" << maxHeight;
+  }
+
+  if (maxFps) {
+    os << semic << "max-fps=" << maxFps;
+  }
+
+  if (maxFs) {
+    os << semic << "max-fs=" << maxFs;
+  }
+
+  if (maxBr) {
+    os << semic << "max-br=" << maxBr;
+  }
+
+  if (maxPps) {
+    os << semic << "max-pps=" << maxPps;
+  }
+
+  if (!dependIds.empty()) {
+    os << semic << "depend=";
+    SkipFirstDelimiter comma(",");
+    for (const std::string& id : dependIds) {
+      os << comma << id;
+    }
+  }
+}
+
+bool
+SdpRidAttributeList::Rid::Parse(std::istream& is, std::string* error)
+{
+  id = ParseToken(is, " ", error);
+  if (id.empty()) {
+    return false;
+  }
+
+  std::string directionToken = ParseToken(is, " ", error);
+  if (directionToken == "send") {
+    direction = sdp::kSend;
+  } else if (directionToken == "recv") {
+    direction = sdp::kRecv;
+  } else {
+    *error = "Invalid direction, must be either send or recv";
+    return false;
+  }
+
+  return constraints.Parse(is, error);
+}
+
+void
+SdpRidAttributeList::Rid::Serialize(std::ostream& os) const
+{
+  os << id << " " << direction;
+  constraints.Serialize(os);
+}
+
+void
+SdpRidAttributeList::Serialize(std::ostream& os) const
+{
+  for (const Rid& rid : mRids) {
+    os << "a=" << mType << ":";
+    rid.Serialize(os);
+    os << CRLF;
+  }
+}
+
+bool
+SdpRidAttributeList::PushEntry(const std::string& raw,
+                               std::string* error,
+                               size_t* errorPos)
+{
+  std::istringstream is(raw);
+
+  Rid rid;
+  if (!rid.Parse(is, error)) {
+    is.clear();
+    *errorPos = is.tellg();
+    return false;
+  }
+
+  mRids.push_back(rid);
+  return true;
+}
+
 void
 SdpRtcpAttribute::Serialize(std::ostream& os) const
 {
@@ -913,15 +1118,9 @@ SdpSetupAttribute::Serialize(std::ostream& os) const
 void
 SdpSimulcastAttribute::Version::Serialize(std::ostream& os) const
 {
-  bool first = true;
+  SkipFirstDelimiter comma(",");
   for (uint16_t format : choices) {
-    if (first) {
-      first = false;
-    } else {
-      os << ",";
-    }
-
-    os << format;
+    os << comma << format;
   }
 }
 
@@ -965,18 +1164,12 @@ SdpSimulcastAttribute::Version::AddChoice(const std::string& pt)
 void
 SdpSimulcastAttribute::Versions::Serialize(std::ostream& os) const
 {
-  bool first = true;
+  SkipFirstDelimiter semic(";");
   for (const Version& version : *this) {
     if (!version.IsSet()) {
       continue;
     }
-
-    if (first) {
-      first = false;
-    } else {
-      os << ";";
-    }
-
+    os << semic;
     version.Serialize(os);
   }
 }
@@ -1030,7 +1223,7 @@ SdpSimulcastAttribute::Parse(std::istream& is, std::string* error)
   bool gotSendrecv = false;
 
   while (true) {
-    std::string token = GetLowercaseToken(is, error);
+    std::string token = ParseToken(is, " \t", error);
     if (token.empty()) {
       break;
     }
@@ -1216,6 +1409,8 @@ SdpAttribute::IsAllowedAtMediaLevel(AttributeType type)
       return true;
     case kRemoteCandidatesAttribute:
       return true;
+    case kRidAttribute:
+      return true;
     case kRtcpAttribute:
       return true;
     case kRtcpFbAttribute:
@@ -1298,6 +1493,8 @@ SdpAttribute::IsAllowedAtSessionLevel(AttributeType type)
       return true;
     case kRemoteCandidatesAttribute:
       return false;
+    case kRidAttribute:
+      return false;
     case kRtcpAttribute:
       return false;
     case kRtcpFbAttribute:
@@ -1378,6 +1575,8 @@ SdpAttribute::GetAttributeTypeString(AttributeType type)
       return "recvonly";
     case kRemoteCandidatesAttribute:
       return "remote-candidates";
+    case kRidAttribute:
+      return "rid";
     case kRtcpAttribute:
       return "rtcp";
     case kRtcpFbAttribute:
diff --git a/media/webrtc/signaling/src/sdp/SdpAttribute.h b/media/webrtc/signaling/src/sdp/SdpAttribute.h
index 7d7eea141602..8eec95552456 100644
--- a/media/webrtc/signaling/src/sdp/SdpAttribute.h
+++ b/media/webrtc/signaling/src/sdp/SdpAttribute.h
@@ -59,6 +59,7 @@ public:
     kPtimeAttribute,
     kRecvonlyAttribute,
     kRemoteCandidatesAttribute,
+    kRidAttribute,
     kRtcpAttribute,
     kRtcpFbAttribute,
     kRtcpMuxAttribute,
@@ -771,6 +772,114 @@ public:
   std::vector<Candidate> mCandidates;
 };
 
+/*
+a=rid, draft-pthatcher-mmusic-rid-01
+
+   rid-syntax        = "a=rid:" rid-identifier SP rid-dir
+                       [ rid-pt-param-list / rid-param-list ]
+
+   rid-identifier    = 1*(alpha-numeric / "-" / "_")
+
+   rid-dir           = "send" / "recv"
+
+   rid-pt-param-list = SP rid-fmt-list *(";" rid-param)
+
+   rid-param-list    = SP rid-param *(";" rid-param)
+
+   rid-fmt-list      = "pt=" fmt *( "," fmt )
+                        ; fmt defined in {{RFC4566}}
+
+   rid-param         = rid-width-param
+                       / rid-height-param
+                       / rid-fps-param
+                       / rid-fs-param
+                       / rid-br-param
+                       / rid-pps-param
+                       / rid-depend-param
+                       / rid-param-other
+
+   rid-width-param   = "max-width" [ "=" int-param-val ]
+
+   rid-height-param  = "max-height" [ "=" int-param-val ]
+
+   rid-fps-param     = "max-fps" [ "=" int-param-val ]
+
+   rid-fs-param      = "max-fs" [ "=" int-param-val ]
+
+   rid-br-param      = "max-br" [ "=" int-param-val ]
+
+   rid-pps-param     = "max-pps" [ "=" int-param-val ]
+
+   rid-depend-param  = "depend=" rid-list
+
+   rid-param-other   = 1*(alpha-numeric / "-") [ "=" param-val ]
+
+   rid-list          = rid-identifier *( "," rid-identifier )
+
+   int-param-val     = 1*DIGIT
+
+   param-val         = *( %x20-58 / %x60-7E )
+                       ; Any printable character except semicolon
+*/
+class SdpRidAttributeList : public SdpAttribute
+{
+public:
+  explicit SdpRidAttributeList()
+    : SdpAttribute(kRidAttribute)
+  {}
+
+  struct Constraints
+  {
+    Constraints() :
+      maxWidth(0),
+      maxHeight(0),
+      maxFps(0),
+      maxFs(0),
+      maxBr(0),
+      maxPps(0)
+    {}
+
+    bool Parse(std::istream& is, std::string* error);
+    bool ParseDepend(std::istream& is, std::string* error);
+    bool ParseFormats(std::istream& is, std::string* error);
+    void Serialize(std::ostream& os) const;
+    bool IsSet() const
+    {
+      return !formats.empty() || maxWidth || maxHeight || maxFps || maxFs ||
+             maxBr || maxPps || !dependIds.empty();
+    }
+
+    std::vector<uint16_t> formats; // Empty implies all
+    uint32_t maxWidth;
+    uint32_t maxHeight;
+    uint32_t maxFps;
+    uint32_t maxFs;
+    uint32_t maxBr;
+    uint32_t maxPps;
+    std::vector<std::string> dependIds;
+    // We do not bother trying to store constraints we don't understand.
+  };
+
+  struct Rid
+  {
+    Rid() :
+      direction(sdp::kSend)
+    {}
+
+    bool Parse(std::istream& is, std::string* error);
+    void Serialize(std::ostream& os) const;
+
+    std::string id;
+    sdp::Direction direction;
+    Constraints constraints;
+  };
+
+  virtual void Serialize(std::ostream& os) const override;
+  bool PushEntry(const std::string& raw, std::string* error, size_t* errorPos);
+
+  std::vector<Rid> mRids;
+};
+
 ///////////////////////////////////////////////////////////////////////////
 // a=rtcp, RFC3605
 //-------------------------------------------------------------------------
diff --git a/media/webrtc/signaling/src/sdp/SdpAttributeList.h b/media/webrtc/signaling/src/sdp/SdpAttributeList.h
index 88e677c609c2..7dc2b8effd25 100644
--- a/media/webrtc/signaling/src/sdp/SdpAttributeList.h
+++ b/media/webrtc/signaling/src/sdp/SdpAttributeList.h
@@ -58,6 +58,8 @@ public:
   virtual const SdpImageattrAttributeList& GetImageattr() const = 0;
   virtual const SdpSimulcastAttribute& GetSimulcast() const = 0;
   virtual const SdpMsidAttributeList& GetMsid() const = 0;
+  virtual const SdpMsidSemanticAttributeList& GetMsidSemantic() const = 0;
+  virtual const SdpRidAttributeList& GetRid() const = 0;
   virtual const SdpRtcpFbAttributeList& GetRtcpFb() const = 0;
   virtual const SdpRtpmapAttributeList& GetRtpmap() const = 0;
   virtual const SdpSctpmapAttributeList& GetSctpmap() const = 0;
@@ -72,7 +74,6 @@ public:
   virtual const std::string& GetLabel() const = 0;
   virtual unsigned int GetMaxptime() const = 0;
   virtual const std::string& GetMid() const = 0;
-  virtual const SdpMsidSemanticAttributeList& GetMsidSemantic() const = 0;
   virtual unsigned int GetPtime() const = 0;
 
   // This is "special", because it's multiple things
diff --git a/media/webrtc/signaling/src/sdp/SdpEnum.h b/media/webrtc/signaling/src/sdp/SdpEnum.h
index 2c7419b1ffae..b4a0d16b3822 100644
--- a/media/webrtc/signaling/src/sdp/SdpEnum.h
+++ b/media/webrtc/signaling/src/sdp/SdpEnum.h
@@ -52,6 +52,17 @@ enum Direction {
   kRecv = 2
 };
 
+inline std::ostream& operator<<(std::ostream& os, sdp::Direction d)
+{
+  switch (d) {
+    case sdp::kSend:
+      return os << "send";
+    case sdp::kRecv:
+      return os << "recv";
+  }
+  MOZ_CRASH("Unknown Direction");
+}
+
 } // namespace sdp
 
 } // namespace mozilla
diff --git a/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.cpp b/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.cpp
index 72c8b6fcae2a..50fb345d4588 100644
--- a/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.cpp
+++ b/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.cpp
@@ -513,8 +513,8 @@ SipccSdpAttributeList::LoadImageattr(sdp_t* sdp,
     std::string error;
     size_t errorPos;
     if (!imageattrs->PushEntry(imageattrRaw, &error, &errorPos)) {
-      std::ostringstream fullError(error + " at column ");
-      fullError << errorPos;
+      std::ostringstream fullError;
+      fullError << error << " at column " << errorPos;
       errorHolder.AddParseError(
         sdp_attr_line_number(sdp, SDP_ATTR_IMAGEATTR, level, 0, i),
         fullError.str());
@@ -548,9 +548,8 @@ SipccSdpAttributeList::LoadSimulcast(sdp_t* sdp,
   std::istringstream is(simulcastRaw);
   std::string error;
   if (!simulcast->Parse(is, &error)) {
-    is.clear();
-    std::ostringstream fullError(error + " at column ");
-    fullError << is.tellg();
+    std::ostringstream fullError;
+    fullError << error << " at column " << is.tellg();
     errorHolder.AddParseError(
       sdp_attr_line_number(sdp, SDP_ATTR_SIMULCAST, level, 0, 1),
       fullError.str());
@@ -783,6 +782,41 @@ SipccSdpAttributeList::LoadMsids(sdp_t* sdp, uint16_t level,
   }
 }
 
+bool
+SipccSdpAttributeList::LoadRid(sdp_t* sdp,
+                                     uint16_t level,
+                                     SdpErrorHolder& errorHolder)
+{
+  UniquePtr<SdpRidAttributeList> rids(new SdpRidAttributeList);
+
+  for (uint16_t i = 1; i < UINT16_MAX; ++i) {
+    const char* ridRaw = sdp_attr_get_simple_string(sdp,
+                                                    SDP_ATTR_RID,
+                                                    level,
+                                                    0,
+                                                    i);
+    if (!ridRaw) {
+      break;
+    }
+
+    std::string error;
+    size_t errorPos;
+    if (!rids->PushEntry(ridRaw, &error, &errorPos)) {
+      std::ostringstream fullError;
+      fullError << error << " at column " << errorPos;
+      errorHolder.AddParseError(
+        sdp_attr_line_number(sdp, SDP_ATTR_RID, level, 0, i),
+        fullError.str());
+      return false;
+    }
+  }
+
+  if (!rids->mRids.empty()) {
+    SetAttribute(rids.release());
+  }
+  return true;
+}
+
 void
 SipccSdpAttributeList::LoadExtmap(sdp_t* sdp, uint16_t level,
                                   SdpErrorHolder& errorHolder)
@@ -1000,6 +1034,9 @@ SipccSdpAttributeList::Load(sdp_t* sdp, uint16_t level,
     if (!LoadSimulcast(sdp, level, errorHolder)) {
       return false;
     }
+    if (!LoadRid(sdp, level, errorHolder)) {
+      return false;
+    }
   }
 
   LoadIceAttributes(sdp, level);
@@ -1224,6 +1261,16 @@ SipccSdpAttributeList::GetMsidSemantic() const
   return *static_cast<const SdpMsidSemanticAttributeList*>(attr);
 }
 
+const SdpRidAttributeList&
+SipccSdpAttributeList::GetRid() const
+{
+  if (!HasAttribute(SdpAttribute::kRidAttribute)) {
+    MOZ_CRASH();
+  }
+  const SdpAttribute* attr = GetAttribute(SdpAttribute::kRidAttribute);
+  return *static_cast<const SdpRidAttributeList*>(attr);
+}
+
 uint32_t
 SipccSdpAttributeList::GetPtime() const
 {
diff --git a/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.h b/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.h
index 268d18c3196f..0c092f68c2a7 100644
--- a/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.h
+++ b/media/webrtc/signaling/src/sdp/SipccSdpAttributeList.h
@@ -58,6 +58,9 @@ public:
   virtual const SdpImageattrAttributeList& GetImageattr() const override;
   const SdpSimulcastAttribute& GetSimulcast() const override;
   virtual const SdpMsidAttributeList& GetMsid() const override;
+  virtual const SdpMsidSemanticAttributeList& GetMsidSemantic()
+    const override;
+  const SdpRidAttributeList& GetRid() const override;
   virtual const SdpRtcpFbAttributeList& GetRtcpFb() const override;
   virtual const SdpRtpmapAttributeList& GetRtpmap() const override;
   virtual const SdpSctpmapAttributeList& GetSctpmap() const override;
@@ -70,8 +73,6 @@ public:
   virtual const std::string& GetLabel() const override;
   virtual unsigned int GetMaxptime() const override;
   virtual const std::string& GetMid() const override;
-  virtual const SdpMsidSemanticAttributeList& GetMsidSemantic()
-    const override;
   virtual unsigned int GetPtime() const override;
 
   virtual SdpDirectionAttribute::Direction GetDirection() const override;
@@ -114,6 +115,7 @@ private:
                          SdpErrorHolder& errorHolder);
   void LoadFmtp(sdp_t* sdp, uint16_t level);
   void LoadMsids(sdp_t* sdp, uint16_t level, SdpErrorHolder& errorHolder);
+  bool LoadRid(sdp_t* sdp, uint16_t level, SdpErrorHolder& errorHolder);
   void LoadExtmap(sdp_t* sdp, uint16_t level, SdpErrorHolder& errorHolder);
   void LoadRtcpFb(sdp_t* sdp, uint16_t level, SdpErrorHolder& errorHolder);
   void LoadRtcp(sdp_t* sdp, uint16_t level, SdpErrorHolder& errorHolder);
diff --git a/media/webrtc/signaling/src/sdp/sipcc/ccsdp.h b/media/webrtc/signaling/src/sdp/sipcc/ccsdp.h
index 9c3b762757e3..c47b1d7bd7ab 100644
--- a/media/webrtc/signaling/src/sdp/sipcc/ccsdp.h
+++ b/media/webrtc/signaling/src/sdp/sipcc/ccsdp.h
@@ -186,6 +186,7 @@ typedef enum {
     SDP_ATTR_SSRC,
     SDP_ATTR_IMAGEATTR,
     SDP_ATTR_SIMULCAST,
+    SDP_ATTR_RID,
     SDP_MAX_ATTR_TYPES,
     SDP_ATTR_INVALID
 } sdp_attr_e;
diff --git a/media/webrtc/signaling/src/sdp/sipcc/sdp_attr_access.c b/media/webrtc/signaling/src/sdp/sipcc/sdp_attr_access.c
index 5cf0a680a4fb..a95de2ad5e02 100644
--- a/media/webrtc/signaling/src/sdp/sipcc/sdp_attr_access.c
+++ b/media/webrtc/signaling/src/sdp/sipcc/sdp_attr_access.c
@@ -684,7 +684,8 @@ static boolean sdp_attr_is_simple_string(sdp_attr_e attr_type) {
         (attr_type != SDP_ATTR_IDENTITY) &&
         (attr_type != SDP_ATTR_ICE_OPTIONS) &&
         (attr_type != SDP_ATTR_IMAGEATTR) &&
-        (attr_type != SDP_ATTR_SIMULCAST)) {
+        (attr_type != SDP_ATTR_SIMULCAST) &&
+        (attr_type != SDP_ATTR_RID)) {
       return FALSE;
     }
     return TRUE;
diff --git a/media/webrtc/signaling/src/sdp/sipcc/sdp_main.c b/media/webrtc/signaling/src/sdp/sipcc/sdp_main.c
index c84ad4bf3e5d..741669893987 100644
--- a/media/webrtc/signaling/src/sdp/sipcc/sdp_main.c
+++ b/media/webrtc/signaling/src/sdp/sipcc/sdp_main.c
@@ -198,6 +198,8 @@ const sdp_attrarray_t sdp_attr[SDP_MAX_ATTR_TYPES] =
       sdp_parse_attr_complete_line, sdp_build_attr_simple_string},
     {"simulcast", sizeof("simulcast"),
       sdp_parse_attr_complete_line, sdp_build_attr_simple_string},
+    {"rid", sizeof("rid"),
+      sdp_parse_attr_complete_line, sdp_build_attr_simple_string},
 };
 
 /* Note: These *must* be in the same order as the enum types. */
diff --git a/media/webrtc/signaling/test/sdp_unittests.cpp b/media/webrtc/signaling/test/sdp_unittests.cpp
index 52e82be84f7d..55eb937752bf 100644
--- a/media/webrtc/signaling/test/sdp_unittests.cpp
+++ b/media/webrtc/signaling/test/sdp_unittests.cpp
@@ -1196,6 +1196,8 @@ const std::string kBasicAudioVideoOffer =
 "a=imageattr:120 send * recv *" CRLF
 "a=imageattr:121 send [x=640,y=480] recv [x=640,y=480]" CRLF
 "a=simulcast:sendrecv 120;121" CRLF
+"a=rid:foo send" CRLF
+"a=rid:bar recv pt=96;max-width=800;max-height=600" CRLF
 "m=audio 9 RTP/SAVPF 0" CRLF
 "a=mid:third" CRLF
 "a=rtpmap:0 PCMU/8000" CRLF
@@ -1758,6 +1760,36 @@ TEST_P(NewSdpTest, CheckMsid) {
   ASSERT_EQ("", msids3.mMsids[0].appdata);
 }
 
+TEST_P(NewSdpTest, CheckRid)
+{
+  ParseSdp(kBasicAudioVideoOffer);
+  ASSERT_TRUE(!!mSdp);
+  ASSERT_EQ(3U, mSdp->GetMediaSectionCount()) << "Wrong number of media sections";
+
+  ASSERT_FALSE(mSdp->GetAttributeList().HasAttribute(
+        SdpAttribute::kRidAttribute));
+  ASSERT_FALSE(mSdp->GetMediaSection(0).GetAttributeList().HasAttribute(
+        SdpAttribute::kRidAttribute));
+  ASSERT_TRUE(mSdp->GetMediaSection(1).GetAttributeList().HasAttribute(
+        SdpAttribute::kRidAttribute));
+  ASSERT_FALSE(mSdp->GetMediaSection(2).GetAttributeList().HasAttribute(
+        SdpAttribute::kRidAttribute));
+
+  const SdpRidAttributeList& rids =
+    mSdp->GetMediaSection(1).GetAttributeList().GetRid();
+
+  ASSERT_EQ(2U, rids.mRids.size());
+  ASSERT_EQ("foo", rids.mRids[0].id);
+  ASSERT_EQ(sdp::kSend, rids.mRids[0].direction);
+  ASSERT_EQ(0U, rids.mRids[0].constraints.formats.size());
+  ASSERT_EQ("bar", rids.mRids[1].id);
+  ASSERT_EQ(sdp::kRecv, rids.mRids[1].direction);
+  ASSERT_EQ(1U, rids.mRids[1].constraints.formats.size());
+  ASSERT_EQ(96U, rids.mRids[1].constraints.formats[0]);
+  ASSERT_EQ(800U, rids.mRids[1].constraints.maxWidth);
+  ASSERT_EQ(600U, rids.mRids[1].constraints.maxHeight);
+}
+
 TEST_P(NewSdpTest, CheckMediaLevelIceUfrag) {
   ParseSdp(kBasicAudioVideoOffer);
   ASSERT_TRUE(!!mSdp) << "Parse failed: " << GetParseErrors();
@@ -3641,6 +3673,478 @@ TEST(NewSdpTestNoFixture, CheckSimulcastInvalidParse)
   ParseInvalid<SdpSimulcastAttribute>(" sendrecv 8 sendrecv ", 20);
 }
 
+static SdpRidAttributeList::Constraints
+ParseRidConstraints(const std::string& input)
+{
+  std::istringstream is(input);
+  std::string error;
+  SdpRidAttributeList::Constraints constraints;
+  EXPECT_TRUE(constraints.Parse(is, &error)) << error
+              << " for input \'" << input << "\'" ;
+  EXPECT_TRUE(is.eof());
+  return constraints;
+}
+
+TEST(NewSdpTestNoFixture, CheckRidConstraintsValidParse)
+{
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints(""));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("pt=96"));
+    ASSERT_EQ(1U, constraints.formats.size());
+    ASSERT_EQ(96U, constraints.formats[0]);
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  // This is not technically permitted by the BNF, but the parse code is simpler
+  // if we allow it. If we decide to stop allowing this, this will need to be
+  // converted to an invalid parse test-case.
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-br=30000;pt=96"));
+    ASSERT_EQ(1U, constraints.formats.size());
+    ASSERT_EQ(96U, constraints.formats[0]);
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(30000U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("pt=96,97,98"));
+    ASSERT_EQ(3U, constraints.formats.size());
+    ASSERT_EQ(96U, constraints.formats[0]);
+    ASSERT_EQ(97U, constraints.formats[1]);
+    ASSERT_EQ(98U, constraints.formats[2]);
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-width=800"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(800U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-height=640"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(640U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-fps=30"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(30U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-fs=3600"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(3600U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-br=30000"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(30000U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-pps=9216000"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(9216000U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("depend=foo"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(1U, constraints.dependIds.size());
+    ASSERT_EQ("foo", constraints.dependIds[0]);
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-foo=20"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("depend=foo,bar"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(0U, constraints.maxWidth);
+    ASSERT_EQ(0U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(2U, constraints.dependIds.size());
+    ASSERT_EQ("foo", constraints.dependIds[0]);
+    ASSERT_EQ("bar", constraints.dependIds[1]);
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-width=800;max-height=600"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(800U, constraints.maxWidth);
+    ASSERT_EQ(600U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("pt=96,97;max-width=800;max-height=600"));
+    ASSERT_EQ(2U, constraints.formats.size());
+    ASSERT_EQ(96U, constraints.formats[0]);
+    ASSERT_EQ(97U, constraints.formats[1]);
+    ASSERT_EQ(800U, constraints.maxWidth);
+    ASSERT_EQ(600U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("depend=foo,bar;max-width=800;max-height=600"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(800U, constraints.maxWidth);
+    ASSERT_EQ(600U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(2U, constraints.dependIds.size());
+    ASSERT_EQ("foo", constraints.dependIds[0]);
+    ASSERT_EQ("bar", constraints.dependIds[1]);
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints(
+        ParseRidConstraints("max-foo=20;max-width=800;max-height=600"));
+    ASSERT_EQ(0U, constraints.formats.size());
+    ASSERT_EQ(800U, constraints.maxWidth);
+    ASSERT_EQ(600U, constraints.maxHeight);
+    ASSERT_EQ(0U, constraints.maxFps);
+    ASSERT_EQ(0U, constraints.maxFs);
+    ASSERT_EQ(0U, constraints.maxBr);
+    ASSERT_EQ(0U, constraints.maxPps);
+    ASSERT_EQ(0U, constraints.dependIds.size());
+  }
+}
+
+TEST(NewSdpTestNoFixture, CheckRidConstraintsInvalidParse)
+{
+  ParseInvalid<SdpRidAttributeList::Constraints>(" ", 1);
+  ParseInvalid<SdpRidAttributeList::Constraints>("pt", 2);
+  ParseInvalid<SdpRidAttributeList::Constraints>("pt=", 3);
+  ParseInvalid<SdpRidAttributeList::Constraints>("pt=x", 3);
+  ParseInvalid<SdpRidAttributeList::Constraints>("pt=-1", 3);
+  ParseInvalid<SdpRidAttributeList::Constraints>("pt=96,", 6);
+  ParseInvalid<SdpRidAttributeList::Constraints>("pt=196", 6);
+  ParseInvalid<SdpRidAttributeList::Constraints>("max-width", 9);
+  ParseInvalid<SdpRidAttributeList::Constraints>("max-width=", 10);
+  ParseInvalid<SdpRidAttributeList::Constraints>("max-width=x", 10);
+  ParseInvalid<SdpRidAttributeList::Constraints>("max-width=-1", 10);
+  ParseInvalid<SdpRidAttributeList::Constraints>("max-width=800;", 14);
+  ParseInvalid<SdpRidAttributeList::Constraints>("max-width=800; ", 15);
+  ParseInvalid<SdpRidAttributeList::Constraints>("depend=", 7);
+  ParseInvalid<SdpRidAttributeList::Constraints>("depend=,", 7);
+  ParseInvalid<SdpRidAttributeList::Constraints>("depend=1,", 9);
+}
+
+TEST(NewSdpTestNoFixture, CheckRidConstraintsSerialize)
+{
+  {
+    SdpRidAttributeList::Constraints constraints;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ("", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.formats.push_back(96);
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" pt=96", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.formats.push_back(96);
+    constraints.formats.push_back(97);
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" pt=96,97", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.maxWidth = 800;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" max-width=800", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.maxHeight = 600;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" max-height=600", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.maxFps = 30;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" max-fps=30", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.maxFs = 3600;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" max-fs=3600", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.maxBr = 30000;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" max-br=30000", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.maxPps = 9216000;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" max-pps=9216000", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.dependIds.push_back("foo");
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" depend=foo", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.dependIds.push_back("foo");
+    constraints.dependIds.push_back("bar");
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" depend=foo,bar", os.str());
+  }
+
+  {
+    SdpRidAttributeList::Constraints constraints;
+    constraints.formats.push_back(96);
+    constraints.maxBr = 30000;
+    std::ostringstream os;
+    constraints.Serialize(os);
+    ASSERT_EQ(" pt=96;max-br=30000", os.str());
+  }
+}
+
+static SdpRidAttributeList::Rid
+ParseRid(const std::string& input)
+{
+  std::istringstream is(input);
+  std::string error;
+  SdpRidAttributeList::Rid rid;
+  EXPECT_TRUE(rid.Parse(is, &error)) << error;
+  EXPECT_TRUE(is.eof());
+  return rid;
+}
+
+TEST(NewSdpTestNoFixture, CheckRidValidParse)
+{
+  {
+    SdpRidAttributeList::Rid rid(ParseRid("1 send"));
+    ASSERT_EQ("1", rid.id);
+    ASSERT_EQ(sdp::kSend, rid.direction);
+    ASSERT_EQ(0U, rid.constraints.formats.size());
+    ASSERT_EQ(0U, rid.constraints.maxWidth);
+    ASSERT_EQ(0U, rid.constraints.maxHeight);
+    ASSERT_EQ(0U, rid.constraints.maxFps);
+    ASSERT_EQ(0U, rid.constraints.maxFs);
+    ASSERT_EQ(0U, rid.constraints.maxBr);
+    ASSERT_EQ(0U, rid.constraints.maxPps);
+    ASSERT_EQ(0U, rid.constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Rid rid(ParseRid("1 send pt=96;max-width=800"));
+    ASSERT_EQ("1", rid.id);
+    ASSERT_EQ(sdp::kSend, rid.direction);
+    ASSERT_EQ(1U, rid.constraints.formats.size());
+    ASSERT_EQ(96U, rid.constraints.formats[0]);
+    ASSERT_EQ(800U, rid.constraints.maxWidth);
+    ASSERT_EQ(0U, rid.constraints.maxHeight);
+    ASSERT_EQ(0U, rid.constraints.maxFps);
+    ASSERT_EQ(0U, rid.constraints.maxFs);
+    ASSERT_EQ(0U, rid.constraints.maxBr);
+    ASSERT_EQ(0U, rid.constraints.maxPps);
+    ASSERT_EQ(0U, rid.constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Rid rid(ParseRid("1 send pt=96,97,98;max-width=800"));
+    ASSERT_EQ("1", rid.id);
+    ASSERT_EQ(sdp::kSend, rid.direction);
+    ASSERT_EQ(3U, rid.constraints.formats.size());
+    ASSERT_EQ(96U, rid.constraints.formats[0]);
+    ASSERT_EQ(97U, rid.constraints.formats[1]);
+    ASSERT_EQ(98U, rid.constraints.formats[2]);
+    ASSERT_EQ(800U, rid.constraints.maxWidth);
+    ASSERT_EQ(0U, rid.constraints.maxHeight);
+    ASSERT_EQ(0U, rid.constraints.maxFps);
+    ASSERT_EQ(0U, rid.constraints.maxFs);
+    ASSERT_EQ(0U, rid.constraints.maxBr);
+    ASSERT_EQ(0U, rid.constraints.maxPps);
+    ASSERT_EQ(0U, rid.constraints.dependIds.size());
+  }
+
+  {
+    SdpRidAttributeList::Rid rid(
+        ParseRid("0123456789az-_ recv max-width=800"));
+    ASSERT_EQ("0123456789az-_", rid.id);
+    ASSERT_EQ(sdp::kRecv, rid.direction);
+    ASSERT_EQ(0U, rid.constraints.formats.size());
+    ASSERT_EQ(800U, rid.constraints.maxWidth);
+    ASSERT_EQ(0U, rid.constraints.maxHeight);
+    ASSERT_EQ(0U, rid.constraints.maxFps);
+    ASSERT_EQ(0U, rid.constraints.maxFs);
+    ASSERT_EQ(0U, rid.constraints.maxBr);
+    ASSERT_EQ(0U, rid.constraints.maxPps);
+    ASSERT_EQ(0U, rid.constraints.dependIds.size());
+  }
+
+}
+
+TEST(NewSdpTestNoFixture, CheckRidInvalidParse)
+{
+  ParseInvalid<SdpRidAttributeList::Rid>("", 0);
+  ParseInvalid<SdpRidAttributeList::Rid>(" ", 1);
+  ParseInvalid<SdpRidAttributeList::Rid>("foo", 3);
+  ParseInvalid<SdpRidAttributeList::Rid>("foo ", 4);
+  ParseInvalid<SdpRidAttributeList::Rid>("foo  ", 5);
+  ParseInvalid<SdpRidAttributeList::Rid>("foo bar", 7);
+  ParseInvalid<SdpRidAttributeList::Rid>("foo recv ", 9);
+  ParseInvalid<SdpRidAttributeList::Rid>("foo recv pt=", 12);
+}
+
+TEST(NewSdpTestNoFixture, CheckRidSerialize)
+{
+  {
+    SdpRidAttributeList::Rid rid;
+    rid.id = "foo";
+    rid.direction = sdp::kSend;
+    std::ostringstream os;
+    rid.Serialize(os);
+    ASSERT_EQ("foo send", os.str());
+  }
+}
+
 } // End namespace test.
 
 int main(int argc, char **argv) {
diff --git a/memory/jemalloc/moz.build b/memory/jemalloc/moz.build
index a4b7842554ec..ed05a2d15783 100644
--- a/memory/jemalloc/moz.build
+++ b/memory/jemalloc/moz.build
@@ -72,4 +72,5 @@ DEFINES['abort'] = 'moz_abort'
 GENERATED_INCLUDES += ['src/include']
 LOCAL_INCLUDES += ['src/include']
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
diff --git a/mfbt/Array.h b/mfbt/Array.h
index b2ab578d4b8a..30e183bb2447 100644
--- a/mfbt/Array.h
+++ b/mfbt/Array.h
@@ -11,6 +11,7 @@
 
 #include "mozilla/Assertions.h"
 #include "mozilla/Attributes.h"
+#include "mozilla/ReverseIterator.h"
 
 #include <stddef.h>
 
@@ -33,6 +34,27 @@ public:
     MOZ_ASSERT(aIndex < Length);
     return mArr[aIndex];
   }
+
+  typedef T*                        iterator;
+  typedef const T*                  const_iterator;
+  typedef ReverseIterator<T*>       reverse_iterator;
+  typedef ReverseIterator<const T*> const_reverse_iterator;
+
+  // Methods for range-based for loops.
+  iterator begin() { return mArr; }
+  const_iterator begin() const { return mArr; }
+  const_iterator cbegin() const { return begin(); }
+  iterator end() { return mArr + Length; }
+  const_iterator end() const { return mArr + Length; }
+  const_iterator cend() const { return end(); }
+
+  // Methods for reverse iterating.
+  reverse_iterator rbegin() { return reverse_iterator(end()); }
+  const_reverse_iterator rbegin() const { return const_reverse_iterator(end()); }
+  const_reverse_iterator crbegin() const { return rbegin(); }
+  reverse_iterator rend() { return reverse_iterator(begin()); }
+  const_reverse_iterator rend() const { return const_reverse_iterator(begin()); }
+  const_reverse_iterator crend() const { return rend(); }
 };
 
 template<typename T>
diff --git a/mfbt/ArrayUtils.h b/mfbt/ArrayUtils.h
index 9566a3f40a8a..b572272dd1c7 100644
--- a/mfbt/ArrayUtils.h
+++ b/mfbt/ArrayUtils.h
@@ -20,6 +20,7 @@
 
 #include "mozilla/Alignment.h"
 #include "mozilla/Array.h"
+#include "mozilla/EnumeratedArray.h"
 #include "mozilla/TypeTraits.h"
 
 namespace mozilla {
@@ -64,6 +65,13 @@ ArrayLength(const Array<T, N>& aArr)
   return N;
 }
 
+template<typename E, E N, typename T>
+MOZ_CONSTEXPR size_t
+ArrayLength(const EnumeratedArray<E, N, T>& aArr)
+{
+  return size_t(N);
+}
+
 /*
  * Compute the address one past the last element of a constant-length array.
  *
diff --git a/mfbt/DebugOnly.h b/mfbt/DebugOnly.h
index 67d963cf1de5..451d9bc37381 100644
--- a/mfbt/DebugOnly.h
+++ b/mfbt/DebugOnly.h
@@ -51,8 +51,8 @@ public:
   void operator++(int) { value++; }
   void operator--(int) { value--; }
 
-  // Do not define operator+=() or operator-=() here.  These will coerce via
-  // the implicit cast and built-in operators.  Defining explicit methods here
+  // Do not define operator+=(), etc. here.  These will coerce via the
+  // implicit cast and built-in operators.  Defining explicit methods here
   // will create ambiguity the compiler can't deal with.
 
