www/waterfox: apply some FF59 fixes

12 files changed, 1165 insertions, 0 deletions

diff --git a/www/waterfox/Makefile b/www/waterfox/Makefile
index 1f5a84f5e87b..c659950c854b 100644
--- a/www/waterfox/Makefile
+++ b/www/waterfox/Makefile
@@ -3,6 +3,7 @@
 PORTNAME=	waterfox
 DISTVERSION=	56.0.4-20
 DISTVERSIONSUFFIX=	-ge03e284b083d
+PORTREVISION=	1
 CATEGORIES=	www ipv6
 
 MAINTAINER=	jbeich@FreeBSD.org
diff --git a/www/waterfox/files/patch-bug1325888 b/www/waterfox/files/patch-bug1325888
new file mode 100644
index 000000000000..39cff975859d
--- /dev/null
+++ b/www/waterfox/files/patch-bug1325888
@@ -0,0 +1,39 @@
+commit fb631be6ce75
+Author: DimiL <dlee@mozilla.com>
+Date:   Wed Nov 1 08:40:00 2017 +0800
+
+    Bug 1325888 - Clear cached completion result when close safebrowsing database. r=francois
+    
+    Safebrowsing testcase will close and then re-open database to simulate firefox restart.
+    This bug happened when DB service already has a previously cached completion result and then
+    re-open database. In this scenario, if testcase triggers another the same completion request,
+    we won't cache it because we thought we have it already (See nsUrlClassifierDBServiceWorker::CacheCompletion).
+    
+    This causes a testcase assertion when testcase expects the completion
+    result should be stored in LookupCache.
+    
+    MozReview-Commit-ID: 8o57jHv92OH
+    
+    --HG--
+    extra : rebase_source : 90861060437d6cef860b85dd669d76e74ceec660
+---
+ toolkit/components/url-classifier/nsUrlClassifierDBService.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git toolkit/components/url-classifier/nsUrlClassifierDBService.cpp toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+index e1a1be065aaf..a108812a1792 100644
+--- toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
++++ toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+@@ -812,6 +812,12 @@ nsUrlClassifierDBServiceWorker::CloseDb()
+     mClassifier = nullptr;
+   }
+ 
++  // Clear last completion result when close db so we will still cache completion
++  // result next time we re-open it.
++  if (mLastResults) {
++    mLastResults->Clear();
++  }
++
+   LOG(("urlclassifier db closed\n"));
+ 
+   return NS_OK;
diff --git a/www/waterfox/files/patch-bug1345058 b/www/waterfox/files/patch-bug1345058
new file mode 100644
index 000000000000..02874af1505b
--- /dev/null
+++ b/www/waterfox/files/patch-bug1345058
@@ -0,0 +1,620 @@
+commit 1f57fdb85d3d
+Author: Thomas Nguyen <tnguyen@mozilla.com>
+Date:   Mon Aug 14 14:05:23 2017 +0800
+
+    Bug 1345058 - Asynchronously decide if a flash document should be blocked. r=baku
+    
+    MozReview-Commit-ID: K91cSvIdOrb
+    
+    --HG--
+    extra : rebase_source : 4d91ab3499c0124129e74a054c5cc78882ff351e
+---
+ dom/base/nsDocument.cpp                            | 447 ++++++++++++++++++---
+ dom/base/nsDocument.h                              |   5 +
+ .../url-classifier/nsUrlClassifierDBService.cpp    |  22 +-
+ 3 files changed, 401 insertions(+), 73 deletions(-)
+
+diff --git dom/base/nsDocument.cpp dom/base/nsDocument.cpp
+index acfde3bc0210..386c96745438 100644
+--- dom/base/nsDocument.cpp
++++ dom/base/nsDocument.cpp
+@@ -279,6 +279,7 @@
+ #include "nsIURIClassifier.h"
+ #include "mozilla/DocumentStyleRootIterator.h"
+ #include "mozilla/ServoRestyleManager.h"
++#include "mozilla/ClearOnShutdown.h"
+ 
+ using namespace mozilla;
+ using namespace mozilla::dom;
+@@ -319,6 +320,65 @@ GetHttpChannelHelper(nsIChannel* aChannel, nsIHttpChannel** aHttpChannel)
+   return NS_OK;
+ }
+ 
++////////////////////////////////////////////////////////////////////
++// PrincipalFlashClassifier
++
++// Classify the flash based on the document principal.
++// The usage of this class is as follows:
++//
++// 1) Call AsyncClassify() as early as possible to asynchronously do
++//    classification against all the flash blocking related tables
++//    via nsIURIClassifier.asyncClassifyLocalWithTables.
++//
++// 2) At any time you need the classification result, call Result()
++//    and it is guaranteed to give you the result. Note that you have
++//    to specify "aIsThirdParty" to the function so please make sure
++//    you can already correctly decide if the document is third-party.
++//
++//    Behind the scenes, the sync classification API
++//    (nsIURIClassifier.classifyLocalWithTable) may be called as a fallback to
++//    synchronously get the result if the asyncClassifyLocalWithTables hasn't
++//    been done yet.
++//
++// 3) You can call Result() as many times as you want and only the first time
++//    it may unfortunately call the blocking sync API. The subsequent call
++//    will just return the result that came out at the first time.
++//
++class PrincipalFlashClassifier final : public nsIURIClassifierCallback
++{
++public:
++  NS_DECL_THREADSAFE_ISUPPORTS
++  NS_DECL_NSIURICLASSIFIERCALLBACK
++
++  PrincipalFlashClassifier();
++
++  // Fire async classification based on the given principal.
++  void AsyncClassify(nsIPrincipal* aPrincipal);
++
++  // Would block if the result hasn't come out.
++  mozilla::dom::FlashClassification ClassifyMaybeSync(nsIPrincipal* aPrincipal,
++                                           bool aIsThirdParty);
++
++private:
++ ~PrincipalFlashClassifier() = default;
++
++  void Reset();
++  bool EnsureUriClassifier();
++  mozilla::dom::FlashClassification CheckIfClassifyNeeded(nsIPrincipal* aPrincipal);
++  mozilla::dom::FlashClassification Resolve(bool aIsThirdParty);
++  mozilla::dom::FlashClassification AsyncClassifyInternal(nsIPrincipal* aPrincipal);
++  void GetClassificationTables(bool aIsThirdParty, nsACString& aTables);
++
++  // For the fallback sync classification.
++  nsCOMPtr<nsIURI> mClassificationURI;
++
++  nsCOMPtr<nsIURIClassifier> mUriClassifier;
++  bool mAsyncClassified;
++  nsTArray<nsCString> mMatchedTables;
++  mozilla::dom::FlashClassification mResult;
++};
++
++
+ #define NAME_NOT_VALID ((nsSimpleContentList*)1)
+ 
+ nsIdentifierMapEntry::~nsIdentifierMapEntry()
+@@ -1575,6 +1635,9 @@ nsDocument::nsDocument(const char* aContentType)
+ 
+   // void state used to differentiate an empty source from an unselected source
+   mPreloadPictureFoundSource.SetIsVoid(true);
++  // For determining if this is a flash document which should be
++  // blocked based on its principal.
