diff --git a/b2g/app/b2g.js b/b2g/app/b2g.js
index 150de07bba..c2a211b58e 100644
--- a/b2g/app/b2g.js
+++ b/b2g/app/b2g.js
@@ -224,7 +224,6 @@ pref("dom.use_watchdog", false);
 // ensure that those calls don't accidentally trigger the dialog.
 pref("dom.max_script_run_time", 0);
 pref("dom.max_chrome_script_run_time", 0);
-pref("dom.max_child_script_run_time", 0);
 
 // plugins
 pref("plugin.disable", true);
@@ -1044,6 +1043,12 @@ pref("layout.accessiblecaret.enabled", true);
 pref("layout.accessiblecaret.use_long_tap_injector", false);
 #endif
 
+// The active caret is disallow to be dragged across the other (inactive) caret.
+pref("layout.accessiblecaret.allow_dragging_across_other_caret", false);
+
+// Hide carets and text selection dialog during scrolling.
+pref("layout.accessiblecaret.always_show_when_scrolling", false);
+
 // Enable sync and mozId with Firefox Accounts.
 pref("services.sync.fxaccounts.enabled", true);
 pref("identity.fxaccounts.enabled", true);
diff --git a/b2g/installer/package-manifest.in b/b2g/installer/package-manifest.in
index 9ef7f7515d..f1df749a76 100644
--- a/b2g/installer/package-manifest.in
+++ b/b2g/installer/package-manifest.in
@@ -447,6 +447,8 @@
 @RESPATH@/components/PresentationDeviceInfoManager.js
 @RESPATH@/components/BuiltinProviders.manifest
 @RESPATH@/components/TCPPresentationServer.js
+@RESPATH@/components/PresentationDataChannelSessionTransport.js
+@RESPATH@/components/PresentationDataChannelSessionTransport.manifest
 
 #ifdef MOZ_SECUREELEMENT
 @RESPATH@/components/ACEService.js
diff --git a/browser/components/safebrowsing/content/test/browser_whitelisted.js b/browser/components/safebrowsing/content/test/browser_whitelisted.js
new file mode 100644
index 0000000000..45c12c399a
--- /dev/null
+++ b/browser/components/safebrowsing/content/test/browser_whitelisted.js
@@ -0,0 +1,41 @@
+/* Ensure that hostnames in the whitelisted pref are not blocked. */
+
+const PREF_WHITELISTED_HOSTNAMES = "urlclassifier.skipHostnames";
+const TEST_PAGE = "http://www.itisatrap.org/firefox/its-an-attack.html";
+var tabbrowser = null;
+
+registerCleanupFunction(function() {
+  tabbrowser = null;
+  Services.prefs.clearUserPref(PREF_WHITELISTED_HOSTNAMES);
+  while (gBrowser.tabs.length > 1) {
+    gBrowser.removeCurrentTab();
+  }
+});
+
+function testBlockedPage(window) {
+  info("Non-whitelisted pages must be blocked");
+  ok(true, "about:blocked was shown");
+}
+
+function testWhitelistedPage(window) {
+  info("Whitelisted pages must be skipped");
+  var getmeout_button = window.document.getElementById("getMeOutButton");
+  var ignorewarning_button = window.document.getElementById("ignoreWarningButton");
+  ok(!getmeout_button, "GetMeOut button not present");
+  ok(!ignorewarning_button, "IgnoreWarning button not present");
+}
+
+add_task(function* testNormalBrowsing() {
+  tabbrowser = gBrowser;
+  let tab = tabbrowser.selectedTab = tabbrowser.addTab();
+
+  info("Load a test page that's whitelisted");
+  Services.prefs.setCharPref(PREF_WHITELISTED_HOSTNAMES, "example.com,www.ItIsaTrap.org,example.net");
+  yield promiseTabLoadEvent(tab, TEST_PAGE, "load");
+  testWhitelistedPage(tab.ownerDocument.defaultView);
+
+  info("Load a test page that's no longer whitelisted");
+  Services.prefs.setCharPref(PREF_WHITELISTED_HOSTNAMES, "");
+  yield promiseTabLoadEvent(tab, TEST_PAGE, "AboutBlockedLoaded");
+  testBlockedPage(tab.ownerDocument.defaultView);
+});
diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in
index 6522abcbb7..fd48e7d445 100644
--- a/browser/installer/package-manifest.in
+++ b/browser/installer/package-manifest.in
@@ -628,6 +628,8 @@
 @RESPATH@/components/PresentationDeviceInfoManager.js
 @RESPATH@/components/BuiltinProviders.manifest
 @RESPATH@/components/TCPPresentationServer.js
+@RESPATH@/components/PresentationDataChannelSessionTransport.js
+@RESPATH@/components/PresentationDataChannelSessionTransport.manifest
 