   T* operator&() { return &value; }
@@ -72,6 +72,9 @@ public:
   void operator--(int) { }
   DebugOnly& operator+=(const T&) { return *this; }
   DebugOnly& operator-=(const T&) { return *this; }
+  DebugOnly& operator&=(const T&) { return *this; }
+  DebugOnly& operator|=(const T&) { return *this; }
+  DebugOnly& operator^=(const T&) { return *this; }
 #endif
 
   /*
diff --git a/mfbt/EnumeratedArray.h b/mfbt/EnumeratedArray.h
index d6d7bad613eb..afd06ea8056e 100644
--- a/mfbt/EnumeratedArray.h
+++ b/mfbt/EnumeratedArray.h
@@ -46,7 +46,9 @@ public:
   static const size_t kSize = size_t(SizeAsEnumValue);
 
 private:
-  Array<ValueType, kSize> mArray;
+  typedef Array<ValueType, kSize> ArrayType;
+
+  ArrayType mArray;
 
 public:
   EnumeratedArray() {}
@@ -67,6 +69,27 @@ public:
   {
     return mArray[size_t(aIndex)];
   }
+
+  typedef typename ArrayType::iterator               iterator;
+  typedef typename ArrayType::const_iterator         const_iterator;
+  typedef typename ArrayType::reverse_iterator       reverse_iterator;
+  typedef typename ArrayType::const_reverse_iterator const_reverse_iterator;
+
+  // Methods for range-based for loops.
+  iterator begin() { return mArray.begin(); }
+  const_iterator begin() const { return mArray.begin(); }
+  const_iterator cbegin() const { return mArray.cbegin(); }
+  iterator end() { return mArray.end(); }
+  const_iterator end() const { return mArray.end(); }
+  const_iterator cend() const { return mArray.cend(); }
+
+  // Methods for reverse iterating.
+  reverse_iterator rbegin() { return mArray.rbegin(); }
+  const_reverse_iterator rbegin() const { return mArray.rbegin(); }
+  const_reverse_iterator crbegin() const { return mArray.crbegin(); }
+  reverse_iterator rend() { return mArray.rend(); }
+  const_reverse_iterator rend() const { return mArray.rend(); }
+  const_reverse_iterator crend() const { return mArray.crend(); }
 };
 
 } // namespace mozilla
diff --git a/mfbt/EnumeratedRange.h b/mfbt/EnumeratedRange.h
index 2fd0f881f1f9..fdca95632146 100644
--- a/mfbt/EnumeratedRange.h
+++ b/mfbt/EnumeratedRange.h
@@ -171,6 +171,9 @@ private:
 #endif
 
 // Create a range to iterate from aBegin to aEnd, exclusive.
+//
+// (Once we can rely on std::underlying_type, we can remove the IntType
+// template parameter.)
 template<typename IntType, typename EnumType>
 inline detail::EnumeratedRange<IntType, EnumType>
 MakeEnumeratedRange(EnumType aBegin, EnumType aEnd)
@@ -189,11 +192,17 @@ MakeEnumeratedRange(EnumType aBegin, EnumType aEnd)
 
 // Create a range to iterate from EnumType(0) to aEnd, exclusive. EnumType(0)
 // should exist, but note that there is no way for us to ensure that it does!
-template<typename IntType, typename EnumType>
-inline detail::EnumeratedRange<IntType, EnumType>
+// Since the enumeration starts at EnumType(0), we know for sure that the values
+// will be in range of our deduced IntType.
+template<typename EnumType>
+inline detail::EnumeratedRange<
+  typename UnsignedStdintTypeForSize<sizeof(EnumType)>::Type,
+  EnumType>
 MakeEnumeratedRange(EnumType aEnd)
 {
-  return MakeEnumeratedRange<IntType>(EnumType(0), aEnd);
+  return MakeEnumeratedRange<
+    typename UnsignedStdintTypeForSize<sizeof(EnumType)>::Type>(EnumType(0),
+                                                                aEnd);
 }
 
 #ifdef __GNUC__
diff --git a/mfbt/RangedArray.h b/mfbt/RangedArray.h
index 8ef2dd02a51a..afe6267ff3f6 100644
--- a/mfbt/RangedArray.h
+++ b/mfbt/RangedArray.h
@@ -22,6 +22,10 @@ namespace mozilla {
 template<typename T, size_t MinIndex, size_t Length>
 class RangedArray
 {
+private:
+  typedef Array<T, Length> ArrayType;
+  ArrayType mArr;
+
 public:
   T& operator[](size_t aIndex)
   {
@@ -35,8 +39,26 @@ public:
     return mArr[aIndex - MinIndex];
   }
 
-private:
-  Array<T, Length> mArr;
+  typedef typename ArrayType::iterator               iterator;
+  typedef typename ArrayType::const_iterator         const_iterator;
+  typedef typename ArrayType::reverse_iterator       reverse_iterator;
+  typedef typename ArrayType::const_reverse_iterator const_reverse_iterator;
+
+  // Methods for range-based for loops.
+  iterator begin() { return mArr.begin(); }
+  const_iterator begin() const { return mArr.begin(); }
+  const_iterator cbegin() const { return mArr.cbegin(); }
+  iterator end() { return mArr.end(); }
+  const_iterator end() const { return mArr.end(); }
+  const_iterator cend() const { return mArr.cend(); }
+
+  // Methods for reverse iterating.
+  reverse_iterator rbegin() { return mArr.rbegin(); }
+  const_reverse_iterator rbegin() const { return mArr.rbegin(); }
+  const_reverse_iterator crbegin() const { return mArr.crbegin(); }
+  reverse_iterator rend() { return mArr.rend(); }
+  const_reverse_iterator rend() const { return mArr.rend(); }
+  const_reverse_iterator crend() const { return mArr.crend(); }
 };
 
 } // namespace mozilla
diff --git a/mobile/android/base/BrowserApp.java b/mobile/android/base/BrowserApp.java
index 85e695bd9f81..a7dc843047de 100644
--- a/mobile/android/base/BrowserApp.java
+++ b/mobile/android/base/BrowserApp.java
@@ -3362,7 +3362,12 @@ public class BrowserApp extends GeckoApp
 
         // Track the menu action. We don't know much about the context, but we can use this to determine
         // the frequency of use for various actions.
-        Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.MENU, getResources().getResourceEntryName(itemId));
+        String extras = getResources().getResourceEntryName(itemId);
+        if (TextUtils.equals(extras, "new_private_tab")) {
+            // Mask private browsing
+            extras = "new_tab";
+        }
+        Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.MENU, extras);
 
         mBrowserToolbar.cancelEdit();
 
diff --git a/mobile/android/base/IntentHelper.java b/mobile/android/base/IntentHelper.java
index 9c01e7b50671..f4315c5ed9a0 100644
--- a/mobile/android/base/IntentHelper.java
+++ b/mobile/android/base/IntentHelper.java
@@ -25,10 +25,12 @@ import android.text.TextUtils;
 import android.util.Log;
 
 import java.io.UnsupportedEncodingException;
+import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLEncoder;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 
 public final class IntentHelper implements GeckoEventListener,
                                            NativeEventListener {
@@ -50,6 +52,8 @@ public final class IntentHelper implements GeckoEventListener,
     private static String EXTRA_BROWSER_FALLBACK_URL = "browser_fallback_url";
 
     /** A partial URI to an error page - the encoded error URI should be appended before loading. */
+    private static final String GENERIC_URI_PREFIX = "about:neterror?e=generic&u=";
+    private static final String MALFORMED_URI_PREFIX = "about:neterror?e=malformedURI&u=";
     private static String UNKNOWN_PROTOCOL_URI_PREFIX = "about:neterror?e=unknownProtocolFound&u=";
 
     private static IntentHelper instance;
@@ -184,7 +188,22 @@ public final class IntentHelper implements GeckoEventListener,
         //   https://developer.chrome.com/multidevice/android/intents
         if (intent.hasExtra(EXTRA_BROWSER_FALLBACK_URL)) {
             final String fallbackUrl = intent.getStringExtra(EXTRA_BROWSER_FALLBACK_URL);
-            callback.sendError(fallbackUrl);
+            String urlToLoad;
+            try {
+                final String anyCaseScheme = new URI(fallbackUrl).getScheme();
+                final String scheme = (anyCaseScheme == null) ? null : anyCaseScheme.toLowerCase(Locale.US);
+                if ("http".equals(scheme) || "https".equals(scheme)) {
+                    urlToLoad = fallbackUrl;
+                } else {
+                    Log.w(LOGTAG, "Fallback URI uses unsupported scheme: " + scheme);
+                    urlToLoad = GENERIC_URI_PREFIX + fallbackUrl;
+                }
+            } catch (final URISyntaxException e) {
+                // Do not include Exception to avoid leaking uris.
+                Log.w(LOGTAG, "Exception parsing fallback URI");
+                urlToLoad = MALFORMED_URI_PREFIX + fallbackUrl;
+            }
+            callback.sendError(urlToLoad);
 
         } else if (intent.getPackage() != null) {
             // Note on alternative flows: we could get the intent package from a component, however, for
diff --git a/mobile/android/base/home/HomeFragment.java b/mobile/android/base/home/HomeFragment.java
index a19accc39f15..656488a8692f 100644
--- a/mobile/android/base/home/HomeFragment.java
+++ b/mobile/android/base/home/HomeFragment.java
@@ -36,6 +36,7 @@ import android.content.Intent;
 import android.content.res.Configuration;
 import android.os.Bundle;
 import android.support.v4.app.Fragment;
+import android.text.TextUtils;
 import android.util.Log;
 import android.view.ContextMenu;
 import android.view.ContextMenu.ContextMenuInfo;
@@ -179,7 +180,12 @@ public abstract class HomeFragment extends Fragment {
 
         // Track the menu action. We don't know much about the context, but we can use this to determine
         // the frequency of use for various actions.
-        Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.CONTEXT_MENU, getResources().getResourceEntryName(itemId));
+        String extras = getResources().getResourceEntryName(itemId);
+        if (TextUtils.equals(extras, "home_open_private_tab")) {
+            // Mask private browsing
+            extras = "home_open_new_tab";
+        }
+        Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.CONTEXT_MENU, extras);
 
         if (itemId == R.id.home_copyurl) {
             if (info.url == null) {
diff --git a/mobile/android/base/tabs/TabsPanel.java b/mobile/android/base/tabs/TabsPanel.java
index b9dd6d50bf59..14efd96c5a5a 100644
--- a/mobile/android/base/tabs/TabsPanel.java
+++ b/mobile/android/base/tabs/TabsPanel.java
@@ -26,6 +26,7 @@ import org.mozilla.gecko.widget.GeckoPopupMenu;
 import org.mozilla.gecko.widget.IconTabWidget;
 
 import android.content.Context;
+import android.content.res.Configuration;
 import android.content.res.Resources;
 import android.graphics.Rect;
 import android.util.AttributeSet;
@@ -74,7 +75,9 @@ public class TabsPanel extends LinearLayout
 
 
     public static View createTabsLayout(final Context context, final AttributeSet attrs) {
-        if (HardwareUtils.isTablet() || AppConstants.NIGHTLY_BUILD) {
+        final boolean isLandscape = context.getResources().getConfiguration().orientation == Configuration.ORIENTATION_LANDSCAPE;
+
+        if (HardwareUtils.isTablet() || isLandscape) {
             return new TabsGridLayout(context, attrs);
         } else {
             return new TabsListLayout(context, attrs);
@@ -189,11 +192,11 @@ public class TabsPanel extends LinearLayout
     }
 
     private void addTab() {
+        Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.ACTIONBAR, "new_tab");
+
         if (mCurrentPanel == Panel.NORMAL_TABS) {
-            Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.ACTIONBAR, "new_tab");
             mActivity.addTab();
         } else {
-            Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.ACTIONBAR, "new_private_tab");
             mActivity.addPrivateTab();
         }
 
@@ -215,8 +218,7 @@ public class TabsPanel extends LinearLayout
 
         if (itemId == R.id.close_all_tabs) {
             if (mCurrentPanel == Panel.NORMAL_TABS) {
-                final String extras = getResources().getResourceEntryName(itemId);
-                Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.MENU, extras);
+                Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.MENU, "close_all_tabs");
 
                 // Disable the menu button so that the menu won't interfere with the tab close animation.
                 mMenuButton.setEnabled(false);
@@ -229,8 +231,8 @@ public class TabsPanel extends LinearLayout
 
         if (itemId == R.id.close_private_tabs) {
             if (mCurrentPanel == Panel.PRIVATE_TABS) {
-                final String extras = getResources().getResourceEntryName(itemId);
-                Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.MENU, extras);
+                // Mask private browsing
+                Telemetry.sendUIEvent(TelemetryContract.Event.ACTION, TelemetryContract.Method.MENU, "close_all_tabs");
 
                 ((CloseAllPanelView) mPanelPrivate).closeAll();
             } else {
diff --git a/mobile/android/base/util/GeckoJarReader.java b/mobile/android/base/util/GeckoJarReader.java
index 501d8819af61..c95bc1b7e638 100644
--- a/mobile/android/base/util/GeckoJarReader.java
+++ b/mobile/android/base/util/GeckoJarReader.java
@@ -52,6 +52,9 @@ public final class GeckoJarReader {
             inputStream = getStream(zip, jarUrls, url);
             if (inputStream != null) {
                 bitmap = new BitmapDrawable(resources, inputStream);
+                // BitmapDrawable created from a stream does not set the correct target density from resources.
+                // In fact it discards the resources https://android.googlesource.com/platform/frameworks/base/+/refs/heads/master/graphics/java/android/graphics/drawable/BitmapDrawable.java#191
+                bitmap.setTargetDensity(resources.getDisplayMetrics());
             }
         } catch (IOException | URISyntaxException ex) {
             Log.e(LOGTAG, "Exception ", ex);
diff --git a/mobile/android/chrome/content/browser.js b/mobile/android/chrome/content/browser.js
index 7aa088fecdcd..7b6490543772 100644
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -696,7 +696,7 @@ var BrowserApp = {
       NativeWindow.contextmenus.add(stringGetter("contextmenu.openInPrivateTab"),
         NativeWindow.contextmenus.linkOpenableContext,
         function (aTarget) {
-          UITelemetry.addEvent("action.1", "contextmenu", null, "web_open_private_tab");
+          UITelemetry.addEvent("action.1", "contextmenu", null, "web_open_new_tab");
           UITelemetry.addEvent("loadurl.1", "contextmenu", null);
 
           let url = NativeWindow.contextmenus._getLinkURL(aTarget);
@@ -1805,8 +1805,8 @@ var BrowserApp = {
                 PrivateBrowsingUtils.addToTrackingAllowlist(normalizedUrl);
               } else {
                 Services.perms.add(normalizedUrl, "trackingprotection", Services.perms.ALLOW_ACTION);
+                Telemetry.addData("TRACKING_PROTECTION_EVENTS", 1);
               }
-              Telemetry.addData("TRACKING_PROTECTION_EVENTS", 1);
             } else {
               // Remove the current host from the 'trackingprotection' consumer
               // of the permission manager. This effectively removes this host
@@ -1815,8 +1815,8 @@ var BrowserApp = {
                 PrivateBrowsingUtils.removeFromTrackingAllowlist(normalizedUrl);
               } else {
                 Services.perms.remove(normalizedUrl, "trackingprotection");
+                Telemetry.addData("TRACKING_PROTECTION_EVENTS", 2);
               }
-              Telemetry.addData("TRACKING_PROTECTION_EVENTS", 2);
             }
           }
         }
@@ -6549,7 +6549,7 @@ var IdentityHandler = {
 
   getTrackingMode: function getTrackingMode(aState, aBrowser) {
     if (aState & Ci.nsIWebProgressListener.STATE_BLOCKED_TRACKING_CONTENT) {
-      Telemetry.addData("TRACKING_PROTECTION_SHIELD", 2);
+      this.shieldHistogramAdd(aBrowser, 2);
       return this.TRACKING_MODE_CONTENT_BLOCKED;
     }
 
@@ -6559,14 +6559,21 @@ var IdentityHandler = {
                      PrivateBrowsingUtils.isBrowserPrivate(aBrowser));
 
     if ((aState & Ci.nsIWebProgressListener.STATE_LOADED_TRACKING_CONTENT) && tpEnabled) {
-      Telemetry.addData("TRACKING_PROTECTION_SHIELD", 1);
+      this.shieldHistogramAdd(aBrowser, 1);
       return this.TRACKING_MODE_CONTENT_LOADED;
     }
 
-    Telemetry.addData("TRACKING_PROTECTION_SHIELD", 0);
+    this.shieldHistogramAdd(aBrowser, 0);
     return this.TRACKING_MODE_UNKNOWN;
   },
 
+  shieldHistogramAdd: function(browser, value) {
+    if (PrivateBrowsingUtils.isBrowserPrivate(browser)) {
+      return;
+    }
+    Telemetry.addData("TRACKING_PROTECTION_SHIELD", value);
+  },
+
   /**
    * Determine the identity of the page being displayed by examining its SSL cert
    * (if available). Return the data needed to update the UI.
diff --git a/mobile/locales/Makefile.in b/mobile/locales/Makefile.in
index ecf96301f706..902c8769245f 100644
--- a/mobile/locales/Makefile.in
+++ b/mobile/locales/Makefile.in
@@ -115,7 +115,7 @@ search-preqs =\
 .PHONY: searchplugins
 searchplugins: $(search-preqs)
 	$(call py_action,jar_maker,\
-          $(QUIET) -j $(FINAL_TARGET)/chrome \
+          $(QUIET) -d $(FINAL_TARGET) \
           -s $(topsrcdir)/$(relativesrcdir)/en-US/searchplugins \
           -s $(LOCALE_SRCDIR)/searchplugins \
           $(MAKE_JARS_FLAGS) $(search-jar))
diff --git a/modules/brotli/moz.build b/modules/brotli/moz.build
index 3dc3e3d3489c..07b35100e551 100644
--- a/modules/brotli/moz.build
+++ b/modules/brotli/moz.build
@@ -23,6 +23,7 @@ UNIFIED_SOURCES += [
     'dec/streams.c',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 Library('brotli')
diff --git a/modules/libjar/nsJARChannel.cpp b/modules/libjar/nsJARChannel.cpp
index e100cebb247f..b6ea70580427 100644
--- a/modules/libjar/nsJARChannel.cpp
+++ b/modules/libjar/nsJARChannel.cpp
@@ -989,15 +989,10 @@ nsJARChannel::AsyncOpen(nsIStreamListener *listener, nsISupports *ctx)
 NS_IMETHODIMP
 nsJARChannel::AsyncOpen2(nsIStreamListener *aListener)
 {
-  if (!mLoadInfo) {
-    MOZ_ASSERT(mLoadInfo, "can not enforce security without loadInfo");
-    return NS_ERROR_UNEXPECTED;
-  }
-  // setting the flag on the loadInfo indicates that the underlying
-  // channel will be openend using AsyncOpen2() and hence performs
-  // the necessary security checks.
-  mLoadInfo->SetEnforceSecurity(true);
-  return AsyncOpen(aListener, nullptr);
+  nsCOMPtr<nsIStreamListener> listener = aListener;
+  nsresult rv = nsContentSecurityManager::doContentSecurityCheck(this, listener);
+  NS_ENSURE_SUCCESS(rv, rv);
+  return AsyncOpen(listener, nullptr);
 }
 
 nsresult
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 981cbfb3f8be..9f1e986e34fb 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -3268,9 +3268,9 @@ pref("ui.osk.enabled", true);
 pref("ui.osk.detect_physical_keyboard", true);
 // Path to TabTip.exe on local machine. Cached for performance reasons.
 pref("ui.osk.on_screen_keyboard_path", "");
-// Only show the on-screen keyboard when Windows is in Tablet mode. Setting
-// this pref to false will allow the OSK to show in regular non-tablet mode.
-pref("ui.osk.require_tablet_mode", true);
+// Only try to show the on-screen keyboard on Windows 10 and later. Setting
+// this pref to false will allow the OSK to show on Windows 8 and 8.1.
+pref("ui.osk.require_win10", false);
 // This pref stores the "reason" that the on-screen keyboard was either
 // shown or not shown when focus is moved to an editable text field. It is
 // used to help debug why the keyboard is either not appearing when expected
@@ -4530,11 +4530,15 @@ pref("dom.mozSettings.enabled", false);
 pref("dom.mozPermissionSettings.enabled", false);
 
 // W3C touch events
-// 0 - disabled, 1 - enabled, 2 - autodetect (win)
+// 0 - disabled, 1 - enabled, 2 - autodetect (win/gtk3)
 #ifdef XP_WIN
 pref("dom.w3c_touch_events.enabled", 2);
 #endif
 
+#if MOZ_WIDGET_GTK == 3
+pref("dom.w3c_touch_events.enabled", 2);
+#endif
+
 // W3C draft pointer events
 pref("dom.w3c_pointer_events.enabled", false);
 
diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp
index 51c7ae70b147..82ae12f23310 100644
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -30,7 +30,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
                            aTriggeringPrincipal : mLoadingPrincipal.get())
   , mLoadingContext(do_GetWeakReference(aLoadingContext))
   , mSecurityFlags(aSecurityFlags)
-  , mContentPolicyType(aContentPolicyType)
+  , mInternalContentPolicyType(aContentPolicyType)
   , mUpgradeInsecureRequests(false)
   , mInnerWindowID(0)
   , mOuterWindowID(0)
@@ -88,7 +88,7 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
   , mTriggeringPrincipal(rhs.mTriggeringPrincipal)
   , mLoadingContext(rhs.mLoadingContext)
   , mSecurityFlags(rhs.mSecurityFlags)
-  , mContentPolicyType(rhs.mContentPolicyType)
+  , mInternalContentPolicyType(rhs.mInternalContentPolicyType)
   , mUpgradeInsecureRequests(rhs.mUpgradeInsecureRequests)
   , mInnerWindowID(rhs.mInnerWindowID)
   , mOuterWindowID(rhs.mOuterWindowID)
@@ -112,7 +112,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   : mLoadingPrincipal(aLoadingPrincipal)
   , mTriggeringPrincipal(aTriggeringPrincipal)
   , mSecurityFlags(aSecurityFlags)
-  , mContentPolicyType(aContentPolicyType)
+  , mInternalContentPolicyType(aContentPolicyType)
   , mUpgradeInsecureRequests(aUpgradeInsecureRequests)
   , mInnerWindowID(aInnerWindowID)
   , mOuterWindowID(aOuterWindowID)
@@ -190,6 +190,14 @@ LoadInfo::GetSecurityFlags(nsSecurityFlags* aResult)
   return NS_OK;
 }
 
+void
+LoadInfo::SetWithCredentialsSecFlag()
+{
+  MOZ_ASSERT(!mEnforceSecurity,
+             "Request should not have been opened yet");
+  mSecurityFlags |= nsILoadInfo::SEC_REQUIRE_CORS_WITH_CREDENTIALS;
+}
+
 NS_IMETHODIMP
 LoadInfo::GetSecurityMode(uint32_t *aFlags)
 {
@@ -242,16 +250,16 @@ LoadInfo::GetAllowChrome(bool* aResult)
 }
 
 NS_IMETHODIMP
-LoadInfo::GetContentPolicyType(nsContentPolicyType* aResult)
+LoadInfo::GetExternalContentPolicyType(nsContentPolicyType* aResult)
 {
-  *aResult = nsContentUtils::InternalContentPolicyTypeToExternal(mContentPolicyType);
+  *aResult = nsContentUtils::InternalContentPolicyTypeToExternal(mInternalContentPolicyType);
   return NS_OK;
 }
 
 nsContentPolicyType
 LoadInfo::InternalContentPolicyType()
 {
-  return mContentPolicyType;
+  return mInternalContentPolicyType;
 }
 
 NS_IMETHODIMP
diff --git a/netwerk/base/LoadInfo.h b/netwerk/base/LoadInfo.h
index cad67a47f8d2..bf0a7200aead 100644
--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@@ -15,6 +15,7 @@
 #include "nsTArray.h"
 
 class nsINode;
+class nsXMLHttpRequest;
 
 namespace mozilla {
 
@@ -77,11 +78,17 @@ private:
 
   ~LoadInfo();
 
+  // This function is the *only* function which can change the securityflags
+  // of a loadinfo. It only exists because of the XHR code. Don't call it
+  // from anywhere else!
+  void SetWithCredentialsSecFlag();
+  friend class ::nsXMLHttpRequest;
+
   nsCOMPtr<nsIPrincipal>           mLoadingPrincipal;
   nsCOMPtr<nsIPrincipal>           mTriggeringPrincipal;
   nsWeakPtr                        mLoadingContext;
   nsSecurityFlags                  mSecurityFlags;
-  nsContentPolicyType              mContentPolicyType;
+  nsContentPolicyType              mInternalContentPolicyType;
   bool                             mUpgradeInsecureRequests;
   uint64_t                         mInnerWindowID;
   uint64_t                         mOuterWindowID;
diff --git a/netwerk/base/nsIForcePendingChannel.idl b/netwerk/base/nsIForcePendingChannel.idl
index bb428bda8782..a4d6ef894bc1 100644
--- a/netwerk/base/nsIForcePendingChannel.idl
+++ b/netwerk/base/nsIForcePendingChannel.idl
@@ -9,7 +9,7 @@
  * behavior for the channel's IsPending(), forcing 'true' to be returned.
  */
 
-[scriptable, uuid(225ab092-1554-423a-9492-606f6db3b4fb)]
+[noscript, uuid(2ac3e1ca-049f-44c3-a519-f0681f51e9b1)]
 interface nsIForcePendingChannel : nsISupports
 {
 
diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl
index 8a26922ef7a5..ef2e17ba906e 100644
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@@ -22,7 +22,7 @@ typedef unsigned long nsSecurityFlags;
 /**
  * An nsILoadOwner represents per-load information about who started the load.
  */
-[scriptable, builtinclass, uuid(ef0080f3-33f5-475f-a3d6-9fd3be0612e3)]
+[scriptable, builtinclass, uuid(c6dacd0c-7faf-4943-811f-03583591bc85)]
 interface nsILoadInfo : nsISupports
 {
   /**
@@ -255,13 +255,13 @@ interface nsILoadInfo : nsISupports
    * Specifically, content policy types with _INTERNAL_ in their name will
    * never get returned from this attribute.
    */
-  readonly attribute nsContentPolicyType contentPolicyType;
+  readonly attribute nsContentPolicyType externalContentPolicyType;
 
 %{ C++
-  inline nsContentPolicyType GetContentPolicyType()
+  inline nsContentPolicyType GetExternalContentPolicyType()
   {
     nsContentPolicyType result;
-    mozilla::DebugOnly<nsresult> rv = GetContentPolicyType(&result);
+    mozilla::DebugOnly<nsresult> rv = GetExternalContentPolicyType(&result);
     MOZ_ASSERT(NS_SUCCEEDED(rv));
     return result;
   }
diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
index 9206cca3b941..8127da2e2ec4 100644
--- a/netwerk/base/nsIOService.cpp
+++ b/netwerk/base/nsIOService.cpp
@@ -662,7 +662,6 @@ nsIOService::NewChannelFromURIWithLoadInfo(nsIURI* aURI,
                                            nsILoadInfo* aLoadInfo,
                                            nsIChannel** result)
 {
-  NS_ENSURE_ARG_POINTER(aLoadInfo);
   return NewChannelFromURIWithProxyFlagsInternal(aURI,
                                                  nullptr, // aProxyURI
                                                  0,       // aProxyFlags
@@ -759,8 +758,11 @@ nsIOService::NewChannelFromURIWithProxyFlagsInternal(nsIURI* aURI,
             rv = pph->NewProxiedChannel(aURI, nullptr, aProxyFlags, aProxyURI,
                                         getter_AddRefs(channel));
             NS_ENSURE_SUCCESS(rv, rv);
-            // we have to wrap that channel
-            channel = new nsSecCheckWrapChannel(channel, aLoadInfo);
+
+            // The protocol handler does not implement NewProxiedChannel2, so
+            // maybe we need to wrap the channel (see comment in MaybeWrap
+            // function).
+            channel = nsSecCheckWrapChannel::MaybeWrap(channel, aLoadInfo);
         }
     }
     else {
@@ -770,8 +772,10 @@ nsIOService::NewChannelFromURIWithProxyFlagsInternal(nsIURI* aURI,
         if (NS_FAILED(rv)) {
             rv = handler->NewChannel(aURI, getter_AddRefs(channel));
             NS_ENSURE_SUCCESS(rv, rv);
-            // we have to wrap that channel
-            channel = new nsSecCheckWrapChannel(channel, aLoadInfo);
+            // The protocol handler does not implement NewChannel2, so
+            // maybe we need to wrap the channel (see comment in MaybeWrap
+            // function).
+            channel = nsSecCheckWrapChannel::MaybeWrap(channel, aLoadInfo);
         }
     }
 
diff --git a/netwerk/base/nsIPackagedAppVerifier.idl b/netwerk/base/nsIPackagedAppVerifier.idl
index 9f616e5e2b9f..8e6419e3f7ef 100644
--- a/netwerk/base/nsIPackagedAppVerifier.idl
+++ b/netwerk/base/nsIPackagedAppVerifier.idl
@@ -17,11 +17,12 @@ interface nsIPackagedAppVerifierListener;
  * onStartRequest/onDataAvailable/onStopRequest.
  *
  */
-[scriptable, uuid(16419a80-4cc3-11e5-b970-0800200c9a66)]
+[scriptable, uuid(fbb28ef8-d3d0-4a2b-af98-8010163a2bfb)]
 interface nsIPackagedAppVerifier : nsIStreamListener
 {
-  // The package origin of either a signed or unsigned package.
-  readonly attribute ACString packageOrigin;
+  // The package identifier of the signed package. For a unsigned package, this
+  // attribute is empty.
+  readonly attribute ACString packageIdentifier;
 