++  mPrincipalFlashClassifier = new PrincipalFlashClassifier();
+ }
+ 
+ void
+@@ -2761,6 +2824,11 @@ nsDocument::StartDocumentLoad(const char* aCommand, nsIChannel* aChannel,
+     aChannel->Cancel(NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION);
+   }
+ 
++  // Perform a async flash classification based on the doc principal
++  // in an early stage to reduce the blocking time.
++  mFlashClassification = FlashClassification::Unclassified;
++  mPrincipalFlashClassifier->AsyncClassify(GetPrincipal());
++
+   return NS_OK;
+ }
+ 
+@@ -13483,6 +13551,23 @@ nsIDocument::UpdateStyleBackendType()
+ #endif
+ }
+ 
++/**
++ * Retrieves the classification of the Flash plugins in the document based on
++ * the classification lists. We perform AsyncInitFlashClassification on
++ * StartDocumentLoad() and the result may not be initialized when this function
++ * gets called. In that case, We can only unfortunately have a blocking wait.
++ *
++ * For more information, see
++ * toolkit/components/url-classifier/flash-block-lists.rst
++ */
++FlashClassification
++nsDocument::PrincipalFlashClassification()
++{
++  MOZ_ASSERT(mPrincipalFlashClassifier);
++  return mPrincipalFlashClassifier->ClassifyMaybeSync(GetPrincipal(),
++                                                      IsThirdParty());
++}
++
+ /**
+  * Helper function for |nsDocument::PrincipalFlashClassification|
+  *
+@@ -13523,27 +13608,279 @@ ArrayContainsTable(const nsTArray<nsCString>& aTableArray,
+   return false;
+ }
+ 
+-/**
+- * Retrieves the classification of the Flash plugins in the document based on
+- * the classification lists.
+- *
+- * For more information, see
+- * toolkit/components/url-classifier/flash-block-lists.rst
+- */
++namespace {
++
++// An object to store all preferences we need for flash blocking feature.
++struct PrefStore
++{
++  PrefStore()
++  {
++    Preferences::AddBoolVarCache(&mFlashBlockEnabled,
++                                 "plugins.flashBlock.enabled");
++    Preferences::AddBoolVarCache(&mPluginsHttpOnly,
++                                 "plugins.http_https_only");
++
++    // We only need to register string-typed preferences.
++    Preferences::RegisterCallback(UpdateStringPrefs, "urlclassifier.flashAllowTable", this);
++    Preferences::RegisterCallback(UpdateStringPrefs, "urlclassifier.flashAllowExceptTable", this);
++    Preferences::RegisterCallback(UpdateStringPrefs, "urlclassifier.flashTable", this);
++    Preferences::RegisterCallback(UpdateStringPrefs, "urlclassifier.flashExceptTable", this);
++    Preferences::RegisterCallback(UpdateStringPrefs, "urlclassifier.flashSubDocTable", this);
++    Preferences::RegisterCallback(UpdateStringPrefs, "urlclassifier.flashSubDocExceptTable", this);
++
++    UpdateStringPrefs();
++  }
++
++  ~PrefStore()
++  {
++    Preferences::UnregisterCallback(UpdateStringPrefs, "urlclassifier.flashAllowTable", this);
++    Preferences::UnregisterCallback(UpdateStringPrefs, "urlclassifier.flashAllowExceptTable", this);
++    Preferences::UnregisterCallback(UpdateStringPrefs, "urlclassifier.flashTable", this);
++    Preferences::UnregisterCallback(UpdateStringPrefs, "urlclassifier.flashExceptTable", this);
++    Preferences::UnregisterCallback(UpdateStringPrefs, "urlclassifier.flashSubDocTable", this);
++    Preferences::UnregisterCallback(UpdateStringPrefs, "urlclassifier.flashSubDocExceptTable", this);
++  }
++
++  void UpdateStringPrefs()
++  {
++    Preferences::GetCString("urlclassifier.flashAllowTable", mAllowTables);
++    Preferences::GetCString("urlclassifier.flashAllowExceptTable", mAllowExceptionsTables);
++    Preferences::GetCString("urlclassifier.flashTable", mDenyTables);
++    Preferences::GetCString("urlclassifier.flashExceptTable", mDenyExceptionsTables);
++    Preferences::GetCString("urlclassifier.flashSubDocTable", mSubDocDenyTables);
++    Preferences::GetCString("urlclassifier.flashSubDocExceptTable", mSubDocDenyExceptionsTables);
++  }
++
++  static void UpdateStringPrefs(const char*, void* aClosure)
++  {
++    static_cast<PrefStore*>(aClosure)->UpdateStringPrefs();
++  }
++
++  bool mFlashBlockEnabled;
++  bool mPluginsHttpOnly;
++
++  nsCString mAllowTables;
++  nsCString mAllowExceptionsTables;
++  nsCString mDenyTables;
++  nsCString mDenyExceptionsTables;
++  nsCString mSubDocDenyTables;
++  nsCString mSubDocDenyExceptionsTables;
++};
++
++static const
++PrefStore& GetPrefStore()
++{
++  static UniquePtr<PrefStore> sPrefStore;
++  if (!sPrefStore) {
++    sPrefStore.reset(new PrefStore());
++    ClearOnShutdown(&sPrefStore);
++  }
++  return *sPrefStore;
++}
++
++} // end of unnamed namespace.
++
++////////////////////////////////////////////////////////////////////
++// PrincipalFlashClassifier implementation.
++
++NS_IMPL_ISUPPORTS(PrincipalFlashClassifier, nsIURIClassifierCallback)
++
++PrincipalFlashClassifier::PrincipalFlashClassifier()
++{
++  Reset();
++}
++
++void
++PrincipalFlashClassifier::Reset()
++{
++  mAsyncClassified = false;
++  mMatchedTables.Clear();
++  mResult = FlashClassification::Unclassified;
++}
++
++void
++PrincipalFlashClassifier::GetClassificationTables(bool aIsThirdParty,
++                                                  nsACString& aTables)
++{
++  aTables.Truncate();
++  auto& prefs = GetPrefStore();
++
++  MaybeAddTableToTableList(prefs.mAllowTables, aTables);
++  MaybeAddTableToTableList(prefs.mAllowExceptionsTables, aTables);
++  MaybeAddTableToTableList(prefs.mDenyTables, aTables);
++  MaybeAddTableToTableList(prefs.mDenyExceptionsTables, aTables);
++
++  if (aIsThirdParty) {
++    MaybeAddTableToTableList(prefs.mSubDocDenyTables, aTables);
++    MaybeAddTableToTableList(prefs.mSubDocDenyExceptionsTables, aTables);
++  }
++}
++
++bool
++PrincipalFlashClassifier::EnsureUriClassifier()
++{
++  if (!mUriClassifier) {
++    mUriClassifier = do_GetService(NS_URICLASSIFIERSERVICE_CONTRACTID);
++  }
++
++  return !!mUriClassifier;
++}
++
+ FlashClassification
+-nsDocument::PrincipalFlashClassification()
++PrincipalFlashClassifier::ClassifyMaybeSync(nsIPrincipal* aPrincipal, bool aIsThirdParty)
++{
++  if (FlashClassification::Unclassified != mResult) {
++    // We already have the result. Just return it.