 ; InputMethod API
 @RESPATH@/components/MozKeyboard.js
diff --git a/devtools/client/locales/en-US/netmonitor.dtd b/devtools/client/locales/en-US/netmonitor.dtd
index 5cf4231f97..81a308c92b 100644
--- a/devtools/client/locales/en-US/netmonitor.dtd
+++ b/devtools/client/locales/en-US/netmonitor.dtd
@@ -120,6 +120,10 @@
   -  in the network details footer for the "Flash" filtering button. -->
 <!ENTITY netmonitorUI.footer.filterFlash  "Flash">
 
+<!-- LOCALIZATION NOTE (netmonitorUI.footer.filterWS): This is the label displayed
+  -  in the network details footer for the "WS" filtering button. -->
+<!ENTITY netmonitorUI.footer.filterWS  "WS">
+
 <!-- LOCALIZATION NOTE (netmonitorUI.footer.filterOther): This is the label displayed
   -  in the network details footer for the "Other" filtering button. -->
 <!ENTITY netmonitorUI.footer.filterOther  "Other">
diff --git a/devtools/client/netmonitor/netmonitor-view.js b/devtools/client/netmonitor/netmonitor-view.js
index 5cd19d7cb1..76a13875c7 100644
--- a/devtools/client/netmonitor/netmonitor-view.js
+++ b/devtools/client/netmonitor/netmonitor-view.js
@@ -983,7 +983,7 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
    *
    * @param string type
    *        Either "all", "html", "css", "js", "xhr", "fonts", "images", "media"
-   *        "flash" or "other".
+   *        "flash", "ws" or "other".
    */
   filterOn: function(type = "all") {
     if (type === "all") {
@@ -1026,7 +1026,7 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
    *
    * @param string type
    *        Either "all", "html", "css", "js", "xhr", "fonts", "images", "media"
-   *        "flash" or "other".
+   *        "flash", "ws" or "other".
    */
   _disableFilter: function(type) {
     // Remove the filter from list of active filters.
@@ -1048,7 +1048,7 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
    *
    * @param string type
    *        Either "all", "html", "css", "js", "xhr", "fonts", "images", "media"
-   *        "flash" or "other".
+   *        "flash", "ws" or "other".
    */
   _enableFilter: function(type) {
     // Make sure this is a valid filter type.
@@ -1100,6 +1100,7 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
       images: this.isImage,
       media: this.isMedia,
       flash: this.isFlash,
+      ws: this.isWS,
       other: this.isOther,
       freetext: this.isFreetextMatch
     };
@@ -1240,8 +1241,10 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
       mimeType.includes("/x-javascript"));
   },
 
-  isXHR: function({ attachment: { isXHR } }) {
-    return isXHR;
+  isXHR: function(item) {
+    // Show the request it is XHR, except
+    // if the request is a WS upgrade
+    return item.attachment.isXHR && !this.isWS(item);
   },
 
   isFont: function({ attachment: { url, mimeType } }) {
@@ -1276,6 +1279,36 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
       url.includes(".flv");
   },
 
+  isWS: function({ attachment: { requestHeaders, responseHeaders } }) {
+    // Detect a websocket upgrade if request has an Upgrade header
+    // with value 'websocket'
+
+    if (!requestHeaders || !Array.isArray(requestHeaders.headers)) {
+      return false;
+    }
+
+    // Find the 'upgrade' header.
+    var upgradeHeader = requestHeaders.headers.find(header => {
+      return (header.name == "Upgrade");
+    });
+
+    // If no header found on request, check response - mainly to get
+    // something we can unit test, as it is impossible to set
+    // the Upgrade header on outgoing XHR as per the spec.
+    if (!upgradeHeader && responseHeaders && Array.isArray(responseHeaders.headers)) {
+      upgradeHeader = responseHeaders.headers.find(header => {
+        return (header.name == "Upgrade");
+      });
+    }
+
+    // Return false if there is no such header or if its value isn't 'websocket'.
+    if (!upgradeHeader || upgradeHeader.value != "websocket") {
+      return false;
+    }
+
+    return true;
+  },
+
   isOther: function(e) {
     return !this.isHtml(e) &&
            !this.isCss(e) &&
@@ -1284,7 +1317,8 @@ RequestsMenuView.prototype = Heritage.extend(WidgetMethods, {
            !this.isFont(e) &&
            !this.isImage(e) &&
            !this.isMedia(e) &&
-           !this.isFlash(e);
+           !this.isFlash(e) &&
+           !this.isWS(e);
   },
 