   // Whether this package is signed.
   readonly attribute boolean isPackageSigned;
@@ -49,7 +50,6 @@ interface nsIPackagedAppVerifier : nsIStreamListener
    * The verifier init function.
    */
   void init(in nsIPackagedAppVerifierListener aListener,
-            in ACString aPackageOrigin,
             in ACString aSignature,
             in nsICacheEntry aPackageCacheEntry);
 
diff --git a/netwerk/base/nsNetUtil.inl b/netwerk/base/nsNetUtil.inl
index 35ba2d50a155..bf58f9a65078 100644
--- a/netwerk/base/nsNetUtil.inl
+++ b/netwerk/base/nsNetUtil.inl
@@ -200,34 +200,38 @@ NS_NewChannelInternal(nsIChannel           **outChannel,
   // NS_NewChannelInternal is mostly called for channel redirects. We should allow
   // the creation of a channel even if the original channel did not have a loadinfo
   // attached.
-  if (!aLoadInfo) {
-    return NS_NewChannelInternal(outChannel,
-                                 aUri,
-                                 nullptr, // aLoadingNode
-                                 nullptr, // aLoadingPrincipal
-                                 nullptr, // aTriggeringPrincipal
-                                 nsILoadInfo::SEC_NORMAL,
-                                 nsIContentPolicy::TYPE_OTHER,
-                                 aLoadGroup,
-                                 aCallbacks,
-                                 aLoadFlags,
-                                 aIoService);
-  }
-  nsresult rv = NS_NewChannelInternal(outChannel,
-                                      aUri,
-                                      aLoadInfo->LoadingNode(),
-                                      aLoadInfo->LoadingPrincipal(),
-                                      aLoadInfo->TriggeringPrincipal(),
-                                      aLoadInfo->GetSecurityFlags(),
-                                      aLoadInfo->GetContentPolicyType(),
-                                      aLoadGroup,
-                                      aCallbacks,
-                                      aLoadFlags,
-                                      aIoService);
+  NS_ENSURE_ARG_POINTER(outChannel);
+
+  nsCOMPtr<nsIIOService> grip;
+  nsresult rv = net_EnsureIOService(&aIoService, grip);
   NS_ENSURE_SUCCESS(rv, rv);
-  // Please note that we still call SetLoadInfo on the channel because
-  // we want the same instance of the loadInfo to be set on the channel.
-  (*outChannel)->SetLoadInfo(aLoadInfo);
+
+  nsCOMPtr<nsIChannel> channel;
+  rv = aIoService->NewChannelFromURIWithLoadInfo(
+         aUri,
+         aLoadInfo,
+         getter_AddRefs(channel));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (aLoadGroup) {
+    rv = channel->SetLoadGroup(aLoadGroup);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  if (aCallbacks) {
+    rv = channel->SetNotificationCallbacks(aCallbacks);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  if (aLoadFlags != nsIRequest::LOAD_NORMAL) {
+    // Retain the LOAD_REPLACE load flag if set.
+    nsLoadFlags normalLoadFlags = 0;
+    channel->GetLoadFlags(&normalLoadFlags);
+    rv = channel->SetLoadFlags(aLoadFlags | (normalLoadFlags & nsIChannel::LOAD_REPLACE));
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  channel.forget(outChannel);
   return NS_OK;
 }
 
diff --git a/netwerk/base/nsSecCheckWrapChannel.cpp b/netwerk/base/nsSecCheckWrapChannel.cpp
index 9a6184eeb802..97d0c7e534e8 100644
--- a/netwerk/base/nsSecCheckWrapChannel.cpp
+++ b/netwerk/base/nsSecCheckWrapChannel.cpp
@@ -5,7 +5,7 @@
 
 #include "nsContentSecurityManager.h"
 #include "nsSecCheckWrapChannel.h"
-#include "nsHttpChannel.h"
+#include "nsIForcePendingChannel.h"
 #include "nsCOMPtr.h"
 
 static PRLogModuleInfo*
@@ -84,6 +84,31 @@ nsSecCheckWrapChannel::nsSecCheckWrapChannel(nsIChannel* aChannel,
   }
 }
 
+// static
+already_AddRefed<nsIChannel>
+nsSecCheckWrapChannel::MaybeWrap(nsIChannel* aChannel, nsILoadInfo* aLoadInfo)
+{
+  // Maybe a custom protocol handler actually returns a gecko
+  // http/ftpChannel - To check this we will check whether the channel
+  // implements a gecko non-scriptable interface e.g. nsIForcePendingChannel.
+  nsCOMPtr<nsIForcePendingChannel> isGeckoChannel = do_QueryInterface(aChannel);
+
+  nsCOMPtr<nsIChannel> channel = aChannel;
+  if (isGeckoChannel) {
+    // If it is a gecko channel (ftp or http) we do not need to wrap it.
+    channel->SetLoadInfo(aLoadInfo);
+  } else {
+    nsCOMPtr<nsIHttpChannel> httpChannel =
+      do_QueryInterface(aChannel);
+    // we can only wrap http channel.
+    if (httpChannel) {
+      // we have to wrap that channel
+      channel = new nsSecCheckWrapChannel(aChannel, aLoadInfo);
+    }
+  }
+  return channel.forget();
+}
+
 nsSecCheckWrapChannel::~nsSecCheckWrapChannel()
 {
 }
diff --git a/netwerk/base/nsSecCheckWrapChannel.h b/netwerk/base/nsSecCheckWrapChannel.h
index d29aef190146..c77386ffe983 100644
--- a/netwerk/base/nsSecCheckWrapChannel.h
+++ b/netwerk/base/nsSecCheckWrapChannel.h
@@ -88,6 +88,8 @@ public:
   NS_IMETHOD Open2(nsIInputStream** aStream);
 
   nsSecCheckWrapChannel(nsIChannel* aChannel, nsILoadInfo* aLoadInfo);
+  static already_AddRefed<nsIChannel> MaybeWrap(nsIChannel* aChannel,
+                                                nsILoadInfo* aLoadInfo);
 
 protected:
   virtual ~nsSecCheckWrapChannel();
diff --git a/netwerk/cache/nsDiskCacheDeviceSQL.cpp b/netwerk/cache/nsDiskCacheDeviceSQL.cpp
index 0a072fe3c17c..da97b92a23fa 100644
--- a/netwerk/cache/nsDiskCacheDeviceSQL.cpp
+++ b/netwerk/cache/nsDiskCacheDeviceSQL.cpp
@@ -1914,6 +1914,9 @@ nsOfflineCacheDevice::EvictEntries(const char *clientID)
 
     rv = statement->Execute();
     NS_ENSURE_SUCCESS(rv, rv);
+
+    // TODO - Should update internal hashtables.
+    // Low priority, since this API is not widely used.
   }
   else
   {
@@ -1930,6 +1933,11 @@ nsOfflineCacheDevice::EvictEntries(const char *clientID)
 
     rv = statement->Execute();
     NS_ENSURE_SUCCESS(rv, rv);
+
+    MutexAutoLock lock(mLock);
+    mCaches.Clear();
+    mActiveCaches.Clear();
+    mActiveCachesByGroup.Clear();
   }
 
   evictionObserver.Apply();
diff --git a/netwerk/protocol/http/PackagedAppService.cpp b/netwerk/protocol/http/PackagedAppService.cpp
index 917a584d3111..591398daadc9 100644
--- a/netwerk/protocol/http/PackagedAppService.cpp
+++ b/netwerk/protocol/http/PackagedAppService.cpp
@@ -362,19 +362,19 @@ PackagedAppService::PackagedAppChannelListener::OnStartRequest(nsIRequest *aRequ
   // to know if it's a signed package. Notify requesters if it's signed.
   if (isFromCache) {
     bool isPackageSigned = false;
-    nsCString signedPackageOrigin;
+    nsCString signedPackageId;
     nsCOMPtr<nsICacheEntry> packageCacheEntry = GetPackageCacheEntry(aRequest);
     if (packageCacheEntry) {
-      const char* key = PackagedAppVerifier::kSignedPakOriginMetadataKey;
+      const char* key = PackagedAppVerifier::kSignedPakIdMetadataKey;
       nsXPIDLCString value;
       nsresult rv = packageCacheEntry->GetMetaDataElement(key,
                                                           getter_Copies(value));
       isPackageSigned = (NS_SUCCEEDED(rv) && !value.IsEmpty());
-      signedPackageOrigin = value;
+      signedPackageId = value;
     }
     if (isPackageSigned) {
       LOG(("The cached package is signed. Notify the requesters."));
-      mDownloader->NotifyOnStartSignedPackageRequest(signedPackageOrigin);
+      mDownloader->NotifyOnStartSignedPackageRequest(signedPackageId);
     }
   }
 
@@ -447,7 +447,6 @@ PackagedAppService::PackagedAppDownloader::EnsureVerifier(nsIRequest *aRequest)
   nsCOMPtr<nsICacheEntry> packageCacheEntry = GetPackageCacheEntry(aRequest);
 
   mVerifier = new PackagedAppVerifier(this,
-                                      mPackageOrigin,
                                       signature,
                                       packageCacheEntry);
 }
@@ -769,7 +768,7 @@ PackagedAppService::PackagedAppDownloader::AddCallback(nsIURI *aURI,
       if (mVerifier && mVerifier->GetIsPackageSigned()) {
         // TODO: Bug 1178526 will deal with the package identifier things.
         //       For now we just use the origin as the identifier.
-        listener->OnStartSignedPackageRequest(mVerifier->GetPackageOrigin());
+        listener->OnStartSignedPackageRequest(mVerifier->GetPackageIdentifier());
         listener = nullptr; // So that the request will not be added to the queue.
       }
       mCacheStorage->AsyncOpenURI(aURI, EmptyCString(),
@@ -903,7 +902,24 @@ PackagedAppService::PackagedAppDownloader::NotifyOnStartSignedPackageRequest(con
   mRequesters.Clear();
 }
 
-void PackagedAppService::PackagedAppDownloader::InstallSignedPackagedApp(const ResourceCacheInfo* aInfo)
+static bool
+AddPackageIdToOrigin(nsACString& aOrigin, const nsACString& aPackageId)
+{
+  nsAutoCString originNoSuffix;
+  mozilla::OriginAttributes attrs;
+  if (!attrs.PopulateFromOrigin(aOrigin, originNoSuffix)) {
+    return false;
+  }
+
+  attrs.mSignedPkg = NS_ConvertUTF8toUTF16(aPackageId);
+  nsAutoCString suffixWithPackageId;
+  attrs.CreateSuffix(suffixWithPackageId);
+  aOrigin = originNoSuffix + suffixWithPackageId;
+  return true;
+}
+
+void
+PackagedAppService::PackagedAppDownloader::InstallSignedPackagedApp(const ResourceCacheInfo* aInfo)
 {
   // TODO: Bug 1178533 to register permissions, system messages etc on navigation to
   //       signed packages.
@@ -921,13 +937,14 @@ void PackagedAppService::PackagedAppDownloader::InstallSignedPackagedApp(const R
   nsCString manifestURL;
   aInfo->mURI->GetAsciiSpec(manifestURL);
 
-  // Use the origin stored in the verifier since the signed packaged app would
-  // have a specifi package identifer defined in the manifest file.
-  nsCString packageOrigin;
-  mVerifier->GetPackageOrigin(packageOrigin);
+
+  nsCString originWithPackageId = mPackageOrigin;
+  if (!AddPackageIdToOrigin(originWithPackageId, mVerifier->GetPackageIdentifier())) {
+    NS_WARNING("mPackageOrigin is malformed.");
+  }
 
   installer->InstallPackagedWebapp(mManifestContent.get(),
-                                   packageOrigin.get(),
+                                   originWithPackageId.get(),
                                    manifestURL.get(),
                                    &isSuccess);
   if (!isSuccess) {
@@ -990,9 +1007,7 @@ PackagedAppService::PackagedAppDownloader::OnManifestVerified(const ResourceCach
     return;
   }
 
-  nsCString packageOrigin;
-  mVerifier->GetPackageOrigin(packageOrigin);
-  NotifyOnStartSignedPackageRequest(packageOrigin);
+  NotifyOnStartSignedPackageRequest(mVerifier->GetPackageIdentifier());
   InstallSignedPackagedApp(aInfo);
 }
 
@@ -1010,7 +1025,7 @@ PackagedAppService::PackagedAppDownloader::OnResourceVerified(const ResourceCach
   if (mVerifier->GetIsPackageSigned()) {
     // TODO: Bug 1178526 will deal with the package identifier things.
     //       For now we just use the origin as the identifier.
-    NotifyOnStartSignedPackageRequest(mVerifier->GetPackageOrigin());
+    NotifyOnStartSignedPackageRequest(mVerifier->GetPackageIdentifier());
   }
 
   // Serve this resource to all listeners.
diff --git a/netwerk/protocol/http/PackagedAppVerifier.cpp b/netwerk/protocol/http/PackagedAppVerifier.cpp
index d823b29dcd2b..a455f64b4d03 100644
--- a/netwerk/protocol/http/PackagedAppVerifier.cpp
+++ b/netwerk/protocol/http/PackagedAppVerifier.cpp
@@ -33,22 +33,21 @@ NS_IMPL_ISUPPORTS(PackagedAppVerifier, nsIPackagedAppVerifier, nsIVerificationCa
 
 NS_IMPL_ISUPPORTS(PackagedAppVerifier::ResourceCacheInfo, nsISupports)
 
-const char* PackagedAppVerifier::kSignedPakOriginMetadataKey = "signed-pak-origin";
+const char* PackagedAppVerifier::kSignedPakIdMetadataKey = "package-id";
 
 PackagedAppVerifier::PackagedAppVerifier()
 {
   MOZ_RELEASE_ASSERT(NS_IsMainThread(),
                      "PackagedAppVerifier::OnResourceVerified must be on main thread");
 
-  Init(nullptr, EmptyCString(), EmptyCString(), nullptr);
+  Init(nullptr, EmptyCString(), nullptr);
 }
 
 PackagedAppVerifier::PackagedAppVerifier(nsIPackagedAppVerifierListener* aListener,
-                                         const nsACString& aPackageOrigin,
                                          const nsACString& aSignature,
                                          nsICacheEntry* aPackageCacheEntry)
 {
-  Init(aListener, aPackageOrigin, aSignature, aPackageCacheEntry);
+  Init(aListener, aSignature, aPackageCacheEntry);
 }
 
 PackagedAppVerifier::~PackagedAppVerifier()
@@ -62,7 +61,6 @@ PackagedAppVerifier::~PackagedAppVerifier()
 }
 
 NS_IMETHODIMP PackagedAppVerifier::Init(nsIPackagedAppVerifierListener* aListener,
-                                        const nsACString& aPackageOrigin,
                                         const nsACString& aSignature,
                                         nsICacheEntry* aPackageCacheEntry)
 {
@@ -77,11 +75,11 @@ NS_IMETHODIMP PackagedAppVerifier::Init(nsIPackagedAppVerifierListener* aListene
 
   mListener = aListener;
   mState = STATE_UNKNOWN;
-  mPackageOrigin = aPackageOrigin;
   mSignature = aSignature;
   mIsPackageSigned = false;
   mPackageCacheEntry = aPackageCacheEntry;
   mIsFirstResource = true;
+  mManifest = EmptyCString();
 
   nsresult rv;
   mPackagedAppUtils = do_CreateInstance(NS_PACKAGEDAPPUTILS_CONTRACTID, &rv);
@@ -271,12 +269,6 @@ PackagedAppVerifier::VerifyManifest(const ResourceCacheInfo* aInfo)
 
   mState = STATE_MANIFEST_VERIFYING;
 
-  if (gDeveloperMode) {
-    LOG(("Developer mode! Bypass verification."));
-    FireVerifiedEvent(true, true);
-    return;
-  }
-
   if (mSignature.IsEmpty()) {
     LOG(("No signature. No need to do verification."));
     FireVerifiedEvent(true, true);
@@ -352,6 +344,11 @@ PackagedAppVerifier::OnManifestVerified(bool aSuccess)
     return;
   }
 
+  if (!aSuccess && gDeveloperMode) {
+    aSuccess = true;
+    LOG(("Developer mode! Treat junk signature valid."));
+  }
+
   // Only when the manifest verified and package has signature would we
   // regard this package is signed.
   mIsPackageSigned = aSuccess && !mSignature.IsEmpty();
@@ -359,14 +356,18 @@ PackagedAppVerifier::OnManifestVerified(bool aSuccess)
   mState = aSuccess ? STATE_MANIFEST_VERIFIED_OK
                     : STATE_MANIFEST_VERIFIED_FAILED;
 
-  // TODO: Update mPackageOrigin.
+  // Obtain the package identifier from manifest if the package is signed.
+  if (mIsPackageSigned) {
+    mPackagedAppUtils->GetPackageIdentifier(mPackageIdentifer);
+    LOG(("PackageIdentifer is: %s", mPackageIdentifer.get()));
+  }
 
   // If the package is signed, add related info to the package cache.
   if (mIsPackageSigned && mPackageCacheEntry) {
     LOG(("This package is signed. Add this info to the cache channel."));
     if (mPackageCacheEntry) {
-      mPackageCacheEntry->SetMetaDataElement(kSignedPakOriginMetadataKey,
-                                             mPackageOrigin.get());
+      mPackageCacheEntry->SetMetaDataElement(kSignedPakIdMetadataKey,
+                                             mPackageIdentifer.get());
       mPackageCacheEntry = nullptr; // the cache entry is no longer needed.
     }
   }
@@ -432,9 +433,9 @@ PackagedAppVerifier::WouldVerify() const
 //---------------------------------------------------------------
 
 NS_IMETHODIMP
-PackagedAppVerifier::GetPackageOrigin(nsACString& aPackageOrigin)
+PackagedAppVerifier::GetPackageIdentifier(nsACString& aPackageIdentifier)
 {
-  aPackageOrigin = mPackageOrigin;
+  aPackageIdentifier = mPackageIdentifer;
   return NS_OK;
 }
 
diff --git a/netwerk/protocol/http/PackagedAppVerifier.h b/netwerk/protocol/http/PackagedAppVerifier.h
index 4241bbeba4bc..b97b5de06a68 100644
--- a/netwerk/protocol/http/PackagedAppVerifier.h
+++ b/netwerk/protocol/http/PackagedAppVerifier.h
@@ -93,7 +93,6 @@ public:
   PackagedAppVerifier();
 
   PackagedAppVerifier(nsIPackagedAppVerifierListener* aListener,
-                      const nsACString& aPackageOrigin,
                       const nsACString& aSignature,
                       nsICacheEntry* aPackageCacheEntry);
 
@@ -109,14 +108,14 @@ public:
     return mIsPackageSigned;
   }
 
-  const nsACString& GetPackageOrigin() const
+  const nsACString& GetPackageIdentifier() const
   {
-    return mPackageOrigin;
+    return mPackageIdentifer;
   }
 
   bool WouldVerify() const;
 
-  static const char* kSignedPakOriginMetadataKey;
+  static const char* kSignedPakIdMetadataKey;
 
 private:
   virtual ~PackagedAppVerifier();
@@ -193,6 +192,8 @@ private:
 
   // A place to store the computed hashes of each resource.
   nsClassHashtable<nsCStringHashKey, nsCString> mResourceHashStore;
+
+  nsCString mPackageIdentifer;
 }; // class PackagedAppVerifier
 
 } // namespace net
diff --git a/netwerk/protocol/http/SpdyStream31.cpp b/netwerk/protocol/http/SpdyStream31.cpp
index c8cd93235883..24138161e98a 100644
--- a/netwerk/protocol/http/SpdyStream31.cpp
+++ b/netwerk/protocol/http/SpdyStream31.cpp
@@ -455,10 +455,11 @@ SpdyStream31::GenerateSynFrame()
     ToLowerCase(name);
 
     // exclusions.. mostly from 3.2.1
+    // we send accept-encoding here because we often include brotli
+    // in that list which is greater than the implied accept-encoding: gzip
     if (name.EqualsLiteral("connection") ||
         name.EqualsLiteral("keep-alive") ||
         name.EqualsLiteral("host") ||
-        name.EqualsLiteral("accept-encoding") ||
         name.EqualsLiteral("te") ||
         name.EqualsLiteral("transfer-encoding"))
       continue;
diff --git a/netwerk/protocol/http/nsCORSListenerProxy.cpp b/netwerk/protocol/http/nsCORSListenerProxy.cpp
index 1f8757312db8..dd26a4efa93f 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ -414,8 +414,7 @@ nsPreflightCache::GetCacheKey(nsIURI* aURI,
 
 NS_IMPL_ISUPPORTS(nsCORSListenerProxy, nsIStreamListener,
                   nsIRequestObserver, nsIChannelEventSink,
-                  nsIInterfaceRequestor, nsIAsyncVerifyRedirectCallback,
-                  nsIThreadRetargetableStreamListener)
+                  nsIInterfaceRequestor, nsIThreadRetargetableStreamListener)
 
 /* static */
 void
@@ -592,9 +591,6 @@ nsCORSListenerProxy::OnStopRequest(nsIRequest* aRequest,
   nsresult rv = mOuterListener->OnStopRequest(aRequest, aContext, aStatusCode);
   mOuterListener = nullptr;
   mOuterNotificationCallbacks = nullptr;
-  mRedirectCallback = nullptr;
-  mOldRedirectChannel = nullptr;
-  mNewRedirectChannel = nullptr;
   return rv;
 }
 
@@ -650,7 +646,7 @@ NS_IMETHODIMP
 nsCORSListenerProxy::AsyncOnChannelRedirect(nsIChannel *aOldChannel,
                                             nsIChannel *aNewChannel,
                                             uint32_t aFlags,
-                                            nsIAsyncVerifyRedirectCallback *cb)
+                                            nsIAsyncVerifyRedirectCallback *aCb)
 {
   nsresult rv;
   if (!NS_IsInternalSameURIRedirect(aOldChannel, aNewChannel, aFlags) &&
@@ -714,54 +710,24 @@ nsCORSListenerProxy::AsyncOnChannelRedirect(nsIChannel *aOldChannel,
         return rv;
       }
     }
-  }
 
-  // Prepare to receive callback
-  mRedirectCallback = cb;
-  mOldRedirectChannel = aOldChannel;
-  mNewRedirectChannel = aNewChannel;
+    rv = UpdateChannel(aNewChannel, DataURIHandling::Disallow);
+    if (NS_FAILED(rv)) {
+        NS_WARNING("nsCORSListenerProxy::AsyncOnChannelRedirect: "
+                   "UpdateChannel() returned failure");
+      aOldChannel->Cancel(rv);
+      return rv;
+    }
+  }
 
   nsCOMPtr<nsIChannelEventSink> outer =
     do_GetInterface(mOuterNotificationCallbacks);
   if (outer) {
-    rv = outer->AsyncOnChannelRedirect(aOldChannel, aNewChannel, aFlags, this);
-    if (NS_FAILED(rv)) {
-        aOldChannel->Cancel(rv); // is this necessary...?
-        mRedirectCallback = nullptr;
-        mOldRedirectChannel = nullptr;
-        mNewRedirectChannel = nullptr;
-    }
-    return rv;  
+    return outer->AsyncOnChannelRedirect(aOldChannel, aNewChannel, aFlags, aCb);
   }
 
-  (void) OnRedirectVerifyCallback(NS_OK);
-  return NS_OK;
-}
+  aCb->OnRedirectVerifyCallback(NS_OK);
 
-NS_IMETHODIMP
-nsCORSListenerProxy::OnRedirectVerifyCallback(nsresult result)
-{
-  NS_ASSERTION(mRedirectCallback, "mRedirectCallback not set in callback");
-  NS_ASSERTION(mOldRedirectChannel, "mOldRedirectChannel not set in callback");
-  NS_ASSERTION(mNewRedirectChannel, "mNewRedirectChannel not set in callback");
-
-  if (NS_SUCCEEDED(result)) {
-    nsresult rv = UpdateChannel(mNewRedirectChannel, DataURIHandling::Disallow);
-      if (NS_FAILED(rv)) {
-          NS_WARNING("nsCORSListenerProxy::OnRedirectVerifyCallback: "
-                     "UpdateChannel() returned failure");
-      }
-      result = rv;
-  }
-
-  if (NS_FAILED(result)) {
-    mOldRedirectChannel->Cancel(result);
-  }
-
-  mOldRedirectChannel = nullptr;
-  mNewRedirectChannel = nullptr;
-  mRedirectCallback->OnRedirectVerifyCallback(result);
-  mRedirectCallback   = nullptr;
   return NS_OK;
 }
 
@@ -863,6 +829,12 @@ nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
     if (dataScheme) {
       return NS_OK;
     }
+    nsCOMPtr<nsILoadInfo> loadInfo;
+    aChannel->GetLoadInfo(getter_AddRefs(loadInfo));
+    if (loadInfo && loadInfo->GetAboutBlankInherits() &&
+        NS_IsAboutBlank(uri)) {
+      return NS_OK;
+    }
   }
 
   // Set CORS attributes on channel so that intercepted requests get correct
diff --git a/netwerk/protocol/http/nsCORSListenerProxy.h b/netwerk/protocol/http/nsCORSListenerProxy.h
index 5a0064494a03..d58b9b113cca 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.h
+++ b/netwerk/protocol/http/nsCORSListenerProxy.h
@@ -40,7 +40,6 @@ enum class DataURIHandling
 class nsCORSListenerProxy final : public nsIStreamListener,
                                   public nsIInterfaceRequestor,
                                   public nsIChannelEventSink,
-                                  public nsIAsyncVerifyRedirectCallback,
                                   public nsIThreadRetargetableStreamListener
 {
 public:
@@ -53,7 +52,6 @@ public:
   NS_DECL_NSISTREAMLISTENER
   NS_DECL_NSIINTERFACEREQUESTOR
   NS_DECL_NSICHANNELEVENTSINK
-  NS_DECL_NSIASYNCVERIFYREDIRECTCALLBACK
   NS_DECL_NSITHREADRETARGETABLESTREAMLISTENER
 
   // Must be called at startup.
@@ -103,9 +101,6 @@ private:
 #ifdef DEBUG
   bool mInited;
 #endif
-  nsCOMPtr<nsIAsyncVerifyRedirectCallback> mRedirectCallback;
-  nsCOMPtr<nsIChannel> mOldRedirectChannel;
-  nsCOMPtr<nsIChannel> mNewRedirectChannel;
 };
 
 #endif
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index 4c803a0eab25..c21c8c19b776 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -343,7 +343,7 @@ nsHttpChannel::Connect()
             nsContentUtils::GetSecurityManager()->
                 GetChannelResultPrincipal(this, getter_AddRefs(resultPrincipal));
             bool crossOriginNavigation =
-                (mLoadInfo->GetContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) &&
+                (mLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) &&
                 (!resultPrincipal->Equals(mLoadInfo->LoadingPrincipal()));
 
             if (!crossOriginNavigation) {
@@ -2007,14 +2007,16 @@ nsHttpChannel::StartRedirectChannelToURI(nsIURI *upgradedURI, uint32_t flags)
     // Inform consumers about this fake redirect
     mRedirectChannel = newChannel;
 
-    // Ensure that internally-redirected channels cannot be intercepted, which would look
-    // like two separate requests to the nsINetworkInterceptController.
-    nsLoadFlags loadFlags = nsIRequest::LOAD_NORMAL;
-    rv = mRedirectChannel->GetLoadFlags(&loadFlags);
-    NS_ENSURE_SUCCESS(rv, rv);
-    loadFlags |= nsIChannel::LOAD_BYPASS_SERVICE_WORKER;
-    rv = mRedirectChannel->SetLoadFlags(loadFlags);
-    NS_ENSURE_SUCCESS(rv, rv);
+    if (!(flags & nsIChannelEventSink::REDIRECT_STS_UPGRADE)) {
+        // Ensure that internally-redirected channels cannot be intercepted, which would look
+        // like two separate requests to the nsINetworkInterceptController.
+        nsLoadFlags loadFlags = nsIRequest::LOAD_NORMAL;
+        rv = mRedirectChannel->GetLoadFlags(&loadFlags);
+        NS_ENSURE_SUCCESS(rv, rv);
+        loadFlags |= nsIChannel::LOAD_BYPASS_SERVICE_WORKER;
+        rv = mRedirectChannel->SetLoadFlags(loadFlags);
+        NS_ENSURE_SUCCESS(rv, rv);
+    }
 
     PushRedirectAsyncFunc(
         &nsHttpChannel::ContinueAsyncRedirectChannelToURI);
diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
index c56f2be05926..9cc2a368fe2b 100644
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -824,7 +824,7 @@ nsHttpChannelAuthProvider::BlockPrompt()
     }
 
     if (gHttpHandler->IsTelemetryEnabled()) {
-      if (loadInfo->GetContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) {
+      if (loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) {
         Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS,
                               HTTP_AUTH_DIALOG_TOP_LEVEL_DOC);
       } else {
@@ -842,8 +842,8 @@ nsHttpChannelAuthProvider::BlockPrompt()
     }
 
     // Allow if it is the top-level document or xhr.
-    if ((loadInfo->GetContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) ||
-        (loadInfo->GetContentPolicyType() == nsIContentPolicy::TYPE_XMLHTTPREQUEST)) {
+    if ((loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) ||
+        (loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_XMLHTTPREQUEST)) {
         return false;
     }
 
diff --git a/netwerk/protocol/http/nsIHttpChannelInternal.idl b/netwerk/protocol/http/nsIHttpChannelInternal.idl
index 3bc2817ea8d2..5275805ebe0e 100644
--- a/netwerk/protocol/http/nsIHttpChannelInternal.idl
+++ b/netwerk/protocol/http/nsIHttpChannelInternal.idl
@@ -39,8 +39,7 @@ interface nsIHttpUpgradeListener : nsISupports
  * using any feature exposed by this interface, be aware that this interface
  * will change and you will be broken.  You have been warned.
  */
-[scriptable, uuid(5f019a6f-6f6f-4b5c-8994-70cdbc40258e)]
-
+[scriptable, uuid(99767aaf-937d-4f2f-8990-bc79bd7c0ece)]
 interface nsIHttpChannelInternal : nsISupports
 {
     /**
@@ -235,7 +234,6 @@ interface nsIHttpChannelInternal : nsISupports
     const unsigned long CORS_MODE_SAME_ORIGIN = 0;
     const unsigned long CORS_MODE_NO_CORS = 1;
     const unsigned long CORS_MODE_CORS = 2;
-    const unsigned long CORS_MODE_CORS_WITH_FORCED_PREFLIGHT = 3;
     /**
      * Set by nsCORSListenerProxy to indicate CORS load type. Defaults to CORS_MODE_NO_CORS.
      */
diff --git a/netwerk/protocol/websocket/WebSocketChannel.cpp b/netwerk/protocol/websocket/WebSocketChannel.cpp
index 3a3943f9ec77..7191a8bd1b65 100644
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -3244,6 +3244,8 @@ WebSocketChannel::AsyncOpen(nsIURI *aURI,
     return rv;
   }
 
+  // Ideally we'd call newChannelFromURIWithLoadInfo here, but that doesn't
+  // allow setting proxy uri/flags
   rv = io2->NewChannelFromURIWithProxyFlags2(
               localURI,
               mURI,
@@ -3254,7 +3256,7 @@ WebSocketChannel::AsyncOpen(nsIURI *aURI,
               mLoadInfo->LoadingPrincipal(),
               mLoadInfo->TriggeringPrincipal(),
               mLoadInfo->GetSecurityFlags(),
-              mLoadInfo->GetContentPolicyType(),
+              mLoadInfo->InternalContentPolicyType(),
               getter_AddRefs(localChannel));
   NS_ENSURE_SUCCESS(rv, rv);
 
diff --git a/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp b/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
index ca16a2779fac..f60610fddbbc 100644
--- a/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
+++ b/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
@@ -104,7 +104,7 @@ WyciwygChannelChild::Init(nsIURI* uri)
     mozilla::ipc::PrincipalToPrincipalInfo(mLoadInfo->TriggeringPrincipal(),
                                            &triggeringPrincipalInfo);
     securityFlags = mLoadInfo->GetSecurityFlags();
-    policyType = mLoadInfo->GetContentPolicyType();
+    policyType = mLoadInfo->InternalContentPolicyType();
   }
   else {
     // use default values if no loadInfo is provided
diff --git a/netwerk/sctp/src/moz.build b/netwerk/sctp/src/moz.build
index 4fcc0d53f4e0..3000b3d7334e 100644
--- a/netwerk/sctp/src/moz.build
+++ b/netwerk/sctp/src/moz.build
@@ -43,6 +43,7 @@ Library('nksctp_s')
 
 include('/ipc/chromium/chromium-config.mozbuild')
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/netwerk/test/unit/test_packaged_app_verifier.js b/netwerk/test/unit/test_packaged_app_verifier.js
index b2159e665db4..1667dc2506b7 100644
--- a/netwerk/test/unit/test_packaged_app_verifier.js
+++ b/netwerk/test/unit/test_packaged_app_verifier.js
@@ -38,6 +38,7 @@ var gLoadContextInfoFactory =
 const kUriIdx                 = 0;
 const kStatusCodeIdx          = 1;
 const kVerificationSuccessIdx = 2;
+const kContentIdx             = 3;
 
 function enable_developer_mode()
 {
@@ -50,7 +51,7 @@ function reset_developer_mode()
 }
 
 function createVerifierListener(aExpecetedCallbacks,
-                                aExpectedOrigin,
+                                aExpectedPackageId,
                                 aExpectedIsSigned,
                                 aPackageCacheEntry) {
   let cnt = 0;
@@ -77,15 +78,15 @@ function createVerifierListener(aExpecetedCallbacks,
 
       if (isManifest) {
         // Check if the verifier got the right package info.
-        equal(gVerifier.packageOrigin, aExpectedOrigin, 'package origin');
+        equal(gVerifier.packageIdentifier, aExpectedPackageId, 'package identifier');
         equal(gVerifier.isPackageSigned, aExpectedIsSigned, 'is package signed');
 
         // Check if the verifier wrote the signed package origin to the cache.
         ok(!!aPackageCacheEntry, aPackageCacheEntry.key);
-        let signePakOriginInCache = aPackageCacheEntry.getMetaDataElement('signed-pak-origin');
-        equal(signePakOriginInCache,
-              (aExpectedIsSigned ? aExpectedOrigin : ''),
-              'signed-pak-origin in cache');
+        let signePakIdInCache = aPackageCacheEntry.getMetaDataElement('package-id');
+        equal(signePakIdInCache,
+              (aExpectedIsSigned ? aExpectedPackageId : ''),
+              'package-id in cache');
       }
 
       if (isLastPart) {
@@ -96,14 +97,29 @@ function createVerifierListener(aExpecetedCallbacks,
   };
 };
 
-function feedResources(aExpectedCallbacks) {
+function feedData(aString) {
+  let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].
+                           createInstance(Ci.nsIStringInputStream);
+  stringStream.setData(aString, aString.length);
+  gVerifier.onDataAvailable(null, null, stringStream, 0, aString.length);
+}
+
+function feedResources(aExpectedCallbacks, aSignature) {
   for (let i = 0; i < aExpectedCallbacks.length; i++) {
     let expectedCallback = aExpectedCallbacks[i];
     let isLastPart = (i === aExpectedCallbacks.length - 1);
 
+    // Start request.
     let uri = gIoService.newURI(expectedCallback[kUriIdx], null, null);
     gVerifier.onStartRequest(null, uri);
 
+    // Feed data at once.
+    let contentString = expectedCallback[kContentIdx];
+    if (contentString !== undefined) {
+      feedData(contentString);
+    }
+
+    // Stop request.
     let info = gVerifier.createResourceCacheInfo(uri,
                                                  null,
                                                  expectedCallback[kStatusCodeIdx],
@@ -148,13 +164,13 @@ function test_no_signature(aDeveloperMode) {
     createPackageCache(packageUriString, gLoadContextInfoFactory.default);
 
   let verifierListener = createVerifierListener(expectedCallbacks,
-                                                kOrigin,
+                                                '',
                                                 isPackageSigned,
                                                 packageCacheEntry);
 
-  gVerifier.init(verifierListener, kOrigin, '', packageCacheEntry);
+  gVerifier.init(verifierListener, '', packageCacheEntry);
 
-  feedResources(expectedCallbacks);
+  feedResources(expectedCallbacks, '');
 }
 
 function test_invalid_signature(aDeveloperMode) {
@@ -168,9 +184,15 @@ function test_invalid_signature(aDeveloperMode) {
   let verificationResult = aDeveloperMode; // Verification always success in developer mode.
   let isPackageSigned = aDeveloperMode;   // Package is always considered as signed in developer mode.
 