++    return mResult;
++  }
++
++  // TODO: Bug 1342333 - Entirely remove the use of the sync API
++  // (ClassifyLocalWithTables).
++  if (!mAsyncClassified) {
++
++    //
++    // We may
++    //   1) have called AsyncClassifyLocalWithTables but OnClassifyComplete
++    //      hasn't been called.
++    //   2) haven't even called AsyncClassifyLocalWithTables.
++    //
++    // In both cases we need to do the synchronous classification as the fallback.
++    //
++
++    if (!EnsureUriClassifier()) {
++      return FlashClassification::Denied;
++    }
++    mResult = CheckIfClassifyNeeded(aPrincipal);
++    if (FlashClassification::Unclassified != mResult) {
++      return mResult;
++    }
++
++    nsresult rv;
++    nsAutoCString classificationTables;
++    GetClassificationTables(aIsThirdParty, classificationTables);
++
++    if (!mClassificationURI) {
++      rv = aPrincipal->GetURI(getter_AddRefs(mClassificationURI));
++      if (NS_FAILED(rv) || !mClassificationURI) {
++        mResult = FlashClassification::Denied;
++        return mResult;
++      }
++    }
++
++    rv = mUriClassifier->ClassifyLocalWithTables(mClassificationURI,
++                                                 classificationTables,
++                                                 mMatchedTables);
++    if (NS_WARN_IF(NS_FAILED(rv))) {
++      if (rv == NS_ERROR_MALFORMED_URI) {
++        // This means that the URI had no hostname (ex: file://doc.html). In this
++        // case, we allow the default (Unknown plugin) behavior.
++        mResult = FlashClassification::Unknown;
++      } else {
++        mResult = FlashClassification::Denied;
++      }
++      return mResult;
++    }
++  }
++
++  // Resolve the result based on mMatchedTables and aIsThirdParty.
++  mResult = Resolve(aIsThirdParty);
++  MOZ_ASSERT(FlashClassification::Unclassified != mResult);
++
++  // The subsequent call of Result() will return the resolved result
++  // and never reach here until Reset() is called.
++  return mResult;
++}
++
++/*virtual*/ nsresult
++PrincipalFlashClassifier::OnClassifyComplete(nsresult /*aErrorCode*/,
++                                             const nsACString& aLists, // Only this matters.
++                                             const nsACString& /*aProvider*/,
++                                             const nsACString& /*aPrefix*/)
++{
++  mAsyncClassified = true;
++
++  if (FlashClassification::Unclassified != mResult) {
++    // Result() has been called prior to this callback.
++    return NS_OK;
++  }
++
++  // TODO: Bug 1364804 - We should use a callback type which notifies
++  // the result as a string array rather than a formatted string.
++
++  // We only populate the matched list without resolving the classification
++  // result because we are not sure if the parent doc has been properly set.
++  // We also parse the comma-separated tables to array. (the code is copied
++  // from Classifier::SplitTables.)
++  nsACString::const_iterator begin, iter, end;
++  aLists.BeginReading(begin);
++  aLists.EndReading(end);
++  while (begin != end) {
++    iter = begin;
++    FindCharInReadable(',', iter, end);
++    nsDependentCSubstring table = Substring(begin,iter);
++    if (!table.IsEmpty()) {
++      mMatchedTables.AppendElement(Substring(begin, iter));
++    }
++    begin = iter;
++    if (begin != end) {
++      begin++;
++    }
++  }
++
++  return NS_OK;
++}
++
++// We resolve the classification result based on aIsThirdParty
++// and the matched tables we got ealier on (via either sync or async API).
++FlashClassification
++PrincipalFlashClassifier::Resolve(bool aIsThirdParty)
++{
++  MOZ_ASSERT(FlashClassification::Unclassified == mResult,
++             "We already have resolved classification result.");
++
++  if (mMatchedTables.IsEmpty()) {
++    return FlashClassification::Unknown;
++  }
++
++  auto& prefs = GetPrefStore();
++  if (ArrayContainsTable(mMatchedTables, prefs.mDenyTables) &&
++      !ArrayContainsTable(mMatchedTables, prefs.mDenyExceptionsTables)) {
++    return FlashClassification::Denied;
++  } else if (ArrayContainsTable(mMatchedTables, prefs.mAllowTables) &&
++             !ArrayContainsTable(mMatchedTables, prefs.mAllowExceptionsTables)) {
++    return FlashClassification::Allowed;
++  }
++
++  if (aIsThirdParty && ArrayContainsTable(mMatchedTables, prefs.mSubDocDenyTables) &&
++      !ArrayContainsTable(mMatchedTables, prefs.mSubDocDenyExceptionsTables)) {
++    return FlashClassification::Denied;
++  }
++
++  return FlashClassification::Unknown;
++}
++
++void
++PrincipalFlashClassifier::AsyncClassify(nsIPrincipal* aPrincipal)
++{
++  MOZ_ASSERT(FlashClassification::Unclassified == mResult,
++             "The old classification result should be reset first.");
++  Reset();
++  mResult = AsyncClassifyInternal(aPrincipal);
++}
++
++FlashClassification
++PrincipalFlashClassifier::CheckIfClassifyNeeded(nsIPrincipal* aPrincipal)
+ {
+   nsresult rv;
+ 
+-  bool httpOnly = Preferences::GetBool("plugins.http_https_only", true);
+-  bool flashBlock = Preferences::GetBool("plugins.flashBlock.enabled", false);
++  auto& prefs = GetPrefStore();
+ 
+   // If neither pref is on, skip the null-principal and principal URI checks.
+-  if (!httpOnly && !flashBlock) {
+-    return FlashClassification::Unknown;
++  if (prefs.mPluginsHttpOnly && !prefs.mFlashBlockEnabled) {
++   return FlashClassification::Unknown;
+   }
+ 
+-  nsCOMPtr<nsIPrincipal> principal = GetPrincipal();
++  nsCOMPtr<nsIPrincipal> principal = aPrincipal;
+   if (principal->GetIsNullPrincipal()) {
+     return FlashClassification::Denied;
+   }
+@@ -13554,7 +13891,7 @@ nsDocument::PrincipalFlashClassification()
+     return FlashClassification::Denied;
+   }
+ 
+-  if (httpOnly) {
++  if (prefs.mPluginsHttpOnly) {
+     // Only allow plugins for documents from an HTTP/HTTPS origin. This should
+     // allow dependent data: URIs to load plugins, but not:
+     // * chrome documents
+@@ -13570,49 +13907,50 @@ nsDocument::PrincipalFlashClassification()
+ 
+   // If flash blocking is disabled, it is equivalent to all sites being
+   // on neither list.