   isFreetextMatch: function({ attachment: { url } }, text) {
@@ -3616,7 +3650,8 @@ PerformanceStatisticsView.prototype = {
    */
   _sanitizeChartDataSource: function(items, emptyCache) {
     let data = [
-      "html", "css", "js", "xhr", "fonts", "images", "media", "flash", "other"
+      "html", "css", "js", "xhr", "fonts", "images", "media", "flash", "ws",
+      "other"
     ].map(e => ({
       cached: 0,
       count: 0,
@@ -3650,13 +3685,16 @@ PerformanceStatisticsView.prototype = {
       } else if (RequestsMenuView.prototype.isFlash(requestItem)) {
         // "flash"
         type = 7;
+      } else if (RequestsMenuView.prototype.isWS(requestItem)) {
+        // "ws"
+        type = 8;
       } else if (RequestsMenuView.prototype.isXHR(requestItem)) {
         // Verify XHR last, to categorize other mime types in their own blobs.
         // "xhr"
         type = 3;
       } else {
         // "other"
-        type = 8;
+        type = 9;
       }
 
       if (emptyCache || !responseIsFresh(details)) {
diff --git a/devtools/client/netmonitor/netmonitor.xul b/devtools/client/netmonitor/netmonitor.xul
index 8c3c7589ea..7f911e8e29 100644
--- a/devtools/client/netmonitor/netmonitor.xul
+++ b/devtools/client/netmonitor/netmonitor.xul
@@ -143,6 +143,11 @@
                   data-key="flash"
                   label="&netmonitorUI.footer.filterFlash;">
           </button>
+          <button id="requests-menu-filter-ws-button"
+                  class="requests-menu-filter-button"
+                  data-key="ws"
+                  label="&netmonitorUI.footer.filterWS;">
+          </button>
           <button id="requests-menu-filter-other-button"
                   class="requests-menu-filter-button"
                   data-key="other"
diff --git a/devtools/client/netmonitor/test/browser_net_filter-01.js b/devtools/client/netmonitor/test/browser_net_filter-01.js
index 2a68ae8776..2d42353c8b 100644
--- a/devtools/client/netmonitor/test/browser_net_filter-01.js
+++ b/devtools/client/netmonitor/test/browser_net_filter-01.js
@@ -21,6 +21,11 @@ const REQUESTS_WITH_MEDIA_AND_FLASH = REQUESTS_WITH_MEDIA.concat([
   { url: "sjs_content-type-test-server.sjs?fmt=flash" },
 ]);
 
+const REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS = REQUESTS_WITH_MEDIA_AND_FLASH.concat([
+  /* "Upgrade" is a reserved header and can not be set on XMLHttpRequest */
+  { url: "sjs_content-type-test-server.sjs?fmt=ws" },
+]);
+
 function test() {
   initNetMonitor(FILTERING_URL).then(([aTab, aDebuggee, aMonitor]) => {
 
@@ -39,7 +44,7 @@ function test() {
 
     RequestsMenu.lazyUpdate = false;
 
-    waitForNetworkEvents(aMonitor, 8).then(() => {
+    waitForNetworkEvents(aMonitor, 9).then(() => {
       EventUtils.sendMouseEvent({ type: "mousedown" }, $("#details-pane-toggle"));
 