+  const kPackagedId = '611FC2FE-491D-4A47-B3B3-43FBDF6F404F';
+  const kManifestContent = 'Content-Location: manifest.webapp\r\n' +
+                           'Content-Type: application/x-web-app-manifest+json\r\n' +
+                           '\r\n' +
+                           '{ "package-identifier": "' + kPackagedId + '" }';
+
   const expectedCallbacks = [
-  // URL                      statusCode   verificationResult
-    [kOrigin + '/manifest',   Cr.NS_OK,    verificationResult],
+  // URL                      statusCode   verificationResult     content
+    [kOrigin + '/manifest',   Cr.NS_OK,    verificationResult,    kManifestContent],
     [kOrigin + '/1.html',     Cr.NS_OK,    verificationResult],
     [kOrigin + '/2.js',       Cr.NS_OK,    verificationResult],
     [kOrigin + '/3.jpg',      Cr.NS_OK,    verificationResult],
@@ -183,13 +205,14 @@ function test_invalid_signature(aDeveloperMode) {
     createPackageCache(packageUriString, gLoadContextInfoFactory.private);
 
   let verifierListener = createVerifierListener(expectedCallbacks,
-                                                kOrigin,
+                                                aDeveloperMode ? kPackagedId : '',
                                                 isPackageSigned,
                                                 packageCacheEntry);
 
-  gVerifier.init(verifierListener, kOrigin, 'invalid signature', packageCacheEntry);
+  let signature = 'manifest-signature: 11111111111111111111111';
+  gVerifier.init(verifierListener, signature, packageCacheEntry);
 
-  feedResources(expectedCallbacks);
+  feedResources(expectedCallbacks, signature);
 }
 
 function test_no_signature_developer_mode()
@@ -218,4 +241,4 @@ function run_test()
 
   // run tests
   run_next_test();
-}
+}
\ No newline at end of file
diff --git a/other-licenses/android/moz.build b/other-licenses/android/moz.build
index f16401fddaa1..a99652ee9643 100644
--- a/other-licenses/android/moz.build
+++ b/other-licenses/android/moz.build
@@ -27,6 +27,7 @@ SOURCES += [
     'res_state.c',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'mozglue'
diff --git a/other-licenses/skia-npapi/moz.build b/other-licenses/skia-npapi/moz.build
index bb6c9dc01ba8..d433fc9a919e 100644
--- a/other-licenses/skia-npapi/moz.build
+++ b/other-licenses/skia-npapi/moz.build
@@ -16,6 +16,7 @@ UNIFIED_SOURCES += [
     'SkANP.cpp',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/other-licenses/snappy/moz.build b/other-licenses/snappy/moz.build
index 481bcd451d22..aae8eee00895 100644
--- a/other-licenses/snappy/moz.build
+++ b/other-licenses/snappy/moz.build
@@ -17,6 +17,7 @@ UNIFIED_SOURCES += [
     'src/snappy.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/parser/htmlparser/nsHTMLTags.cpp b/parser/htmlparser/nsHTMLTags.cpp
index 758a18539500..f46b9ffdf001 100644
--- a/parser/htmlparser/nsHTMLTags.cpp
+++ b/parser/htmlparser/nsHTMLTags.cpp
@@ -14,283 +14,9 @@
 
 using namespace mozilla;
 
-// C++ sucks! There's no way to do this with a macro, at least not
-// that I know, if you know how to do this with a macro then please do
-// so...
-static const char16_t sHTMLTagUnicodeName_a[] =
-  {'a', '\0'};
-static const char16_t sHTMLTagUnicodeName_abbr[] =
-  {'a', 'b', 'b', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_acronym[] =
-  {'a', 'c', 'r', 'o', 'n', 'y', 'm', '\0'};
-static const char16_t sHTMLTagUnicodeName_address[] =
-  {'a', 'd', 'd', 'r', 'e', 's', 's', '\0'};
-static const char16_t sHTMLTagUnicodeName_applet[] =
-  {'a', 'p', 'p', 'l', 'e', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_area[] =
-  {'a', 'r', 'e', 'a', '\0'};
-static const char16_t sHTMLTagUnicodeName_article[] =
-  {'a', 'r', 't', 'i', 'c', 'l', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_aside[] =
-  {'a', 's', 'i', 'd', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_audio[] =
-  {'a', 'u', 'd', 'i', 'o', '\0'};
-static const char16_t sHTMLTagUnicodeName_b[] =
-  {'b', '\0'};
-static const char16_t sHTMLTagUnicodeName_base[] =
-  {'b', 'a', 's', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_basefont[] =
-  {'b', 'a', 's', 'e', 'f', 'o', 'n', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_bdo[] =
-  {'b', 'd', 'o', '\0'};
-static const char16_t sHTMLTagUnicodeName_bgsound[] =
-  {'b', 'g', 's', 'o', 'u', 'n', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_big[] =
-  {'b', 'i', 'g', '\0'};
-static const char16_t sHTMLTagUnicodeName_blockquote[] =
-  {'b', 'l', 'o', 'c', 'k', 'q', 'u', 'o', 't', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_body[] =
-  {'b', 'o', 'd', 'y', '\0'};
-static const char16_t sHTMLTagUnicodeName_br[] =
-  {'b', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_button[] =
-  {'b', 'u', 't', 't', 'o', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_canvas[] =
-  {'c', 'a', 'n', 'v', 'a', 's', '\0'};
-static const char16_t sHTMLTagUnicodeName_caption[] =
-  {'c', 'a', 'p', 't', 'i', 'o', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_center[] =
-  {'c', 'e', 'n', 't', 'e', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_cite[] =
-  {'c', 'i', 't', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_code[] =
-  {'c', 'o', 'd', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_col[] =
-  {'c', 'o', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_colgroup[] =
-  {'c', 'o', 'l', 'g', 'r', 'o', 'u', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_content[] =
-  {'c', 'o', 'n', 't', 'e', 'n', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_data[] =
-  {'d', 'a', 't', 'a', '\0'};
-static const char16_t sHTMLTagUnicodeName_datalist[] =
-  {'d', 'a', 't', 'a', 'l', 'i', 's', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_dd[] =
-  {'d', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_del[] =
-  {'d', 'e', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_dfn[] =
-  {'d', 'f', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_dir[] =
-  {'d', 'i', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_div[] =
-  {'d', 'i', 'v', '\0'};
-static const char16_t sHTMLTagUnicodeName_dl[] =
-  {'d', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_dt[] =
-  {'d', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_em[] =
-  {'e', 'm', '\0'};
-static const char16_t sHTMLTagUnicodeName_embed[] =
-  {'e', 'm', 'b', 'e', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_extapp[] =
-  {'e', 'x', 't', 'a', 'p', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_fieldset[] =
-  {'f', 'i', 'e', 'l', 'd', 's', 'e', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_figcaption[] =
-  {'f', 'i', 'g', 'c', 'a', 'p', 't', 'i', 'o', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_figure[] =
-  {'f', 'i', 'g', 'u', 'r', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_font[] =
-  {'f', 'o', 'n', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_footer[] =
-  {'f', 'o', 'o', 't', 'e', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_form[] =
-  {'f', 'o', 'r', 'm', '\0'};
-static const char16_t sHTMLTagUnicodeName_frame[] =
-  {'f', 'r', 'a', 'm', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_frameset[] =
-  {'f', 'r', 'a', 'm', 'e', 's', 'e', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_h1[] =
-  {'h', '1', '\0'};
-static const char16_t sHTMLTagUnicodeName_h2[] =
-  {'h', '2', '\0'};
-static const char16_t sHTMLTagUnicodeName_h3[] =
-  {'h', '3', '\0'};
-static const char16_t sHTMLTagUnicodeName_h4[] =
-  {'h', '4', '\0'};
-static const char16_t sHTMLTagUnicodeName_h5[] =
-  {'h', '5', '\0'};
-static const char16_t sHTMLTagUnicodeName_h6[] =
-  {'h', '6', '\0'};
-static const char16_t sHTMLTagUnicodeName_head[] =
-  {'h', 'e', 'a', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_header[] =
-  {'h', 'e', 'a', 'd', 'e', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_hgroup[] =
-  {'h', 'g', 'r', 'o', 'u', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_hr[] =
-  {'h', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_html[] =
-  {'h', 't', 'm', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_i[] =
-  {'i', '\0'};
-static const char16_t sHTMLTagUnicodeName_iframe[] =
-  {'i', 'f', 'r', 'a', 'm', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_image[] =
-  {'i', 'm', 'a', 'g', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_img[] =
-  {'i', 'm', 'g', '\0'};
-static const char16_t sHTMLTagUnicodeName_input[] =
-  {'i', 'n', 'p', 'u', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_ins[] =
-  {'i', 'n', 's', '\0'};
-static const char16_t sHTMLTagUnicodeName_kbd[] =
-  {'k', 'b', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_keygen[] =
-  {'k', 'e', 'y', 'g', 'e', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_label[] =
-  {'l', 'a', 'b', 'e', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_legend[] =
-  {'l', 'e', 'g', 'e', 'n', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_li[] =
-  {'l', 'i', '\0'};
-static const char16_t sHTMLTagUnicodeName_link[] =
-  {'l', 'i', 'n', 'k', '\0'};
-static const char16_t sHTMLTagUnicodeName_listing[] =
-  {'l', 'i', 's', 't', 'i', 'n', 'g', '\0'};
-static const char16_t sHTMLTagUnicodeName_main[] =
-  {'m', 'a', 'i', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_map[] =
-  {'m', 'a', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_mark[] =
-  {'m', 'a', 'r', 'k', '\0'};
-static const char16_t sHTMLTagUnicodeName_marquee[] =
-  {'m', 'a', 'r', 'q', 'u', 'e', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_menu[] =
-  {'m', 'e', 'n', 'u', '\0'};
-static const char16_t sHTMLTagUnicodeName_menuitem[] =
-  {'m', 'e', 'n', 'u', 'i', 't', 'e', 'm', '\0'};
-static const char16_t sHTMLTagUnicodeName_meta[] =
-  {'m', 'e', 't', 'a', '\0'};
-static const char16_t sHTMLTagUnicodeName_meter[] =
-  {'m', 'e', 't', 'e', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_multicol[] =
-  {'m', 'u', 'l', 't', 'i', 'c', 'o', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_nav[] =
-  {'n', 'a', 'v', '\0'};
-static const char16_t sHTMLTagUnicodeName_nobr[] =
-  {'n', 'o', 'b', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_noembed[] =
-  {'n', 'o', 'e', 'm', 'b', 'e', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_noframes[] =
-  {'n', 'o', 'f', 'r', 'a', 'm', 'e', 's', '\0'};
-static const char16_t sHTMLTagUnicodeName_noscript[] =
-  {'n', 'o', 's', 'c', 'r', 'i', 'p', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_object[] =
-  {'o', 'b', 'j', 'e', 'c', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_ol[] =
-  {'o', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_optgroup[] =
-  {'o', 'p', 't', 'g', 'r', 'o', 'u', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_option[] =
-  {'o', 'p', 't', 'i', 'o', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_output[] =
-  {'o', 'u', 't', 'p', 'u', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_p[] =
-  {'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_param[] =
-  {'p', 'a', 'r', 'a', 'm', '\0'};
-static const char16_t sHTMLTagUnicodeName_picture[] =
-  {'p', 'i', 'c', 't', 'u', 'r', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_plaintext[] =
-  {'p', 'l', 'a', 'i', 'n', 't', 'e', 'x', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_pre[] =
-  {'p', 'r', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_progress[] =
-  {'p', 'r', 'o', 'g', 'r', 'e', 's', 's', '\0'};
-static const char16_t sHTMLTagUnicodeName_q[] =
-  {'q', '\0'};
-static const char16_t sHTMLTagUnicodeName_rb[] =
-  {'r', 'b', '\0'};
-static const char16_t sHTMLTagUnicodeName_rp[] =
-  {'r', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_rt[] =
-  {'r', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_rtc[] =
-  {'r', 't', 'c', '\0'};
-static const char16_t sHTMLTagUnicodeName_ruby[] =
-  {'r', 'u', 'b', 'y', '\0'};
-static const char16_t sHTMLTagUnicodeName_s[] =
-  {'s', '\0'};
-static const char16_t sHTMLTagUnicodeName_samp[] =
-  {'s', 'a', 'm', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_script[] =
-  {'s', 'c', 'r', 'i', 'p', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_section[] =
-  {'s', 'e', 'c', 't', 'i', 'o', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_select[] =
-  {'s', 'e', 'l', 'e', 'c', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_shadow[] =
-  {'s', 'h', 'a', 'd', 'o', 'w', '\0'};
-static const char16_t sHTMLTagUnicodeName_small[] =
-  {'s', 'm', 'a', 'l', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_source[] =
-  {'s', 'o', 'u', 'r', 'c', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_span[] =
-  {'s', 'p', 'a', 'n', '\0'};
-static const char16_t sHTMLTagUnicodeName_strike[] =
-  {'s', 't', 'r', 'i', 'k', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_strong[] =
-  {'s', 't', 'r', 'o', 'n', 'g', '\0'};
-static const char16_t sHTMLTagUnicodeName_style[] =
-  {'s', 't', 'y', 'l', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_sub[] =
-  {'s', 'u', 'b', '\0'};
-static const char16_t sHTMLTagUnicodeName_sup[] =
-  {'s', 'u', 'p', '\0'};
-static const char16_t sHTMLTagUnicodeName_table[] =
-  {'t', 'a', 'b', 'l', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_tbody[] =
-  {'t', 'b', 'o', 'd', 'y', '\0'};
-static const char16_t sHTMLTagUnicodeName_td[] =
-  {'t', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_textarea[] =
-  {'t', 'e', 'x', 't', 'a', 'r', 'e', 'a', '\0'};
-static const char16_t sHTMLTagUnicodeName_tfoot[] =
-  {'t', 'f', 'o', 'o', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_th[] =
-  {'t', 'h', '\0'};
-static const char16_t sHTMLTagUnicodeName_thead[] =
-  {'t', 'h', 'e', 'a', 'd', '\0'};
-static const char16_t sHTMLTagUnicodeName_template[] =
-  {'t', 'e', 'm', 'p', 'l', 'a', 't', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_time[] =
-  {'t', 'i', 'm', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_title[] =
-  {'t', 'i', 't', 'l', 'e', '\0'};
-static const char16_t sHTMLTagUnicodeName_tr[] =
-  {'t', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_track[] =
-  {'t', 'r', 'a', 'c', 'k', '\0'};
-static const char16_t sHTMLTagUnicodeName_tt[] =
-  {'t', 't', '\0'};
-static const char16_t sHTMLTagUnicodeName_u[] =
-  {'u', '\0'};
-static const char16_t sHTMLTagUnicodeName_ul[] =
-  {'u', 'l', '\0'};
-static const char16_t sHTMLTagUnicodeName_var[] =
-  {'v', 'a', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_video[] =
-  {'v', 'i', 'd', 'e', 'o', '\0'};
-static const char16_t sHTMLTagUnicodeName_wbr[] =
-  {'w', 'b', 'r', '\0'};
-static const char16_t sHTMLTagUnicodeName_xmp[] =
-  {'x', 'm', 'p', '\0'};
-
 // static array of unicode tag names
-#define HTML_TAG(_tag, _classname) sHTMLTagUnicodeName_##_tag,
-#define HTML_HTMLELEMENT_TAG(_tag) sHTMLTagUnicodeName_##_tag,
+#define HTML_TAG(_tag, _classname) MOZ_UTF16(#_tag),
+#define HTML_HTMLELEMENT_TAG(_tag) MOZ_UTF16(#_tag),
 #define HTML_OTHER(_tag)
 const char16_t* const nsHTMLTags::sTagUnicodeTable[] = {
 #include "nsHTMLTagList.h"
diff --git a/python/mozbuild/mozbuild/backend/fastermake.py b/python/mozbuild/mozbuild/backend/fastermake.py
index 50f41b7bc015..c90589956037 100644
--- a/python/mozbuild/mozbuild/backend/fastermake.py
+++ b/python/mozbuild/mozbuild/backend/fastermake.py
@@ -210,15 +210,8 @@ class FasterMakeBackend(CommonBackend):
 
         for jarinfo in pp.out:
             install_target = obj.install_target
-            # Bug 1150417 added some gross hacks, which we don't try to
-            # support generically. Fortunately, the hacks don't define more
-            # than chrome manifest entries, so just assume we don't get
-            # any installation entries.
-            if jarinfo.name.startswith('../'):
-                assert not jarinfo.entries
-
-            base = mozpath.join('chrome', jarinfo.name)
-
+            if jarinfo.base:
+                install_target = mozpath.join(install_target, jarinfo.base)
             for e in jarinfo.entries:
                 if e.is_locale:
                     src = mozpath.join(
@@ -241,11 +234,11 @@ class FasterMakeBackend(CommonBackend):
                                 yield p + '/'
                     prefix = ''.join(_prefix(src))
 
-                    self._install_manifests[obj.install_target] \
+                    self._install_manifests[install_target] \
                         .add_pattern_symlink(
                         prefix,
                         src[len(prefix):],
-                        mozpath.join(base, e.output))
+                        mozpath.join(jarinfo.name, e.output))
                     continue
 
                 if not os.path.exists(src):
@@ -261,7 +254,7 @@ class FasterMakeBackend(CommonBackend):
                         # it, but it's how it works in the recursive make,
                         # not that anything relies on that, but it's simpler.
                         src = mozpath.join(obj.objdir, e.source)
-                    self._dependencies['install-%s' % obj.install_target] \
+                    self._dependencies['install-%s' % install_target] \
                         .append(mozpath.relpath(
                         src, self.environment.topobjdir))
 
@@ -272,26 +265,26 @@ class FasterMakeBackend(CommonBackend):
                     self._add_preprocess(
                         obj,
                         src,
-                        mozpath.join(base, mozpath.dirname(e.output)),
+                        mozpath.join(jarinfo.name, mozpath.dirname(e.output)),
                         mozpath.basename(e.output),
                         defines=defines,
                         **kwargs)
                 else:
-                    self._install_manifests[obj.install_target].add_symlink(
+                    self._install_manifests[install_target].add_symlink(
                         src,
-                        mozpath.join(base, e.output))
+                        mozpath.join(jarinfo.name, e.output))
 
-            manifest = mozpath.normpath(mozpath.join(obj.install_target, base))
+            manifest = mozpath.normpath(mozpath.join(install_target,
+                                                     jarinfo.name))
             manifest += '.manifest'
             for m in jarinfo.chrome_manifests:
                 self._manifest_entries[manifest].append(
-                    m.replace('%', jarinfo.name + '/'))
+                    m.replace('%', mozpath.basename(jarinfo.name) + '/'))
 
-            # ../ special cased for bug 1150417 again.
-            if not jarinfo.name.startswith('../'):
-                manifest = mozpath.normpath(mozpath.join(obj.install_target,
+            if jarinfo.name != 'chrome':
+                manifest = mozpath.normpath(mozpath.join(install_target,
                                                          'chrome.manifest'))
-                entry = 'manifest %s.manifest' % base
+                entry = 'manifest %s.manifest' % jarinfo.name
                 if entry not in self._manifest_entries[manifest]:
                     self._manifest_entries[manifest].append(entry)
 
diff --git a/python/mozbuild/mozbuild/base.py b/python/mozbuild/mozbuild/base.py
index f8983b1d5712..5591cc14a256 100644
--- a/python/mozbuild/mozbuild/base.py
+++ b/python/mozbuild/mozbuild/base.py
@@ -278,8 +278,8 @@ class MozbuildObject(ProcessExecutionMixin):
 
     @property
     def bindir(self):
-        from . import mozinfo
-        if mozinfo.os == "mac":
+        import mozinfo
+        if mozinfo.isMac:
             return os.path.join(self.topobjdir, 'dist', self.substs['MOZ_MACBUNDLE_NAME'], 'Contents', 'Resources')
         return os.path.join(self.topobjdir, 'dist', 'bin')
 
diff --git a/python/mozbuild/mozbuild/jar.py b/python/mozbuild/mozbuild/jar.py
index 0f659a553677..01dd50600a7a 100644
--- a/python/mozbuild/mozbuild/jar.py
+++ b/python/mozbuild/mozbuild/jar.py
@@ -79,8 +79,19 @@ class JarManifestEntry(object):
 
 
 class JarInfo(object):
-    def __init__(self, name):
-        self.name = name
+    def __init__(self, base_or_jarinfo, name=None):
+        if name is None:
+            assert isinstance(base_or_jarinfo, JarInfo)
+            self.base = base_or_jarinfo.base
+            self.name = base_or_jarinfo.name
+        else:
+            assert not isinstance(base_or_jarinfo, JarInfo)
+            self.base = base_or_jarinfo or ''
+            self.name = name
+            # For compatibility with existing jar.mn files, if there is no
+            # base, the jar name is under chrome/
+            if not self.base:
+                self.name = mozpath.join('chrome', self.name)
         self.relativesrcdir = None
         self.chrome_manifests = []
         self.entries = []
@@ -89,7 +100,14 @@ class JarInfo(object):
 class JarManifestParser(object):
 
     ignore = re.compile('\s*(\#.*)?$')
-    jarline = re.compile('(?:(?P<jarfile>[\w\d.\-\_\\\/{}]+).jar\:)|(?:\s*(\#.*)?)\s*$')
+    jarline = re.compile('''
+        (?:
+            (?:\[(?P<base>[\w\d.\-\_\\\/{}]+)\]\s*)? # optional [base/path]
+            (?P<jarfile>[\w\d.\-\_\\\/{}]+).jar\:    # filename.jar:
+        |
+            (?:\s*(\#.*)?)                           # comment
+        )\s*$                                        # whitespaces
+        ''', re.VERBOSE)
     relsrcline = re.compile('relativesrcdir\s+(?P<relativesrcdir>.+?):')
     regline = re.compile('\%\s+(.*)$')
     entryre = '(?P<optPreprocess>\*)?(?P<optOverwrite>\+?)\s+'
@@ -110,13 +128,18 @@ class JarManifestParser(object):
 
         # A jar manifest file can declare several different sections, each of
         # which applies to a given "jar file". Each of those sections starts
-        # with "<name>.jar:".
+        # with "<name>.jar:", in which case the path is assumed relative to
+        # a "chrome" directory, or "[<base/path>] <subpath/name>.jar:", where
+        # a base directory is given (usually pointing at the root of the
+        # application or addon) and the jar path is given relative to the base
+        # directory.
         if self._current_jar is None:
             m = self.jarline.match(line)
             if not m:
                 raise RuntimeError(line)
             if m.group('jarfile'):
-                self._current_jar = JarInfo(m.group('jarfile'))
+                self._current_jar = JarInfo(m.group('base'),
+                                            m.group('jarfile'))
                 self._jars.append(self._current_jar)
             return
 
@@ -128,7 +151,7 @@ class JarManifestParser(object):
         m = self.relsrcline.match(line)
         if m:
             if self._current_jar.chrome_manifests or self._current_jar.entries:
-                self._current_jar = JarInfo(self._current_jar.name)
+                self._current_jar = JarInfo(self._current_jar)
                 self._jars.append(self._current_jar)
             self._current_jar.relativesrcdir = m.group('relativesrcdir')
             return
@@ -229,7 +252,7 @@ class JarMaker(object):
                      )
         p.add_option('--relativesrcdir', type='string',
                      help='relativesrcdir to be used for localization')
-        p.add_option('-j', type='string', help='jarfile directory')
+        p.add_option('-d', type='string', help='base directory')
         p.add_option('--root-manifest-entry-appid', type='string',
                      help='add an app id specific root chrome manifest entry.'
                      )
@@ -250,7 +273,7 @@ class JarMaker(object):
             logging.info('WARNING: Includes produce non-empty output')
         self.pp.out = None
 
-    def finalizeJar(self, jarPath, chromebasepath, register, doZip=True):
+    def finalizeJar(self, jardir, jarbase, jarname, chromebasepath, register, doZip=True):
         '''Helper method to write out the chrome registration entries to
          jarfile.manifest or chrome.manifest, or both.
 
@@ -261,18 +284,19 @@ class JarMaker(object):
         if not register:
             return
 
-        chromeManifest = os.path.join(os.path.dirname(jarPath), '..',
-                'chrome.manifest')
+        chromeManifest = os.path.join(jardir, jarbase, 'chrome.manifest')
 
         if self.useJarfileManifest:
-            self.updateManifest(jarPath + '.manifest',
+            self.updateManifest(os.path.join(jardir, jarbase,
+                                             jarname + '.manifest'),
                                 chromebasepath.format(''), register)
-            addEntriesToListFile(chromeManifest,
-                                 ['manifest chrome/{0}.manifest'.format(os.path.basename(jarPath))])
+            if jarname != 'chrome':
+                addEntriesToListFile(chromeManifest,
+                                     ['manifest {0}.manifest'.format(jarname)])
         if self.useChromeManifest:
+            chromebase = os.path.dirname(jarname) + '/'
             self.updateManifest(chromeManifest,
-                                chromebasepath.format('chrome/'),
-                                register)
+                                chromebasepath.format(chromebase), register)
 
         # If requested, add a root chrome manifest entry (assumed to be in the parent directory
         # of chromeManifest) with the application specific id. In cases where we're building
@@ -378,7 +402,7 @@ class JarMaker(object):
             chromebasepath = 'jar:' + chromebasepath + '.jar!'
         chromebasepath += '/'
 
-        jarfile = os.path.join(jardir, jarinfo.name)
+        jarfile = os.path.join(jardir, jarinfo.base, jarinfo.name)
         jf = None
         if self.outputFormat == 'jar':
             # jar
@@ -400,7 +424,8 @@ class JarMaker(object):
         for e in jarinfo.entries:
             self._processEntryLine(e, outHelper, jf)
 
-        self.finalizeJar(jarfile, chromebasepath, jarinfo.chrome_manifests)
+        self.finalizeJar(jardir, jarinfo.base, jarinfo.name, chromebasepath,
+                         jarinfo.chrome_manifests)
         if jf is not None:
             jf.close()
 
@@ -596,4 +621,4 @@ def main(args=None):
         infile = sys.stdin
     else:
         (infile, ) = args
-    jm.makeJar(infile, options.j)
+    jm.makeJar(infile, options.d)
diff --git a/python/mozbuild/mozbuild/test/test_jarmaker.py b/python/mozbuild/mozbuild/test/test_jarmaker.py
index 8bc2dc3e6f7c..a4d4156a72e7 100644
--- a/python/mozbuild/mozbuild/test/test_jarmaker.py
+++ b/python/mozbuild/mozbuild/test/test_jarmaker.py
@@ -166,13 +166,12 @@ class TestJarMaker(unittest.TestCase):
 
     def _jar_and_compare(self, infile, **kwargs):
         jm = JarMaker(outputFormat='jar')
-        jardir = os.path.join(self.builddir, 'chrome')
         if 'topsourcedir' not in kwargs:
             kwargs['topsourcedir'] = self.srcdir
         for attr in ('topsourcedir', 'sourcedirs'):
             if attr in kwargs:
                 setattr(jm, attr, kwargs[attr])
-        jm.makeJar(infile, jardir)
+        jm.makeJar(infile, self.builddir)
         cwd = os.getcwd()
         os.chdir(self.builddir)
         try:
@@ -239,8 +238,7 @@ class TestJarMaker(unittest.TestCase):
         jm = JarMaker(outputFormat='symlink')
         jm.sourcedirs = [self.srcdir]
         jm.topsourcedir = self.srcdir
-        jardir = os.path.join(self.builddir, 'chrome')
-        jm.makeJar(os.path.join(self.srcdir,'jar.mn'), jardir)
+        jm.makeJar(os.path.join(self.srcdir,'jar.mn'), self.builddir)
         # All we do is check that srcdir/bar points to builddir/chrome/test/dir/foo
         srcbar = os.path.join(self.srcdir, 'bar')
         destfoo = os.path.join(self.builddir, 'chrome', 'test', 'dir', 'foo')
@@ -288,8 +286,7 @@ class TestJarMaker(unittest.TestCase):
         jm = JarMaker(outputFormat='symlink')
         jm.sourcedirs = [self.srcdir]
         jm.topsourcedir = self.srcdir
-        jardir = os.path.join(self.builddir, 'chrome')
-        jm.makeJar(os.path.join(self.srcdir,'jar.mn'), jardir)
+        jm.makeJar(os.path.join(self.srcdir,'jar.mn'), self.builddir)
 
         expected_symlinks = {
             ('bar', 'foo.js'): ('foo.js',),
diff --git a/testing/mochitest/tests/SimpleTest/SimpleTest.js b/testing/mochitest/tests/SimpleTest/SimpleTest.js
index 175073de6690..6c2090a2ecfc 100644
--- a/testing/mochitest/tests/SimpleTest/SimpleTest.js
+++ b/testing/mochitest/tests/SimpleTest/SimpleTest.js
@@ -1125,7 +1125,7 @@ SimpleTest.monitorConsole = function (continuation, msgs, forbidUnexpectedMsgs)
   }
 
   function msgMatches(msg, pat) {
-    for (k in pat) {
+    for (var k in pat) {
       if (!(k in msg)) {
         return false;
       }
diff --git a/testing/taskcluster/scripts/misc/build-clang-linux.sh b/testing/taskcluster/scripts/misc/build-clang-linux.sh
new file mode 100755
index 000000000000..5e32a0e99f49
--- /dev/null
+++ b/testing/taskcluster/scripts/misc/build-clang-linux.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -x -e -v
+
+# This script is for building clang for Linux.
+
+WORKSPACE=$HOME/workspace
+HOME_DIR=$WORKSPACE/build
+UPLOAD_DIR=$WORKSPACE/artifacts
+
+# Fetch our toolchain from tooltool
+cd $HOME_DIR
+wget -O tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
+chmod +x tooltool.py
+: TOOLTOOL_CACHE                ${TOOLTOOL_CACHE:=/home/worker/tooltool-cache}
+export TOOLTOOL_CACHE
+cd src
+$HOME_DIR/tooltool.py -m browser/config/tooltool-manifests/linux64/releng.manifest fetch
+
+# gets a bit too verbose here
+set +x
+
+cd build/unix/build-clang
+./build-clang.py -c clang-static-analysis-linux64-centos6.json
+
+set -x
+
+# Put a tarball in the artifacts dir
+mkdir -p $UPLOAD_DIR
+cp clang.tar.* $UPLOAD_DIR
diff --git a/testing/taskcluster/tasks/builds/android_api_11_b2gdroid.yml b/testing/taskcluster/tasks/builds/android_api_11_b2gdroid.yml
index f1d3beb40863..1a0011e0c38c 100644
--- a/testing/taskcluster/tasks/builds/android_api_11_b2gdroid.yml
+++ b/testing/taskcluster/tasks/builds/android_api_11_b2gdroid.yml
@@ -5,8 +5,8 @@ $inherits:
     build_type: 'opt'
 task:
   metadata:
-      name: '[TC] Android armv7 API 11+ b2gdroid'
-      description: 'Android armv7 API 11+ b2gdroid'
+      name: '[TC] B2GDroid armv7 API 11+'
+      description: 'B2GDroid armv7 API 11+'
 
   workerType: android-api-11
 
@@ -54,7 +54,7 @@ task:
     treeherder:
       machine:
         # see https://github.com/mozilla/treeherder/blob/master/ui/js/values.js
-        platform: android-4-0-armv7-api11
+        platform: b2gdroid-4-0-armv7-api11
     # Rather then enforcing particular conventions we require that all build
     # tasks provide the "build" extra field to specify where the build and tests
     # files are located.
diff --git a/testing/taskcluster/tasks/builds/android_api_11_partner_sample1.yml b/testing/taskcluster/tasks/builds/android_api_11_partner_sample1.yml
index 6cea101d419d..735201c785c3 100644
--- a/testing/taskcluster/tasks/builds/android_api_11_partner_sample1.yml
+++ b/testing/taskcluster/tasks/builds/android_api_11_partner_sample1.yml
@@ -63,7 +63,7 @@ task:
     treeherder:
       machine:
         # see https://github.com/mozilla/treeherder/blob/master/ui/js/values.js
-        platform: android-4-0-armv7-api11
+        platform: android-4-0-armv7-api11-partner1
     # Rather then enforcing particular conventions we require that all build
     # tasks provide the "build" extra field to specify where the build and tests
     # files are located.
diff --git a/testing/web-platform/README.md b/testing/web-platform/README.md
index be7601f3cf5c..dc387b8921e3 100644
--- a/testing/web-platform/README.md
+++ b/testing/web-platform/README.md
@@ -29,11 +29,25 @@ FAQ
   testsuite. How do I do that?
 