+-  if (!flashBlock) {
++  if (!prefs.mFlashBlockEnabled) {
+     return FlashClassification::Unknown;
+   }
+ 
+-  nsAutoCString allowTables, allowExceptionsTables,
+-                denyTables, denyExceptionsTables,
+-                subDocDenyTables, subDocDenyExceptionsTables,
+-                tables;
+-  Preferences::GetCString("urlclassifier.flashAllowTable", allowTables);
+-  MaybeAddTableToTableList(allowTables, tables);
+-  Preferences::GetCString("urlclassifier.flashAllowExceptTable",
+-                          allowExceptionsTables);
+-  MaybeAddTableToTableList(allowExceptionsTables, tables);
+-  Preferences::GetCString("urlclassifier.flashTable", denyTables);
+-  MaybeAddTableToTableList(denyTables, tables);
+-  Preferences::GetCString("urlclassifier.flashExceptTable",
+-                          denyExceptionsTables);
+-  MaybeAddTableToTableList(denyExceptionsTables, tables);
+-
+-  bool isThirdPartyDoc = IsThirdParty();
+-  if (isThirdPartyDoc) {
+-    Preferences::GetCString("urlclassifier.flashSubDocTable",
+-                            subDocDenyTables);
+-    MaybeAddTableToTableList(subDocDenyTables, tables);
+-    Preferences::GetCString("urlclassifier.flashSubDocExceptTable",
+-                            subDocDenyExceptionsTables);
+-    MaybeAddTableToTableList(subDocDenyExceptionsTables, tables);
++  return FlashClassification::Unclassified;
++}
++
++// Using nsIURIClassifier.asyncClassifyLocalWithTables to do classification
++// against the flash related tables based on the given principal.
++FlashClassification
++PrincipalFlashClassifier::AsyncClassifyInternal(nsIPrincipal* aPrincipal)
++{
++  auto result = CheckIfClassifyNeeded(aPrincipal);
++  if (FlashClassification::Unclassified != result) {
++    return result;
+   }
+ 
++  // We haven't been able to decide if it's a third party document
++  // since determining if a document is third-party may depend on its
++  // parent document. At the time we call AsyncClassifyInternal
++  // (i.e. StartDocumentLoad) the parent document may not have been
++  // set. As a result, we wait until Resolve() to be called to
++  // take "is third party" into account. At this point, we just assume
++  // it's third-party to include every list.
++  nsAutoCString tables;
++  GetClassificationTables(true, tables);
++
+   if (tables.IsEmpty()) {
+     return FlashClassification::Unknown;
+   }
+ 
+-  nsCOMPtr<nsIURIClassifier> uriClassifier =
+-    do_GetService(NS_URICLASSIFIERSERVICE_CONTRACTID, &rv);
+-  if (NS_FAILED(rv)) {
++  if (!EnsureUriClassifier()) {
+     return FlashClassification::Denied;
+   }
+ 
+-  nsTArray<nsCString> results;
+-  rv = uriClassifier->ClassifyLocalWithTables(classificationURI,
+-                                              tables,
+-                                              results);
++  nsresult rv = aPrincipal->GetURI(getter_AddRefs(mClassificationURI));
++  if (NS_FAILED(rv) || !mClassificationURI) {
++    return FlashClassification::Denied;
++  }
++
++  rv = mUriClassifier->AsyncClassifyLocalWithTables(mClassificationURI,
++                                                    tables,
++                                                    this);
++
+   if (NS_FAILED(rv)) {
+     if (rv == NS_ERROR_MALFORMED_URI) {
+       // This means that the URI had no hostname (ex: file://doc.html). In this
+@@ -13623,24 +13961,7 @@ nsDocument::PrincipalFlashClassification()
+     }
+   }
+ 
+-  if (results.IsEmpty()) {
+-    return FlashClassification::Unknown;
+-  }
+-
+-  if (ArrayContainsTable(results, denyTables) &&
+-      !ArrayContainsTable(results, denyExceptionsTables)) {
+-    return FlashClassification::Denied;
+-  } else if (ArrayContainsTable(results, allowTables) &&
+-             !ArrayContainsTable(results, allowExceptionsTables)) {
+-    return FlashClassification::Allowed;
+-  }
+-
+-  if (isThirdPartyDoc && ArrayContainsTable(results, subDocDenyTables) &&
+-      !ArrayContainsTable(results, subDocDenyExceptionsTables)) {
+-    return FlashClassification::Denied;
+-  }
+-
+-  return FlashClassification::Unknown;
++  return FlashClassification::Unclassified;
+ }
+ 
+ FlashClassification
+diff --git dom/base/nsDocument.h dom/base/nsDocument.h
+index be3d59698b56..5a2938f353a3 100644
+--- dom/base/nsDocument.h
++++ dom/base/nsDocument.h
+@@ -72,6 +72,7 @@
+ #include "CustomElementRegistry.h"
+ #include "mozilla/dom/Performance.h"
+ #include "mozilla/Maybe.h"
++#include "nsIURIClassifier.h"
+ 
+ #define XML_DECLARATION_BITS_DECLARATION_EXISTS   (1 << 0)
+ #define XML_DECLARATION_BITS_ENCODING_EXISTS      (1 << 1)
+@@ -346,6 +347,9 @@ protected:
+   bool mHaveShutDown;
+ };
+ 
++// For classifying a flash document based on its principal.
++class PrincipalFlashClassifier;
++
+ // Base class for our document implementations.
+ class nsDocument : public nsIDocument,
+                    public nsIDOMDocument,
+@@ -1184,6 +1188,7 @@ protected:
+   // non-null when this document is in fullscreen mode.
+   nsWeakPtr mFullscreenRoot;
+ 
++  RefPtr<PrincipalFlashClassifier> mPrincipalFlashClassifier;
+   mozilla::dom::FlashClassification mFlashClassification;
+   // Do not use this value directly. Call the |IsThirdParty()| method, which
+   // caches its result here.
+diff --git toolkit/components/url-classifier/nsUrlClassifierDBService.cpp toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+index 074bfc583b93..6476b8d546f3 100644
+--- toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
++++ toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+@@ -1783,6 +1783,18 @@ nsUrlClassifierDBService::AsyncClassifyLocalWithTables(nsIURI *aURI,
+   MOZ_ASSERT(NS_IsMainThread(), "AsyncClassifyLocalWithTables must be called "
+                                 "on main thread");
+ 
++  // We do this check no matter what process we are in to return
++  // error as early as possible.
++  nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
++  NS_ENSURE_TRUE(uri, NS_ERROR_FAILURE);
++
++  nsAutoCString key;
++  // Canonicalize the url
++  nsCOMPtr<nsIUrlClassifierUtils> utilsService =
++    do_GetService(NS_URLCLASSIFIERUTILS_CONTRACTID);
++  nsresult rv = utilsService->GetKeyForURI(uri, key);
++  NS_ENSURE_SUCCESS(rv, rv);
++
+   if (XRE_IsContentProcess()) {
+     using namespace mozilla::dom;
+     using namespace mozilla::ipc;
+@@ -1815,16 +1827,6 @@ nsUrlClassifierDBService::AsyncClassifyLocalWithTables(nsIURI *aURI,
+   using namespace mozilla::Telemetry;
+   auto startTime = TimeStamp::Now(); // For telemetry.