       isnot(RequestsMenu.selectedItem, null,
@@ -51,83 +56,89 @@ function test() {
 
       // First test with single filters...
       testFilterButtons(aMonitor, "all");
-      testContents([1, 1, 1, 1, 1, 1, 1, 1])
+      testContents([1, 1, 1, 1, 1, 1, 1, 1, 1])
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-html-button"));
           testFilterButtons(aMonitor, "html");
-          return testContents([1, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           // Reset filters
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-css-button"));
           testFilterButtons(aMonitor, "css");
-          return testContents([0, 1, 0, 0, 0, 0, 0, 0]);
+          return testContents([0, 1, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-js-button"));
           testFilterButtons(aMonitor, "js");
-          return testContents([0, 0, 1, 0, 0, 0, 0, 0]);
+          return testContents([0, 0, 1, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-xhr-button"));
           testFilterButtons(aMonitor, "xhr");
-          return testContents([1, 1, 1, 1, 1, 1, 1, 1]);
+          return testContents([1, 1, 1, 1, 1, 1, 1, 1, 0]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-fonts-button"));
           testFilterButtons(aMonitor, "fonts");
-          return testContents([0, 0, 0, 1, 0, 0, 0, 0]);
+          return testContents([0, 0, 0, 1, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-images-button"));
           testFilterButtons(aMonitor, "images");
-          return testContents([0, 0, 0, 0, 1, 0, 0, 0]);
+          return testContents([0, 0, 0, 0, 1, 0, 0, 0, 0]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-media-button"));
           testFilterButtons(aMonitor, "media");
-          return testContents([0, 0, 0, 0, 0, 1, 1, 0]);
+          return testContents([0, 0, 0, 0, 0, 1, 1, 0, 0]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-flash-button"));
           testFilterButtons(aMonitor, "flash");
-          return testContents([0, 0, 0, 0, 0, 0, 0, 1]);
+          return testContents([0, 0, 0, 0, 0, 0, 0, 1, 0]);
+        })
+        .then(() => {
+          EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
+          EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-ws-button"));
+          testFilterButtons(aMonitor, "ws");
+          return testContents([0, 0, 0, 0, 0, 0, 0, 0, 1]);
         })
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           testFilterButtons(aMonitor, "all");
-          return testContents([1, 1, 1, 1, 1, 1, 1, 1]);
+          return testContents([1, 1, 1, 1, 1, 1, 1, 1, 1]);
         })
         .then(() => {
           // Text in filter box that matches nothing should hide all.
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           setFreetextFilter("foobar");
-          return testContents([0, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([0, 0, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           // Text in filter box that matches should filter out everything else.
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           setFreetextFilter("sample");
-          return testContents([1, 1, 1, 0, 0, 0, 0, 0]);
+          return testContents([1, 1, 1, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           // Text in filter box that matches should filter out everything else.
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           setFreetextFilter("SAMPLE");
-          return testContents([1, 1, 1, 0, 0, 0, 0, 0]);
+          return testContents([1, 1, 1, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           // Test negative filtering (only show unmatched items)
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           setFreetextFilter("-sample");
-          return testContents([0, 0, 0, 1, 1, 1, 1, 1]);
+          return testContents([0, 0, 0, 1, 1, 1, 1, 1, 1]);
         })
         // ...then combine multiple filters together.
         .then(() => {
@@ -135,43 +146,44 @@ function test() {
           setFreetextFilter("");
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-html-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-css-button"));
-          testFilterButtonsCustom(aMonitor, [0, 1, 1, 0, 0, 0, 0, 0, 0, 0]);
-          return testContents([1, 1, 0, 0, 0, 0, 0, 0]);
+          testFilterButtonsCustom(aMonitor, [0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 1, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           // Html and css filter enabled and text filter should show just the html and css match.
           // Should not show both the items that match the button plus the items that match the text.
           setFreetextFilter("sample");
-          return testContents([1, 1, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 1, 0, 0, 0, 0, 0, 0, 0]);
         })
 
         .then(() => {
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-flash-button"));
           setFreetextFilter("");
-          testFilterButtonsCustom(aMonitor, [0, 1, 1, 0, 0, 0, 0, 0, 1, 0]);
-          return testContents([1, 1, 0, 0, 0, 0, 0, 1]);
+          testFilterButtonsCustom(aMonitor, [0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0]);
+          return testContents([1, 1, 0, 0, 0, 0, 0, 1, 0]);
         })
         .then(() => {
           // Disable some filters. Only one left active.
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-css-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-flash-button"));
           testFilterButtons(aMonitor, "html");
-          return testContents([1, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           // Disable last active filter. Should toggle to all.
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-html-button"));
           testFilterButtons(aMonitor, "all");
-          return testContents([1, 1, 1, 1, 1, 1, 1, 1]);
+          return testContents([1, 1, 1, 1, 1, 1, 1, 1, 1]);
         })
         .then(() => {
           // Enable few filters and click on all. Only "all" should be checked.
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-html-button"));
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-css-button"));
-          testFilterButtonsCustom(aMonitor, [0, 1, 1, 0, 0, 0, 0, 0, 0]);
+          EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-ws-button"));
+          testFilterButtonsCustom(aMonitor, [0, 1, 1, 0, 0, 0, 0, 0, 0, 1]);
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           testFilterButtons(aMonitor, "all");
-          return testContents([1, 1, 1, 1, 1, 1, 1, 1]);
+          return testContents([1, 1, 1, 1, 1, 1, 1, 1, 1]);
         })
         .then(() => {
           return teardown(aMonitor);
@@ -261,11 +273,17 @@ function test() {
           type: "x-shockwave-flash",
           fullMimeType: "application/x-shockwave-flash"
       });
+      verifyRequestItemTarget(RequestsMenu.getItemAtIndex(8),
+        "GET", CONTENT_TYPE_SJS + "?fmt=ws", {
+          fuzzyUrl: true,
+          status: 101,
+          statusText: "Switching Protocols",
+      });
 
       return promise.resolve(null);
     }
 
     loadCommonFrameScript();
-    performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH);
+    performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS);
   });
 }
diff --git a/devtools/client/netmonitor/test/browser_net_filter-02.js b/devtools/client/netmonitor/test/browser_net_filter-02.js
index aafa039d21..0e2e8337bc 100644
--- a/devtools/client/netmonitor/test/browser_net_filter-02.js
+++ b/devtools/client/netmonitor/test/browser_net_filter-02.js
@@ -21,6 +21,11 @@ const REQUESTS_WITH_MEDIA_AND_FLASH = REQUESTS_WITH_MEDIA.concat([
   { url: "sjs_content-type-test-server.sjs?fmt=flash" },
 ]);
 