   See the section on tests below. You can commit the tests directly to
-  the Mozilla repository and they will be upstreamed next time the
-  test is imported. For this reason please ensure that any tests you
-  write are testing correct-pre-spec behaviour even if we don't yet
-  pass, get proper review, and have a commit message that makes sense
-  outside of the Mozilla context.
+  the Mozilla repository under `testing/web-platform/tests` and they
+  will be upstreamed next time the test is imported. For this reason
+  please ensure that any tests you write are testing correct-per-spec
+  behaviour even if we don't yet pass, get proper review, and have a
+  commit message that makes sense outside of the Mozilla
+  context. If you are writing tests that should not be upstreamed yet
+  for some reason they must be located under
+  `testing/web-platform/mozilla/tests`.
+
+  It is important to note that in order for the tests to run the
+  manifest file must be updated; this should not be done by hand, but
+  by running `mach web-platform-tests --manifest-update`.
+
+  `mach web-platform-tests-create <path>` is a helper script designed
+  to help create new web-platform-tests. It opens a locally configured
+  editor at `<path>` with web-platform-tests boilerplate filled in,
+  and in the background runs `mach web-platform-tests
+  --manifest-update <path>`, so the test being developed is added to
+  the manifest and opened for interactive development.
 
 * How do I write a test that requires the use of a Mozilla-specific
   feature?
@@ -188,12 +202,21 @@ similar to standard Gecko reftests without an explicit manifest file,
 but with in-test or filename conventions for identifying the
 reference.
 
-New tests must presently be submitted upstream before they can be run
-on Mozilla infrastructure. This situation is expected to be temporary.
-
 Full documentation on test authoring and submission can be found on
 [testthewebforward.org](http://testthewebforward.org/docs).
 
+Test Manifest
+-------------
+
+web-platform-tests use a large auto-generated JSON file as their
+manifest. This stores data about the type of tests, their references,
+if any, and their timeout, gathered by inspecting the filenames and
+the contents of the test files.
+
+In order to update the manifest it is recommended that you run `mach
+web-platform-tests --manifest-update`. This rescans the test directory
+looking for new, removed, or altered tests.
+
 Running Tests In Other Browsers
 -------------------------------
 
diff --git a/testing/web-platform/mach_commands.py b/testing/web-platform/mach_commands.py
index e84e43da32f2..ca839f9af0b1 100644
--- a/testing/web-platform/mach_commands.py
+++ b/testing/web-platform/mach_commands.py
@@ -118,11 +118,11 @@ class WebPlatformTestsReduce(WebPlatformTestsRunner):
 
 class WebPlatformTestsCreator(MozbuildObject):
     template_prefix = """<!doctype html>
-<meta charset=utf-8>
+%(documentElement)s<meta charset=utf-8>
 """
     template_long_timeout = "<meta name=timeout content=long>\n"
 
-    template_body = """<title></title>
+    template_body_th = """<title></title>
 <script src=/resources/testharness.js></script>
 <script src=/resources/testharnessreport.js></script>
 <script>
@@ -130,27 +130,78 @@ class WebPlatformTestsCreator(MozbuildObject):
 </script>
 """
 
+    template_body_reftest = """<title></title>
+<link rel=%(match)s href=%(ref)s>
+"""
+
+    template_body_reftest_wait = """<script src="/common/reftest-wait.js"></script>
+"""
+
+    def rel_path(self, path):
+        if path is None:
+            return
+
+        abs_path = os.path.normpath(os.path.abspath(path))
+        return os.path.relpath(abs_path, self.topsrcdir)
+
+    def rel_url(self, rel_path):
+        upstream_path = os.path.join("testing", "web-platform", "tests")
+        local_path = os.path.join("testing", "web-platform", "mozilla", "tests")
+
+        if rel_path.startswith(upstream_path):
+            return rel_path[len(upstream_path):].replace(os.path.sep, "/")
+        elif rel_path.startswith(local_path):
+            return "/_mozilla" + rel_path[len(local_path):].replace(os.path.sep, "/")
+        else:
+            return None
+
     def run_create(self, context, **kwargs):
         import subprocess
 
-        path = os.path.normpath(os.path.abspath(kwargs["path"]))
+        path = self.rel_path(kwargs["path"])
+        ref_path = self.rel_path(kwargs["ref"])
 
-        rel_path = os.path.relpath(path, self.topsrcdir)
-        if not (rel_path.startswith("testing/web-platform/tests") or
-                rel_path.startswith("testing/web-platform/mozilla/tests")):
-            print("""Test path is not in wpt directories:
+        if kwargs["ref"]:
+            kwargs["reftest"] = True
+
+        if self.rel_url(path) is None:
+            print("""Test path %s is not in wpt directories:
 testing/web-platform/tests for tests that may be shared
-testing/web-platform/mozilla/tests for Gecko only tests""")
+testing/web-platform/mozilla/tests for Gecko-only tests""" % path)
             return 1
 
+        if ref_path and self.rel_url(ref_path) is None:
+            print("""Reference path %s is not in wpt directories:
+testing/web-platform/tests for tests that may be shared
+            testing/web-platform/mozilla/tests for Gecko-only tests""" % ref_path)
+            return 1
+
+
         if os.path.exists(path) and not kwargs["overwrite"]:
             print("Test path already exists, pass --overwrite to replace")
             return 1
 
-        template = self.template_prefix
+        if kwargs["mismatch"] and not kwargs["reftest"]:
+            print("--mismatch only makes sense for a reftest")
+            return 1
+
+        if kwargs["wait"] and not kwargs["reftest"]:
+            print("--wait only makes sense for a reftest")
+            return 1
+
+        args = {"documentElement": "<html class=reftest-wait>\n" if kwargs["wait"] else ""}
+        template = self.template_prefix % args
         if kwargs["long_timeout"]:
             template += self.template_long_timeout
-        template += self.template_body
+
+        if kwargs["reftest"]:
+            args = {"match": "match" if not kwargs["mismatch"] else "mismatch",
+                    "ref": self.rel_url(ref_path) if kwargs["ref"] else '""'}
+            template += self.template_body_reftest % args
+            if kwargs["wait"]:
+                template += self.template_body_reftest_wait
+        else:
+            template += self.template_body_th
         with open(path, "w") as f:
             f.write(template)
 
@@ -199,6 +250,13 @@ def create_parser_create():
                    help="Test should be given a long timeout (typically 60s rather than 10s, but varies depending on environment)")
     p.add_argument("--overwrite", action="store_true",
                    help="Allow overwriting an existing test file")
+    p.add_argument("-r", "--reftest", action="store_true",
+                   help="Create a reftest rather than a testharness (js) test"),
+    p.add_argument("-ref", "--reference", dest="ref", help="Path to the reference file")
+    p.add_argument("--mismatch", action="store_true",
+                   help="Create a mismatch reftest")
+    p.add_argument("--wait", action="store_true",
+                   help="Create a reftest that waits until takeScreenshot() is called")
     p.add_argument("path", action="store", help="Path to the test file")
     return p
 
diff --git a/testing/web-platform/meta/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.ini b/testing/web-platform/meta/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.ini
deleted file mode 100644
index 84384983a897..000000000000
--- a/testing/web-platform/meta/content-security-policy/blink-contrib/shared-worker-connect-src-allowed.sub.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[shared-worker-connect-src-allowed.sub.html]
-  type: testharness
-  [Expecting alerts: ["xhr allowed","TEST COMPLETE"\]]
-    expected: FAIL
-
diff --git a/testing/web-platform/meta/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.ini
new file mode 100644
index 000000000000..b4b7dd9e89fa
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/blink-contrib/shared-worker-connect-src-blocked.sub.html.ini
@@ -0,0 +1,4 @@
+[shared-worker-connect-src-blocked.sub.html]
+  type: testharness
+  [Expecting alerts: ["xhr blocked","TEST COMPLETE"\]]
+    expected: FAIL
diff --git a/testing/web-platform/meta/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.ini b/testing/web-platform/meta/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.ini
new file mode 100644
index 000000000000..698eadb9cfd5
--- /dev/null
+++ b/testing/web-platform/meta/content-security-policy/blink-contrib/worker-connect-src-blocked.sub.html.ini
@@ -0,0 +1,4 @@
+[worker-connect-src-blocked.sub.html]
+  type: testharness
+  [Expecting alerts: ["xhr blocked","TEST COMPLETE"\]]
+    expected: FAIL
diff --git a/testing/web-platform/meta/cors/redirect-userinfo.htm.ini b/testing/web-platform/meta/cors/redirect-userinfo.htm.ini
deleted file mode 100644
index deda6a4054b6..000000000000
--- a/testing/web-platform/meta/cors/redirect-userinfo.htm.ini
+++ /dev/null
@@ -1,12 +0,0 @@
-[redirect-userinfo.htm]
-  type: testharness
-  expected: TIMEOUT
-  [Disallow redirect with userinfo (//user:pass@)]
-    expected: TIMEOUT
-
-  [Disallow redirect with userinfo (//user:@)]
-    expected: TIMEOUT
-
-  [Disallow redirect with userinfo (//user@)]
-    expected: TIMEOUT
-
diff --git a/testing/web-platform/meta/dom/historical.html.ini b/testing/web-platform/meta/dom/historical.html.ini
index a642e999f697..52decf4accad 100644
--- a/testing/web-platform/meta/dom/historical.html.ini
+++ b/testing/web-platform/meta/dom/historical.html.ini
@@ -9,9 +9,6 @@
   [Historical DOM features must be removed: createCDATASection]
     expected: FAIL
 
-  [DocumentType member must be nuked: internalSubset]
-    expected: FAIL
-
   [Node member must be nuked: namespaceURI]
     expected: FAIL
 
diff --git a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
index 4ad69b7e2385..014bb21aed3d 100644
--- a/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
+++ b/testing/web-platform/tests/content-security-policy/blink-contrib/connect-src-xmlhttprequest-blocked.sub.html
@@ -18,7 +18,13 @@ connect-src 'self'; script-src 'self' 'unsafe-inline';
         try {
             var xhr = new XMLHttpRequest;
             xhr.open("GET", "http://www1.{{host}}:{{ports[http][0]}}/content-security-policy/support/fail.png", true);
-            log("Fail");
+            xhr.send();
+            xhr.onload = function() {
+                log("Fail");
+            }
+            xhr.onerror = function() {
+                log("Pass");
+            }
         } catch (e) {
             log("Pass");
         }
diff --git a/toolkit/components/addoncompat/RemoteAddonsChild.jsm b/toolkit/components/addoncompat/RemoteAddonsChild.jsm
index c1ea329e26ee..aafa7556604b 100644
--- a/toolkit/components/addoncompat/RemoteAddonsChild.jsm
+++ b/toolkit/components/addoncompat/RemoteAddonsChild.jsm
@@ -222,7 +222,7 @@ function AboutProtocolChannel(uri, contractID, loadInfo)
   this._contractID = contractID;
   this._loadingPrincipal = loadInfo.loadingPrincipal;
   this._securityFlags = loadInfo.securityFlags;
-  this._contentPolicyType = loadInfo.contentPolicyType;
+  this._contentPolicyType = loadInfo.externalContentPolicyType;
 }
 
 AboutProtocolChannel.prototype = {
diff --git a/toolkit/components/extensions/Extension.jsm b/toolkit/components/extensions/Extension.jsm
index 6c7843c15b3d..8f7e9004670e 100644
--- a/toolkit/components/extensions/Extension.jsm
+++ b/toolkit/components/extensions/Extension.jsm
@@ -25,6 +25,8 @@ Cu.import("resource://gre/modules/devtools/shared/event-emitter.js");
 
 XPCOMUtils.defineLazyModuleGetter(this, "Locale",
                                   "resource://gre/modules/Locale.jsm");
+XPCOMUtils.defineLazyModuleGetter(this, "Log",
+                                  "resource://gre/modules/Log.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "MatchPattern",
                                   "resource://gre/modules/MatchPattern.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "NetUtil",
@@ -59,6 +61,8 @@ var {
   flushJarCache,
 } = ExtensionUtils;
 
+const LOGGER_ID_BASE = "addons.webextension.";
+
 var scriptScope = this;
 
 // This object loads the ext-*.js scripts that define the extension API.
@@ -336,8 +340,11 @@ this.Extension = function(addonData)
   this.addonData = addonData;
   this.id = addonData.id;
   this.baseURI = Services.io.newURI("moz-extension://" + uuid, null, null);
+  this.baseURI.QueryInterface(Ci.nsIURL);
   this.manifest = null;
   this.localeMessages = null;
+  this.logger = Log.repository.getLogger(LOGGER_ID_BASE + this.id.replace(/\./g, "-"));
+  this.principal = this.createPrincipal();
 
   this.views = new Set();
 
@@ -433,12 +440,10 @@ this.Extension.generate = function(id, data)
     let components = filename.split("/");
     let path = "";
     for (let component of components.slice(0, -1)) {
-      path += component;
+      path += component + "/";
       if (!zipW.hasEntry(path)) {
         zipW.addEntryDirectory(path, time, false);
       }
-
-      path += "/";
     }
   }
 
@@ -487,6 +492,24 @@ Extension.prototype = {
     Management.emit("test-message", this, ...args);
   },
 
+  createPrincipal(uri = this.baseURI) {
+    return Services.scriptSecurityManager.createCodebasePrincipal(
+      uri, {addonId: this.id});
+  },
+
+  // Checks that the given URL is a child of our baseURI.
+  isExtensionURL(url) {
+    let uri = Services.io.newURI(url, null, null);
+
+    let common = this.baseURI.getCommonBaseSpec(uri);
+    return common == this.baseURI.spec;
+  },
+
+  // Report an error about the extension's manifest file.
+  manifestError(message) {
+    this.logger.error(`Loading extension '${this.id}': ${message}`);
+  },
+
   // Representation of the extension to send to content
   // processes. This should include anything the content process might
   // need.
diff --git a/toolkit/components/extensions/ExtensionUtils.jsm b/toolkit/components/extensions/ExtensionUtils.jsm
index 0baf222fd8b2..c1cb5562f191 100644
--- a/toolkit/components/extensions/ExtensionUtils.jsm
+++ b/toolkit/components/extensions/ExtensionUtils.jsm
@@ -45,7 +45,8 @@ function runSafeSync(context, f, ...args)
   try {
     args = Cu.cloneInto(args, context.cloneScope);
   } catch (e) {
-    dump(`runSafe failure\n${context.cloneScope}\n${Error().stack}`);
+    Cu.reportError(e);
+    dump(`runSafe failure: cloning into ${context.cloneScope}: ${e}\n\n${Error().stack}`);
   }
   return runSafeSyncWithoutClone(f, ...args);
 }
@@ -57,7 +58,8 @@ function runSafe(context, f, ...args)
   try {
     args = Cu.cloneInto(args, context.cloneScope);
   } catch (e) {
-    dump(`runSafe failure\n${context.cloneScope}\n${Error().stack}`);
+    Cu.reportError(e);
+    dump(`runSafe failure: cloning into ${context.cloneScope}: ${e}\n\n${Error().stack}`);
   }
   return runSafeWithoutClone(f, ...args);
 }
diff --git a/toolkit/components/extensions/ext-backgroundPage.js b/toolkit/components/extensions/ext-backgroundPage.js
index 8990a7cdf0d9..ef4aa0c52852 100644
--- a/toolkit/components/extensions/ext-backgroundPage.js
+++ b/toolkit/components/extensions/ext-backgroundPage.js
@@ -21,13 +21,26 @@ BackgroundPage.prototype = {
     let webNav = Services.appShell.createWindowlessBrowser(false);
     this.webNav = webNav;
 
-    let principal = Services.scriptSecurityManager.createCodebasePrincipal(this.extension.baseURI,
-                                                                           {addonId: this.extension.id});
+    let url;
+    if (this.page) {
+      url = this.extension.baseURI.resolve(this.page);
+    } else {
+      // TODO: Chrome uses "_generated_background_page.html" for this.
+      url = this.extension.baseURI.resolve("_blank.html");
+    }
+
+    if (!this.extension.isExtensionURL(url)) {
+      this.extension.manifestError("Background page must be a file within the extension");
+      url = this.extension.baseURI.resolve("_blank.html");
+    }
+
+    let uri = Services.io.newURI(url, null, null);
+    let principal = this.extension.createPrincipal(uri);
 
     let interfaceRequestor = webNav.QueryInterface(Ci.nsIInterfaceRequestor);
     let docShell = interfaceRequestor.getInterface(Ci.nsIDocShell);
 
-    this.context = new ExtensionPage(this.extension, {type: "background", docShell});
+    this.context = new ExtensionPage(this.extension, {type: "background", docShell, uri});
     GlobalManager.injectInDocShell(docShell, this.extension, this.context);
 
     docShell.createAboutBlankContentViewer(principal);
@@ -36,12 +49,6 @@ BackgroundPage.prototype = {
     this.contentWindow = window;
     this.context.contentWindow = window;
 
-    let url;
-    if (this.page) {
-      url = this.extension.baseURI.resolve(this.page);
-    } else {
-      url = this.extension.baseURI.resolve("_blank.html");
-    }
     webNav.loadURI(url, 0, null, null, null);
 
     // TODO: Right now we run onStartup after the background page
@@ -51,6 +58,12 @@ BackgroundPage.prototype = {
         let doc = window.document;
         for (let script of this.scripts) {
           let url = this.extension.baseURI.resolve(script);
+
+          if (!this.extension.isExtensionURL(url)) {
+            this.extension.manifestError("Background scripts must be files within the extension");
+            continue;
+          }
+
           let tag = doc.createElement("script");
           tag.setAttribute("src", url);
           tag.async = false;
diff --git a/toolkit/components/filewatcher/NativeFileWatcherWin.cpp b/toolkit/components/filewatcher/NativeFileWatcherWin.cpp
index bf86b7ac1cd0..dd9098abc142 100644
--- a/toolkit/components/filewatcher/NativeFileWatcherWin.cpp
+++ b/toolkit/components/filewatcher/NativeFileWatcherWin.cpp
@@ -1,3 +1,5 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
@@ -250,21 +252,6 @@ private:
   nsCOMPtr<nsIThread> mWorkerThread;
 };
 
-/**
- * An helper callback function used to print information about any
- * pending watch when shutting down the nsINativeFileWatcher service.
- */
-static PLDHashOperator
-WatchedPathsInfoHashtableTraverser(nsVoidPtrHashKey::KeyType key,
-                                   WatchedResourceDescriptor* watchedResource,
-                                   void* userArg)
-{
-  FILEWATCHERLOG("NativeFileWatcherIOTask::DeactivateRunnableMethod - "
-                 "%S is still being watched.", watchedResource->mPath.get());
-
-  return PL_DHASH_NEXT;
-}
-
 /**
  * This runnable is dispatched from the main thread to get the notifications of the
  * changes in the watched resources by continuously calling the blocking function
@@ -855,8 +842,11 @@ NativeFileWatcherIOTask::DeactivateRunnableMethod()
              "watches manually before quitting.");
 
   // Log any pending watch.
-  (void)mWatchedResourcesByHandle.EnumerateRead(
-    &WatchedPathsInfoHashtableTraverser, nullptr);
+  for (auto it = mWatchedResourcesByHandle.Iter(); !it.Done(); it.Next()) {
+    FILEWATCHERLOG("NativeFileWatcherIOTask::DeactivateRunnableMethod - "
+                   "%S is still being watched.", it.UserData()->mPath.get());
+
+  }
 
   // We return immediately if |mShuttingDown| is true (see below for
   // details about the shutdown protocol being followed).
diff --git a/toolkit/components/places/nsNavHistory.cpp b/toolkit/components/places/nsNavHistory.cpp
index ce0559b2f9f1..5b4a3e8247be 100644
--- a/toolkit/components/places/nsNavHistory.cpp
+++ b/toolkit/components/places/nsNavHistory.cpp
@@ -1,4 +1,5 @@
-//* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@@ -2152,19 +2153,6 @@ nsNavHistory::ConstructQueryString(
   return NS_OK;
 }
 
-PLDHashOperator BindAdditionalParameter(nsNavHistory::StringHash::KeyType aParamName,
-                                        nsCString aParamValue,
-                                        void* aStatement)
-{
-  mozIStorageStatement* stmt = static_cast<mozIStorageStatement*>(aStatement);
-
-  nsresult rv = stmt->BindUTF8StringByName(aParamName, aParamValue);
-  if (NS_FAILED(rv))
-    return PL_DHASH_STOP;
-
-  return PL_DHASH_NEXT;
-}
-
 // nsNavHistory::GetQueryResults
 //
 //    Call this to get the results from a complex query. This is used by
@@ -2221,7 +2209,12 @@ nsNavHistory::GetQueryResults(nsNavHistoryQueryResultNode *aResultNode,
     }
   }
 
-  addParams.EnumerateRead(BindAdditionalParameter, statement.get());
+  for (auto iter = addParams.Iter(); !iter.Done(); iter.Next()) {
+    nsresult rv = statement->BindUTF8StringByName(iter.Key(), iter.Data());
+    if (NS_FAILED(rv)) {
+      break;
+    }
+  }
 
   // Optimize the case where there is no need for any post-query filtering.
   if (NeedToFilterResultSet(aQueries, aOptions)) {
@@ -3047,7 +3040,13 @@ nsNavHistory::AsyncExecuteLegacyQueries(nsINavHistoryQuery** aQueries,
       NS_ENSURE_SUCCESS(rv, rv);
     }
   }
-  addParams.EnumerateRead(BindAdditionalParameter, statement.get());
+
+  for (auto iter = addParams.Iter(); !iter.Done(); iter.Next()) {
+    nsresult rv = statement->BindUTF8StringByName(iter.Key(), iter.Data());
+    if (NS_FAILED(rv)) {
+      break;
+    }
+  }
 
   rv = statement->ExecuteAsync(aCallback, _stmt);
   NS_ENSURE_SUCCESS(rv, rv);
diff --git a/toolkit/components/protobuf/moz.build b/toolkit/components/protobuf/moz.build
index 9ebb44450a65..c0c52635dbfa 100644
--- a/toolkit/components/protobuf/moz.build
+++ b/toolkit/components/protobuf/moz.build
@@ -106,6 +106,7 @@ SOURCES += [
     'src/google/protobuf/wire_format.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/components/remote/nsGTKRemoteService.cpp b/toolkit/components/remote/nsGTKRemoteService.cpp
index 4edb7089d883..0612fd1eb5b4 100644
--- a/toolkit/components/remote/nsGTKRemoteService.cpp
+++ b/toolkit/components/remote/nsGTKRemoteService.cpp
@@ -43,23 +43,13 @@ nsGTKRemoteService::Startup(const char* aAppName, const char* aProfileName)
   gtk_widget_realize(mServerWindow);
   HandleCommandsFor(mServerWindow, nullptr);
 
-  mWindows.EnumerateRead(StartupHandler, this);
+  for (auto iter = mWindows.Iter(); !iter.Done(); iter.Next()) {
+    HandleCommandsFor(iter.Key(), iter.UserData());
+  }
 
   return NS_OK;
 }
 
-PLDHashOperator
-nsGTKRemoteService::StartupHandler(GtkWidget* aKey,
-                                   nsIWeakReference* aData,
-                                   void* aClosure)
-{
-  GtkWidget* widget = (GtkWidget*) aKey;
-  nsGTKRemoteService* aThis = (nsGTKRemoteService*) aClosure;
-
-  aThis->HandleCommandsFor(widget, aData);
-  return PL_DHASH_NEXT;
-}
-
 static nsIWidget* GetMainWidget(nsIDOMWindow* aWindow)
 {
   // get the native window for this instance
diff --git a/toolkit/components/remote/nsGTKRemoteService.h b/toolkit/components/remote/nsGTKRemoteService.h
index 428dd2989b84..034a77a24c78 100644
--- a/toolkit/components/remote/nsGTKRemoteService.h
+++ b/toolkit/components/remote/nsGTKRemoteService.h
@@ -34,11 +34,6 @@ private:
                          nsIWeakReference* aWindow);
 
 
-  static PLDHashOperator StartupHandler(GtkWidget* aKey,
-                                        nsIWeakReference* aData,
-                                        void* aClosure);
-
-
   static gboolean HandlePropertyChange(GtkWidget *widget,
                                        GdkEventProperty *event,
                                        nsIWeakReference* aThis);
diff --git a/toolkit/components/telemetry/TelemetrySession.jsm b/toolkit/components/telemetry/TelemetrySession.jsm
index 899f21e13d9b..395038b0b8ff 100644
--- a/toolkit/components/telemetry/TelemetrySession.jsm
+++ b/toolkit/components/telemetry/TelemetrySession.jsm
@@ -1237,19 +1237,30 @@ var Impl = {
     this._log.trace("assemblePayloadWithMeasurements - reason: " + reason +
                     ", submitting subsession data: " + isSubsession);
 
+    // This allows wrapping data retrieval calls in a try-catch block so that
+    // failures don't break the rest of the ping assembly.
+    const protect = (fn) => {
+      try {
+        return fn();
+      } catch (ex) {
+        this.log.error("assemblePayloadWithMeasurements - caught exception", ex);
+        return null;
+      }
+    };
+
     // Payload common to chrome and content processes.
     let payloadObj = {
       ver: PAYLOAD_VERSION,
       simpleMeasurements: simpleMeasurements,
-      histograms: this.getHistograms(isSubsession, clearSubsession),
-      keyedHistograms: this.getKeyedHistograms(isSubsession, clearSubsession),
+      histograms: protect(() => this.getHistograms(isSubsession, clearSubsession)),
+      keyedHistograms: protect(() => this.getKeyedHistograms(isSubsession, clearSubsession)),
     };
 
     // Add extended set measurements common to chrome & content processes
     if (Telemetry.canRecordExtended) {
-      payloadObj.chromeHangs = Telemetry.chromeHangs;
-      payloadObj.threadHangStats = this.getThreadHangStats(Telemetry.threadHangStats);
-      payloadObj.log = TelemetryLog.entries();
+      payloadObj.chromeHangs = protect(() => Telemetry.chromeHangs);
+      payloadObj.threadHangStats = protect(() => this.getThreadHangStats(Telemetry.threadHangStats));
+      payloadObj.log = protect(() => TelemetryLog.entries());
     }
 
     if (Utils.isContentProcess) {
@@ -1261,20 +1272,21 @@ var Impl = {
 
     // Add extended set measurements for chrome process.
     if (Telemetry.canRecordExtended) {
-      payloadObj.slowSQL = Telemetry.slowSQL;
-      payloadObj.fileIOReports = Telemetry.fileIOReports;
-      payloadObj.lateWrites = Telemetry.lateWrites;
+      payloadObj.slowSQL = protect(() => Telemetry.slowSQL);
+      payloadObj.fileIOReports = protect(() => Telemetry.fileIOReports);
+      payloadObj.lateWrites = protect(() => Telemetry.lateWrites);
 
       // Add the addon histograms if they are present
-      let addonHistograms = this.getAddonHistograms();
-      if (Object.keys(addonHistograms).length > 0) {
+      let addonHistograms = protect(() => this.getAddonHistograms());
+      if (addonHistograms && Object.keys(addonHistograms).length > 0) {
         payloadObj.addonHistograms = addonHistograms;
       }
 
-      payloadObj.addonDetails = AddonManagerPrivate.getTelemetryDetails();
-      payloadObj.UIMeasurements = UITelemetry.getUIMeasurements();
+      payloadObj.addonDetails = protect(() => AddonManagerPrivate.getTelemetryDetails());
+      payloadObj.UIMeasurements = protect(() => UITelemetry.getUIMeasurements());
 
-      if (Object.keys(this._slowSQLStartup).length != 0 &&
+      if (this._slowSQLStartup &&
+          Object.keys(this._slowSQLStartup).length != 0 &&
           (Object.keys(this._slowSQLStartup.mainThread).length ||
            Object.keys(this._slowSQLStartup.otherThreads).length)) {
         payloadObj.slowSQLStartup = this._slowSQLStartup;
@@ -1282,7 +1294,7 @@ var Impl = {
     }
 
     if (this._childTelemetry.length) {
-      payloadObj.childPayloads = this.getChildPayloads();
+      payloadObj.childPayloads = protect(() => this.getChildPayloads());
     }
 
     return payloadObj;
diff --git a/toolkit/components/telemetry/docs/main-ping.rst b/toolkit/components/telemetry/docs/main-ping.rst
index 2efba653b197..175a856f26e8 100644
--- a/toolkit/components/telemetry/docs/main-ping.rst
+++ b/toolkit/components/telemetry/docs/main-ping.rst
@@ -43,17 +43,18 @@ Structure::
         subsessionLength: <number>, // the subsession length in seconds, monotonic
       },
 
-      childPayloads: {...}, // only present with e10s; a reduced payload from content processes
+      childPayloads: {...}, // only present with e10s; a reduced payload from content processes, null on failure
+      simpleMeasurements: {...},
 
-      simpleMeasurements: { ... },
-      histograms: {},
-      keyedHistograms: {},
-      chromeHangs: {},
-      threadHangStats: {},
-      log: [],
+      // The following properties may all be null if we fail to collect them.
+      histograms: {...},
+      keyedHistograms: {...},
+      chromeHangs: {...},
+      threadHangStats: {...},
+      log: [...],
       fileIOReports: {...},
       lateWrites: {...},
-      addonDetails: { ... },
+      addonDetails: {...},
       addonHistograms: {...},
       UIMeasurements: {...},
       slowSQL: {...},
diff --git a/toolkit/components/thumbnails/PageThumbs.jsm b/toolkit/components/thumbnails/PageThumbs.jsm
index d405de5c4faa..5d500f348756 100644
--- a/toolkit/components/thumbnails/PageThumbs.jsm
+++ b/toolkit/components/thumbnails/PageThumbs.jsm
@@ -158,7 +158,7 @@ this.PageThumbs = {
    */
   getThumbnailURL: function PageThumbs_getThumbnailURL(aUrl) {
     return this.scheme + "://" + this.staticHost +
-           "?url=" + encodeURIComponent(aUrl);
+           "/?url=" + encodeURIComponent(aUrl);
   },
 
    /**
diff --git a/toolkit/components/thumbnails/PageThumbsProtocol.js b/toolkit/components/thumbnails/PageThumbsProtocol.js
index d9cc8bd596d4..2ff58baa0983 100644
--- a/toolkit/components/thumbnails/PageThumbsProtocol.js
+++ b/toolkit/components/thumbnails/PageThumbsProtocol.js
@@ -10,7 +10,7 @@
  *
  * URL structure:
  *
- * moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.mozilla.org%2F
+ * moz-page-thumb://thumbnail/?url=http%3A%2F%2Fwww.mozilla.org%2F
  *
  * This URL requests an image for 'http://www.mozilla.org/'.
  */
@@ -24,14 +24,17 @@ const Ci = Components.interfaces;
 
 Cu.import("resource://gre/modules/PageThumbs.jsm");
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/osfile.jsm", this);
 
 XPCOMUtils.defineLazyModuleGetter(this, "Services",
   "resource://gre/modules/Services.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "FileUtils",
   "resource://gre/modules/FileUtils.jsm");
 
+const SUBSTITUTING_URL_CID = "{dea9657c-18cf-4984-bde9-ccef5d8ab473}";
+
 /**
- * Implements the thumbnail protocol handler responsible for moz-page-thumb: URIs.
+ * Implements the thumbnail protocol handler responsible for moz-page-thumb: URLs.
  */
 function Protocol() {
 }
@@ -68,7 +71,7 @@ Protocol.prototype = {
    * @return The newly created URI.
    */
   newURI: function Proto_newURI(aSpec, aOriginCharset) {
-    let uri = Cc["@mozilla.org/network/simple-uri;1"].createInstance(Ci.nsIURI);
+    let uri = Components.classesByID[SUBSTITUTING_URL_CID].createInstance(Ci.nsIURL);
     uri.spec = aSpec;
     return uri;
   },
@@ -80,9 +83,8 @@ Protocol.prototype = {
    * @return The newly created channel.
    */
   newChannel2: function Proto_newChannel2(aURI, aLoadInfo) {
-    let {url} = parseURI(aURI);
-    let file = PageThumbsStorage.getFilePathForURL(url);
-    let fileuri = Services.io.newFileURI(new FileUtils.File(file));
+    let {file} = aURI.QueryInterface(Ci.nsIFileURL);
+    let fileuri = Services.io.newFileURI(file);
     let channel = Services.io.newChannelFromURIWithLoadInfo(fileuri, aLoadInfo);
     channel.originalURI = aURI;
     return channel;
@@ -98,8 +100,34 @@ Protocol.prototype = {
    */
   allowPort: () => false,
 