+ 
+-  nsCOMPtr<nsIURI> uri = NS_GetInnermostURI(aURI);
+-  NS_ENSURE_TRUE(uri, NS_ERROR_FAILURE);
+-
+-  nsAutoCString key;
+-  // Canonicalize the url
+-  nsCOMPtr<nsIUrlClassifierUtils> utilsService =
+-    do_GetService(NS_URLCLASSIFIERUTILS_CONTRACTID);
+-  nsresult rv = utilsService->GetKeyForURI(uri, key);
+-  NS_ENSURE_SUCCESS(rv, rv);
+-
+   auto worker = mWorker;
+   nsCString tables(aTables);
+ 
diff --git a/www/waterfox/files/patch-bug1363038 b/www/waterfox/files/patch-bug1363038
new file mode 100644
index 000000000000..5f8465966d55
--- /dev/null
+++ b/www/waterfox/files/patch-bug1363038
@@ -0,0 +1,68 @@
+commit 9d1887c28c05
+Author: Thomas Nguyen <tnguyen@mozilla.com>
+Date:   Tue Aug 22 14:51:44 2017 +0800
+
+    Bug 1363038 - Remove synchronous dispatch when worker is racing against shutdown r=hchang
+    
+    MozReview-Commit-ID: JOkOukz1fov
+    
+    --HG--
+    extra : rebase_source : 9e4204cebcd4615078019a51818250ff8125efe1
+---
+ .../url-classifier/nsUrlClassifierDBService.cpp     | 21 ++++++++-------------
+ .../url-classifier/nsUrlClassifierDBService.h       |  3 +++
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git toolkit/components/url-classifier/nsUrlClassifierDBService.cpp toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+index 3f7e3c8daaac..074bfc583b93 100644
+--- toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
++++ toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+@@ -1616,12 +1616,6 @@ nsUrlClassifierDBService::Init()
+   ReadTablesFromPrefs();
+   nsresult rv;
+ 
+-  {
+-    // Force PSM loading on main thread
+-    nsCOMPtr<nsICryptoHash> dummy = do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
+-    NS_ENSURE_SUCCESS(rv, rv);
+-  }
+-
+   {
+     // Force nsIUrlClassifierUtils loading on main thread.
+     nsCOMPtr<nsIUrlClassifierUtils> dummy =
+@@ -2278,13 +2272,14 @@ nsUrlClassifierDBService::Shutdown()
+   //    is to avoid racing for Classifier::mUpdateThread
+   //    between main thread and the worker thread. (Both threads
+   //    would access Classifier::mUpdateThread.)
+-  using Worker = nsUrlClassifierDBServiceWorker;
+-  RefPtr<nsIRunnable> r = NewRunnableMethod(
+-    "nsUrlClassifierDBServiceWorker::FlushAndDisableAsyncUpdate",
+-    mWorker,
+-    &Worker::FlushAndDisableAsyncUpdate);
+-  SyncRunnable::DispatchToThread(gDbBackgroundThread, r);
+-
++  if (mWorker->IsDBOpened()) {
++    using Worker = nsUrlClassifierDBServiceWorker;
++    RefPtr<nsIRunnable> r = NewRunnableMethod(
++      "nsUrlClassifierDBServiceWorker::FlushAndDisableAsyncUpdate",
++      mWorker,
++      &Worker::FlushAndDisableAsyncUpdate);
++    SyncRunnable::DispatchToThread(gDbBackgroundThread, r);
++  }
+   // At this point the update thread has been shut down and
+   // the worker thread should only have at most one event,
+   // which is the callback event.
+diff --git toolkit/components/url-classifier/nsUrlClassifierDBService.h toolkit/components/url-classifier/nsUrlClassifierDBService.h
+index 13987b0ed2ee..8d284f5b0842 100644
+--- toolkit/components/url-classifier/nsUrlClassifierDBService.h
++++ toolkit/components/url-classifier/nsUrlClassifierDBService.h
+@@ -227,6 +227,9 @@ public:
+   // will be nulled out in NotifyUpdateObserver.
+   bool IsBusyUpdating() const { return !!mUpdateObserver; }
+ 
++  // Check the DB ready state of the worker thread
++  bool IsDBOpened() const { return !!mClassifier; }
++
+   // Delegate Classifier to disable async update. If there is an
+   // ongoing update on the update thread, we will be blocked until
+   // the background update is done and callback is fired.
diff --git a/www/waterfox/files/patch-bug1385609 b/www/waterfox/files/patch-bug1385609
new file mode 100644
index 000000000000..0fd7ca695a5a
--- /dev/null
+++ b/www/waterfox/files/patch-bug1385609
@@ -0,0 +1,102 @@
+commit dd42019824ed
+Author: Thomas Nguyen <tnguyen@mozilla.com>
+Date:   Wed Aug 30 18:04:10 2017 +0800
+
+    Bug 1385609 - Fix backoff issue that makes SB lists no longer update r=francois
+    
+    The issue occurs when nsITimer is fired earlier than the backoff time. In that
+    case, the update doesn't proceed and we never make another attempt because the
+    backoff update timer was oneshot.
+    
+    We fix the issue in two ways:
+    
+    - Add a tolerance of 1 second in case the timer fires too early.
+    - Set another oneshot timer whenever we are prevented from updating due to
+    backoff.
+    
+    MozReview-Commit-ID: E2ogNRsHJVK
+    
+    --HG--
+    extra : rebase_source : c81fa77934f6c39e1c5d07b19785a01546e02542
+---
+ toolkit/components/url-classifier/nsUrlClassifierLib.js      | 12 +++++++++---
+ .../components/url-classifier/nsUrlClassifierListManager.js  |  5 ++++-
+ toolkit/components/url-classifier/tests/unit/test_backoff.js |  2 +-
+ 3 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git toolkit/components/url-classifier/nsUrlClassifierLib.js toolkit/components/url-classifier/nsUrlClassifierLib.js
+index e2457d85474c..38d1977e4641 100644
+--- toolkit/components/url-classifier/nsUrlClassifierLib.js
++++ toolkit/components/url-classifier/nsUrlClassifierLib.js
+@@ -77,17 +77,20 @@ this.HTTP_TEMPORARY_REDIRECT    = 307;
+  * @param timeoutIncrement Number time (ms) the starting timeout period
+  *     we double this time for consecutive errors
+  * @param maxTimeout Number time (ms) maximum timeout period
++ * @param tolerance Checking next request tolerance.
+  */
+ this.RequestBackoff =
+ function RequestBackoff(maxErrors, retryIncrement,
+                         maxRequests, requestPeriod,
+-                        timeoutIncrement, maxTimeout) {
++                        timeoutIncrement, maxTimeout,
++                        tolerance) {
+   this.MAX_ERRORS_ = maxErrors;
+   this.RETRY_INCREMENT_ = retryIncrement;
+   this.MAX_REQUESTS_ = maxRequests;
+   this.REQUEST_PERIOD_ = requestPeriod;
+   this.TIMEOUT_INCREMENT_ = timeoutIncrement;
+   this.MAX_TIMEOUT_ = maxTimeout;
++  this.TOLERANCE_ = tolerance;
+ 
+   // Queue of ints keeping the time of all requests
+   this.requestTimes_ = [];
+@@ -111,7 +114,9 @@ RequestBackoff.prototype.reset = function() {
+  */
+ RequestBackoff.prototype.canMakeRequest = function() {
+   var now = Date.now();
+-  if (now < this.nextRequestTime_) {
++  // Note that nsITimer delay is approximate: the timer can be fired before the
++  // requested time has elapsed. So, give it a tolerance
++  if (now + this.TOLERANCE_ < this.nextRequestTime_) {
+     return false;
+   }
+ 
+@@ -180,7 +185,8 @@ function RequestBackoffV4(maxRequests, requestPeriod) {
+                   maxRequests /* num requests */,
+                 requestPeriod /* request time, 60 min */,
+               backoffInterval /* backoff interval, 60 min */,
+-          24 * 60 * 60 * 1000 /* max backoff, 24hr */);
++          24 * 60 * 60 * 1000 /* max backoff, 24hr */,
++                         1000 /* tolerance of 1 sec */);
+ }
+ 
+ // Expose this whole component.