+const REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS = REQUESTS_WITH_MEDIA_AND_FLASH.concat([
+  /* "Upgrade" is a reserved header and can not be set on XMLHttpRequest */
+  { url: "sjs_content-type-test-server.sjs?fmt=ws" },
+]);
+
 function test() {
   initNetMonitor(FILTERING_URL).then(([aTab, aDebuggee, aMonitor]) => {
     info("Starting test... ");
@@ -33,7 +38,7 @@ function test() {
 
     RequestsMenu.lazyUpdate = false;
 
-    waitForNetworkEvents(aMonitor, 8).then(() => {
+    waitForNetworkEvents(aMonitor, 9).then(() => {
       EventUtils.sendMouseEvent({ type: "mousedown" }, $("#details-pane-toggle"));
 
       isnot(RequestsMenu.selectedItem, null,
@@ -44,38 +49,38 @@ function test() {
         "The details pane should not be hidden after toggle button was pressed.");
 
       testFilterButtons(aMonitor, "all");
-      testContents([1, 1, 1, 1, 1, 1, 1, 1])
+      testContents([1, 1, 1, 1, 1, 1, 1, 1, 1])
         .then(() => {
           info("Testing html filtering.");
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-html-button"));
           testFilterButtons(aMonitor, "html");
-          return testContents([1, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           info("Performing more requests.");
-          performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH);
-          return waitForNetworkEvents(aMonitor, 8);
+          performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS);
+          return waitForNetworkEvents(aMonitor, 9);
         })
         .then(() => {
           info("Testing html filtering again.");
           testFilterButtons(aMonitor, "html");
-          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           info("Performing more requests.");
-          performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH);
-          return waitForNetworkEvents(aMonitor, 8);
+          performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS);
+          return waitForNetworkEvents(aMonitor, 9);
         })
         .then(() => {
           info("Testing html filtering again.");
           testFilterButtons(aMonitor, "html");
-          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]);
+          return testContents([1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0]);
         })
         .then(() => {
           info("Resetting filters.");
           EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-all-button"));
           testFilterButtons(aMonitor, "all");
-          return testContents([1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]);
+          return testContents([1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]);
         })
         .then(() => {
           return teardown(aMonitor);
@@ -101,7 +106,7 @@ function test() {
           "The item at index " + i + " doesn't have the correct hidden state.");
       }
 
-      for (let i = 0; i < aVisibility.length; i += 8) {
+      for (let i = 0; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=html", {
             fuzzyUrl: true,
@@ -111,7 +116,7 @@ function test() {
             fullMimeType: "text/html; charset=utf-8"
         });
       }
-      for (let i = 1; i < aVisibility.length; i += 8) {
+      for (let i = 1; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=css", {
             fuzzyUrl: true,
@@ -121,7 +126,7 @@ function test() {
             fullMimeType: "text/css; charset=utf-8"
         });
       }
-      for (let i = 2; i < aVisibility.length; i += 8) {
+      for (let i = 2; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=js", {
             fuzzyUrl: true,
@@ -131,7 +136,7 @@ function test() {
             fullMimeType: "application/javascript; charset=utf-8"
         });
       }
-      for (let i = 3; i < aVisibility.length; i += 8) {
+      for (let i = 3; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=font", {
             fuzzyUrl: true,
@@ -141,7 +146,7 @@ function test() {
             fullMimeType: "font/woff"
         });
       }
-      for (let i = 4; i < aVisibility.length; i += 8) {
+      for (let i = 4; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=image", {
             fuzzyUrl: true,
@@ -151,7 +156,7 @@ function test() {
             fullMimeType: "image/png"
         });
       }
-      for (let i = 5; i < aVisibility.length; i += 8) {
+      for (let i = 5; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=audio", {
             fuzzyUrl: true,
@@ -161,7 +166,7 @@ function test() {
             fullMimeType: "audio/ogg"
         });
       }
-      for (let i = 6; i < aVisibility.length; i += 8) {
+      for (let i = 6; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=video", {
             fuzzyUrl: true,
@@ -171,7 +176,7 @@ function test() {
             fullMimeType: "video/webm"
         });
       }
-      for (let i = 7; i < aVisibility.length; i += 8) {
+      for (let i = 7; i < aVisibility.length; i += 9) {
         verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
           "GET", CONTENT_TYPE_SJS + "?fmt=flash", {
             fuzzyUrl: true,
@@ -181,11 +186,19 @@ function test() {
             fullMimeType: "application/x-shockwave-flash"
         });
       }
+      for (let i = 8; i < aVisibility.length; i += 9) {
+        verifyRequestItemTarget(RequestsMenu.getItemAtIndex(i),
+          "GET", CONTENT_TYPE_SJS + "?fmt=ws", {
+            fuzzyUrl: true,
+            status: 101,
+            statusText: "Switching Protocols"
+        });
+      }
 