+  // nsISubstitutingProtocolHandler methods
+
+  /*
+   * Substituting the scheme and host isn't enough, we also transform the path.
+   * So declare no-op implementations for (get|set|has)Substitution methods and
+   * do all the work in resolveURI.
+   */
+
+  setSubstitution(root, baseURI) {},
+
+  getSubstitution(root) {
+    throw Cr.NS_ERROR_NOT_AVAILABLE;
+  },
+
+  hasSubstitution(root) {
+    return false;
+  },
+
+  resolveURI(resURI) {
+    let {url} = parseURI(resURI);
+    let path = PageThumbsStorage.getFilePathForURL(url);
+    return OS.Path.toFileURI(path);
+  },
+
+  // xpcom machinery
   classID: Components.ID("{5a4ae9b5-f475-48ae-9dce-0b4c1d347884}"),
-  QueryInterface: XPCOMUtils.generateQI([Ci.nsIProtocolHandler])
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIProtocolHandler,
+                                         Ci.nsISubstitutingProtocolHandler])
 };
 
 this.NSGetFactory = XPCOMUtils.generateNSGetFactory([Protocol]);
@@ -110,9 +138,10 @@ this.NSGetFactory = XPCOMUtils.generateNSGetFactory([Protocol]);
  * @return The parsed parameters.
  */
 function parseURI(aURI) {
-  let {scheme, staticHost} = PageThumbs;
-  let re = new RegExp("^" + scheme + "://" + staticHost + ".*?\\?");
-  let query = aURI.spec.replace(re, "");
+  if (aURI.host != PageThumbs.staticHost)
+    throw Cr.NS_ERROR_NOT_AVAILABLE;
+
+  let {query} = aURI.QueryInterface(Ci.nsIURL);
   let params = {};
 
   query.split("&").forEach(function (aParam) {
diff --git a/toolkit/components/thumbnails/moz.build b/toolkit/components/thumbnails/moz.build
index 6c54fc3f20be..3625a2167ccc 100644
--- a/toolkit/components/thumbnails/moz.build
+++ b/toolkit/components/thumbnails/moz.build
@@ -5,6 +5,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 BROWSER_CHROME_MANIFESTS += ['test/browser.ini']
+XPCSHELL_TESTS_MANIFESTS += ['test/xpcshell.ini']
 
 EXTRA_COMPONENTS += [
     'BrowserPageThumbs.manifest',
diff --git a/toolkit/components/thumbnails/test/browser_thumbnails_update.js b/toolkit/components/thumbnails/test/browser_thumbnails_update.js
index 523dece88e7d..3a251fed817a 100644
--- a/toolkit/components/thumbnails/test/browser_thumbnails_update.js
+++ b/toolkit/components/thumbnails/test/browser_thumbnails_update.js
@@ -88,6 +88,11 @@ function capIfStaleErrorResponseUpdateTest() {
   yield addTab(URL);
 
   yield captureAndCheckColor(0, 255, 0, "we have a green thumbnail");
+
+  // image cache entry timestamps have second resolution
+  // so make sure the second part of this test takes part in a different second.
+  yield wait(2000);
+
   // update the thumbnail to be stale, then re-request it.  The server will
   // return a 400 response and a red thumbnail.
   // The service should not save the thumbnail - so we (a) check the thumbnail
@@ -119,6 +124,11 @@ function capIfStaleGoodResponseUpdateTest() {
   let browser = gBrowser.selectedBrowser;
 
   yield captureAndCheckColor(0, 255, 0, "we have a green thumbnail");
+
+  // image cache entry timestamps have second resolution
+  // so make sure the second part of this test takes part in a different second.
+  yield wait(2000);
+
   // update the thumbnail to be stale, then re-request it.  The server will
   // return a 200 response and a red thumbnail - so that new thumbnail should
   // end up captured.
@@ -148,6 +158,11 @@ function regularCapErrorResponseUpdateTest() {
   yield addTab(URL);
   yield captureAndCheckColor(0, 255, 0, "we have a green thumbnail");
   gBrowser.removeTab(gBrowser.selectedTab);
+
+  // image cache entry timestamps have second resolution
+  // so make sure the second part of this test takes part in a different second.
+  yield wait(2000);
+
   // do it again - the server will return a 400, so the foreground service
   // should not update it.
   yield addTab(URL);
@@ -162,6 +177,11 @@ function regularCapGoodResponseUpdateTest() {
   yield addTab(URL);
   yield captureAndCheckColor(0, 255, 0, "we have a green thumbnail");
   gBrowser.removeTab(gBrowser.selectedTab);
+
+  // image cache entry timestamps have second resolution
+  // so make sure the second part of this test takes part in a different second.
+  yield wait(2000);
+
   // do it again - the server will return a 200, so the foreground service
   // should  update it.
   yield addTab(URL);
diff --git a/toolkit/components/thumbnails/test/test_thumbnails_interfaces.js b/toolkit/components/thumbnails/test/test_thumbnails_interfaces.js
new file mode 100644
index 000000000000..8272b2e06933
--- /dev/null
+++ b/toolkit/components/thumbnails/test/test_thumbnails_interfaces.js
@@ -0,0 +1,31 @@
+// tests to check that moz-page-thumb URLs correctly resolve as file:// URLS
+"use strict";
+
+const Cu = Components.utils;
+const Cc = Components.classes;
+const Cr = Components.results;
+const Ci = Components.interfaces;
+
+Cu.import("resource://gre/modules/Services.jsm");
+
+// need profile so that PageThumbsStorage can resolve the path to the underlying file
+do_get_profile();
+
+function run_test() {
+  // first check the protocol handler implements the correct interface
+  let handler = Services.io.getProtocolHandler("moz-page-thumb");
+  ok(handler instanceof Ci.nsISubstitutingProtocolHandler,
+     "moz-page-thumb handler provides substituting interface");
+
+  // then check that the file URL resolution works
+  let uri = Services.io.newURI("moz-page-thumb://thumbnail/?url=http%3A%2F%2Fwww.mozilla.org%2F",
+                               null, null);
+  ok(uri instanceof Ci.nsIFileURL, "moz-page-thumb:// is a FileURL");
+  ok(uri.file, "This moz-page-thumb:// object is backed by a file");
+
+  // and check that the error case works as specified
+  let bad = Services.io.newURI("moz-page-thumb://wronghost/?url=http%3A%2F%2Fwww.mozilla.org%2F",
+                               null, null);
+  Assert.throws(() => handler.resolveURI(bad), /NS_ERROR_NOT_AVAILABLE/i,
+                "moz-page-thumb object with wrong host must not resolve to a file path");
+}
diff --git a/toolkit/components/thumbnails/test/xpcshell.ini b/toolkit/components/thumbnails/test/xpcshell.ini
new file mode 100644
index 000000000000..13f4ab2475f0
--- /dev/null
+++ b/toolkit/components/thumbnails/test/xpcshell.ini
@@ -0,0 +1,6 @@
+[DEFAULT]
+head =
+tail =
+
+[test_thumbnails_interfaces.js]
+skip-if = os == 'b2g' || os == 'android' # xpcom interface not packaged
diff --git a/toolkit/components/url-classifier/ProtocolParser.cpp b/toolkit/components/url-classifier/ProtocolParser.cpp
index d58e2b56715d..9c1e73ed7fb1 100644
--- a/toolkit/components/url-classifier/ProtocolParser.cpp
+++ b/toolkit/components/url-classifier/ProtocolParser.cpp
@@ -234,7 +234,6 @@ ProtocolParser::ProcessChunkControl(const nsCString& aLine)
     mChunkState.type = (command == 'a') ? CHUNK_ADD : CHUNK_SUB;
   } else if (StringEndsWith(mTableUpdate->TableName(),
     NS_LITERAL_CSTRING("-digest256"))) {
-    PARSER_LOG(("Processing digest256 data"));
     mChunkState.type = (command == 'a') ? CHUNK_ADD_DIGEST : CHUNK_SUB_DIGEST;
   }
   nsresult rv;
@@ -313,7 +312,6 @@ ProtocolParser::ProcessChunk(bool* aDone)
   *aDone = false;
   mState = PROTOCOL_STATE_CONTROL;
 
-  PARSER_LOG(("Handling a %d-byte chunk", chunk.Length()));
   if (StringEndsWith(mTableUpdate->TableName(),
                      NS_LITERAL_CSTRING("-shavar"))) {
     return ProcessShaChunk(chunk);
@@ -336,6 +334,8 @@ ProtocolParser::ProcessPlaintextChunk(const nsACString& aChunk)
     return NS_ERROR_FAILURE;
   }
 
+  PARSER_LOG(("Handling a %d-byte simple chunk", aChunk.Length()));
+
   nsTArray<nsCString> lines;
   ParseString(PromiseFlatCString(aChunk), '\n', lines);
 
@@ -409,6 +409,10 @@ ProtocolParser::ProcessShaChunk(const nsACString& aChunk)
     uint8_t numEntries = static_cast<uint8_t>(aChunk[start]);
     start++;
 
+    PARSER_LOG(("Handling a %d-byte shavar chunk containing %u entries"
+                " for domain %X", aChunk.Length(), numEntries,
+                domain.ToUint32()));
+
     nsresult rv;
     if (mChunkState.type == CHUNK_ADD && mChunkState.hashSize == PREFIX_SIZE) {
       rv = ProcessHostAdd(domain, numEntries, aChunk, &start);
@@ -434,6 +438,8 @@ ProtocolParser::ProcessShaChunk(const nsACString& aChunk)
 nsresult
 ProtocolParser::ProcessDigestChunk(const nsACString& aChunk)
 {
+  PARSER_LOG(("Handling a %d-byte digest256 chunk", aChunk.Length()));
+
   if (mChunkState.type == CHUNK_ADD_DIGEST) {
     return ProcessDigestAdd(aChunk);
   }
@@ -515,6 +521,7 @@ ProtocolParser::ProcessHostAdd(const Prefix& aDomain, uint8_t aNumEntries,
   for (uint8_t i = 0; i < aNumEntries; i++) {
     Prefix hash;
     hash.Assign(Substring(aChunk, *aStart, PREFIX_SIZE));
+    PARSER_LOG(("Add prefix %X", hash.ToUint32()));
     nsresult rv = mTableUpdate->NewAddPrefix(mChunkState.num, hash);
     if (NS_FAILED(rv)) {
       return rv;
@@ -545,6 +552,7 @@ ProtocolParser::ProcessHostSub(const Prefix& aDomain, uint8_t aNumEntries,
     memcpy(&addChunk, addChunkStr.BeginReading(), 4);
     addChunk = PR_ntohl(addChunk);
 
+    PARSER_LOG(("Sub prefix (addchunk=%u)", addChunk));
     nsresult rv = mTableUpdate->NewSubPrefix(addChunk, aDomain, mChunkState.num);
     if (NS_FAILED(rv)) {
       return rv;
@@ -569,6 +577,7 @@ ProtocolParser::ProcessHostSub(const Prefix& aDomain, uint8_t aNumEntries,
     prefix.Assign(Substring(aChunk, *aStart, PREFIX_SIZE));
     *aStart += PREFIX_SIZE;
 
+    PARSER_LOG(("Sub prefix %X (addchunk=%u)", prefix.ToUint32(), addChunk));
     nsresult rv = mTableUpdate->NewSubPrefix(addChunk, prefix, mChunkState.num);
     if (NS_FAILED(rv)) {
       return rv;
diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/crash_generation/moz.build b/toolkit/crashreporter/google-breakpad/src/client/linux/crash_generation/moz.build
index 16240982ae20..0ae4f801517e 100644
--- a/toolkit/crashreporter/google-breakpad/src/client/linux/crash_generation/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/crash_generation/moz.build
@@ -9,6 +9,7 @@ UNIFIED_SOURCES += [
     'crash_generation_server.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/moz.build b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/moz.build
index a62851b6533d..d78090fb0c79 100644
--- a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/moz.build
@@ -10,6 +10,7 @@ UNIFIED_SOURCES += [
     'minidump_descriptor.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/crashreporter/google-breakpad/src/client/mac/handler/moz.build b/toolkit/crashreporter/google-breakpad/src/client/mac/handler/moz.build
index f3df971e00a2..d7939a433ffd 100644
--- a/toolkit/crashreporter/google-breakpad/src/client/mac/handler/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/client/mac/handler/moz.build
@@ -11,6 +11,7 @@ UNIFIED_SOURCES += [
     'minidump_generator.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/crashreporter/google-breakpad/src/common/dwarf/moz.build b/toolkit/crashreporter/google-breakpad/src/common/dwarf/moz.build
index 353053514b35..f6621725991d 100644
--- a/toolkit/crashreporter/google-breakpad/src/common/dwarf/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/common/dwarf/moz.build
@@ -12,6 +12,10 @@ if CONFIG['MOZ_CRASHREPORTER']:
         'dwarf2reader.cc',
         'functioninfo.cc',
     ]
+    HOST_CXXFLAGS += [
+        '-O2',
+        '-g',
+    ]
     LOCAL_INCLUDES += [
         '../..',
     ]
diff --git a/toolkit/crashreporter/google-breakpad/src/common/linux/moz.build b/toolkit/crashreporter/google-breakpad/src/common/linux/moz.build
index 13446dd33872..30e059e0d975 100644
--- a/toolkit/crashreporter/google-breakpad/src/common/linux/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/common/linux/moz.build
@@ -33,6 +33,10 @@ if CONFIG['MOZ_CRASHREPORTER']:
         'linux_libc_support.cc',
         'memory_mapped_file.cc',
     ]
+    HOST_CXXFLAGS += [
+        '-O2',
+        '-g',
+    ]
 
 Library('breakpad_linux_common_s')
 
diff --git a/toolkit/crashreporter/google-breakpad/src/common/mac/moz.build b/toolkit/crashreporter/google-breakpad/src/common/mac/moz.build
index 7e1a749c3343..db5bd6fd1b36 100644
--- a/toolkit/crashreporter/google-breakpad/src/common/mac/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/common/mac/moz.build
@@ -26,6 +26,10 @@ if CONFIG['MOZ_CRASHREPORTER']:
     HOST_SOURCES += [
         'dump_syms.cc',
     ]
+    HOST_CXXFLAGS += [
+        '-O2',
+        '-g',
+    ]
     HostLibrary('host_breakpad_mac_common_s')
 
 SOURCES += [
@@ -37,6 +41,7 @@ SOURCES += [
 
 Library('breakpad_mac_common_s')
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/crashreporter/google-breakpad/src/common/moz.build b/toolkit/crashreporter/google-breakpad/src/common/moz.build
index df7155be79ff..6456e286446d 100644
--- a/toolkit/crashreporter/google-breakpad/src/common/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/common/moz.build
@@ -67,6 +67,10 @@ if CONFIG['OS_ARCH'] != 'WINNT' and CONFIG['MOZ_CRASHREPORTER']:
         'string_conversion.cc',
         'unique_string.cc',
     ]
+    HOST_CXXFLAGS += [
+        '-O2',
+        '-g',
+    ]
     HostLibrary('host_breakpad_common_s')
 
 if CONFIG['OS_ARCH'] == 'Darwin':
@@ -84,6 +88,7 @@ if CONFIG['OS_TARGET'] == 'Android':
 
 Library('breakpad_common_s')
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/crashreporter/google-breakpad/src/common/solaris/moz.build b/toolkit/crashreporter/google-breakpad/src/common/solaris/moz.build
index d3286166eda2..92e5d065632c 100644
--- a/toolkit/crashreporter/google-breakpad/src/common/solaris/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/common/solaris/moz.build
@@ -21,6 +21,10 @@ HOST_SOURCES += [
     'file_id.cc',
     'guid_creator.cc',
 ]
+HOST_CXXFLAGS += [
+    '-O2',
+    '-g',
+]
 
 FINAL_LIBRARY = 'xul'
 
diff --git a/toolkit/crashreporter/google-breakpad/src/processor/moz.build b/toolkit/crashreporter/google-breakpad/src/processor/moz.build
index 0a5ae3a67a2a..6231737ca48e 100644
--- a/toolkit/crashreporter/google-breakpad/src/processor/moz.build
+++ b/toolkit/crashreporter/google-breakpad/src/processor/moz.build
@@ -21,6 +21,7 @@ UNIFIED_SOURCES += [
     'tokenize.cc',
 ]
 
+# We allow warnings for third-party code that can be updated from upstream.
 ALLOW_COMPILER_WARNINGS = True
 
 FINAL_LIBRARY = 'xul'
diff --git a/toolkit/crashreporter/nsExceptionHandler.cpp b/toolkit/crashreporter/nsExceptionHandler.cpp
index 55063ea143db..e4195b752493 100644
--- a/toolkit/crashreporter/nsExceptionHandler.cpp
+++ b/toolkit/crashreporter/nsExceptionHandler.cpp
@@ -1,4 +1,5 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@@ -1708,23 +1709,6 @@ IsInWhitelist(const nsACString& key)
   return false;
 }
 
-static PLDHashOperator EnumerateEntries(const nsACString& key,
-                                        nsCString entry,
-                                        void* userData)
-{
-  if (!entry.IsEmpty()) {
-    NS_NAMED_LITERAL_CSTRING(kEquals, "=");
-    NS_NAMED_LITERAL_CSTRING(kNewline, "\n");
-    nsAutoCString line = key + kEquals + entry + kNewline;
-
-    crashReporterAPIData->Append(line);
-    if (IsInWhitelist(key)) {
-      crashEventAPIData->Append(line);
-    }
-  }
-  return PL_DHASH_NEXT;
-}
-
 // This function is miscompiled with MSVC 2005/2008 when PGO is on.
 #ifdef _MSC_VER
 #pragma optimize("", off)
@@ -1818,7 +1802,20 @@ nsresult AnnotateCrashReport(const nsACString& key, const nsACString& data)
   // now rebuild the file contents
   crashReporterAPIData->Truncate(0);
   crashEventAPIData->Truncate(0);
-  crashReporterAPIData_Hash->EnumerateRead(EnumerateEntries, nullptr);
+  for (auto it = crashReporterAPIData_Hash->Iter(); !it.Done(); it.Next()) {
+    const nsACString& key = it.Key();
+    nsCString entry = it.Data();
+    if (!entry.IsEmpty()) {
+      NS_NAMED_LITERAL_CSTRING(kEquals, "=");
+      NS_NAMED_LITERAL_CSTRING(kNewline, "\n");
+      nsAutoCString line = key + kEquals + entry + kNewline;
+
+      crashReporterAPIData->Append(line);
+      if (IsInWhitelist(key)) {
+        crashEventAPIData->Append(line);
+      }
+    }
+  }
 
   return NS_OK;
 }
@@ -2531,11 +2528,6 @@ struct Blacklist {
   const int mLen;
 };
 
-struct EnumerateAnnotationsContext {
-  const Blacklist& blacklist;
-  PRFileDesc* fd;
-};
-
 static void
 WriteAnnotation(PRFileDesc* fd, const nsACString& key, const nsACString& value)
 {
@@ -2545,24 +2537,6 @@ WriteAnnotation(PRFileDesc* fd, const nsACString& key, const nsACString& value)
   PR_Write(fd, "\n", 1);
 }
 
-static PLDHashOperator
-EnumerateAnnotations(const nsACString& key,
-                     nsCString entry,
-                     void* userData)
-{
-  EnumerateAnnotationsContext* ctx =
-    static_cast<EnumerateAnnotationsContext*>(userData);
-  const Blacklist& blacklist = ctx->blacklist;
-
-  // skip entries in the blacklist
-  if (blacklist.Contains(key))
-      return PL_DHASH_NEXT;
-
-  WriteAnnotation(ctx->fd, key, entry);
-
-  return PL_DHASH_NEXT;
-}
-
 static bool
 WriteExtraData(nsIFile* extraFile,
                const AnnotationTable& data,
@@ -2572,14 +2546,20 @@ WriteExtraData(nsIFile* extraFile,
 {
   PRFileDesc* fd;
   int truncOrAppend = truncate ? PR_TRUNCATE : PR_APPEND;
-  nsresult rv = 
+  nsresult rv =
     extraFile->OpenNSPRFileDesc(PR_WRONLY | PR_CREATE_FILE | truncOrAppend,
                                 0600, &fd);
   if (NS_FAILED(rv))
     return false;
 
-  EnumerateAnnotationsContext ctx = { blacklist, fd };
-  data.EnumerateRead(EnumerateAnnotations, &ctx);
+  for (auto iter = data.ConstIter(); !iter.Done(); iter.Next()) {
+    // Skip entries in the blacklist.
+    const nsACString& key = iter.Key();
+    if (blacklist.Contains(key)) {
+        continue;
+    }
+    WriteAnnotation(fd, key, iter.Data());
+  }
 
   if (writeCrashTime) {
     time_t crashTime = time(nullptr);
diff --git a/toolkit/modules/addons/WebRequest.jsm b/toolkit/modules/addons/WebRequest.jsm
index 9fcfaa802296..7cc7f35d17c1 100644
--- a/toolkit/modules/addons/WebRequest.jsm
+++ b/toolkit/modules/addons/WebRequest.jsm
@@ -250,7 +250,9 @@ var HttpObserverManager = {
     let listeners = this.listeners[kind];
     let browser = loadContext ? loadContext.topFrameElement : null;
     let loadInfo = channel.loadInfo;
-    let policyType = loadInfo.contentPolicyType;
+    let policyType = loadInfo ?
+                     loadInfo.externalContentPolicyType :
+                     Ci.nsIContentPolicy.TYPE_OTHER;
 
     let requestHeaders;
     let responseHeaders;
@@ -267,8 +269,8 @@ var HttpObserverManager = {
         method: channel.requestMethod,
         browser: browser,
         type: WebRequestCommon.typeForPolicyType(policyType),
-        windowId: loadInfo.outerWindowID,
-        parentWindowId: loadInfo.parentOuterWindowID,
+        windowId: loadInfo ? loadInfo.outerWindowID : 0,
+        parentWindowId: loadInfo ? loadInfo.parentOuterWindowID : 0,
       };
       if (opts.requestHeaders) {
         if (!requestHeaders) {
diff --git a/toolkit/mozapps/installer/packager.mk b/toolkit/mozapps/installer/packager.mk
index 465d6f76a2d7..fbee3f072ce9 100644
--- a/toolkit/mozapps/installer/packager.mk
+++ b/toolkit/mozapps/installer/packager.mk
@@ -209,7 +209,7 @@ checksum:
 
 
 upload: checksum
-	$(PYTHON) $(MOZILLA_DIR)/build/upload.py --base-path $(DIST) \
+	$(PYTHON) -u $(MOZILLA_DIR)/build/upload.py --base-path $(DIST) \
 		--package $(PACKAGE) \
 		--properties-file $(DIST)/mach_build_properties.json \
 		$(UPLOAD_FILES) \
diff --git a/toolkit/themes/linux/mozapps/jar.mn b/toolkit/themes/linux/mozapps/jar.mn
index 1ff4e3bbc7e5..b74fc755d218 100644
--- a/toolkit/themes/linux/mozapps/jar.mn
+++ b/toolkit/themes/linux/mozapps/jar.mn
@@ -37,6 +37,6 @@ toolkit.jar:
 #endif
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://mozapps/skin/passwordmgr/key.png       chrome://mozapps/skin/passwordmgr/key-16.png
diff --git a/toolkit/themes/osx/global/jar.mn b/toolkit/themes/osx/global/jar.mn
index 41b8b1cd5331..39198349f825 100644
--- a/toolkit/themes/osx/global/jar.mn
+++ b/toolkit/themes/osx/global/jar.mn
@@ -186,6 +186,6 @@ toolkit.jar:
   skin/classic/global/tree/folder@2x.png                             (tree/folder@2x.png)
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://global/skin/dirListing/local.png                 chrome://global/skin/dirListing/folder.png
diff --git a/toolkit/themes/osx/mozapps/jar.mn b/toolkit/themes/osx/mozapps/jar.mn
index 5454829ca38f..077d30b96b88 100644
--- a/toolkit/themes/osx/mozapps/jar.mn
+++ b/toolkit/themes/osx/mozapps/jar.mn
@@ -85,7 +85,7 @@ toolkit.jar:
   skin/classic/mozapps/handling/handling.css                      (handling/handling.css)
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://mozapps/skin/extensions/category-extensions.png       chrome://mozapps/skin/extensions/extensionGeneric.png
 % override chrome://mozapps/skin/extensions/category-languages.png        chrome://mozapps/skin/extensions/localeGeneric.png
diff --git a/toolkit/themes/windows/global/jar.mn b/toolkit/themes/windows/global/jar.mn
index dc45b5399596..30043db55b32 100644
--- a/toolkit/themes/windows/global/jar.mn
+++ b/toolkit/themes/windows/global/jar.mn
@@ -221,7 +221,7 @@ toolkit.jar:
   skin/classic/global/tree/twisty-open-XP.png                    (tree/twisty-open-XP.png)
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://global/skin/console/console-toolbar.png       chrome://global/skin/console/console-toolbar-XP.png      osversion<6
 % override chrome://global/skin/dirListing/folder.png             chrome://global/skin/dirListing/folder-XP.png            osversion<6
@@ -269,7 +269,7 @@ toolkit.jar:
 #endif
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://global/skin/arrow/arrow-lft-hov.gif           chrome://global/skin/arrow/arrow-lft.gif
 % override chrome://global/skin/arrow/arrow-rit-hov.gif           chrome://global/skin/arrow/arrow-rit.gif
diff --git a/toolkit/themes/windows/mozapps/jar.mn b/toolkit/themes/windows/mozapps/jar.mn
index 6d3db6499e03..2c81c97fa73a 100644
--- a/toolkit/themes/windows/mozapps/jar.mn
+++ b/toolkit/themes/windows/mozapps/jar.mn
@@ -95,7 +95,7 @@ toolkit.jar:
         skin/classic/mozapps/update/downloadButtons-XP.png         (update/downloadButtons-XP.png)
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://mozapps/skin/downloads/downloadButtons.png            chrome://mozapps/skin/downloads/downloadButtons-XP.png        osversion<6
 % override chrome://mozapps/skin/downloads/downloadIcon.png               chrome://mozapps/skin/downloads/downloadIcon-XP.png           osversion<6
@@ -116,7 +116,7 @@ toolkit.jar:
 #endif
 
 #if MOZ_BUILD_APP == browser
-../browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/chrome.jar:
+[browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}] chrome.jar:
 #endif
 % override chrome://mozapps/skin/extensions/category-dictionaries.png     chrome://mozapps/skin/extensions/dictionaryGeneric.png
 % override chrome://mozapps/skin/extensions/category-experiments.png      chrome://mozapps/skin/extensions/experimentGeneric.png
diff --git a/uriloader/prefetch/nsIPrefetchService.idl b/uriloader/prefetch/nsIPrefetchService.idl
index 8a670e4293a3..1d1e1edd2b0f 100644
--- a/uriloader/prefetch/nsIPrefetchService.idl
+++ b/uriloader/prefetch/nsIPrefetchService.idl
@@ -8,7 +8,7 @@ interface nsIURI;
 interface nsIDOMNode;
 interface nsISimpleEnumerator;
 
-[scriptable, uuid(bc4dbb34-b148-11e2-b82c-08002734a811)]
+[scriptable, uuid(2df8b475-f536-4a1a-afea-b39843df8005)]
 interface nsIPrefetchService : nsISupports
 {
     /**
@@ -26,9 +26,9 @@ interface nsIPrefetchService : nsISupports
                      in boolean aExplicit);
 
     /**
-     * Enumerate the items in the prefetch queue.
+     * Find out if there are any prefetches running or queued
      */
-    nsISimpleEnumerator enumerateQueue();
+    boolean hasMoreElements();
 
     // XXX do we need a way to cancel prefetch requests?
 };
diff --git a/uriloader/prefetch/nsPrefetchService.cpp b/uriloader/prefetch/nsPrefetchService.cpp
index e07ed0d122d4..f068ce55cfd3 100644
--- a/uriloader/prefetch/nsPrefetchService.cpp
+++ b/uriloader/prefetch/nsPrefetchService.cpp
@@ -53,6 +53,7 @@ static PRLogModuleInfo *gPrefetchLog;
 #define LOG_ENABLED() MOZ_LOG_TEST(gPrefetchLog, mozilla::LogLevel::Debug)
 
 #define PREFETCH_PREF "network.prefetch-next"
+#define PARALLELISM_PREF "network.prefetch-next.parallelism"
 
 //-----------------------------------------------------------------------------
 // helpers
@@ -67,99 +68,6 @@ PRTimeToSeconds(PRTime t_usec)
 
 #define NowInSeconds() PRTimeToSeconds(PR_Now())
 
-//-----------------------------------------------------------------------------
-// nsPrefetchQueueEnumerator
-//-----------------------------------------------------------------------------
-class nsPrefetchQueueEnumerator final : public nsISimpleEnumerator
-{
-public:
-    NS_DECL_ISUPPORTS
-    NS_DECL_NSISIMPLEENUMERATOR
-    explicit nsPrefetchQueueEnumerator(nsPrefetchService *aService);
-
-private:
-    ~nsPrefetchQueueEnumerator();
-
-    void Increment();
-
-    RefPtr<nsPrefetchService> mService;
-    RefPtr<nsPrefetchNode> mCurrent;
-    bool mStarted;
-};
-
-//-----------------------------------------------------------------------------
-// nsPrefetchQueueEnumerator <public>
-//-----------------------------------------------------------------------------
-nsPrefetchQueueEnumerator::nsPrefetchQueueEnumerator(nsPrefetchService *aService)
-    : mService(aService)
-    , mStarted(false)
-{
-    Increment();
-}
-
-nsPrefetchQueueEnumerator::~nsPrefetchQueueEnumerator()
-{
-}
-
-//-----------------------------------------------------------------------------
-// nsPrefetchQueueEnumerator::nsISimpleEnumerator
-//-----------------------------------------------------------------------------
-NS_IMETHODIMP
-nsPrefetchQueueEnumerator::HasMoreElements(bool *aHasMore)
-{
-    *aHasMore = (mCurrent != nullptr);
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsPrefetchQueueEnumerator::GetNext(nsISupports **aItem)
-{
-    if (!mCurrent) return NS_ERROR_FAILURE;
-
-    NS_ADDREF(*aItem = static_cast<nsIStreamListener*>(mCurrent.get()));
-
-    Increment();
-
-    return NS_OK;
-}
-
-//-----------------------------------------------------------------------------
-// nsPrefetchQueueEnumerator <private>
-//-----------------------------------------------------------------------------
-
-void
-nsPrefetchQueueEnumerator::Increment()
-{
-  if (!mStarted) {
-    // If the service is currently serving a request, it won't be in
-    // the pending queue, so we return it first.  If it isn't, we'll
-    // just start with the pending queue.
-    mStarted = true;
-    mCurrent = mService->GetCurrentNode();
-    if (!mCurrent)
-      mCurrent = mService->GetQueueHead();
-    return;
-  }
-
-  if (mCurrent) {
-    if (mCurrent == mService->GetCurrentNode()) {
-      // If we just returned the node being processed by the service,
-      // start with the pending queue
-      mCurrent = mService->GetQueueHead();
-    }
-    else {
-      // Otherwise just advance to the next item in the queue
-      mCurrent = mCurrent->mNext;
-    }
-  }
-}
-
-//-----------------------------------------------------------------------------
-// nsPrefetchQueueEnumerator::nsISupports
-//-----------------------------------------------------------------------------
-
-NS_IMPL_ISUPPORTS(nsPrefetchQueueEnumerator, nsISimpleEnumerator)
-
 //-----------------------------------------------------------------------------
 // nsPrefetchNode <public>
 //-----------------------------------------------------------------------------
@@ -317,7 +225,7 @@ nsPrefetchNode::OnStopRequest(nsIRequest *aRequest,
     }
 
     mService->NotifyLoadCompleted(this);
-    mService->ProcessNextURI();
+    mService->ProcessNextURI(this);
     return NS_OK;
 }
 
@@ -406,6 +314,7 @@ nsPrefetchNode::OnRedirectResult(bool proceeding)
 nsPrefetchService::nsPrefetchService()
     : mQueueHead(nullptr)
     , mQueueTail(nullptr)
+    , mMaxParallelism(6)
     , mStopCount(0)
     , mHaveProcessed(false)
     , mDisabled(true)
@@ -415,6 +324,7 @@ nsPrefetchService::nsPrefetchService()
 nsPrefetchService::~nsPrefetchService()
 {
     Preferences::RemoveObserver(this, PREFETCH_PREF);
+    Preferences::RemoveObserver(this, PARALLELISM_PREF);
     // cannot reach destructor if prefetch in progress (listener owns reference
     // to this service)
     EmptyQueue();
@@ -432,6 +342,12 @@ nsPrefetchService::Init()
     mDisabled = !Preferences::GetBool(PREFETCH_PREF, !mDisabled);
     Preferences::AddWeakObserver(this, PREFETCH_PREF);
 
+    mMaxParallelism = Preferences::GetInt(PARALLELISM_PREF, mMaxParallelism);
+    if (mMaxParallelism < 1) {
+        mMaxParallelism = 1;
+    }
+    Preferences::AddWeakObserver(this, PARALLELISM_PREF);
+
     // Observe xpcom-shutdown event
     nsCOMPtr<nsIObserverService> observerService =
       mozilla::services::GetObserverService();
@@ -448,29 +364,40 @@ nsPrefetchService::Init()
 }
 
 void
-nsPrefetchService::ProcessNextURI()
+nsPrefetchService::ProcessNextURI(nsPrefetchNode *aFinished)
 {
     nsresult rv;
     nsCOMPtr<nsIURI> uri, referrer;
 
