Security and patch rollup for FPR3 from ESR52

[classilla]

Through 52dc0f52595d

Not relevant:
M1373222 (not in code)
M1390002 (appears to be Windows-only, we have different code also)

Not taking:
M1379539 (we don't care)

Deferred:
M1387918 https://hg.mozilla.org/releases/mozilla-esr52/rev/32eec29a85a5 This depends on an earlier deferral and we may not actually be vulnerable in the shipped configuration.

Candidates:
M1380824 https://hg.mozilla.org/releases/mozilla-esr52/rev/fbddb5cdd3c7 (to nsEditor.cpp)
https://bugzilla.mozilla.org/show_bug.cgi?id=1390550 (we might simply take the entire updated library from ESR52 directly, or we could just use the changes in the commit if that doesn't work)
M1390980 https://hg.mozilla.org/releases/mozilla-esr52/rev/e45e21461784 (modified for ATSUI, of course)
M1376036 https://hg.mozilla.org/releases/mozilla-esr52/rev/68a444daf85b sec-moderate, but probably a good idea, and we seem to support what is necessary
M1376825 https://hg.mozilla.org/releases/mozilla-esr52/rev/eeeec9cafc4e we are probably not actually affected, but it won't hurt
M1385272 https://hg.mozilla.org/releases/mozilla-esr52/rev/d68fa12fbffc

[classilla]

Through eaadb31758d8

Not relevant:
M1379536 (already working in our version)
M1279171 (Windows-specific)
M1393467 (we don't use Skia and it sucks and you suck and everything that uses it sucks)
M1377618 (not vulnerable)
M1376399 (Windows-specific)
M1360334 (apparently only in a configuration we don't ship, and code isn't present anyway)

Not taking:
M1386787 (we don't ship IPC, and this cannot be exploited without it)
M1379540 (we don't care)
M1384308 (we don't care)
M1388611 (no migration path supported and we don't implement bug 1122124)
M1379540 (we don't care)
remainder of M1389974 (we don't care, no plugins)

Deferred:
M1396320 (only if we expand CSP -- currently this regression does not exist)

Candidates:
M1371657 https://hg.mozilla.org/releases/mozilla-esr52/rev/ae110cf77596
M1393624 https://hg.mozilla.org/releases/mozilla-esr52/rev/db3e2bfb7aa7
M1386905 https://hg.mozilla.org/releases/mozilla-esr52/rev/badbf4308211
M1395598 https://hg.mozilla.org/releases/mozilla-esr52/rev/d78675515c78 though this is probably next to impossible to exploit on our old version
M1384801 https://hg.mozilla.org/releases/mozilla-esr52/rev/9556e792f905 though this code probably can't ever execute in our default configuration
M1396570 https://hg.mozilla.org/releases/mozilla-esr52/rev/24db61862c54 (JS/XPConnect)
M1380292 https://hg.mozilla.org/releases/mozilla-esr52/rev/1a02f11c6efe
M1389974 https://hg.mozilla.org/releases/mozilla-esr52/rev/eaadb31758d8 (JS changes only)

[classilla]

Through 955c244a6bfd

Not relevant:
M1394024 (Windows only)

Not taking:
M1400721 (we don't use Skia or FreeType)

Deferred:
https://bugzilla.mozilla.org/show_bug.cgi?id=1371889 this is way too risky for an incompletely implemented feature (in 45), and it's not clear how exploitable we are in the default configuration.

Candidates:
M1368269 https://hg.mozilla.org/releases/mozilla-esr52/rev/0cff5e66e0f4
M1400399 https://hg.mozilla.org/releases/mozilla-esr52/rev/d6f78b1349b7