Merge mozilla-inbound to mozilla-central. a=merge
authorCosmin Sabou <csabou@mozilla.com>
Wed, 05 Dec 2018 12:19:43 +0200
changeset 449406 caae48e4e6cf4477e11b6464bccdd5ba679ae31a
parent 449378 f1f136ea674c759c22ad7c13b547ca08bd25b147 (current diff)
parent 449405 e4e9bf768be8ed3da736584a2b2ca7d178d026ad (diff)
child 449407 180915caefbb15c6d28591718b494007c8651021
child 449420 49a3abc14837005b7e77b0b280f406af0d06a139
push id74260
push usercsabou@mozilla.com
push dateWed, 05 Dec 2018 10:21:18 +0000
reviewersmerge
milestone65.0a1
first release with
nightly linux32
caae48e4e6cf / 65.0a1 / 20181205102000 / files
nightly linux64
caae48e4e6cf / 65.0a1 / 20181205102000 / files
nightly mac
caae48e4e6cf / 65.0a1 / 20181205102000 / files
nightly win32
caae48e4e6cf / 65.0a1 / 20181205102000 / files
nightly win64
caae48e4e6cf / 65.0a1 / 20181205102000 / files
Merge mozilla-inbound to mozilla-central. a=merge
browser/actors/NetErrorChild.jsm
taskcluster/docs/attributes.rst
--- a/browser/actors/NetErrorChild.jsm
+++ b/browser/actors/NetErrorChild.jsm
@@ -21,16 +21,18 @@ XPCOMUtils.defineLazyGlobalGetters(this,
 XPCOMUtils.defineLazyGetter(this, "gPipNSSBundle", function() {
   return Services.strings.createBundle("chrome://pipnss/locale/pipnss.properties");
 });
 XPCOMUtils.defineLazyGetter(this, "gBrandBundle", function() {
   return Services.strings.createBundle("chrome://branding/locale/brand.properties");
 });
 XPCOMUtils.defineLazyPreferenceGetter(this, "newErrorPagesEnabled",
   "browser.security.newcerterrorpage.enabled");
+XPCOMUtils.defineLazyPreferenceGetter(this, "mitmErrorPageEnabled",
+  "browser.security.newcerterrorpage.mitm.enabled");
 XPCOMUtils.defineLazyGetter(this, "gNSSErrorsBundle", function() {
   return Services.strings.createBundle("chrome://pipnss/locale/nsserrors.properties");
 });
 
 
 const SEC_ERROR_BASE          = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
 const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
 
@@ -119,18 +121,28 @@ class NetErrorChild extends ActorChild {
     }
 
     let msg1 = gPipNSSBundle.formatStringFromName("certErrorIntro",
                                                   [hostString], 1);
     msg1 += "\n\n";
 
     if (input.data.certIsUntrusted) {
       switch (input.data.code) {
-        // We only want to measure MitM rates for now. Treat it as unkown issuer.
         case MOZILLA_PKIX_ERROR_MITM_DETECTED:
+          if (newErrorPagesEnabled && mitmErrorPageEnabled) {
+            let brandName = gBrandBundle.GetStringFromName("brandShortName");
+            msg1 = gPipNSSBundle.GetStringFromName("certErrorMitM");
+            msg1 += "\n\n";
+            msg1 += gPipNSSBundle.formatStringFromName("certErrorMitM2", [brandName], 1);
+            msg1 += "\n\n";
+            msg1 += gPipNSSBundle.formatStringFromName("certErrorMitM3", [brandName], 1);
+            msg1 += "\n";
+            break;
+          }
+          // If the condition is false, fall through...
         case SEC_ERROR_UNKNOWN_ISSUER:
           let brandName = gBrandBundle.GetStringFromName("brandShortName");
           if (newErrorPagesEnabled) {
             msg1 = "";
             msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_UnknownIssuer4", [hostString], 1);
             msg1 += "\n\n";
             msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_UnknownIssuer6", [brandName, hostString], 2);
             msg1 += "\n\n";
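Review bot: The gate `newErrorPagesEnabled && mitmErrorPageEnabled` on `case MOZILLA_PKIX_ERROR_MITM_DETECTED:` is written out here and again in the later MitM hunk of this file, so the message text and the page layout can drift apart if only one copy is edited. A single shared getter or small helper for the combined condition would keep them in step. The block-scoped `let brandName` inside the `if` also shadows the `let brandName` declared by the next case in the same switch; reading `brandShortName` once above the `switch` would remove the duplicate lookup and the shadowing. The enclosing method starts and ends outside this hunk.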
@@ -405,16 +417,49 @@ class NetErrorChild extends ActorChild {
           gPipNSSBundle.GetStringFromName("certErrorSymantecDistrustAdministrator");
         descriptionContainer.append(adminDescription);
 
         learnMoreLink.href = baseURL + "symantec-warning";
 
         updateContainerPosition();
         break;
       case MOZILLA_PKIX_ERROR_MITM_DETECTED:
+        if (newErrorPagesEnabled && mitmErrorPageEnabled) {
+          // We don't actually know what the MitM is called (since we don't
+          // maintain a list), so we'll try and display the common name of the
+          // root issuer to the user. In the worst case they are as clueless as
+          // before, in the best case this gives them an actionable hint.
+          // This may be revised in the future.
+          let {securityInfo} = docShell.failedChannel;
+          securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
+          let mitmName = null;
+          for (let cert of securityInfo.failedCertChain.getEnumerator()) {
+            mitmName = cert.issuerCommonName;
+          }
+          for (let span of doc.querySelectorAll(".mitm-name")) {
+            span.textContent = mitmName;
+          }
+
+          learnMoreLink.href = baseURL + "security-error";
+
+          let title = doc.getElementById("et_mitm");
+          let desc = doc.getElementById("ed_mitm");
+          doc.querySelector(".title-text").textContent = title.textContent;
+          // eslint-disable-next-line no-unsanitized/property
+          doc.getElementById("errorShortDescText").innerHTML = desc.innerHTML;
+
+          // eslint-disable-next-line no-unsanitized/property
+          es.innerHTML = errWhatToDo.innerHTML;
+          // eslint-disable-next-line no-unsanitized/property
+          est.innerHTML = errWhatToDoTitle.innerHTML;
+
+          updateContainerPosition();
+          break;
+        }
+        // If the condition is false, fall through...
       case MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT:
         learnMoreLink.href = baseURL + "security-error";
         break;
 
       // In case the certificate expired we make sure the system clock
       // matches the remote-settings service (blocklist via Kinto) ping time
       // and is not before the build date.
       case SEC_ERROR_EXPIRED_CERTIFICATE:
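Review bot: `mitmName` stays `null` when the chain yields no certificate or the last issuer has no common name, and every `.mitm-name` span is then left empty, so the page reads "This issue is caused by , which is…". The loop also calls `securityInfo.failedCertChain.getEnumerator()` without checking that `failedCertChain` is present, which I cannot confirm from this hunk. I would guard the loop with `if (securityInfo.failedCertChain)` and only take the MitM branch when a name was found, otherwise falling through to the `MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT` handling. The name is read from the untrusted certificate chain, so keep assigning it through `textContent` as done here and say so in a comment beside the three `no-unsanitized/property` suppressions. The enclosing method begins and ends outside the hunk.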
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -951,18 +951,20 @@ pref("app.feedback.baseURL", "https://in
 pref("app.productInfo.baseURL", "https://www.mozilla.org/firefox/features/");
 
 // Name of alternate about: page for certificate errors (when undefined, defaults to about:neterror)
 pref("security.alternate_certificate_error_page", "certerror");
 
 // Enable the new certificate error pages.
 #ifdef EARLY_BETA_OR_EARLIER
 pref("browser.security.newcerterrorpage.enabled", true);
+pref("browser.security.newcerterrorpage.mitm.enabled", true);
 #else
 pref("browser.security.newcerterrorpage.enabled", false);
+pref("browser.security.newcerterrorpage.mitm.enabled", false);
 #endif
 
 pref("security.certerrors.recordEventTelemetry", true);
 
 // Whether to start the private browsing mode at application startup
 pref("browser.privatebrowsing.autostart", false);
 
 // Whether the bookmark panel should be shown when bookmarking a page.
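Review bot: The new `browser.security.newcerterrorpage.mitm.enabled` pref is added without a comment, and nothing here says that it has no effect unless `browser.security.newcerterrorpage.enabled` is also true (NetErrorChild.jsm tests both in this commit). I would add `// Enable the MitM-specific certificate error page; only honoured when browser.security.newcerterrorpage.enabled is also true.` directly under the existing "Enable the new certificate error pages." comment.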
--- a/browser/base/content/aboutNetError-new.xhtml
+++ b/browser/base/content/aboutNetError-new.xhtml
@@ -63,16 +63,17 @@
         <h1 id="et_nssBadCert">&certerror.longpagetitle2;</h1>
         <h1 id="et_nssBadCert_sts">&certerror.sts.longpagetitle;</h1>
         <h1 id="et_cspBlocked">&cspBlocked.title;</h1>
         <h1 id="et_remoteXUL">&remoteXUL.title;</h1>
         <h1 id="et_corruptedContentErrorv2">&corruptedContentErrorv2.title;</h1>
         <h1 id="et_sslv3Used">&sslv3Used.title;</h1>
         <h1 id="et_inadequateSecurityError">&inadequateSecurityError.title;</h1>
         <h1 id="et_blockedByPolicy">&blockedByPolicy.title;</h1>
+        <h1 id="et_mitm">&certerror.mitm.title;</h1>
         <h1 id="et_clockSkewError">&clockSkewError.title;</h1>
         <h1 id="et_networkProtocolError">&networkProtocolError.title;</h1>
       </div>
       <div id="errorDescriptionsContainer">
         <div id="ed_generic">&generic.longDesc;</div>
         <div id="ed_captivePortal">&captivePortal.longDesc2;</div>
         <div id="ed_dnsNotFound">&dnsNotFound.longDesc1;</div>
         <div id="ed_fileNotFound">&fileNotFound.longDesc;</div>
@@ -91,16 +92,17 @@
         <div id="ed_proxyResolveFailure">&proxyResolveFailure.longDesc;</div>
         <div id="ed_proxyConnectFailure">&proxyConnectFailure.longDesc;</div>
         <div id="ed_contentEncodingError">&contentEncodingError.longDesc;</div>
         <div id="ed_unsafeContentType">&unsafeContentType.longDesc;</div>
         <div id="ed_nssFailure2">&nssFailure2.longDesc2;</div>
         <div id="ed_nssBadCert">&certerror.introPara2;</div>
         <div id="ed_nssBadCert_sts">&certerror.sts.introPara;</div>
         <div id="ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.introPara;</div>
+        <div id="ed_mitm">&certerror.mitm.longDesc;</div>
         <div id="ed_cspBlocked">&cspBlocked.longDesc;</div>
         <div id="ed_remoteXUL">&remoteXUL.longDesc;</div>
         <div id="ed_corruptedContentErrorv2">&corruptedContentErrorv2.longDesc;</div>
         <div id="ed_sslv3Used">&sslv3Used.longDesc2;</div>
         <div id="ed_inadequateSecurityError">&inadequateSecurityError.longDesc;</div>
         <div id="ed_blockedByPolicy"></div>
         <div id="ed_clockSkewError">&clockSkewError.longDesc;</div>
         <div id="ed_networkProtocolError">&networkProtocolError.longDesc;</div>
@@ -114,21 +116,29 @@
       </div>
       <div id="whatCanYouDoAboutItContainer">
         <div id="es_nssBadCert_SEC_ERROR_UNKNOWN_ISSUER">&certerror.unknownIssuer.whatCanYouDoAboutIt;</div>
         <div id="es_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
         <div id="es_nssBadCert_SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
         <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
         <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE">&certerror.expiredCert.whatCanYouDoAboutIt2;</div>
         <div id="es_nssBadCert_SSL_ERROR_BAD_CERT_DOMAIN">&certerror.badCertDomain.whatCanYouDoAboutIt;</div>
+        <div id="es_nssBadCert_MOZILLA_PKIX_ERROR_MITM_DETECTED">
+          <ul>
+            <li>&certerror.mitm.whatCanYouDoAboutIt1;</li>
+            <li>&certerror.mitm.whatCanYouDoAboutIt2;</li>
+            <li id="mitmWhatCanYouDoAboutIt3">&certerror.mitm.whatCanYouDoAboutIt3;</li>
+          </ul>
+        </div>
       </div>
       <!-- Stores an alternative text for when we don't want to add "Recommended" to the
            return button. This is one of many l10n atrocities in this file and should be
            removed when we finally switch to Fluent. -->
       <span id="stsReturnButtonText">&returnToPreviousPage.label;</span>
+      <span id="stsMitmWhatCanYouDoAboutIt3">&certerror.mitm.sts.whatCanYouDoAboutIt3;</span>
     </div>
 
     <!-- PAGE CONTAINER (for styling purposes only) -->
     <div id="errorPageContainer" class="container">
       <div id="text-container">
         <!-- Error Title -->
         <div class="title">
           <h1 class="title-text"/>
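Review bot: The added `stsMitmWhatCanYouDoAboutIt3` span sits under a comment that only describes the return-button text, so its purpose is undocumented. I would extend that comment with a sentence such as `Also stores the HSTS variant of the third MitM suggestion, which aboutNetError.js swaps into #mitmWhatCanYouDoAboutIt3.` so the two hidden spans are not read as serving the same purpose.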
--- a/browser/base/content/aboutNetError.js
+++ b/browser/base/content/aboutNetError.js
@@ -129,16 +129,21 @@ function disallowCertOverridesIfNeeded()
   }
   if (cssClass == "badStsCert") {
     document.getElementById("badStsCertExplanation").removeAttribute("hidden");
 
     if (gNewErrorPagesEnabled) {
       let stsReturnButtonText = document.getElementById("stsReturnButtonText").textContent;
       document.getElementById("returnButton").textContent = stsReturnButtonText;
       document.getElementById("advancedPanelReturnButton").textContent = stsReturnButtonText;
+
+      let stsMitmWhatCanYouDoAboutIt3 =
+        document.getElementById("stsMitmWhatCanYouDoAboutIt3").innerHTML;
+      // eslint-disable-next-line no-unsanitized/property
+      document.getElementById("mitmWhatCanYouDoAboutIt3").innerHTML = stsMitmWhatCanYouDoAboutIt3;
     }
   }
 }
 
 function initPage() {
   var err = getErrorCode();
   // List of error pages with an illustration.
   let illustratedErrors = [
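Review bot: The `innerHTML` swap into `mitmWhatCanYouDoAboutIt3` relies on an ordering the code does not state. The copied markup carries its own `.mitm-name` span, while NetErrorChild.jsm fills those spans and copies the what-to-do markup in a separate step. If this swap runs after that step, the visible list may keep the non-STS wording or show an empty name; I cannot confirm the order from the hunk. A comment recording the required order and why the lint suppression is acceptable would help, e.g. `// Source is static localized markup; the issuer name inside it is set via textContent, so serialization escapes it.` The function starts outside the hunk.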
--- a/browser/base/content/test/static/browser_misused_characters_in_strings.js
+++ b/browser/base/content/test/static/browser_misused_characters_in_strings.js
@@ -44,16 +44,28 @@ let gWhitelist = [{
     file: "netError.dtd",
     key: "certerror.wrongSystemTimeWithoutReference",
     type: "single-quote",
   }, {
     file: "netError.dtd",
     key: "clockSkewError.longDesc",
     type: "single-quote",
   }, {
+    file: "netError.dtd",
+    key: "certerror.mitm.longDesc",
+    type: "single-quote",
+  }, {
+    file: "netError.dtd",
+    key: "certerror.mitm.whatCanYouDoAboutIt3",
+    type: "single-quote",
+  }, {
+    file: "netError.dtd",
+    key: "certerror.mitm.sts.whatCanYouDoAboutIt3",
+    type: "single-quote",
+  }, {
     file: "phishing-afterload-warning-message.dtd",
     key: "safeb.palm.advisory.desc2",
     type: "single-quote",
   }, {
     file: "phishing-afterload-warning-message.dtd",
     key: "safeb.blocked.malwarePage.errorDesc.override",
     type: "single-quote",
   }, {
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@@ -229,16 +229,23 @@ certificate.">
 
 <!ENTITY inadequateSecurityError.title "Your connection is not secure">
 <!-- LOCALIZATION NOTE (inadequateSecurityError.longDesc) - Do not translate
      "NS_ERROR_NET_INADEQUATE_SECURITY". -->
 <!ENTITY inadequateSecurityError.longDesc "<p><span class='hostname'></span> uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.</p><p>Error code: NS_ERROR_NET_INADEQUATE_SECURITY</p>">
 
 <!ENTITY blockedByPolicy.title "Blocked Page">
 
+<!ENTITY certerror.mitm.title "Software is Preventing &brandShortName; From Safely Connecting to This Site">
+<!ENTITY certerror.mitm.longDesc "<span class='hostname'></span> is most likely a safe site, but a secure connection could not be established. This issue is caused by <span class='mitm-name'/>, which is either software on your computer or your network.">
+<!ENTITY certerror.mitm.whatCanYouDoAboutIt1 "If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can disable that feature. If that doesn’t work, you can remove and reinstall the antivirus software.">
+<!ENTITY certerror.mitm.whatCanYouDoAboutIt2 "If you are on a corporate network, you can contact your IT department.">
+<!ENTITY certerror.mitm.whatCanYouDoAboutIt3 "If you are not familiar with <span class='mitm-name'/>, then this could be an attack and you should not continue to the site.">
+<!ENTITY certerror.mitm.sts.whatCanYouDoAboutIt3 "If you are not familiar with <span class='mitm-name'/>, then this could be an attack, and there is nothing you can do to access the site.">
+
 <!ENTITY clockSkewError.title "Your Computer Clock is Wrong">
 <!ENTITY clockSkewError.longDesc "Your computer thinks it is <span id='wrongSystemTime_systemDate1'/>, which prevents &brandShortName; from connecting securely. To visit <span class='hostname'></span>, update your computer clock in your system settings to the current date, time, and time zone, and then refresh <span class='hostname'></span>.">
 
 <!ENTITY prefReset.longDesc "It looks like your network security settings might be causing this. Do you want the default settings to be restored?">
 <!ENTITY prefReset.label "Restore default settings">
 
 <!ENTITY networkProtocolError.title "Network Protocol Error">
 <!ENTITY networkProtocolError.longDesc "<p>The page you are trying to view cannot be shown because an error in the network protocol was detected.</p><ul><li>Please contact the website owners to inform them of this problem.</li></ul>">
--- a/browser/themes/shared/aboutNetError-new.css
+++ b/browser/themes/shared/aboutNetError-new.css
@@ -140,17 +140,18 @@ body:not(:-moz-any(.clockSkewError,.badS
   flex-direction: row;
   flex-wrap: wrap;
   justify-content: space-between;
   align-content: space-between;
   align-items: flex-start;
   margin-top: 1em;
 }
 
-span#hostname {
+.mitm-name,
+#hostname {
   font-weight: bold;
 }
 
 #automaticallyReportInFuture {
   cursor: pointer;
 }
 
 #errorCode:not([href]) {
--- a/devtools/client/debugger/new/src/components/App.js
+++ b/devtools/client/debugger/new/src/components/App.js
@@ -264,16 +264,17 @@ class App extends Component<Props, State
         style={{ width: "100vw" }}
         initialSize={prefs.endPanelSize}
         minSize={30}
         maxSize={maxSize}
         splitterSize={1}
         vert={horizontal}
         onResizeEnd={num => {
           prefs.endPanelSize = num;
+          this.triggerEditorPaneResize();
         }}
         startPanel={
           <SplitBox
             style={{ width: "100vw" }}
             initialSize={prefs.startPanelSize}
             minSize={30}
             maxSize="85%"
             splitterSize={1}
@@ -288,17 +289,16 @@ class App extends Component<Props, State
         endPanelControl={true}
         endPanel={
           <SecondaryPanes
             horizontal={horizontal}
             toggleShortcutsModal={() => this.toggleShortcutsModal()}
           />
         }
         endPanelCollapsed={endPanelCollapsed}
-        onResizeEnd={this.triggerEditorPaneResize}
       />
     );
   };
 
   renderShortcutsModal() {
     const additionalClass = isMacOS ? "mac" : "";
 
     if (!features.shortcuts) {
--- a/layout/reftests/svg/reftest.list
+++ b/layout/reftests/svg/reftest.list
@@ -320,17 +320,17 @@ random-if(gtkWidget) == objectBoundingBo
 
 == opacity-and-gradient-01.svg pass.svg
 skip-if(d2d) fuzzy-if(cocoaWidget,0-1,0-99974) fuzzy-if(skiaContent,0-1,0-200000) == opacity-and-gradient-02.svg opacity-and-gradient-02-ref.svg
 == opacity-and-pattern-01.svg pass.svg
 fuzzy-if(/^Windows\x20NT\x2010\.0/.test(http.oscpu)||skiaContent,0-1,0-10000) == opacity-and-transform-01.svg opacity-and-transform-01-ref.svg
 
 fuzzy-if(Android,0-8,0-200) == outer-svg-border-and-padding-01.svg outer-svg-border-and-padding-01-ref.svg
 
-fuzzy(0-16,0-193) fuzzy-if(skiaContent,0-7,0-175) fuzzy-if(webrender,54-54,124-124) == outline.html outline-ref.html # Bug 1392106, Bug 1503525
+fuzzy(0-16,0-193) fuzzy-if(skiaContent,0-7,0-193) fuzzy-if(webrender,54-54,124-124) == outline.html outline-ref.html # Bug 1392106, Bug 1503525
 
 == overflow-on-outer-svg-01.svg overflow-on-outer-svg-01-ref.svg
 == overflow-on-outer-svg-02a.xhtml overflow-on-outer-svg-02-ref.xhtml
 == overflow-on-outer-svg-02b.xhtml overflow-on-outer-svg-02-ref.xhtml
 == overflow-on-outer-svg-02c.xhtml overflow-on-outer-svg-02-ref.xhtml
 == overflow-on-outer-svg-02d.xhtml overflow-on-outer-svg-02-ref.xhtml
 == overflow-on-outer-svg-03a.xhtml overflow-on-outer-svg-03-ref.xhtml
 == overflow-on-outer-svg-03b.xhtml overflow-on-outer-svg-03-ref.xhtml
--- a/layout/reftests/w3c-css/submitted/contain/contain-layout-suppress-baseline-002.html
+++ b/layout/reftests/w3c-css/submitted/contain/contain-layout-suppress-baseline-002.html
@@ -1,17 +1,17 @@
 <!DOCTYPE html>
 <html>
 <head>
   <meta charset="utf-8">
   <title>CSS Test: 'contain: layout' should make elements behave as if they have no baseline</title>
   <link rel="author" title="Daniel Holbert" href="mailto:dholbert@mozilla.com">
   <link rel="help" href="https://drafts.csswg.org/css-contain/#containment-layout">
   <link rel="help" href="https://drafts.csswg.org/css-flexbox-1/#valdef-align-items-baseline">
-  <link rel="match" href="contain-layout-suppress-baseline-001-ref.html">
+  <link rel="match" href="contain-layout-suppress-baseline-002-ref.html">
   <style>
   .flexBaselineCheck {
     display: flex;
     border: 1px solid black;
     height: 70px;
   }
   .flexBaselineCheck > * {
     contain: layout;
--- a/modules/libpref/init/StaticPrefList.h
+++ b/modules/libpref/init/StaticPrefList.h
@@ -704,17 +704,17 @@ VARCACHE_PREF(
 // set to false.)
 VARCACHE_PREF(
   "layout.css.prefixes.device-pixel-ratio-webkit",
    layout_css_prefixes_device_pixel_ratio_webkit,
   bool, true
 )
 
 // Are -moz-prefixed gradient functions enabled?
-#ifdef EARLY_BETA_OR_EARLIER
+#ifdef NIGHTLY_BUILD
 # define PREF_VALUE false
 #else
 # define PREF_VALUE true
 #endif
 VARCACHE_PREF(
   "layout.css.prefixes.gradients",
    layout_css_prefixes_gradients,
   bool, PREF_VALUE
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -286,16 +286,22 @@ certErrorMismatchMultiple3=Websites prov
 # LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
 certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
 certErrorExpiredNow2=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %S appears to be expired.
 
 # LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time)
 certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
 certErrorNotYetValidNow2=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %S appears to be not yet valid.
 
+certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities.
+# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName
+certErrorMitM2=%S is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security.
+# LOCALIZATION NOTE (certErrorMitM3): %S is brandShortName
+certErrorMitM3=%S uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe.
+
 # LOCALIZATION NOTE (certErrorSymantecDistrustDescription1): %S will be replaced by the domain for which the certificate is valid.
 certErrorSymantecDistrustDescription1=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. %S uses a certificate from one of these authorities and so the website’s identity cannot be proven.
 certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem.
 
 # LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.
 certErrorCodePrefix3=Error code: %S
 
 P12DefaultNickname=Imported Certificate
--- a/taskcluster/docs/actions.rst
+++ b/taskcluster/docs/actions.rst
@@ -58,24 +58,29 @@ To create a new callback action you must
       order=10000,  # Order in which it should appear relative to other actions
   )
   def hello_world_action(parameters, graph_config, input, task_group_id, task_id, task):
       print "Hello was triggered from taskGroupId: " + taskGroupId
 
 The arguments are:
 ``parameters``
   an instance of ``taskgraph.parameters.Parameters``, carrying decision task parameters from the original decision task.
+
 ``graph_config``
   an instance of ``taskgraph.config.GraphConfig``, carrying configuration for this tree
+
 ``input``
   the input from the user triggering the action (if any)
+
 ``task_group_id``
   the target task group on which this action should operate
+
 ``task_id``
   the target task on which this action should operate (or None if it is operating on the whole group)
+
 ``task``
   the definition of the target task (or None, as for ``task_id``)
 
 The example above defines an action that is available in the context-menu for
 the entire task-group (result-set or push in Treeherder terminology). To create
 an action that shows up in the context menu for a task we would specify the
 ``context`` parameter.
 
--- a/taskcluster/docs/attributes.rst
+++ b/taskcluster/docs/attributes.rst
@@ -37,17 +37,17 @@ be specified by name regardless of ``run
 If ``run_on_projects`` is set to an empty list, then the task will not run
 anywhere, unless its build platform is specified explicitly in try syntax.
 
 run_on_hg_branches
 ==================
 
 On a given project, the mercurial branch where this task should be in the target
 task set.  This is how requirements like "only run this RELBRANCH" get implemented.
-These are either the regular expression of a branch (e.g.: "GECKOVIEW_\d+_RELBRANCH")
+These are either the regular expression of a branch (e.g.: ``GECKOVIEW_\d+_RELBRANCH``)
 or the following alias:
 
  * `all` -- everywhere (the default)
 
 Like ``run_on_projects``, the same behavior applies if it is set to an empty list.
 
 task_duplicates
 ===============
--- a/taskcluster/docs/kinds.rst
+++ b/taskcluster/docs/kinds.rst
@@ -283,17 +283,17 @@ release-secondary-notify-ship
 -----------------------------
 Notify when an RC release has been shipped to the beta channel.
 
 release-notify-promote
 ----------------------
 Notify when a release has been promoted.
 
 release-notify-started
--------------------
+----------------------
 Notify when a release has been started.
 
 release-bouncer-sub
 -------------------
 Submits bouncer updates for releases.
 
 release-mark-as-shipped
 -----------------------
--- a/testing/mozharness/mozharness/mozilla/building/buildbase.py
+++ b/testing/mozharness/mozharness/mozilla/building/buildbase.py
@@ -144,17 +144,18 @@ class CheckTestCompleteParser(OutputPars
             self.tbpl_status = self.worst_level(TBPL_FAILURE, self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         if self.fail_count > 0:
             self.tbpl_status = self.worst_level(TBPL_WARNING, self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         # Account for the possibility that no test summary was output.
-        if self.pass_count == 0 and self.fail_count == 0:
+        if (self.pass_count == 0 and self.fail_count == 0 and
+           os.environ.get('TRY_SELECTOR') != 'coverage'):
             self.error('No tests run or test summary not found')
             self.tbpl_status = self.worst_level(TBPL_WARNING, self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         if return_code not in success_codes:
             self.tbpl_status = self.worst_level(TBPL_FAILURE, self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
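Review bot: With `TRY_SELECTOR` set to `coverage`, a run that executed zero tests now finishes without a warning and nothing in the log records that the check was skipped; the same condition is added in unittest.py and runxpcshelltests.py. A harness that dies before running any test would then look the same as an intentionally empty coverage run. I would leave the status alone but log the skip, e.g. `self.info('No tests run; not flagged because TRY_SELECTOR=coverage')` in a separate branch, and put the `'coverage'` comparison in one shared helper. No `import os` is visible in this hunk, so confirm that buildbase.py already imports it.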
--- a/testing/mozharness/mozharness/mozilla/testing/unittest.py
+++ b/testing/mozharness/mozharness/mozilla/testing/unittest.py
@@ -1,16 +1,17 @@
 #!/usr/bin/env python
 # ***** BEGIN LICENSE BLOCK *****
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this file,
 # You can obtain one at http://mozilla.org/MPL/2.0/.
 # ***** END LICENSE BLOCK *****
 
 import re
+import os
 
 from mozharness.mozilla.testing.errors import TinderBoxPrintRe
 from mozharness.base.log import OutputParser, WARNING, INFO, CRITICAL, ERROR
 from mozharness.mozilla.automation import TBPL_WARNING, TBPL_FAILURE, TBPL_RETRY
 from mozharness.mozilla.automation import TBPL_SUCCESS, TBPL_WORST_LEVEL_TUPLE
 
 SUITE_CATEGORIES = ['mochitest', 'reftest', 'xpcshell']
 
@@ -197,18 +198,19 @@ class DesktopUnittestOutputParser(Output
         # only if fail_count was more then 0 but also if fail_count is still -1
         # (no fail summary line was found)
         if self.fail_count != 0:
             self.worst_log_level = self.worst_level(WARNING, self.worst_log_level)
             self.tbpl_status = self.worst_level(TBPL_WARNING, self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         # Account for the possibility that no test summary was output.
-        if self.pass_count <= 0 and self.fail_count <= 0 and \
-                (self.known_fail_count is None or self.known_fail_count <= 0):
+        if (self.pass_count <= 0 and self.fail_count <= 0 and
+           (self.known_fail_count is None or self.known_fail_count <= 0) and
+           os.environ.get('TRY_SELECTOR') != 'coverage'):
             self.error('No tests run or test summary not found')
             self.worst_log_level = self.worst_level(WARNING,
                                                     self.worst_log_level)
             self.tbpl_status = self.worst_level(TBPL_WARNING,
                                                 self.tbpl_status,
                                                 levels=TBPL_WORST_LEVEL_TUPLE)
 
         if return_code not in success_codes:
--- a/testing/xpcshell/runxpcshelltests.py
+++ b/testing/xpcshell/runxpcshelltests.py
@@ -1615,17 +1615,17 @@ class XPCShellTests(object):
                 self.log.info("%s could not be cleaned up." % directory)
 
         if exceptions:
             self.log.info("Following exceptions were raised:")
             for t in tracebacks:
                 self.log.error(t)
             raise exceptions[0]
 
-        if self.testCount == 0:
+        if self.testCount == 0 and os.environ.get('TRY_SELECTOR') != 'coverage':
             self.log.error("No tests run. Did you pass an invalid --test-path?")
             self.failCount = 1
 
         self.log.info("INFO | Result summary:")
         self.log.info("INFO | Passed: %d" % self.passCount)
         self.log.info("INFO | Failed: %d" % self.failCount)
         self.log.info("INFO | Todo: %d" % self.todoCount)
         self.log.info("INFO | Retried: %d" % len(self.try_again_list))
--- a/tools/tryselect/push.py
+++ b/tools/tryselect/push.py
@@ -85,16 +85,19 @@ def push_to_try(method, msg, labels=None
                 push=True, closed_tree=False, files_to_change=None):
     check_working_directory(push)
 
     # Format the commit message
     closed_tree_string = " ON A CLOSED TREE" if closed_tree else ""
     commit_message = ('%s%s\n\nPushed via `mach try %s`' %
                       (msg, closed_tree_string, method))
 
+    if templates is not None:
+        templates.setdefault('env', {}).update({'TRY_SELECTOR': method})
+
     if labels or labels == []:
         try_task_config = {
             'version': 1,
             'tasks': sorted(labels),
         }
         if templates:
             try_task_config['templates'] = templates
         if push:
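Review bot: `templates.setdefault('env', {}).update({'TRY_SELECTOR': method})` mutates the dict the caller passed in and overwrites any `TRY_SELECTOR` already present in `env`. When `templates` is `None` the variable is never set, so the harness checks added in this commit would not see the selector for such pushes. If every push should carry it, work on a local copy, e.g. `templates = dict(templates or {})` followed by `templates['env'] = dict(templates.get('env', {}), TRY_SELECTOR=method)`. That also makes the `None` case emit a `templates` entry, so confirm that is wanted. push_to_try continues past the end of the hunk.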
--- a/tools/tryselect/test/test_again.py
+++ b/tools/tryselect/test/test_again.py
@@ -34,17 +34,20 @@ def test_try_again(monkeypatch):
 
     args, kwargs = again.run_try_again()
 
     assert args[0] == 'again'
     assert args[1] == 'Fuzzy message'
 
     try_task_config = kwargs.pop('try_task_config')
     assert sorted(try_task_config.get('tasks')) == sorted(['foo', 'bar'])
-    assert try_task_config.get('templates') == {'artifact': True}
+    assert try_task_config.get('templates') == {
+        'artifact': True,
+        'env': {'TRY_SELECTOR': 'fuzzy'},
+    }
 
     with open(push.history_path, 'r') as fh:
         assert len(fh.readlines()) == 1
 
 
 def test_no_push_does_not_generate_history(tmpdir):
     assert not os.path.isfile(push.history_path)
 
--- a/widget/nsBaseWidget.cpp
+++ b/widget/nsBaseWidget.cpp
@@ -3112,17 +3112,18 @@ struct PrefPair {
 };
 
 static PrefPair debug_PrefValues[] = {
     {"nglayout.debug.crossing_event_dumping", false},
     {"nglayout.debug.event_dumping", false},
     {"nglayout.debug.invalidate_dumping", false},
     {"nglayout.debug.motion_event_dumping", false},
     {"nglayout.debug.paint_dumping", false},
-    {"nglayout.debug.paint_flashing", false}};
+    {"nglayout.debug.paint_flashing", false},
+    {"nglayout.debug.paint_flashing_chrome", false}};
 
 //////////////////////////////////////////////////////////////
 bool nsBaseWidget::debug_GetCachedBoolPref(const char* aPrefName) {
   NS_ASSERTION(nullptr != aPrefName, "cmon, pref name is null.");
 
   for (uint32_t i = 0; i < ArrayLength(debug_PrefValues); i++) {
     if (strcmp(debug_PrefValues[i].name, aPrefName) == 0) {
       return debug_PrefValues[i].value;