       return promise.resolve(null);
     }
 
     loadCommonFrameScript();
-    performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH);
+    performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS);
   });
 }
diff --git a/devtools/client/netmonitor/test/browser_net_filter-04.js b/devtools/client/netmonitor/test/browser_net_filter-04.js
index 64f6e58f55..db0be01199 100644
--- a/devtools/client/netmonitor/test/browser_net_filter-04.js
+++ b/devtools/client/netmonitor/test/browser_net_filter-04.js
@@ -22,6 +22,11 @@ const REQUESTS_WITH_MEDIA_AND_FLASH = REQUESTS_WITH_MEDIA.concat([
   { url: "sjs_content-type-test-server.sjs?fmt=flash" },
 ]);
 
+const REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS = REQUESTS_WITH_MEDIA_AND_FLASH.concat([
+  /* "Upgrade" is a reserved header and can not be set on XMLHttpRequest */
+  { url: "sjs_content-type-test-server.sjs?fmt=ws" },
+]);
+
 function test() {
   Services.prefs.setCharPref("devtools.netmonitor.filters", '["js", "bogus"]');
 
@@ -40,7 +45,7 @@ function test() {
     is(Prefs.filters[1], "bogus",
       "The second filter type is invalid, but loaded anyway.");
 
-    waitForNetworkEvents(aMonitor, 8).then(() => {
+    waitForNetworkEvents(aMonitor, 9).then(() => {
       testFilterButtons(aMonitor, "js");
       ok(true, "Only the correct filter type was taken into consideration.");
 
@@ -54,6 +59,6 @@ function test() {
     });
 
     loadCommonFrameScript();
-    performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH);
+    performRequestsInContent(REQUESTS_WITH_MEDIA_AND_FLASH_AND_WS);
   });
 }
diff --git a/devtools/client/netmonitor/test/browser_net_statistics-03.js b/devtools/client/netmonitor/test/browser_net_statistics-03.js
index 2200770b1c..7a0f8ed917 100644
--- a/devtools/client/netmonitor/test/browser_net_statistics-03.js
+++ b/devtools/client/netmonitor/test/browser_net_statistics-03.js
@@ -16,6 +16,7 @@ function test() {
     EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-html-button"));
     EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-css-button"));
     EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-js-button"));
+    EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-ws-button"));
     EventUtils.sendMouseEvent({ type: "click" }, $("#requests-menu-filter-other-button"));
     testFilterButtonsCustom(aMonitor, [0, 1, 1, 1, 0, 0, 0, 0, 0, 1]);
     ok(true, "The correct filtering predicates are used before entering perf. analysis mode.");
diff --git a/devtools/client/netmonitor/test/sjs_content-type-test-server.sjs b/devtools/client/netmonitor/test/sjs_content-type-test-server.sjs
index 9b940c5f1e..2cbea9deb5 100644
--- a/devtools/client/netmonitor/test/sjs_content-type-test-server.sjs
+++ b/devtools/client/netmonitor/test/sjs_content-type-test-server.sjs
@@ -205,6 +205,14 @@ function handleRequest(request, response) {
         response.finish();
         break;
       }
+      case "ws": {
+        response.setStatusLine(request.httpVersion, 101, "Switching Protocols");
+        response.setHeader("Connection", "upgrade", false);
+        response.setHeader("Upgrade", "websocket", false);
+        setCacheHeaders();
+        response.finish();
+        break;
+      }
       case "gzip": {
         // Note: we're doing a double gzip encoding to test multiple
         // converters in network monitor.
diff --git a/devtools/client/responsive.html/app.js b/devtools/client/responsive.html/app.js
index c6a6f47cef..306ca7b6a2 100644
--- a/devtools/client/responsive.html/app.js
+++ b/devtools/client/responsive.html/app.js
@@ -31,10 +31,22 @@ let App = createClass({
     screenshot: PropTypes.shape(Types.screenshot).isRequired,
   },
 