+diff --git toolkit/components/url-classifier/nsUrlClassifierListManager.js toolkit/components/url-classifier/nsUrlClassifierListManager.js
+index 1e976b8597b7..5f10933163b6 100644
+--- toolkit/components/url-classifier/nsUrlClassifierListManager.js
++++ toolkit/components/url-classifier/nsUrlClassifierListManager.js
+@@ -236,7 +236,10 @@ PROT_ListManager.prototype.setUpdateCheckTimer = function(updateUrl,
+                                     .createInstance(Ci.nsITimer);
+   this.updateCheckers_[updateUrl].initWithCallback(() => {
+     this.updateCheckers_[updateUrl] = null;
+-    this.checkForUpdates(updateUrl);
++    if (updateUrl && !this.checkForUpdates(updateUrl)) {
++      // Make another attempt later.
++      this.setUpdateCheckTimer(updateUrl, this.updateInterval);
++    }
+   }, delay, Ci.nsITimer.TYPE_ONE_SHOT);
+ }
+ /**
+diff --git toolkit/components/url-classifier/tests/unit/test_backoff.js toolkit/components/url-classifier/tests/unit/test_backoff.js
+index 365568c479e9..205507e83dd6 100644
+--- toolkit/components/url-classifier/tests/unit/test_backoff.js
++++ toolkit/components/url-classifier/tests/unit/test_backoff.js
+@@ -11,7 +11,7 @@ function setNow(time) {
+ function run_test() {
+   // 3 errors, 1ms retry period, max 3 requests per ten milliseconds,
+   // 5ms backoff interval, 19ms max delay
+-  var rb = new jslib.RequestBackoff(3, 1, 3, 10, 5, 19);
++  var rb = new jslib.RequestBackoff(3, 1, 3, 10, 5, 19, 0);
+   setNow(1);
+   rb.noteServerResponse(200);
+   do_check_true(rb.canMakeRequest());
diff --git a/www/waterfox/files/patch-bug1393235 b/www/waterfox/files/patch-bug1393235
new file mode 100644
index 000000000000..c7586334a05d
--- /dev/null
+++ b/www/waterfox/files/patch-bug1393235
@@ -0,0 +1,88 @@
+commit 9398bd6f4378
+Author: Eric Rahm <erahm@mozilla.com>
+Date:   Tue Aug 22 19:30:46 2017 -0700
+
+    Bug 1393235 - Fix improper usages of string functions. r=njn
+    
+    This fixes usages of `Find`, `RFind` and the equality operator that kind of
+    work right now but will break with the proper type checking of a templatized
+    version of the string classes.
+    
+    For `Find` and `RFind` it appears that `nsCString::(R)Find("foo", 0)` calls
+    were being coerced to the `Find(char*, bool, int, int)` versions. The intent was
+    probably to just start searching from position zero.
+    
+    For the equality operator, the type of nullptr is nullptr_t rather than
+    char(16_t)* so we'd need to add an operator overload that takes nullptr_t. In
+    this case just using `IsVoid` is probably more appropriate.
+    
+    --HG--
+    extra : rebase_source : 50f78519084012ca669da0a211c489520c11d6b6
+---
+ docshell/base/nsDefaultURIFixup.cpp              | 2 +-
+ dom/media/gmp/ChromiumCDMChild.cpp               | 2 +-
+ toolkit/components/places/nsNavHistory.cpp       | 2 +-
+ toolkit/components/url-classifier/Classifier.cpp | 4 ++--
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git docshell/base/nsDefaultURIFixup.cpp docshell/base/nsDefaultURIFixup.cpp
+index 77e008b15a17..a1a893b8efb2 100644
+--- docshell/base/nsDefaultURIFixup.cpp
++++ docshell/base/nsDefaultURIFixup.cpp
+@@ -687,7 +687,7 @@ nsDefaultURIFixup::FixupURIProtocol(const nsACString& aURIString,
+   //   no-scheme.com/query?foo=http://www.foo.com
+   //   user:pass@no-scheme.com
+   //
+-  int32_t schemeDelim = uriString.Find("://", 0);
++  int32_t schemeDelim = uriString.Find("://");
+   int32_t firstDelim = uriString.FindCharInSet("/:");
+   if (schemeDelim <= 0 ||
+       (firstDelim != -1 && schemeDelim > firstDelim)) {
+diff --git dom/media/gmp/ChromiumCDMChild.cpp dom/media/gmp/ChromiumCDMChild.cpp
+index e99f913622ab..8dc288b4c57e 100644
+--- dom/media/gmp/ChromiumCDMChild.cpp
++++ dom/media/gmp/ChromiumCDMChild.cpp
+@@ -232,7 +232,7 @@ ChromiumCDMChild::OnResolveNewSessionPromiseInternal(uint32_t aPromiseId,
+     // a session it calls OnResolveNewSessionPromise with nullptr as the sessionId.
+     // We can safely assume this means that we have failed to load a session
+     // as the other methods specify calling 'OnRejectPromise' when they fail.
