--- a/dom/plugins/ipc/FunctionBroker.cpp
+++ b/dom/plugins/ipc/FunctionBroker.cpp
@@ -1060,17 +1060,17 @@ AcquireCredentialsHandleAFB::BaseType::m
 typedef RequestInfo<ID_AcquireCredentialsHandleA> ACHAReqInfo;
 
 template<> template<>
 struct ACHAReqInfo::FixedValue<0> { static const LPSTR value; };
 const LPSTR ACHAReqInfo::FixedValue<0>::value = nullptr;
 
 template<> template<>
 struct ACHAReqInfo::FixedValue<1> { static const LPSTR value; };
-const LPSTR ACHAReqInfo::FixedValue<1>::value = UNISP_NAME_A;
+const LPSTR ACHAReqInfo::FixedValue<1>::value = const_cast<char*>(UNISP_NAME_A); // -Wwritable-strings
 
 template<> template<>
 struct ACHAReqInfo::FixedValue<2> { static const unsigned long value; };
 const unsigned long ACHAReqInfo::FixedValue<2>::value = SECPKG_CRED_OUTBOUND;
 
 template<> template<>
 struct ACHAReqInfo::FixedValue<3> { static void* const value; };
 void* const ACHAReqInfo::FixedValue<3>::value = nullptr;

--- a/mozglue/build/Authenticode.cpp
+++ b/mozglue/build/Authenticode.cpp
@@ -240,17 +240,17 @@ SignedBinary::VerifySignature(const wcha
     static const mozilla::DynamicallyLinkedFunctionPtr<decltype(&::CryptCATAdminAcquireContext2)>
       pCryptCATAdminAcquireContext2(L"wintrust.dll", "CryptCATAdminAcquireContext2");
     if (!pCryptCATAdminAcquireContext2) {
       return false;
     }
 
     CERT_STRONG_SIGN_PARA policy = {sizeof(policy)};
     policy.dwInfoChoice = CERT_STRONG_SIGN_OID_INFO_CHOICE;
-    policy.pszOID = szOID_CERT_STRONG_SIGN_OS_CURRENT;
+    policy.pszOID = const_cast<char*>(szOID_CERT_STRONG_SIGN_OS_CURRENT); // -Wwritable-strings
 
     if (!pCryptCATAdminAcquireContext2(&rawCatAdmin, nullptr,
                                        BCRYPT_SHA256_ALGORITHM, &policy, 0)) {
       return false;
     }
   } else {
     static const mozilla::DynamicallyLinkedFunctionPtr<decltype(&::CryptCATAdminAcquireContext)>
       pCryptCATAdminAcquireContext(L"wintrust.dll", "CryptCATAdminAcquireContext");

--- a/security/manager/ssl/CredentialManagerSecret.cpp
+++ b/security/manager/ssl/CredentialManagerSecret.cpp
@@ -72,17 +72,17 @@ CredentialManagerSecret::StoreSecret(con
   CREDENTIALA cred = { 0 };
   cred.Type = CRED_TYPE_GENERIC;
   const nsCString& label = PromiseFlatCString(aLabel);
   cred.TargetName = const_cast<LPSTR>(label.get());
   cred.CredentialBlobSize = aSecret.Length();
   const nsCString& secret = PromiseFlatCString(aSecret);
   cred.CredentialBlob = (LPBYTE)secret.get();
   cred.Persist = CRED_PERSIST_LOCAL_MACHINE;
-  cred.UserName = "";
+  cred.UserName = const_cast<char*>(""); // -Wwritable-strings
 
   // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credwritea
   BOOL ok = CredWriteA(&cred, 0);
   if (!ok) {
     MOZ_LOG(gCredentialManagerSecretLog,
             LogLevel::Debug,
             ("CredWriteW failed %d", GetLastError()));
     return NS_ERROR_FAILURE;

--- a/security/manager/ssl/EnterpriseRoots.cpp
+++ b/security/manager/ssl/EnterpriseRoots.cpp
@@ -36,21 +36,21 @@ CertIsTrustAnchorForTLSServerAuth(PCCERT
   MOZ_ASSERT(certificate);
   if (!certificate) {
     return false;
   }
 
   PCCERT_CHAIN_CONTEXT pChainContext = nullptr;
   CERT_ENHKEY_USAGE enhkeyUsage;
   memset(&enhkeyUsage, 0, sizeof(CERT_ENHKEY_USAGE));
-  LPSTR identifiers[] = {
+  LPCSTR identifiers[] = {
     "1.3.6.1.5.5.7.3.1", // id-kp-serverAuth
   };
   enhkeyUsage.cUsageIdentifier = ArrayLength(identifiers);
-  enhkeyUsage.rgpszUsageIdentifier = identifiers;
+  enhkeyUsage.rgpszUsageIdentifier = const_cast<LPSTR*>(identifiers); // -Wwritable-strings
   CERT_USAGE_MATCH certUsage;
   memset(&certUsage, 0, sizeof(CERT_USAGE_MATCH));
   certUsage.dwType = USAGE_MATCH_TYPE_AND;
   certUsage.Usage = enhkeyUsage;
   CERT_CHAIN_PARA chainPara;
   memset(&chainPara, 0, sizeof(CERT_CHAIN_PARA));
   chainPara.cbSize = sizeof(CERT_CHAIN_PARA);
   chainPara.RequestedUsage = certUsage;