+  onBrowserMounted() {
+    window.postMessage({ type: "browser-mounted" }, "*");
+  },
+
   onChangeViewportDevice(id, device) {
     this.props.dispatch(changeDevice(id, device));
   },
 
+  onContentResize({ width, height }) {
+    window.postMessage({
+      type: "content-resize",
+      width,
+      height,
+    }, "*");
+  },
+
   onExit() {
     window.postMessage({ type: "exit" }, "*");
   },
@@ -60,7 +72,9 @@ let App = createClass({
     } = this.props;
 
     let {
+      onBrowserMounted,
       onChangeViewportDevice,
+      onContentResize,
       onExit,
       onResizeViewport,
       onRotateViewport,
@@ -81,7 +95,9 @@ let App = createClass({
         location,
         screenshot,
         viewports,
+        onBrowserMounted,
         onChangeViewportDevice,
+        onContentResize,
         onRotateViewport,
         onResizeViewport,
       })
diff --git a/devtools/client/responsive.html/components/browser.js b/devtools/client/responsive.html/components/browser.js
index e43cdffe0c..e66ca7ebd8 100644
--- a/devtools/client/responsive.html/components/browser.js
+++ b/devtools/client/responsive.html/components/browser.js
@@ -2,12 +2,18 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+/* eslint-env browser */
+
 "use strict";
 
-const { DOM: dom, createClass, PropTypes, addons } =
+const { Task } = require("resource://gre/modules/Task.jsm");
+const DevToolsUtils = require("devtools/shared/DevToolsUtils");
+const { getToplevelWindow } = require("sdk/window/utils");
+const { DOM: dom, createClass, addons, PropTypes } =
   require("devtools/client/shared/vendor/react");
 
 const Types = require("../types");
+const { waitForMessage } = require("../utils/e10s");
 
 module.exports = createClass({
 
@@ -15,32 +21,96 @@ module.exports = createClass({
 
   mixins: [ addons.PureRenderMixin ],
 
+  /**
+   * This component is not allowed to depend directly on frequently changing
+   * data (width, height) due to the use of `dangerouslySetInnerHTML` below.
+   * Any changes in props will cause the <iframe> to be removed and added again,
+   * throwing away the current state of the page.
+   */
   propTypes: {
     location: Types.location.isRequired,
-    width: Types.viewport.width.isRequired,
-    height: Types.viewport.height.isRequired,
-    isResizing: PropTypes.bool.isRequired,
+    onBrowserMounted: PropTypes.func.isRequired,
+    onContentResize: PropTypes.func.isRequired,
+  },
+
+  /**
+   * Once the browser element has mounted, load the frame script and enable
+   * various features, like floating scrollbars.
+   */
+  componentDidMount: Task.async(function*() {
+    let { onContentResize } = this;
+    let browser = this.refs.browserContainer.querySelector("iframe.browser");
+    let mm = browser.frameLoader.messageManager;
+
+    // Notify tests when the content has received a resize event.  This is not
+    // quite the same timing as when we _set_ a new size around the browser,
+    // since it still needs to do async work before the content is actually
+    // resized to match.
+    mm.addMessageListener("ResponsiveMode:OnContentResize", onContentResize);
+
+    let ready = waitForMessage(mm, "ResponsiveMode:ChildScriptReady");
+    mm.loadFrameScript("resource://devtools/client/responsivedesign/" +
+                       "responsivedesign-child.js", true);
+    yield ready;
+
+    let browserWindow = getToplevelWindow(window);
+    let requiresFloatingScrollbars =
+      !browserWindow.matchMedia("(-moz-overlay-scrollbars)").matches;
+    let started = waitForMessage(mm, "ResponsiveMode:Start:Done");
+    mm.sendAsyncMessage("ResponsiveMode:Start", {
+      requiresFloatingScrollbars,
+      // Tests expect events on resize to yield on various size changes
+      notifyOnResize: DevToolsUtils.testing,
+    });
+    yield started;
+
+    // manager.js waits for this signal before allowing browser tests to start
+    this.props.onBrowserMounted();
+  }),
+
+  componentWillUnmount() {
+    let { onContentResize } = this;
+    let browser = this.refs.browserContainer.querySelector("iframe.browser");
+    let mm = browser.frameLoader.messageManager;
+    mm.removeMessageListener("ResponsiveMode:OnContentResize", onContentResize);
+    mm.sendAsyncMessage("ResponsiveMode:Stop");
+  },
+
+  onContentResize(msg) {
+    let { onContentResize } = this.props;
+    let { width, height } = msg.data;
+    onContentResize({
+      width,
+      height,
+    });
   },
 
   render() {
     let {
       location,
-      width,
-      height,
-      isResizing,
     } = this.props;
 