+-    bool loadSuccessful = aSessionId != nullptr;
++    bool loadSuccessful = !aSessionId.IsEmpty();
+     GMP_LOG("ChromiumCDMChild::OnResolveNewSessionPromise(pid=%u, sid=%s) "
+             "resolving %s load session ",
+             aPromiseId,
+diff --git toolkit/components/places/nsNavHistory.cpp toolkit/components/places/nsNavHistory.cpp
+index 4e52752529fa..0b01d904b2f7 100644
+--- toolkit/components/places/nsNavHistory.cpp
++++ toolkit/components/places/nsNavHistory.cpp
+@@ -1939,7 +1939,7 @@ PlacesSQLQueryBuilder::Where()
+ 
+   // If we used WHERE already, we inject the conditions
+   // in place of {ADDITIONAL_CONDITIONS}
+-  if (mQueryString.Find("{ADDITIONAL_CONDITIONS}", 0) != kNotFound) {
++  if (mQueryString.Find("{ADDITIONAL_CONDITIONS}") != kNotFound) {
+     nsAutoCString innerCondition;
+     // If we have condition AND it
+     if (!mConditions.IsEmpty()) {
+diff --git toolkit/components/url-classifier/Classifier.cpp toolkit/components/url-classifier/Classifier.cpp
+index 500780150a91..68169925d2d0 100644
+--- toolkit/components/url-classifier/Classifier.cpp
++++ toolkit/components/url-classifier/Classifier.cpp
+@@ -992,7 +992,7 @@ Classifier::ScanStoreDir(nsIFile* aDirectory, nsTArray<nsCString>& aTables)
+     // Both v2 and v4 contain .pset file
+     nsCString suffix(NS_LITERAL_CSTRING(".pset"));
+ 
+-    int32_t dot = leafName.RFind(suffix, 0);
++    int32_t dot = leafName.RFind(suffix);
+     if (dot != -1) {
+       leafName.Cut(dot, suffix.Length());
+       aTables.AppendElement(leafName);
+@@ -1582,7 +1582,7 @@ Classifier::LoadMetadata(nsIFile* aDirectory, nsACString& aResult)
+     rv = file->GetNativeLeafName(tableName);
+     NS_ENSURE_SUCCESS(rv, rv);
+ 
+-    int32_t dot = tableName.RFind(METADATA_SUFFIX, 0);
++    int32_t dot = tableName.RFind(METADATA_SUFFIX);
+     if (dot == -1) {
+       continue;
+     }
diff --git a/www/waterfox/files/patch-bug1394601 b/www/waterfox/files/patch-bug1394601
new file mode 100644
index 000000000000..582385d1f60c
--- /dev/null
+++ b/www/waterfox/files/patch-bug1394601
@@ -0,0 +1,26 @@
+commit 99cb2b5a1879
+Author: Francois Marier <francois@mozilla.com>
+Date:   Mon Aug 28 17:06:00 2017 -0700
+
+    Bug 1394601 - Log an error when the Google API key is missing during Safe Browsing initialization. r=gcp
+    
+    MozReview-Commit-ID: DNwa9lR0J6K
+    
+    --HG--
+    extra : rebase_source : 0a547c0cf88e1ed09268cbb810abaaca09e98531
+---
+ toolkit/components/url-classifier/SafeBrowsing.jsm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git toolkit/components/url-classifier/SafeBrowsing.jsm toolkit/components/url-classifier/SafeBrowsing.jsm
+index 051432393539..32cab18c187f 100644
+--- toolkit/components/url-classifier/SafeBrowsing.jsm
++++ toolkit/components/url-classifier/SafeBrowsing.jsm
+@@ -343,6 +343,7 @@ this.SafeBrowsing = {
+       let googleKey = Services.urlFormatter.formatURL("%GOOGLE_API_KEY%").trim();
+       if ((provider == "google" || provider == "google4") &&
+           (!googleKey || googleKey == "no-google-api-key")) {
++        log("Missing Google API key, clearing updateURL and gethashURL.");
+         updateURL= "";
+         gethashURL= "";
+       }
diff --git a/www/waterfox/files/patch-bug1426869 b/www/waterfox/files/patch-bug1426869
new file mode 100644
index 000000000000..6a2327cdfb3c
--- /dev/null
+++ b/www/waterfox/files/patch-bug1426869
@@ -0,0 +1,25 @@
+commit 65d845f891a3
+Author: Jet Villegas <jvillegas@mozilla.com>
+Date:   Tue Jan 9 08:00:00 2018 +0200
+
+    Bug 1426869 - td.contenteditable=true focus breaks text selection. r=masayuki, a=RyanVM
+    
+    --HG--
+    extra : source : b3118b4fae1372c3aa57caf4b16af9834ce46539
+    extra : amend_source : 1187aa7d3d760aa60b974b874968aea4d0e09eea
+---
+ layout/generic/nsFrameSelection.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git layout/generic/nsFrameSelection.cpp layout/generic/nsFrameSelection.cpp
+index c483622e1ffb..a60d69bf79e0 100644
+--- layout/generic/nsFrameSelection.cpp
++++ layout/generic/nsFrameSelection.cpp
+@@ -1403,6 +1403,7 @@ nsFrameSelection::TakeFocus(nsIContent*        aNewFocus,
+ 
+     NS_ENSURE_STATE(mShell);
+     bool editableCell = false;
++    mCellParent = nullptr;
+     RefPtr<nsPresContext> context = mShell->GetPresContext();
+     if (context) {
+       RefPtr<HTMLEditor> htmlEditor = nsContentUtils::GetHTMLEditor(context);
diff --git a/www/waterfox/files/patch-bug1427118 b/www/waterfox/files/patch-bug1427118
new file mode 100644
index 000000000000..81203ab48c94
--- /dev/null
+++ b/www/waterfox/files/patch-bug1427118
@@ -0,0 +1,84 @@
+commit 85ac1989f1c2
+Author: Lee Salzman <lsalzman@mozilla.com>
+Date:   Mon Feb 19 21:19:53 2018 -0500
+
+    Bug 1427118 - Make RecordedFontData use fallible allocations. r=milan, a=RyanVM
+    
+    MozReview-Commit-ID: 3YzhOyXvrv
+    
+    --HG--
+    extra : source : a35fe8a4a82de45e10627b6fc760dd13d5df64a8
+---
+ gfx/2d/RecordedEventImpl.h | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git gfx/2d/RecordedEventImpl.h gfx/2d/RecordedEventImpl.h
+index bc1cec648302..0e8efb032cdf 100644
+--- gfx/2d/RecordedEventImpl.h
++++ gfx/2d/RecordedEventImpl.h
+@@ -913,7 +913,7 @@ public:
+     , mType(aUnscaledFont->GetType())
+     , mData(nullptr)
+   {
+-    mGetFontFileDataSucceeded = aUnscaledFont->GetFontFileData(&FontDataProc, this);
++    mGetFontFileDataSucceeded = aUnscaledFont->GetFontFileData(&FontDataProc, this) && mData;
+   }
+ 
+   ~RecordedFontData();
+@@ -2518,11 +2518,12 @@ RecordedSourceSurfaceCreation::RecordedSourceSurfaceCreation(S &aStream)
+   ReadElement(aStream, mRefPtr);
+   ReadElement(aStream, mSize);
+   ReadElement(aStream, mFormat);
+-  mData = (uint8_t*)new (fallible) char[mSize.width * mSize.height * BytesPerPixel(mFormat)];
++  size_t size = mSize.width * mSize.height * BytesPerPixel(mFormat);
++  mData = new (fallible) uint8_t[size];
+   if (!mData) {
+-    gfxWarning() << "RecordedSourceSurfaceCreation failed to allocate data";
++    gfxCriticalNote << "RecordedSourceSurfaceCreation failed to allocate data of size " << size;
+   } else {
+-    aStream.read((char*)mData, mSize.width * mSize.height * BytesPerPixel(mFormat));
++    aStream.read((char*)mData, size);
+   }
+ }
+ 
+@@ -2767,6 +2768,10 @@ RecordedFontData::~RecordedFontData()
+ inline bool
+ RecordedFontData::PlayEvent(Translator *aTranslator) const
+ {
++  if (!mData) {
++    return false;
++  }
++
+   RefPtr<NativeFontResource> fontResource =
+     Factory::CreateNativeFontResource(mData, mFontDetails.size,
+                                       aTranslator->GetReferenceDrawTarget()->GetBackendType(),
+@@ -2800,8 +2805,12 @@ RecordedFontData::OutputSimpleEventInfo(std::stringstream &aStringStream) const
+ inline void
+ RecordedFontData::SetFontData(const uint8_t *aData, uint32_t aSize, uint32_t aIndex)
+ {
+-  mData = new uint8_t[aSize];
+-  memcpy(mData, aData, aSize);
++  mData = new (fallible) uint8_t[aSize];
++  if (!mData) {
++    gfxCriticalNote << "RecordedFontData failed to allocate data for recording of size " << aSize;
++  } else {
++    memcpy(mData, aData, aSize);
++  }
+   mFontDetails.fontDataKey =
+     SFNTData::GetUniqueKey(aData, aSize, 0, nullptr);
+   mFontDetails.size = aSize;
+@@ -2830,8 +2839,12 @@ RecordedFontData::RecordedFontData(S &aStream)
+   ReadElement(aStream, mType);
+   ReadElement(aStream, mFontDetails.fontDataKey);
+   ReadElement(aStream, mFontDetails.size);
+-  mData = new uint8_t[mFontDetails.size];
+-  aStream.read((char*)mData, mFontDetails.size);
++  mData = new (fallible) uint8_t[mFontDetails.size];
++  if (!mData) {
++    gfxCriticalNote << "RecordedFontData failed to allocate data for playback of size " << mFontDetails.size;
++  } else {
++    aStream.read((char*)mData, mFontDetails.size);
++  }
+ }
+ 
+ inline
diff --git a/www/waterfox/files/patch-bug1435859 b/www/waterfox/files/patch-bug1435859
new file mode 100644
index 000000000000..bf87b95869e9
--- /dev/null
+++ b/www/waterfox/files/patch-bug1435859
@@ -0,0 +1,38 @@
+commit 58a5fb56c33a
+Author: Francois Marier <francois@mozilla.com>
+Date:   Thu Feb 15 12:30:40 2018 -0800
+
+    Bug 1435859 - Fix OOM crash on filenames without extensions. r=gcp, a=RyanVM
+    
+    Passing a value of -1 to nsCString::Truncate() converts that
+    value to a large integer and leads to an unnecessary 4GB
+    memory allocation.