--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -285,18 +285,18 @@ GetUserSid(nsAString& sidString)
 // This function handles one level of nesting. That is, if the desired value
 // is actually in a direct child of the given registry key (where the child
 // and/or the value being sought may not actually be present), this function
 // will handle that. In the normal case, though, optionalChildName will be
 // null.
 static nsresult
 ReadRegKeyValueWithDefault(nsCOMPtr<nsIWindowsRegKey> regKey,
                            uint32_t flags,
-                           wchar_t* optionalChildName,
-                           wchar_t* valueName,
+                           const wchar_t* optionalChildName,
+                           const wchar_t* valueName,
                            uint32_t defaultValue,
                            uint32_t& valueOut)
 {
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("ReadRegKeyValueWithDefault"));
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
           ("attempting to read '%S%s%S' with default '%u'",
            optionalChildName ? optionalChildName : L"",
            optionalChildName ? "\\" : "", valueName, defaultValue));

--- a/toolkit/components/maintenanceservice/maintenanceservice.cpp
+++ b/toolkit/components/maintenanceservice/maintenanceservice.cpp
@@ -103,17 +103,17 @@ wmain(int argc, WCHAR **argv)
     return 0;
   }
 
   if (!lstrcmpi(argv[1], L"check-cert") && argc > 2) {
     return DoesBinaryMatchAllowedCertificates(argv[2], argv[3], FALSE) ? 0 : 1;
   }
 
   SERVICE_TABLE_ENTRYW DispatchTable[] = {
-    { SVC_NAME, (LPSERVICE_MAIN_FUNCTIONW) SvcMain },
+    { const_cast<LPWSTR>(SVC_NAME), (LPSERVICE_MAIN_FUNCTIONW) SvcMain }, // -Wwritable-strings
     { nullptr, nullptr }
   };
 
   // This call returns when the service has stopped.
   // The process should simply terminate when the call returns.
   if (!StartServiceCtrlDispatcherW(DispatchTable)) {
     LOG_WARN(("StartServiceCtrlDispatcher failed.  (%d)", GetLastError()));
   }

--- a/toolkit/components/maintenanceservice/workmonitor.cpp
+++ b/toolkit/components/maintenanceservice/workmonitor.cpp
@@ -183,17 +183,17 @@ BOOL
 StartUpdateProcess(int argc,
                    LPWSTR *argv,
                    LPCWSTR installDir,
                    BOOL &processStarted)
 {
   LOG(("Starting update process as the service in session 0."));
   STARTUPINFO si = {0};
   si.cb = sizeof(STARTUPINFO);
-  si.lpDesktop = L"winsta0\\Default";
+  si.lpDesktop = const_cast<LPWSTR>(L"winsta0\\Default"); // -Wwritable-strings
   PROCESS_INFORMATION pi = {0};
 
   // The updater command line is of the form:
   // updater.exe update-dir apply [wait-pid [callback-dir callback-path args]]
   auto cmdLine = mozilla::MakeCommandLine(argc, argv);
 
   int index = 3;
   if (IsOldCommandline(argc, argv)) {
@@ -201,17 +201,17 @@ StartUpdateProcess(int argc,
   }
 
   // If we're about to start the update process from session 0,
   // then we should not show a GUI.  This only really needs to be done
   // on Vista and higher, but it's better to keep everything consistent
   // across all OS if it's of no harm.
   if (argc >= index) {
     // Setting the desktop to blank will ensure no GUI is displayed
-    si.lpDesktop = L"";
+    si.lpDesktop = const_cast<LPWSTR>(L""); // -Wwritable-strings
     si.dwFlags |= STARTF_USESHOWWINDOW;
     si.wShowWindow = SW_HIDE;
   }
 
   // Add an env var for MOZ_USING_SERVICE so the updater.exe can
   // do anything special that it needs to do for service updates.
   // Search in updater.cpp for more info on MOZ_USING_SERVICE.
   putenv(const_cast<char*>("MOZ_USING_SERVICE=1"));

--- a/toolkit/mozapps/update/common/updatehelper.cpp
+++ b/toolkit/mozapps/update/common/updatehelper.cpp
@@ -129,17 +129,17 @@ StartServiceUpdate(LPCWSTR installDir)
   if (!CopyFileW(newMaintServicePath, tmpService, FALSE)) {
     return FALSE;
   }
 
   // Start the upgrade comparison process
   STARTUPINFOW si = {0};
   si.cb = sizeof(STARTUPINFOW);
   // No particular desktop because no UI
-  si.lpDesktop = L"";
+  si.lpDesktop = const_cast<LPWSTR>(L""); // -Wwritable-strings
   PROCESS_INFORMATION pi = {0};
   WCHAR cmdLine[64] = { '\0' };
   wcsncpy(cmdLine, L"dummyparam.exe upgrade",
           sizeof(cmdLine) / sizeof(cmdLine[0]) - 1);
   BOOL svcUpdateProcessStarted = CreateProcessW(tmpService,
                                                 cmdLine,
                                                 nullptr, nullptr, FALSE,
                                                 0,

--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -2047,17 +2047,17 @@ LaunchWinPostProcess(const WCHAR *instal
   }
 
   // We want to launch the post update helper app to update the Windows
   // registry even if there is a failure with removing the uninstall.update
   // file or copying the update.log file.
   CopyFileW(slogFile, dlogFile, false);
 
   STARTUPINFOW si = {sizeof(si), 0};
-  si.lpDesktop = L"";
+  si.lpDesktop = const_cast<LPWSTR>(L""); // -Wwritable-strings
   PROCESS_INFORMATION pi = {0};
 
   bool ok = CreateProcessW(exefullpath,
                            cmdline,
                            nullptr,  // no special security attributes
                            nullptr,  // no special thread attributes
                            false,    // don't inherit filehandles
                            0,        // No special process creation flags