-    mCurrentNode = nullptr;
+    if (aFinished) {
+        mCurrentNodes.RemoveElement(aFinished);
+    }
+
+    if (mCurrentNodes.Length() >= static_cast<uint32_t>(mMaxParallelism)) {
+        // We already have enough prefetches going on, so hold off
+        // for now.
+        return;
+    }
 
     do {
-        rv = DequeueNode(getter_AddRefs(mCurrentNode));
+        RefPtr<nsPrefetchNode> node;
+        rv = DequeueNode(getter_AddRefs(node));
 
         if (NS_FAILED(rv)) break;
 
         if (LOG_ENABLED()) {
             nsAutoCString spec;
-            mCurrentNode->mURI->GetSpec(spec);
+            node->mURI->GetSpec(spec);
             LOG(("ProcessNextURI [%s]\n", spec.get()));
         }
 
         //
         // if opening the channel fails, then just skip to the next uri
         //
-        RefPtr<nsPrefetchNode> node = mCurrentNode;
         rv = node->OpenChannel();
+        if (NS_SUCCEEDED(rv)) {
+            mCurrentNodes.AppendElement(node);
+        }
     }
     while (NS_FAILED(rv));
 }
@@ -598,9 +525,11 @@ nsPrefetchService::StartPrefetching()
     // only start prefetching after we've received enough DOCUMENT
     // STOP notifications.  we do this inorder to defer prefetching
     // until after all sub-frames have finished loading.
-    if (mStopCount == 0 && !mCurrentNode) {
+    if (!mStopCount) {
         mHaveProcessed = true;
-        ProcessNextURI();
+        while (mQueueHead && mCurrentNodes.Length() < static_cast<uint32_t>(mMaxParallelism)) {
+            ProcessNextURI(nullptr);
+        }
     }
 }
 
@@ -611,12 +540,15 @@ nsPrefetchService::StopPrefetching()
 
     LOG(("StopPrefetching [stopcount=%d]\n", mStopCount));
 
-    // only kill the prefetch queue if we've actually started prefetching.
-    if (!mCurrentNode)
+    // only kill the prefetch queue if we are actively prefetching right now
+    if (mCurrentNodes.IsEmpty()) {
         return;
+    }
 
-    mCurrentNode->CancelChannel(NS_BINDING_ABORTED);
-    mCurrentNode = nullptr;
+    for (uint32_t i = 0; i < mCurrentNodes.Length(); ++i) {
+        mCurrentNodes[i]->CancelChannel(NS_BINDING_ABORTED);
+    }
+    mCurrentNodes.Clear();
     EmptyQueue();
 }
 
@@ -705,9 +637,9 @@ nsPrefetchService::Prefetch(nsIURI *aURI,
     //
     // cancel if being prefetched
     //
-    if (mCurrentNode) {
+    for (uint32_t i = 0; i < mCurrentNodes.Length(); ++i) {
         bool equals;
-        if (NS_SUCCEEDED(mCurrentNode->mURI->Equals(aURI, &equals)) && equals) {
+        if (NS_SUCCEEDED(mCurrentNodes[i]->mURI->Equals(aURI, &equals)) && equals) {
             LOG(("rejected: URL is already being prefetched\n"));
             return NS_ERROR_ABORT;
         }
@@ -733,8 +665,9 @@ nsPrefetchService::Prefetch(nsIURI *aURI,
     NotifyLoadRequested(enqueuedNode);
 
     // if there are no pages loading, kick off the request immediately
-    if (mStopCount == 0 && mHaveProcessed)
-        ProcessNextURI();
+    if (mStopCount == 0 && mHaveProcessed) {
+        ProcessNextURI(nullptr);
+    }
 
     return NS_OK;
 }
@@ -749,13 +682,9 @@ nsPrefetchService::PrefetchURI(nsIURI *aURI,
 }
 
 NS_IMETHODIMP
-nsPrefetchService::EnumerateQueue(nsISimpleEnumerator **aEnumerator)
+nsPrefetchService::HasMoreElements(bool *aHasMore)
 {
-    *aEnumerator = new nsPrefetchQueueEnumerator(this);
-    if (!*aEnumerator) return NS_ERROR_OUT_OF_MEMORY;
-
-    NS_ADDREF(*aEnumerator);
-
+    *aHasMore = (mCurrentNodes.Length() || mQueueHead);
     return NS_OK;
 }
 
@@ -838,20 +767,34 @@ nsPrefetchService::Observe(nsISupports     *aSubject,
         mDisabled = true;
     }
     else if (!strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID)) {
-        if (Preferences::GetBool(PREFETCH_PREF, false)) {
-            if (mDisabled) {
-                LOG(("enabling prefetching\n"));
-                mDisabled = false;
-                AddProgressListener();
+        const char *pref = NS_ConvertUTF16toUTF8(aData).get();
+        if (!strcmp(pref, PREFETCH_PREF)) {
+            if (Preferences::GetBool(PREFETCH_PREF, false)) {
+                if (mDisabled) {
+                    LOG(("enabling prefetching\n"));
+                    mDisabled = false;
+                    AddProgressListener();
+                }
+            } else {
+                if (!mDisabled) {
+                    LOG(("disabling prefetching\n"));
+                    StopPrefetching();
+                    EmptyQueue();
+                    mDisabled = true;
+                    RemoveProgressListener();
+                }
             }
-        } 
-        else {
-            if (!mDisabled) {
-                LOG(("disabling prefetching\n"));
-                StopPrefetching();
-                EmptyQueue();
-                mDisabled = true;
-                RemoveProgressListener();
+        } else if (!strcmp(pref, PARALLELISM_PREF)) {
+            mMaxParallelism = Preferences::GetInt(PARALLELISM_PREF, mMaxParallelism);
+            if (mMaxParallelism < 1) {
+                mMaxParallelism = 1;
+            }
+            // If our parallelism has increased, go ahead and kick off enough
+            // prefetches to fill up our allowance. If we're now over our
+            // allowance, we'll just silently let some of them finish to get
+            // back below our limit.
+            while (mQueueHead && mCurrentNodes.Length() < static_cast<uint32_t>(mMaxParallelism)) {
+                ProcessNextURI(nullptr);
             }
         }
     }
diff --git a/uriloader/prefetch/nsPrefetchService.h b/uriloader/prefetch/nsPrefetchService.h
index 2047c4f246b5..1a93fd93511a 100644
--- a/uriloader/prefetch/nsPrefetchService.h
+++ b/uriloader/prefetch/nsPrefetchService.h
@@ -40,10 +40,7 @@ public:
     nsPrefetchService();
 
     nsresult Init();
-    void     ProcessNextURI();
-
-    nsPrefetchNode *GetCurrentNode() { return mCurrentNode.get(); }
-    nsPrefetchNode *GetQueueHead() { return mQueueHead; }
+    void     ProcessNextURI(nsPrefetchNode *aFinished);
 
     void NotifyLoadRequested(nsPrefetchNode *node);
     void NotifyLoadCompleted(nsPrefetchNode *node);
@@ -69,7 +66,8 @@ private:
 
     nsPrefetchNode                   *mQueueHead;
     nsPrefetchNode                   *mQueueTail;
-    RefPtr<nsPrefetchNode>          mCurrentNode;
+    nsTArray<RefPtr<nsPrefetchNode>> mCurrentNodes;
+    int32_t                           mMaxParallelism;
     int32_t                           mStopCount;
     // true if pending document loads have ever reached zero.
     int32_t                           mHaveProcessed;
diff --git a/widget/WidgetUtils.cpp b/widget/WidgetUtils.cpp
index b10b6bd9e5f1..fe15181d0210 100644
--- a/widget/WidgetUtils.cpp
+++ b/widget/WidgetUtils.cpp
@@ -9,6 +9,9 @@
 #ifdef XP_WIN
 #include "WinUtils.h"
 #endif
+#if MOZ_WIDGET_GTK == 3
+#include "mozilla/WidgetUtilsGtk.h"
+#endif
 
 namespace mozilla {
 
@@ -100,6 +103,8 @@ WidgetUtils::IsTouchDeviceSupportPresent()
 {
 #ifdef XP_WIN
   return WinUtils::IsTouchDeviceSupportPresent();
+#elif MOZ_WIDGET_GTK == 3
+  return WidgetUtilsGTK::IsTouchDeviceSupportPresent();
 #else
   return 0;
 #endif
diff --git a/widget/gtk/WidgetUtilsGtk.cpp b/widget/gtk/WidgetUtilsGtk.cpp
new file mode 100644
index 000000000000..393f66908dc1
--- /dev/null
+++ b/widget/gtk/WidgetUtilsGtk.cpp
@@ -0,0 +1,51 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "WidgetUtilsGtk.h"
+
+namespace mozilla {
+
+namespace widget {
+
+int32_t WidgetUtilsGTK::IsTouchDeviceSupportPresent()
+{
+#if GTK_CHECK_VERSION(3,4,0)
+    int32_t result = 0;
+    GdkDisplay* display = gdk_display_get_default();
+    if (!display) {
+        return 0;
+    }
+
+    GdkDeviceManager* manager = gdk_display_get_device_manager(display);
+    if (!manager) {
+        return 0;
+    }
+
+    GList* devices =
+        gdk_device_manager_list_devices(manager, GDK_DEVICE_TYPE_SLAVE);
+    GList* list = devices;
+
+    while (devices) {
+        GdkDevice* device = static_cast<GdkDevice*>(devices->data);
+        if (gdk_device_get_source(device) == GDK_SOURCE_TOUCHSCREEN) {
+            result = 1;
+            break;
+        }
+        devices = devices->next;
+   }
+
+   if (list) {
+       g_list_free(list);
+   }
+
+   return result;
+#else
+   return 0;
+#endif
+}
+
+}  // namespace widget
+
+} // namespace mozilla
diff --git a/widget/gtk/WidgetUtilsGtk.h b/widget/gtk/WidgetUtilsGtk.h
new file mode 100644
index 000000000000..8c132c11ba04
--- /dev/null
+++ b/widget/gtk/WidgetUtilsGtk.h
@@ -0,0 +1,25 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef WidgetUtilsGtk_h__
+#define WidgetUtilsGtk_h__
+
+#include <stdint.h>
+
+namespace mozilla {
+namespace widget {
+
+class WidgetUtilsGTK
+{
+public:
+  /* See WidgetUtils::IsTouchDeviceSupportPresent(). */
+  static int32_t IsTouchDeviceSupportPresent();
+};
+
+}  // namespace widget
+
+}  // namespace mozilla
+
+#endif // WidgetUtilsGtk_h__
diff --git a/widget/gtk/moz.build b/widget/gtk/moz.build
index 50bb32fa33bf..9b77796f649c 100644
--- a/widget/gtk/moz.build
+++ b/widget/gtk/moz.build
@@ -13,6 +13,10 @@ EXPORTS += [
     'nsIImageToPixbuf.h',
 ]
 
+EXPORTS.mozilla += [
+    'WidgetUtilsGtk.h'
+]
+
 UNIFIED_SOURCES += [
     'IMContextWrapper.cpp',
     'mozcontainer.c',
@@ -32,6 +36,7 @@ UNIFIED_SOURCES += [
     'nsWidgetFactory.cpp',
     'WakeLockListener.cpp',
     'WidgetTraceEvent.cpp',
+    'WidgetUtilsGtk.cpp',
 ]
 
 SOURCES += [
diff --git a/widget/gtk/mozgtk/mozgtk.c b/widget/gtk/mozgtk/mozgtk.c
index 88e4334fdb74..e4bb1cb3b2e8 100644
--- a/widget/gtk/mozgtk/mozgtk.c
+++ b/widget/gtk/mozgtk/mozgtk.c
@@ -507,6 +507,7 @@ STUB(gtk_window_unmaximize)
 STUB(gdk_device_get_source)
 STUB(gdk_device_manager_get_client_pointer)
 STUB(gdk_disable_multidevice)
+STUB(gdk_device_manager_list_devices)
 STUB(gdk_display_get_device_manager)
 STUB(gdk_error_trap_pop_ignored)
 STUB(gdk_event_get_source_device)
diff --git a/widget/gtk/nsColorPicker.cpp b/widget/gtk/nsColorPicker.cpp
index 639bc4b501d7..169df146e8e5 100644
--- a/widget/gtk/nsColorPicker.cpp
+++ b/widget/gtk/nsColorPicker.cpp
@@ -13,7 +13,7 @@
 
 NS_IMPL_ISUPPORTS(nsColorPicker, nsIColorPicker)
 
-#if GTK_CHECK_VERSION(3,4,0)
+#if defined(ACTIVATE_GTK3_COLOR_PICKER) && GTK_CHECK_VERSION(3,4,0)
 int nsColorPicker::convertGdkRgbaComponent(gdouble color_component) {
   // GdkRGBA value is in range [0.0..1.0]. We need something in range [0..255]
   return color_component * 255 + 0.5;
@@ -94,7 +94,7 @@ NS_IMETHODIMP nsColorPicker::Open(nsIColorPickerShownCallback *aColorPickerShown
   title.Adopt(ToNewUTF8String(mTitle));
   GtkWindow *parent_window = GTK_WINDOW(mParentWidget->GetNativeData(NS_NATIVE_SHELLWIDGET));
   
-#if GTK_CHECK_VERSION(3,4,0)
+#if defined(ACTIVATE_GTK3_COLOR_PICKER) && GTK_CHECK_VERSION(3,4,0)
   GtkWidget* color_chooser = gtk_color_chooser_dialog_new(title, parent_window);
     
   if (parent_window) {
@@ -134,7 +134,7 @@ NS_IMETHODIMP nsColorPicker::Open(nsIColorPickerShownCallback *aColorPickerShown
   return NS_OK;
 }
 
-#if GTK_CHECK_VERSION(3,4,0)
+#if defined(ACTIVATE_GTK3_COLOR_PICKER) && GTK_CHECK_VERSION(3,4,0)
 /* static */ void
 nsColorPicker::OnColorChanged(GtkColorChooser* color_chooser, GdkRGBA* color,
                               gpointer user_data)
@@ -208,7 +208,7 @@ nsColorPicker::Done(GtkWidget* color_chooser, gint response)
   switch (response) {
     case GTK_RESPONSE_OK:
     case GTK_RESPONSE_ACCEPT:
-#if GTK_CHECK_VERSION(3,4,0)
+#if defined(ACTIVATE_GTK3_COLOR_PICKER) && GTK_CHECK_VERSION(3,4,0)
       GdkRGBA color;
       gtk_color_chooser_get_rgba(GTK_COLOR_CHOOSER(color_chooser), &color);
       SetColor(&color);
diff --git a/widget/gtk/nsColorPicker.h b/widget/gtk/nsColorPicker.h
index 3783dd958606..107e6f058f61 100644
--- a/widget/gtk/nsColorPicker.h
+++ b/widget/gtk/nsColorPicker.h
@@ -12,6 +12,11 @@
 #include "nsIColorPicker.h"
 #include "nsString.h"
 
+// Don't activate the GTK3 color picker for now, because it is missing a few
+// things, mainly the ability to let the user select a color on the screen.
+// See bug 1198256.
+#undef ACTIVATE_GTK3_COLOR_PICKER
+
 class nsIWidget;
 
 class nsColorPicker final : public nsIColorPicker
@@ -31,7 +36,7 @@ private:
                          gpointer user_data);
   static void OnDestroy(GtkWidget* dialog, gpointer user_data);
   
-#if GTK_CHECK_VERSION(3,4,0)
+#if defined(ACTIVATE_GTK3_COLOR_PICKER) && GTK_CHECK_VERSION(3,4,0)
   static void OnColorChanged(GtkColorChooser* color_chooser, GdkRGBA* color,
                              gpointer user_data);
                              
diff --git a/widget/gtk/nsLookAndFeel.cpp b/widget/gtk/nsLookAndFeel.cpp
index a134863e9ae0..61bd8026cfd2 100644
--- a/widget/gtk/nsLookAndFeel.cpp
+++ b/widget/gtk/nsLookAndFeel.cpp
@@ -23,6 +23,7 @@
 #include "gtkdrawing.h"
 #include "nsStyleConsts.h"
 #include "gfxFontConstants.h"
+#include "WidgetUtils.h"
 
 #include <dlfcn.h>
 
@@ -634,8 +635,13 @@ nsLookAndFeel::GetIntImpl(IntID aID, int32_t &aResult)
         res = NS_ERROR_NOT_IMPLEMENTED;
         break;
     case eIntID_TouchEnabled:
+#if MOZ_WIDGET_GTK == 3
+        aResult = mozilla::widget::WidgetUtils::IsTouchDeviceSupportPresent();
+        break;
+#else
         aResult = 0;
         res = NS_ERROR_NOT_IMPLEMENTED;
+#endif
         break;
     case eIntID_MacGraphiteTheme:
     case eIntID_MacLionTheme:
diff --git a/widget/gtk/nsWindow.cpp b/widget/gtk/nsWindow.cpp
index 703eb6c71501..bfa37f44a395 100644
--- a/widget/gtk/nsWindow.cpp
+++ b/widget/gtk/nsWindow.cpp
@@ -6,9 +6,11 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/EventForwards.h"
 #include "mozilla/MiscEvents.h"
 #include "mozilla/MouseEvents.h"
 #include "mozilla/TextEvents.h"
+#include "mozilla/TouchEvents.h"
 #include <algorithm>
 
 #include "GeckoProfiler.h"
@@ -144,6 +146,7 @@ const gint kEvents = GDK_EXPOSURE_MASK | GDK_STRUCTURE_MASK |
                      GDK_BUTTON_PRESS_MASK | GDK_BUTTON_RELEASE_MASK |
 #if GTK_CHECK_VERSION(3,4,0)
                      GDK_SMOOTH_SCROLL_MASK |
+                     GDK_TOUCH_MASK |
 #endif
                      GDK_SCROLL_MASK |
                      GDK_POINTER_MOTION_MASK |
@@ -214,6 +217,10 @@ static gboolean window_state_event_cb     (GtkWidget *widget,
 static void     theme_changed_cb          (GtkSettings *settings,
                                            GParamSpec *pspec,
                                            nsWindow *data);
+#if GTK_CHECK_VERSION(3,4,0)
+static gboolean touch_event_cb            (GtkWidget* aWidget,
+                                           GdkEventTouch* aEvent);
+#endif
 static nsWindow* GetFirstNSWindowForGDKWindow (GdkWindow *aGdkWindow);
 
 #ifdef __cplusplus
@@ -343,6 +350,9 @@ static bool              gGlobalsInitialized   = false;
 static bool              gRaiseWindows         = true;
 static nsWindow         *gPluginFocusWindow    = nullptr;
 
+#if GTK_CHECK_VERSION(3,4,0)
+static uint32_t          gLastTouchID = 0;
+#endif
 
 #define NS_WINDOW_TITLE_MAX_LENGTH 4095
 
@@ -408,6 +418,9 @@ nsWindow::nsWindow()
     mNeedsShow           = false;
     mEnabled             = true;
     mCreated             = false;
+#if GTK_CHECK_VERSION(3,4,0)
+    mHandleTouchEvent    = false;
+#endif
 
     mContainer           = nullptr;
     mGdkWindow           = nullptr;
@@ -920,6 +933,15 @@ nsWindow::IsVisible() const
     return mIsShown;
 }
 
+void
+nsWindow::RegisterTouchWindow()
+{
+#if GTK_CHECK_VERSION(3,4,0)
+    mHandleTouchEvent = true;
+    mTouches.Clear();
+#endif
+}
+
 NS_IMETHODIMP
 nsWindow::ConstrainPosition(bool aAllowSlop, int32_t *aX, int32_t *aY)
 {
@@ -3353,6 +3375,78 @@ nsWindow::OnDragDataReceivedEvent(GtkWidget *aWidget,
                            aSelectionData, aInfo, aTime);
 }
 
+#if GTK_CHECK_VERSION(3,4,0)
+static PLDHashOperator AppendTouchToEvent(GdkEventSequence* aKey,
+                                          dom::Touch* aData,
+                                          void* aArg)
+{
+  WidgetTouchEvent* event = reinterpret_cast<WidgetTouchEvent*>(aArg);
+  event->touches.AppendElement(new dom::Touch(*aData));
+
+  return PL_DHASH_NEXT;
+}
+
+gboolean
+nsWindow::OnTouchEvent(GdkEventTouch* aEvent)
+{
+    if (!mHandleTouchEvent) {
+        return FALSE;
+    }
+
+    EventMessage msg;
+    switch (aEvent->type) {
+    case GDK_TOUCH_BEGIN:
+        msg = eTouchStart;
+        break;
+    case GDK_TOUCH_UPDATE:
+        msg = eTouchMove;
+        break;
+    case GDK_TOUCH_END:
+        msg = eTouchEnd;
+        break;
+    case GDK_TOUCH_CANCEL:
+        msg = eTouchCancel;
+        break;
+    default:
+        return FALSE;
+    }
+
+    LayoutDeviceIntPoint touchPoint;
+    if (aEvent->window == mGdkWindow) {
+        touchPoint = LayoutDeviceIntPoint(aEvent->x, aEvent->y);
+    } else {
+        touchPoint = LayoutDeviceIntPoint(aEvent->x_root, aEvent->y_root) -
+                     WidgetToScreenOffset();
+    }
+
+    int32_t id;
+    RefPtr<dom::Touch> touch;
+    if (mTouches.Remove(aEvent->sequence, getter_AddRefs(touch))) {
+        id = touch->mIdentifier;
+    } else {
+        id = ++gLastTouchID & 0x7FFFFFFF;
+    }
+
+    touch = new dom::Touch(id, touchPoint, nsIntPoint(1,1), 0.0f, 0.0f);
+
+    WidgetTouchEvent event(true, msg, this);
+    KeymapWrapper::InitInputEvent(event, aEvent->state);
+    event.time = aEvent->time;
+
+    if (aEvent->type == GDK_TOUCH_BEGIN || aEvent->type == GDK_TOUCH_UPDATE) {
+        mTouches.Put(aEvent->sequence, touch.forget());
+        // add all touch points to event object
+        mTouches.EnumerateRead(AppendTouchToEvent, &event);
+    } else if (aEvent->type == GDK_TOUCH_END ||
+               aEvent->type == GDK_TOUCH_CANCEL) {
+        *event.touches.AppendElement() = touch.forget();
+    }
+
+    DispatchAPZAwareEvent(&event);
+    return TRUE;
+}
+#endif
+
 static void
 GetBrandName(nsXPIDLString& brandName)
 {
@@ -3819,6 +3913,10 @@ nsWindow::Create(nsIWidget        *aParent,
                          G_CALLBACK(property_notify_event_cb), nullptr);
         g_signal_connect(eventWidget, "scroll-event",
                          G_CALLBACK(scroll_event_cb), nullptr);
+#if GTK_CHECK_VERSION(3,4,0)
+        g_signal_connect(eventWidget, "touch-event",
+                         G_CALLBACK(touch_event_cb), nullptr);
+#endif
     }
 
     LOG(("nsWindow [%p]\n", (void *)this));
@@ -5844,6 +5942,21 @@ theme_changed_cb (GtkSettings *settings, GParamSpec *pspec, nsWindow *data)
     window->ThemeChanged();
 }
 
+#if GTK_CHECK_VERSION(3,4,0)
+static gboolean
+touch_event_cb(GtkWidget* aWidget, GdkEventTouch* aEvent)
+{
+    UpdateLastInputEventTime(aEvent);
+
+    nsWindow* window = GetFirstNSWindowForGDKWindow(aEvent->window);
+    if (!window) {
+        return FALSE;
+    }
+
+    return window->OnTouchEvent(aEvent);
+}
+#endif
+
 //////////////////////////////////////////////////////////////////////
 // These are all of our drag and drop operations
 
diff --git a/widget/gtk/nsWindow.h b/widget/gtk/nsWindow.h
index 1662e0bbe15b..8125b48a0c7e 100644
--- a/widget/gtk/nsWindow.h
+++ b/widget/gtk/nsWindow.h
@@ -17,6 +17,7 @@
 #include "nsIDragService.h"
 #include "nsITimer.h"
 #include "nsGkAtoms.h"
+#include "nsRefPtrHashtable.h"
 
 #include "nsBaseWidget.h"
 #include <gdk/gdk.h>
@@ -30,6 +31,7 @@
 #include "mozilla/a11y/Accessible.h"
 #endif
 #include "mozilla/EventForwards.h"
+#include "mozilla/TouchEvents.h"
 
 #include "IMContextWrapper.h"
 
@@ -207,6 +209,9 @@ public:
                                                gpointer         aData);
     gboolean           OnPropertyNotifyEvent(GtkWidget *aWidget,
                                              GdkEventProperty *aEvent);
+#if GTK_CHECK_VERSION(3,4,0)
+    gboolean           OnTouchEvent(GdkEventTouch* aEvent);
+#endif
 
     virtual already_AddRefed<mozilla::gfx::DrawTarget>
                        StartRemoteDrawingInRegion(nsIntRegion& aInvalidRegion) override;
@@ -347,6 +352,8 @@ protected:
     virtual nsresult NotifyIMEInternal(
                          const IMENotification& aIMENotification) override;
 
+    virtual void RegisterTouchWindow() override;
+
     nsCOMPtr<nsIWidget> mParent;
     // Is this a toplevel window?
     bool                mIsTopLevel;
@@ -362,6 +369,10 @@ protected:
     bool                mEnabled;
     // has the native window for this been created yet?
     bool                mCreated;
+#if GTK_CHECK_VERSION(3,4,0)
+    // whether we handle touch event
+    bool                mHandleTouchEvent;
+#endif
 
 private:
     void               DestroyChildWindows();
@@ -399,6 +410,9 @@ private:
 #if GTK_CHECK_VERSION(3,4,0)
     // This field omits duplicate scroll events caused by GNOME bug 726878.
     guint32             mLastScrollEventTime;
+
+    // for touch event handling
+    nsRefPtrHashtable<nsPtrHashKey<GdkEventSequence>, mozilla::dom::Touch> mTouches;
 #endif
 
 #ifdef MOZ_X11
diff --git a/widget/nsBaseWidget.cpp b/widget/nsBaseWidget.cpp
index bf40115974a8..421fab306860 100644
--- a/widget/nsBaseWidget.cpp
+++ b/widget/nsBaseWidget.cpp
@@ -910,6 +910,14 @@ void nsBaseWidget::ConfigureAPZCTreeManager()
     uint64_t rootLayerTreeId = mCompositorParent->RootLayerTreeId();
     CompositorParent::SetControllerForLayerTree(rootLayerTreeId, controller);
   }
+
+  // When APZ is enabled, we can actually enable raw touch events because we
+  // have code that can deal with them properly. If APZ is not enabled, this
+  // function doesn't get called.
+  if (Preferences::GetInt("dom.w3c_touch_events.enabled", 0) ||
+      Preferences::GetBool("dom.w3c_pointer_events.enabled", false)) {
+    RegisterTouchWindow();
+  }
 }
 
 void nsBaseWidget::ConfigureAPZControllerThread()
diff --git a/widget/nsBaseWidget.h b/widget/nsBaseWidget.h
index 17d4a7d48d18..f4d0be67dfc4 100644
--- a/widget/nsBaseWidget.h
+++ b/widget/nsBaseWidget.h
@@ -473,6 +473,7 @@ protected:
    * Notify the widget that this window is being used with OMTC.
    */
   virtual void WindowUsesOMTC() {}
+  virtual void RegisterTouchWindow() {}
 
   nsIDocument* GetDocument() const;
 
diff --git a/widget/tests/test_composition_text_querycontent.xul b/widget/tests/test_composition_text_querycontent.xul
index 3e519e53df8f..76c56e83d95f 100644
--- a/widget/tests/test_composition_text_querycontent.xul
+++ b/widget/tests/test_composition_text_querycontent.xul
@@ -19,6 +19,12 @@
 <script class="testbody" type="application/javascript">
 <![CDATA[
 
+// If setting selection with eSetSelection event whose range is larger than
+// the actual range, hits "Can only call this on frames that have been reflowed:
+// '!(GetStateBits() & NS_FRAME_FIRST_REFLOW) || (GetParent()->GetStateBits() &
+// NS_FRAME_TOO_DEEP_IN_FRAME_TREE)'" in nsTextFrame.cpp.
+// Strangely, this doesn't occur with RDP on Windows.
+SimpleTest.expectAssertions(0, 2);
 SimpleTest.waitForExplicitFinish();
 window.open("window_composition_text_querycontent.xul", "_blank", 
             "chrome,width=600,height=600");
diff --git a/widget/tests/window_composition_text_querycontent.xul b/widget/tests/window_composition_text_querycontent.xul
index 2b61e8cfc58a..ec752f6beeb8 100644
--- a/widget/tests/window_composition_text_querycontent.xul
+++ b/widget/tests/window_composition_text_querycontent.xul
@@ -121,6 +121,7 @@ const kIsWin = (navigator.platform.indexOf("Win") == 0);
 const kIsMac = (navigator.platform.indexOf("Mac") == 0);
 
 const kLFLen = kIsWin ? 2 : 1;
+const kLF = kIsWin ? "\r\n" : "\n";
 
 function checkQueryContentResult(aResult, aMessage)
 {
@@ -134,27 +135,33 @@ function checkQueryContentResult(aResult, aMessage)
 
 function checkContent(aExpectedText, aMessage, aID)
 {
+  if (!aID) {
+    aID = "";
+  }
   var textContent = synthesizeQueryTextContent(0, 100);
   if (!checkQueryContentResult(textContent, aMessage +
                                ": synthesizeQueryTextContent " + aID)) {
     return false;
   }
   is(textContent.text, aExpectedText,
-     aMessage + ": composition string is wrong" + aID);
+     aMessage + ": composition string is wrong " + aID);
   return textContent.text == aExpectedText;
 }
 
 function checkSelection(aExpectedOffset, aExpectedText, aMessage, aID)
 {
+  if (!aID) {
+    aID = "";
+  }
   var selectedText = synthesizeQuerySelectedText();
   if (!checkQueryContentResult(selectedText, aMessage +
                                ": synthesizeQuerySelectedText " + aID)) {
     return false;
   }
   is(selectedText.offset, aExpectedOffset,
-     aMessage + ": selection offset is wrong" + aID);
+     aMessage + ": selection offset is wrong " + aID);
   is(selectedText.text, aExpectedText,
-     aMessage + ": selected text is wrong" + aID);
+     aMessage + ": selected text is wrong " + aID);
   return selectedText.offset == aExpectedOffset &&
          selectedText.text == aExpectedText;
 }
@@ -2309,6 +2316,695 @@ function runCharAtPointAtOutsideTest()
   }
 }
 