+    
+    MozReview-Commit-ID: Icm5iUsEgA6
+    
+    --HG--
+    extra : source : d418ce8a05644edb16f317c13fc1c8cd2b6c3c2f
+---
+ toolkit/components/url-classifier/Classifier.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git toolkit/components/url-classifier/Classifier.cpp toolkit/components/url-classifier/Classifier.cpp
+index 9946469268fa..d5ba67fe300a 100644
+--- toolkit/components/url-classifier/Classifier.cpp
++++ toolkit/components/url-classifier/Classifier.cpp
+@@ -359,8 +359,13 @@ Classifier::DeleteTables(nsIFile* aDirectory, const nsTArray<nsCString>& aTables
+     rv = file->GetNativeLeafName(leafName);
+     NS_ENSURE_SUCCESS_VOID(rv);
+ 
+-    leafName.Truncate(leafName.RFind("."));
+-    if (aTables.Contains(leafName)) {
++    // Remove file extension if there's one.
++    int32_t dotPosition = leafName.RFind(".");
++    if (dotPosition >= 0) {
++      leafName.Truncate(dotPosition);
++    }
++
++    if (!leafName.IsEmpty() && aTables.Contains(leafName)) {
+       if (NS_FAILED(file->Remove(false))) {
+         NS_WARNING(nsPrintfCString("Fail to remove file %s from the disk",
+                                    leafName.get()).get());
diff --git a/www/waterfox/files/patch-bug1437507 b/www/waterfox/files/patch-bug1437507
new file mode 100644
index 000000000000..49defedde158
--- /dev/null
+++ b/www/waterfox/files/patch-bug1437507
@@ -0,0 +1,38 @@
+commit 4286f0e17d94
+Author: Brian Hackett <bhackett1024@gmail.com>
+Date:   Fri Feb 23 13:25:53 2018 -0500
+
+    Bug 1437507 - Fix JSObject::setFlags to call ensureShape before checking for dictionary mode. r=jandem, a=RyanVM
+    
+    --HG--
+    extra : source : ca6b74831ec3db204e024b07f200b0d1ce93557e
+---
+ js/src/vm/Shape.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git js/src/vm/Shape.cpp js/src/vm/Shape.cpp
+index 3ea96877b5f2..51eff27e0d1a 100644
+--- js/src/vm/Shape.cpp
++++ js/src/vm/Shape.cpp
+@@ -1329,6 +1329,10 @@ JSObject::setFlags(JSContext* cx, HandleObject obj, BaseShape::Flag flags,
+     if (obj->hasAllFlags(flags))
+         return true;
+ 
++    Shape* existingShape = obj->ensureShape(cx);
++    if (!existingShape)
++        return false;
++
+     if (obj->isNative() && obj->as<NativeObject>().inDictionaryMode()) {
+         if (generateShape == GENERATE_SHAPE) {
+             if (!NativeObject::generateOwnShape(cx, obj.as<NativeObject>()))
+@@ -1344,10 +1348,6 @@ JSObject::setFlags(JSContext* cx, HandleObject obj, BaseShape::Flag flags,
+         return true;
+     }
+ 
+-    Shape* existingShape = obj->ensureShape(cx);
+-    if (!existingShape)
+-        return false;
+-
+     Shape* newShape = Shape::setObjectFlags(cx, flags, obj->taggedProto(), existingShape);
+     if (!newShape)
+         return false;
diff --git a/www/waterfox/files/patch-revert-bug1393954 b/www/waterfox/files/patch-revert-bug1393954
new file mode 100644
index 000000000000..e6200b000c49
--- /dev/null
+++ b/www/waterfox/files/patch-revert-bug1393954
@@ -0,0 +1,36 @@
+Safe Browsing V2 is deprecated, switch to V4 by reverting FF56-only fix
+
+diff --git browser/app/profile/firefox.js browser/app/profile/firefox.js
+index 276ed7dd30bb..b22d17c999a5 100644
+--- browser/app/profile/firefox.js
++++ browser/app/profile/firefox.js
+@@ -1709,6 +1709,14 @@
+ // Whether or not to restore a session with lazy-browser tabs.
+ pref("browser.sessionstore.restore_tabs_lazily", true);
+ 
++// Enable safebrowsing v4 tables (suffixed by "-proto") update.
++pref("urlclassifier.malwareTable", "goog-malware-proto,goog-unwanted-proto,test-malware-simple,test-unwanted-simple");
++#ifdef MOZILLA_OFFICIAL
++pref("urlclassifier.phishTable", "goog-phish-proto,test-phish-simple");
++#else
++pref("urlclassifier.phishTable", "googpub-phish-proto,test-phish-simple");
++#endif
++
+ pref("browser.suppress_first_window_animation", true);
+ 
+ // Preferences for Photon onboarding system extension
+diff --git modules/libpref/init/all.js modules/libpref/init/all.js
+index 5c0d1a999ff8..d95b0bcfc79e 100644
+--- modules/libpref/init/all.js
++++ modules/libpref/init/all.js
+@@ -5331,8 +5331,8 @@
+ #endif
+ 
+ // Tables for application reputation.
+-pref("urlclassifier.downloadAllowTable", "goog-downloadwhite-digest256");
+-pref("urlclassifier.downloadBlockTable", "goog-badbinurl-shavar");
++pref("urlclassifier.downloadAllowTable", "goog-downloadwhite-proto");
++pref("urlclassifier.downloadBlockTable", "goog-badbinurl-proto");
+ 
+ pref("urlclassifier.disallow_completions", "test-malware-simple,test-phish-simple,test-unwanted-simple,test-track-simple,test-trackwhite-simple,test-block-simple,goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,except-flashinfobar-digest256");
+