+function runSetSelectionEventTest()
+{
+  contenteditable.focus();
+
+  var selection = windowOfContenteditable.getSelection();
+
+  // #1
+  contenteditable.innerHTML = "abc<br>def";
+
+  synthesizeSelectionSet(0, 6 + kLFLen);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #1 (0, 6+kLFLen): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #1 (0, 6+kLFLen): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #1 (0, 6+kLFLen): selection focus node should be the root node of the editor");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #1 (0, 6+kLFLen): selection focus offset should be the count of children");
+  checkSelection(0, "abc" + kLF + "def", "runSetSelectionEventTest #1 (0, 6+kLFLen)");
+
+  synthesizeSelectionSet(0, 100);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #1 (0, 100): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #1 (0, 100): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #1 (0, 100): selection focus node should be the root node of the editor");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #1 (0, 100): selection focus offset should be the count of children");
+  checkSelection(0, "abc" + kLF + "def", "runSetSelectionEventTest #1 (0, 100)");
+
+  synthesizeSelectionSet(2, 2 + kLFLen);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #1 (2, 2+kLFLen): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 2,
+     "runSetSelectionEventTest #1 (2, 2+kLFLen): selection anchor offset should be 2");
+  is(selection.focusNode, contenteditable.lastChild,
+     "runSetSelectionEventTest #1 (2, 2+kLFLen): selection focus node should be the last text node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #1 (2, 2+kLFLen): selection focus offset should be 1");
+  checkSelection(2, "c" + kLF + "d", "runSetSelectionEventTest #1 (2, 2+kLFLen)");
+
+  synthesizeSelectionSet(1, 2);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #1 (1, 2): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #1 (1, 2): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #1 (1, 2): selection focus node should be the root node of the editor");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #1 (1, 2): selection focus offset should be 1");
+  checkSelection(1, "bc", "runSetSelectionEventTest #1 (1, 2)");
+
+  synthesizeSelectionSet(3, kLFLen);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #1 (3, kLFLen): selection anchor node should be the root node of the editor");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #1 (3, kLFLen): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.lastChild,
+     "runSetSelectionEventTest #1 (3, kLFLen): selection focus node should be the last text node");
+  is(selection.focusOffset, 0,
+     "runSetSelectionEventTest #1 (3, kLFLen): selection focus offset should be 0");
+  checkSelection(3, kLF, "runSetSelectionEventTest #1 (3, kLFLen)");
+
+  synthesizeSelectionSet(6+kLFLen, 0);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #1 (6+kLFLen, 0): selection anchor node should be the root node of the editor");
+  is(selection.anchorOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #1 (6+kLFLen, 0): selection anchor offset should be the count of children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #1 (6+kLFLen, 0): selection focus node should be the root node of the editor");
+  is(selection.anchorOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #1 (6+kLFLen, 0): selection focus offset should be the count of children");
+  checkSelection(6 + kLFLen, "", "runSetSelectionEventTest #1 (6+kLFLen, 0)");
+
+  synthesizeSelectionSet(100, 0);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #1 (100, 0): selection anchor node should be the root node of the editor");
+  is(selection.anchorOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #1 (100, 0): selection anchor offset should be the count of children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #1 (100, 0): selection focus node should be the root node of the editor");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #1 (100, 0): selection focus offset should be the count of children");
+  checkSelection(6 + kLFLen, "", "runSetSelectionEventTest #1 (100, 0)");
+
+  // #2
+  contenteditable.innerHTML = "<p>a<b>b</b>c</p><p>def</p>";
+
+  synthesizeSelectionSet(0, 4);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #2 (0, 4): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #2 (0, 4): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.lastChild.firstChild,
+     "runSetSelectionEventTest #2 (0, 4): selection focus node should be the text node in the second <p> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #2 (0, 4): selection focus offset should be 1");
+  checkSelection(0, "abcd", "runSetSelectionEventTest #2 (0, 4)");
+
+  synthesizeSelectionSet(0, 2);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #2 (0, 2): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #2 (0, 2): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.firstChild.childNodes.item(1),
+     "runSetSelectionEventTest #2 (0, 2): selection focus node should be the <b> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.item(1).childNodes.length,
+     "runSetSelectionEventTest #2 (0, 2): selection focus offset should be the count of the <b>'s children");
+  checkSelection(0, "ab", "runSetSelectionEventTest #2 (0, 2)");
+
+  synthesizeSelectionSet(1, 2);
+  is(selection.anchorNode, contenteditable.firstChild.childNodes.item(1).firstChild,
+     "runSetSelectionEventTest #2 (1, 2): selection anchor node should be the text node in the <b> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #2 (1, 2): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #2 (1, 2): selection focus node should be the first <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #2 (1, 2): selection focus offset should be the count of last <p>'s children");
+  checkSelection(1, "bc", "runSetSelectionEventTest #2 (1, 2)");
+
+  synthesizeSelectionSet(2, 2);
+  is(selection.anchorNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #2 (2, 2): selection anchor node should be the last text node in the first <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #2 (2, 2): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.lastChild.firstChild,
+     "runSetSelectionEventTest #2 (2, 2): selection focus node should be the text node in the last <p> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #2 (2, 2): selection focus offset should be 1");
+  checkSelection(2, "cd", "runSetSelectionEventTest #2 (2, 2)");
+
+  synthesizeSelectionSet(3, 1);
+  is(selection.anchorNode, contenteditable.lastChild.firstChild,
+     "runSetSelectionEventTest #2 (3, 1): selection anchor node should be the text node in the second <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #2 (3, 1): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.lastChild.firstChild,
+     "runSetSelectionEventTest #2 (3, 1): selection focus node should be the text node in the second <p> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #2 (3, 1): selection focus offset should be 1");
+  checkSelection(3, "d", "runSetSelectionEventTest #2 (3, 1)");
+
+  // #3
+  contenteditable.innerHTML = "<div>abc<p>def</p></div>";
+
+  synthesizeSelectionSet(1, 2);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #3 (1, 2): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #3 (1, 2): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #3 (1, 2): selection focus node should be the <div> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #3 (1, 2): selection focus offset should be 1");
+  checkSelection(1, "bc", "runSetSelectionEventTest #3 (1, 2)");
+
+  synthesizeSelectionSet(1, 3);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #3 (1, 3): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #3 (1, 3): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild.lastChild.firstChild,
+     "runSetSelectionEventTest #3 (1, 3): selection focus node should be the text node in the <p> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #3 (1, 3): selection focus offset should be 1");
+  checkSelection(1, "bcd", "runSetSelectionEventTest #3 (1, 3)");
+
+  synthesizeSelectionSet(3, 0);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #3 (3, 0): selection anchor node should be the <div> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #3 (3, 0): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #3 (3, 0): selection focus node should be the <div> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #3 (3, 0): selection focus offset should be 1");
+  checkSelection(3, "", "runSetSelectionEventTest #3 (3, 0)");
+
+  synthesizeSelectionSet(0, 6);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #3 (0, 6): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #3 (0, 6): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #3 (0, 6): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.lastChild.childNodes.length,
+     "runSetSelectionEventTest #3 (0, 6): selection focus offset should be the count of the <p>'s children");
+  checkSelection(0, "abcdef", "runSetSelectionEventTest #3 (0, 6)");
+
+  synthesizeSelectionSet(0, 100);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #3 (0, 100): selection anchor node should be the first text node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #3 (0, 100): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #3 (0, 100): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #3 (0, 100): selection focus offset should be the count of the root's children");
+  checkSelection(0, "abcdef", "runSetSelectionEventTest #3 (0, 100)");
+
+  synthesizeSelectionSet(4, 2);
+  is(selection.anchorNode, contenteditable.firstChild.lastChild.firstChild,
+     "runSetSelectionEventTest #3 (4, 2): selection anchor node should be the text node in the <p> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #3 (4, 2): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #3 (4, 2): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.lastChild.childNodes.length,
+     "runSetSelectionEventTest #3 (4, 2): selection focus offset should be the count of the <p>'s children");
+  checkSelection(4, "ef", "runSetSelectionEventTest #3 (4, 2)");
+
+  synthesizeSelectionSet(4, 100);
+  is(selection.anchorNode, contenteditable.firstChild.lastChild.firstChild,
+     "runSetSelectionEventTest #3 (4, 100): selection anchor node should be the text node in the <p> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #3 (4, 100): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #3 (4, 100): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #3 (4, 100): selection focus offset should be the count of the root's children");
+  checkSelection(4, "ef", "runSetSelectionEventTest #3 (4, 100)");
+
+  synthesizeSelectionSet(6, 0);
+  is(selection.anchorNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #3 (6, 0): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, contenteditable.firstChild.lastChild.childNodes.length,
+     "runSetSelectionEventTest #3 (6, 0): selection anchor offset should be the count of the <p>'s children");
+  is(selection.focusNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #3 (6, 0): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.lastChild.childNodes.length,
+     "runSetSelectionEventTest #3 (6, 0): selection focus offset should be the count of the <p>'s children");
+  checkSelection(6, "", "runSetSelectionEventTest #3 (6, 0)");
+
+  synthesizeSelectionSet(6, 1);
+  todo_is(selection.anchorNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #3 (6, 1): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, contenteditable.firstChild.lastChild.childNodes.length,
+     "runSetSelectionEventTest #3 (6, 1): selection anchor offset should be the count of the <p>'s children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #3 (6, 1): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #3 (6, 1): selection focus offset should be the count of the root's children");
+  checkSelection(6, "", "runSetSelectionEventTest #3 (6, 1)");
+
+  // #4
+  contenteditable.innerHTML = "<div><p>abc</p>def</div>";
+
+  synthesizeSelectionSet(1, 2);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (1, 2): selection anchor node should be the text node in the <p> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #4 (1, 2): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (1, 2): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (1, 2): selection focus offset should be the count of the <p>'s children");
+  checkSelection(1, "bc", "runSetSelectionEventTest #4 (1, 2)");
+
+  synthesizeSelectionSet(1, 3);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (1, 3): selection anchor node should be the text node in the <p> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #4 (1, 3): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #4 (1, 3): selection focus node should be the last text node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #4 (1, 3): selection focus offset should be 1");
+  checkSelection(1, "bcd", "runSetSelectionEventTest #4 (1, 3)");
+
+  synthesizeSelectionSet(3, 0);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (3, 0): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, contenteditable.firstChild.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (3, 0): selection anchor offset should be the count of <p>'s children");
+  is(selection.focusNode, contenteditable.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (3, 0): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (3, 0): selection focus offset should be the count of <p>'s children");
+  checkSelection(3, "", "runSetSelectionEventTest #4 (3, 0)");
+
+  synthesizeSelectionSet(0, 6);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (0, 6): selection anchor node should be the text node in the <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #4 (0, 6): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #4 (0, 6): selection focus node should be the <div> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (0, 6): selection focus offset should be the count of the <div>'s children");
+  checkSelection(0, "abcdef", "runSetSelectionEventTest #4 (0, 6)");
+
+  synthesizeSelectionSet(0, 100);
+  is(selection.anchorNode, contenteditable.firstChild.firstChild.firstChild,
+     "runSetSelectionEventTest #4 (0, 100): selection anchor node should be the text node in the <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #4 (0, 100): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #4 (0, 100): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #4 (0, 100): selection focus offset should be the count of the root's children");
+  checkSelection(0, "abcdef", "runSetSelectionEventTest #4 (0, 100)");
+
+  synthesizeSelectionSet(4, 2);
+  is(selection.anchorNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #4 (4, 2): selection anchor node should be the last text node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #4 (4, 2): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #4 (4, 2): selection focus node should be the <div> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (4, 2): selection focus offset should be the count of the <div>'s children");
+  checkSelection(4, "ef", "runSetSelectionEventTest #4 (4, 2)");
+
+  synthesizeSelectionSet(4, 100);
+  is(selection.anchorNode, contenteditable.firstChild.lastChild,
+     "runSetSelectionEventTest #4 (4, 100): selection anchor node should be the last text node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #4 (4, 100): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #4 (4, 100): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #4 (4, 100): selection focus offset should be the count of the root's children");
+  checkSelection(4, "ef", "runSetSelectionEventTest #4 (4, 100)");
+
+  synthesizeSelectionSet(6, 0);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #4 (6, 0): selection anchor node should be the <div> node");
+  is(selection.anchorOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (6, 0): selection anchor offset should be the count of the <div>'s children");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #4 (6, 0): selection focus node should be the <div> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (6, 0): selection focus offset should be the count of the <div>'s children");
+  checkSelection(6, "", "runSetSelectionEventTest #4 (6, 0)");
+
+  synthesizeSelectionSet(6, 1);
+  todo_is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #4 (6, 1): selection anchor node should be the <div> node");
+  todo_is(selection.anchorOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #4 (6, 1): selection anchor offset should be the count of the <div>'s children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #4 (6, 1): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #4 (6, 1): selection focus offset should be the count of the root's children");
+  checkSelection(6, "", "runSetSelectionEventTest #4 (6, 1)");
+
+  // #5
+  contenteditable.innerHTML = "<br>";
+
+  synthesizeSelectionSet(0, kLFLen);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #5 (0, kLFLen): selection anchor node should be the root node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #5 (0, kLFLen): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #5 (0, kLFLen): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #5 (0, kLFLen): selection focus offset should be the count of the root's children");
+  checkSelection(0, kLF, "runSetSelectionEventTest #5 (0, kLFLen)");
+
+  synthesizeSelectionSet(kLFLen, 0);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #5 (kLFLen, 0): selection anchor node should be the root node");
+  todo_is(selection.anchorOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #5 (kLFLen, 0): selection anchor offset should be the count of the root's children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #5 (kLFLen, 0): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #5 (kLFLen, 0): selection focus offset should be the count of the root's children");
+  // todo
+  // checkSelection(kLFLen, "", "runSetSelectionEventTest #5 (kLFLen, 0)");
+
+  synthesizeSelectionSet(kLFLen, 1);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #5 (kLFLen, 1): selection anchor node should be the root node");
+  is(selection.anchorOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #5 (kLFLen, 1): selection anchor offset should be the count of the root's children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #5 (kLFLen, 1): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #5 (kLFLen, 1): selection focus offset should be the count of the root's children");
+  checkSelection(kLFLen, "", "runSetSelectionEventTest #5 (kLFLen, 1)");
+
+  // #6
+  contenteditable.innerHTML = "<p><br></p>";
+
+  synthesizeSelectionSet(0, kLFLen);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #6 (0, kLFLen): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #6 (0, kLFLen): selection anchor offset should be 1");
+  todo_is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #6 (0, kLFLen): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #6 (0, kLFLen): selection focus offset should be the count of the <p>'s children");
+  checkSelection(0, kLF, "runSetSelectionEventTest #6 (0, kLFLen)");
+
+  synthesizeSelectionSet(kLFLen, 0);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #6 (kLFLen, 0): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #6 (kLFLen, 0): selection anchor offset should be the count of the root's children");
+  todo_is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #6 (kLFLen, 0): selection focus node should be the <p> node");
+  is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #6 (kLFLen, 0): selection focus offset should be the count of the <p>'s children");
+  // todo
+  // checkSelection(kLFLen, "", "runSetSelectionEventTest #6 (kLFLen, 0)");
+
+  synthesizeSelectionSet(kLFLen, 1);
+  todo_is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #6 (kLFLen, 1): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #6 (kLFLen, 1): selection anchor offset should be the count of the root's children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #6 (kLFLen, 1): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #6 (kLFLen, 1): selection focus offset should be the count of the root's children");
+  checkSelection(kLFLen, "", "runSetSelectionEventTest #6 (kLFLen, 1)");
+
+  // #7
+  contenteditable.innerHTML = "<br><br>";
+
+  synthesizeSelectionSet(0, kLFLen);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #7 (0, kLFLen): selection anchor node should be the root node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #7 (0, kLFLen): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #7 (0, kLFLen): selection focus node should be the root node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #7 (0, kLFLen): selection focus offset should be 1");
+  checkSelection(0, kLF, "runSetSelectionEventTest #7 (0, kLFLen)");
+
+  synthesizeSelectionSet(0, kLFLen * 2);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #7 (0, kLFLen*2): selection anchor node should be the root node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #7 (0, kLFLen*2): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #7 (0, kLFLen*2): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #7 (0, kLFLen*2): selection focus offset should be the count of the root's children");
+  checkSelection(0, kLF + kLF, "runSetSelectionEventTest #7 (0, kLFLen*2)");
+
+  synthesizeSelectionSet(kLFLen, 0);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #7 (kLFLen, 0): selection anchor node should be the root node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #7 (kLFLen, 0): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #7 (kLFLen, 0): selection focus node should be the root node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #7 (kLFLen, 0): selection focus offset should be 1");
+  checkSelection(kLFLen, "", "runSetSelectionEventTest #7 (kLFLen, 0)");
+
+  synthesizeSelectionSet(kLFLen, kLFLen);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #7 (kLFLen, kLFLen): selection anchor node should be the root node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #7 (kLFLen, kLFLen): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #7 (kLFLen, kLFLen) selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #7 (kLFLen, kLFLen): selection focus offset should be the count of the root's children");
+  checkSelection(kLFLen, kLF, "runSetSelectionEventTest #7 (kLFLen, kLFLen)");
+
+  synthesizeSelectionSet(kLFLen * 2, 0);
+  is(selection.anchorNode, contenteditable,
+     "runSetSelectionEventTest #7 (kLFLen*2, 0): selection anchor node should be the root node");
+  todo_is(selection.anchorOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #7 (kLFLen*2, 0): selection anchor offset should be the count of the root's children");
+  is(selection.focusNode, contenteditable,
+     "runSetSelectionEventTest #7 (kLFLen*2, 0): selection focus node should be the root node");
+  is(selection.focusOffset, contenteditable.childNodes.length,
+     "runSetSelectionEventTest #7 (kLFLen*2, 0): selection focus offset should be the count of the root's children");
+  // todo
+  // checkSelection(kLFLen * 2, "", "runSetSelectionEventTest #7 (kLFLen*2, 0)");
+
+  // #8
+  contenteditable.innerHTML = "<p><br><br></p>";
+
+  synthesizeSelectionSet(0, kLFLen);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (0, kLFLen): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #8 (0, kLFLen): selection anchor offset should be 0");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (0, kLFLen): selection focus node should be the <p> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #8 (0, kLFLen): selection focus offset should be 1");
+  checkSelection(0, kLF, "runSetSelectionEventTest #7 (0, kLFLen)");
+
+  synthesizeSelectionSet(0, kLFLen * 2);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (0, kLFLen*2): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, 0,
+     "runSetSelectionEventTest #8 (0, kLFLen*2): selection anchor offset should be 0");
+  todo_is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (0, kLFLen*2): selection focus node should be the <p> node");
+  todo_is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #8 (0, kLFLen*2): selection focus offset should be the count of the <p>'s children");
+  checkSelection(0, kLF + kLF, "runSetSelectionEventTest #8 (0, kLFLen*2)");
+
+  synthesizeSelectionSet(kLFLen, 0);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (kLFLen, 0): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #8 (kLFLen, 0): selection anchor offset should be 1");
+  is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (kLFLen, 0): selection focus node should be the <p> node");
+  is(selection.focusOffset, 1,
+     "runSetSelectionEventTest #8 (kLFLen, 0): selection focus offset should be 1");
+  checkSelection(kLFLen, "", "runSetSelectionEventTest #8 (kLFLen, 0)");
+
+  synthesizeSelectionSet(kLFLen, kLFLen);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (kLFLen, kLFLen): selection anchor node should be the <p> node");
+  is(selection.anchorOffset, 1,
+     "runSetSelectionEventTest #8 (kLFLen, kLFLen): selection anchor offset should be 1");
+  todo_is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (kLFLen, kLFLen) selection focus node should be the <p> node");
+  todo_is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #8 (kLFLen, kLFLen): selection focus offset should be the count of the <p>'s children");
+  checkSelection(kLFLen, kLF, "runSetSelectionEventTest #8 (kLFLen, kLFLen)");
+
+  synthesizeSelectionSet(kLFLen * 2, 0);
+  is(selection.anchorNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (kLFLen*2, 0): selection anchor node should be the <p> node");
+  todo_is(selection.anchorOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #8 (kLFLen*2, 0): selection anchor offset should be the count of the <p>'s children");
+  todo_is(selection.focusNode, contenteditable.firstChild,
+     "runSetSelectionEventTest #8 (kLFLen*2, 0): selection focus node should be the <p> node");
+  todo_is(selection.focusOffset, contenteditable.firstChild.childNodes.length,
+     "runSetSelectionEventTest #8 (kLFLen*2, 0): selection focus offset should be the count of the <p>'s children");
+  // todo
+  // checkSelection(kLFLen * 2, "", "runSetSelectionEventTest #8 (kLFLen*2, 0)");
+}
+
+function runQueryTextContentEventTest()
+{
+  contenteditable.focus();
+
+  var result;
+
+  // #1
+  contenteditable.innerHTML = "abc<br>def";
+
+  result = synthesizeQueryTextContent(0, 6 + kLFLen);
+  is(result.text, "abc" + kLF + "def", "runQueryTextContentEventTest #1 (0, 6+kLFLen)");
+
+  result = synthesizeQueryTextContent(0, 100);
+  is(result.text, "abc" + kLF + "def", "runQueryTextContentEventTest #1 (0, 100)");
+
+  result = synthesizeQueryTextContent(2, 2 + kLFLen);
+  is(result.text, "c" + kLF + "d", "runQueryTextContentEventTest #1 (2, 2+kLFLen)");
+
+  result = synthesizeQueryTextContent(1, 2);
+  is(result.text, "bc", "runQueryTextContentEventTest #1 (1, 2)");
+
+  result = synthesizeQueryTextContent(3, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #1 (3, kLFLen)");
+
+  result = synthesizeQueryTextContent(6 + kLFLen, 1);
+  is(result.text, "", "runQueryTextContentEventTest #1 (6 + kLFLen, 0)");
+
+  // #2
+  contenteditable.innerHTML = "<p>a<b>b</b>c</p><p>def</p>";
+
+  result = synthesizeQueryTextContent(0, 4);
+  is(result.text, "abcd", "runQueryTextContentEventTest #2 (0, 4)");
+
+  result = synthesizeQueryTextContent(0, 2);
+  is(result.text, "ab", "runQueryTextContentEventTest #2 (0, 2)");
+
+  result = synthesizeQueryTextContent(1, 2);
+  is(result.text, "bc", "runQueryTextContentEventTest #2 (1, 2)");
+
+  result = synthesizeQueryTextContent(2, 2);
+  is(result.text, "cd", "runQueryTextContentEventTest #2 (2, 2)");
+
+  result = synthesizeQueryTextContent(3, 1);
+  is(result.text, "d", "runQueryTextContentEventTest #2 (3, 1)");
+
+  // #3
+  contenteditable.innerHTML = "<div>abc<p>def</p></div>";
+
+  result = synthesizeQueryTextContent(1, 2);
+  is(result.text, "bc", "runQueryTextContentEventTest #3 (1, 2)");
+
+  result = synthesizeQueryTextContent(1, 3);
+  is(result.text, "bcd", "runQueryTextContentEventTest #3 (1, 3)");
+
+  result = synthesizeQueryTextContent(3, 1);
+  is(result.text, "d", "runQueryTextContentEventTest #3 (3, 1)");
+
+  result = synthesizeQueryTextContent(0, 6);
+  is(result.text, "abcdef", "runQueryTextContentEventTest #3 (0, 6)");
+
+  result = synthesizeQueryTextContent(0, 100);
+  is(result.text, "abcdef", "runQueryTextContentEventTest #3 (0, 100)");
+
+  result = synthesizeQueryTextContent(4, 2);
+  is(result.text, "ef", "runQueryTextContentEventTest #3 (4, 2)");
+
+  result = synthesizeQueryTextContent(4, 100);
+  is(result.text, "ef", "runQueryTextContentEventTest #3 (4, 100)");
+
+  result = synthesizeQueryTextContent(6, 1);
+  is(result.text, "", "runQueryTextContentEventTest #3 (6, 1)");
+
+  // #4
+  contenteditable.innerHTML = "<div><p>abc</p>def</div>";
+
+  result = synthesizeQueryTextContent(1, 2);
+  is(result.text, "bc", "runQueryTextContentEventTest #4 (1, 2)");
+
+  result = synthesizeQueryTextContent(1, 3);
+  is(result.text, "bcd", "runQueryTextContentEventTest #4 (1, 3)");
+
+  result = synthesizeQueryTextContent(3, 1);
+  is(result.text, "d", "runQueryTextContentEventTest #4 (3, 1)");
+
+  result = synthesizeQueryTextContent(0, 6);
+  is(result.text, "abcdef", "runQueryTextContentEventTest #4 (0, 6)");
+
+  result = synthesizeQueryTextContent(0, 100);
+  is(result.text, "abcdef", "runQueryTextContentEventTest #4 (0, 100)");
+
+  result = synthesizeQueryTextContent(4, 2);
+  is(result.text, "ef", "runQueryTextContentEventTest #4 (4, 2)");
+
+  result = synthesizeQueryTextContent(4, 100);
+  is(result.text, "ef", "runQueryTextContentEventTest #4 (4, 100)");
+
+  result = synthesizeQueryTextContent(6, 1);
+  is(result.text, "", "runQueryTextContentEventTest #4 (6, 1)");
+
+  // #5
+  contenteditable.innerHTML = "<br>";
+
+  result = synthesizeQueryTextContent(0, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #5 (0, kLFLen)");
+
+  result = synthesizeQueryTextContent(kLFLen, 1);
+  is(result.text, "", "runQueryTextContentEventTest #5 (kLFLen, 1)");
+
+  // #6
+  contenteditable.innerHTML = "<p><br></p>";
+
+  result = synthesizeQueryTextContent(0, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #6 (0, kLFLen)");
+
+  result = synthesizeQueryTextContent(kLFLen, 1);
+  is(result.text, "", "runQueryTextContentEventTest #5 (kLFLen, 1)");
+
+  // #7
+  contenteditable.innerHTML = "<br><br>";
+
+  result = synthesizeQueryTextContent(0, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #7 (0, kLFLen)");
+
+  result = synthesizeQueryTextContent(0, kLFLen * 2);
+  is(result.text, kLF + kLF, "runQueryTextContentEventTest #7 (0, kLFLen*2)");
+
+  result = synthesizeQueryTextContent(kLFLen, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #7 (kLFLen, kLFLen)");
+
+  result = synthesizeQueryTextContent(kLFLen * 2, 1);
+  is(result.text, "", "runQueryTextContentEventTest #7 (kLFLen*2, 1)");
+
+  // #8
+  contenteditable.innerHTML = "<p><br><br></p>";
+
+  result = synthesizeQueryTextContent(0, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #8 (0, kLFLen)");
+
+  result = synthesizeQueryTextContent(0, kLFLen * 2);
+  is(result.text, kLF + kLF, "runQueryTextContentEventTest #8 (0, kLFLen*2)");
+
+  result = synthesizeQueryTextContent(kLFLen, kLFLen);
+  is(result.text, kLF, "runQueryTextContentEventTest #8 (kLFLen, kLFLen)");
+
+  result = synthesizeQueryTextContent(kLFLen * 2, 1);
+  is(result.text, "", "runQueryTextContentEventTest #8 (kLFLen*2, 1)");
+}
+
 function runCSSTransformTest()
 {
   textarea.focus();
@@ -4602,6 +5298,8 @@ function runTest()
   runCompositionEventTest();
   runCharAtPointTest(textarea, "textarea in the document");
   runCharAtPointAtOutsideTest();
+  runSetSelectionEventTest();
+  runQueryTextContentEventTest();
   runCSSTransformTest();
   runBug722639Test();
   runForceCommitTest();
diff --git a/widget/windows/WinIMEHandler.cpp b/widget/windows/WinIMEHandler.cpp
index 2ca69ca65b98..f5822886ed82 100644
--- a/widget/windows/WinIMEHandler.cpp
+++ b/widget/windows/WinIMEHandler.cpp
@@ -28,7 +28,7 @@
 const char* kOskPathPrefName = "ui.osk.on_screen_keyboard_path";
 const char* kOskEnabled = "ui.osk.enabled";
 const char* kOskDetectPhysicalKeyboard = "ui.osk.detect_physical_keyboard";
-const char* kOskRequireTabletMode = "ui.osk.require_tablet_mode";
+const char* kOskRequireWin10 = "ui.osk.require_win10";
 const char* kOskDebugReason = "ui.osk.debug.keyboardDisplayReason";
 
 namespace mozilla {
@@ -46,6 +46,9 @@ bool IMEHandler::sShowingOnScreenKeyboard = false;
 decltype(SetInputScopes)* IMEHandler::sSetInputScopes = nullptr;
 #endif // #ifdef NS_ENABLE_TSF
 
+static POWER_PLATFORM_ROLE sPowerPlatformRole = PlatformRoleUnspecified;
+static bool sDeterminedPowerPlatformRole = false;
+
 // static
 void
 IMEHandler::Initialize()
@@ -536,21 +539,22 @@ void
 IMEHandler::MaybeShowOnScreenKeyboard()
 {
   if (sPluginHasFocus ||
-      !IsWin10OrLater() ||
+      !IsWin8OrLater() ||
       !Preferences::GetBool(kOskEnabled, true) ||
       sShowingOnScreenKeyboard ||
       IMEHandler::IsKeyboardPresentOnSlate()) {
     return;
   }
 
-  // Tablet Mode is only supported on Windows 10 and higher.
-  // When touch-event detection within IME is better supported
-  // this check may be removed, and ShowOnScreenKeyboard can
-  // run on Windows 8 and higher (adjusting the IsWin10OrLater
-  // guard above and within MaybeDismissOnScreenKeyboard).
-  if (!IsInTabletMode() &&
-      Preferences::GetBool(kOskRequireTabletMode, true) &&
-      !AutoInvokeOnScreenKeyboardInDesktopMode()) {
+  // On Windows 10 we require tablet mode, unless the user has set the relevant
+  // Windows setting to enable the on-screen keyboard in desktop mode.
+  // We might be disabled specifically on Win8(.1), so we check that afterwards.
+  if (IsWin10OrLater()) {
+    if (!IsInTabletMode() && !AutoInvokeOnScreenKeyboardInDesktopMode()) {
+      return;
+    }
+  }
+  else if (Preferences::GetBool(kOskRequireWin10, true)) {
     return;
   }
 
@@ -562,7 +566,7 @@ void
 IMEHandler::MaybeDismissOnScreenKeyboard()
 {
   if (sPluginHasFocus ||
-      !IsWin10OrLater() ||
+      !IsWin8OrLater() ||
       !sShowingOnScreenKeyboard) {
     return;
   }
@@ -661,23 +665,33 @@ IMEHandler::IsKeyboardPresentOnSlate()
   // checked by first checking the role of the device and then the
   // corresponding system metric (SM_CONVERTIBLESLATEMODE). If it is being
   // used as a tablet then we want the OSK to show up.
-  typedef POWER_PLATFORM_ROLE (WINAPI* PowerDeterminePlatformRole)();
-  PowerDeterminePlatformRole power_determine_platform_role =
-    reinterpret_cast<PowerDeterminePlatformRole>(::GetProcAddress(
-      ::LoadLibraryW(L"PowrProf.dll"), "PowerDeterminePlatformRole"));
-  if (power_determine_platform_role) {
-    POWER_PLATFORM_ROLE role = power_determine_platform_role();
-    if (((role == PlatformRoleMobile) || (role == PlatformRoleSlate)) &&
-         (::GetSystemMetrics(SM_CONVERTIBLESLATEMODE) == 0)) {
-      if (role == PlatformRoleMobile) {
-        Preferences::SetString(kOskDebugReason, L"IKPOS: PlatformRoleMobile.");
-      } else if (role == PlatformRoleSlate) {
-        Preferences::SetString(kOskDebugReason, L"IKPOS: PlatformRoleSlate.");
-      }
-      return false;
+  typedef POWER_PLATFORM_ROLE (WINAPI* PowerDeterminePlatformRoleEx)(ULONG Version);
+  if (!sDeterminedPowerPlatformRole) {
+    sDeterminedPowerPlatformRole = true;
+    PowerDeterminePlatformRoleEx power_determine_platform_role =
+      reinterpret_cast<PowerDeterminePlatformRoleEx>(::GetProcAddress(
+        ::LoadLibraryW(L"PowrProf.dll"), "PowerDeterminePlatformRoleEx"));
+    if (power_determine_platform_role) {
+      sPowerPlatformRole = power_determine_platform_role(POWER_PLATFORM_ROLE_V2);
+    } else {
+      sPowerPlatformRole = PlatformRoleUnspecified;
     }
   }
 
+  // If this is not a mobile or slate (tablet) device, we don't need to
+  // do anything here.
+  if (sPowerPlatformRole != PlatformRoleMobile &&
+      sPowerPlatformRole != PlatformRoleSlate) {
+    Preferences::SetString(kOskDebugReason, L"IKPOS: PlatformRole is neither Mobile nor Slate.");
+    return true;
+  }
+
+  // Likewise, if the tablet/mobile isn't in "slate" mode, we should bail:
+  if (::GetSystemMetrics(SM_CONVERTIBLESLATEMODE) != 0) {
+    Preferences::SetString(kOskDebugReason, L"IKPOS: ConvertibleSlateMode is non-zero");
+    return true;
+  }
+
   const GUID KEYBOARD_CLASS_GUID =
     { 0x4D36E96B, 0xE325,  0x11CE,
       { 0xBF, 0xC1, 0x08, 0x00, 0x2B, 0xE1, 0x03, 0x18 } };
diff --git a/widget/windows/nsWindow.cpp b/widget/windows/nsWindow.cpp
index cce724bdce9a..d149d3601eb0 100644
--- a/widget/windows/nsWindow.cpp
+++ b/widget/windows/nsWindow.cpp
@@ -1329,25 +1329,10 @@ void nsWindow::SetThemeRegion()
  *
  **************************************************************/
 
-void nsWindow::ConfigureAPZCTreeManager()
-{
-  nsBaseWidget::ConfigureAPZCTreeManager();
-
-  // When APZ is enabled, we can actually enable raw touch events because we
-  // have code that can deal with them properly. If APZ is not enabled, this
-  // function doesn't get called, and |mGesture| will take care of touch-based
-  // scrolling. Note that RegisterTouchWindow may still do nothing depending
-  // on touch events prefs, and so it is possible to enable APZ without
-  // also enabling touch support.
-  RegisterTouchWindow();
-}
-
 void nsWindow::RegisterTouchWindow() {
-  if (Preferences::GetInt("dom.w3c_touch_events.enabled", 0)) {
-    mTouchWindow = true;
-    mGesture.RegisterTouchWindow(mWnd);
-    ::EnumChildWindows(mWnd, nsWindow::RegisterTouchForDescendants, 0);
-  }
+  mTouchWindow = true;
+  mGesture.RegisterTouchWindow(mWnd);
+  ::EnumChildWindows(mWnd, nsWindow::RegisterTouchForDescendants, 0);
 }
 
 BOOL CALLBACK nsWindow::RegisterTouchForDescendants(HWND aWnd, LPARAM aMsg) {
diff --git a/widget/windows/nsWindow.h b/widget/windows/nsWindow.h
index 39c2f4dab99b..d8093d2e8e47 100644
--- a/widget/windows/nsWindow.h
+++ b/widget/windows/nsWindow.h
@@ -297,8 +297,7 @@ protected:
   virtual ~nsWindow();
 
   virtual void WindowUsesOMTC() override;
-  virtual void ConfigureAPZCTreeManager() override;
-  void RegisterTouchWindow();
+  virtual void RegisterTouchWindow() override;
 
   virtual nsresult NotifyIMEInternal(
                      const IMENotification& aIMENotification) override;
diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h
index 6147d5faecfc..6a7a3efbd84a 100644
--- a/xpcom/glue/nsTArray.h
+++ b/xpcom/glue/nsTArray.h
@@ -300,8 +300,6 @@ struct nsTArray_SafeElementAtHelper<nsCOMPtr<E>, Derived>
 {
 };
 
-template<class T> class nsRefPtr;
-
 template<class E, class Derived>
 struct nsTArray_SafeElementAtHelper<RefPtr<E>, Derived>
   : public nsTArray_SafeElementAtSmartPtrHelper<E, Derived>