-    let className = "browser";
-    if (isResizing) {
-      className += " resizing";
-    }
+    // innerHTML expects & to be an HTML entity
+    location = location.replace(/&/g, "&amp;");
 
-    return dom.iframe(
+    return dom.div(
       {
-        className,
-        src: location,
-        width,
-        height,
+        ref: "browserContainer",
+        className: "browser-container",
+
+        /**
+         * React uses a whitelist for attributes, so we need some way to set
+         * attributes it does not know about, such as @mozbrowser.  If this were
+         * the only issue, we could use componentDidMount or ref: node => {} to
+         * set the atttibutes. In the case of @remote, the attribute must be set
+         * before the element is added to the DOM to have any effect, which we
+         * are able to do with this approach.
+         */
+        dangerouslySetInnerHTML: {
+          __html: `<iframe class="browser" mozbrowser="true" remote="true"
+                           noisolation="true" src="${location}"
+                           width="100%" height="100%"></iframe>`
+        }
       }
     );
   },
diff --git a/devtools/client/responsive.html/components/resizable-viewport.js b/devtools/client/responsive.html/components/resizable-viewport.js
index 046dd6f67b..2214734dab 100644
--- a/devtools/client/responsive.html/components/resizable-viewport.js
+++ b/devtools/client/responsive.html/components/resizable-viewport.js
@@ -26,7 +26,9 @@ module.exports = createClass({
     location: Types.location.isRequired,
     screenshot: PropTypes.shape(Types.screenshot).isRequired,
     viewport: PropTypes.shape(Types.viewport).isRequired,
+    onBrowserMounted: PropTypes.func.isRequired,
     onChangeViewportDevice: PropTypes.func.isRequired,
+    onContentResize: PropTypes.func.isRequired,
     onResizeViewport: PropTypes.func.isRequired,
     onRotateViewport: PropTypes.func.isRequired,
   },
@@ -115,17 +117,23 @@ module.exports = createClass({
       location,
       screenshot,
       viewport,
+      onBrowserMounted,
       onChangeViewportDevice,
+      onContentResize,
       onResizeViewport,
       onRotateViewport,
     } = this.props;
 
     let resizeHandleClass = "viewport-resize-handle";
-
     if (screenshot.isCapturing) {
       resizeHandleClass += " hidden";
     }
 
+    let contentClass = "viewport-content";
+    if (this.state.isResizing) {
+      contentClass += " resizing";
+    }
+
     return dom.div(
       {
         className: "resizable-viewport",
@@ -137,12 +145,20 @@ module.exports = createClass({
         onResizeViewport,
         onRotateViewport,
       }),
-      Browser({
-        location,
-        width: viewport.width,
-        height: viewport.height,
-        isResizing: this.state.isResizing
-      }),
+      dom.div(
+        {
+          className: contentClass,
+          style: {
+            width: viewport.width + "px",
+            height: viewport.height + "px",
+          },
+        },
+        Browser({
+          location,
+          onBrowserMounted,
+          onContentResize,
+        })
+      ),
       dom.div({
         className: resizeHandleClass,
         onMouseDown: this.onResizeStart,
diff --git a/devtools/client/responsive.html/components/viewport.js b/devtools/client/responsive.html/components/viewport.js
index 7609aef053..03d9f7bb7f 100644
--- a/devtools/client/responsive.html/components/viewport.js
+++ b/devtools/client/responsive.html/components/viewport.js
@@ -20,7 +20,9 @@ module.exports = createClass({
     location: Types.location.isRequired,
     screenshot: PropTypes.shape(Types.screenshot).isRequired,
     viewport: PropTypes.shape(Types.viewport).isRequired,
+    onBrowserMounted: PropTypes.func.isRequired,
     onChangeViewportDevice: PropTypes.func.isRequired,
+    onContentResize: PropTypes.func.isRequired,
     onResizeViewport: PropTypes.func.isRequired,
     onRotateViewport: PropTypes.func.isRequired,
   },
@@ -58,6 +60,8 @@ module.exports = createClass({
       location,
       screenshot,
       viewport,
+      onContentResize,
+      onBrowserMounted,
     } = this.props;
 
     let {
@@ -75,7 +79,9 @@ module.exports = createClass({
         location,
         screenshot,
         viewport,
+        onBrowserMounted,
         onChangeViewportDevice,
+        onContentResize,
         onResizeViewport,
         onRotateViewport,
       }),
diff --git a/devtools/client/responsive.html/components/viewports.js b/devtools/client/responsive.html/components/viewports.js
index 62e6a34caf..6f04f4743a 100644
--- a/devtools/client/responsive.html/components/viewports.js
+++ b/devtools/client/responsive.html/components/viewports.js
@@ -19,7 +19,9 @@ module.exports = createClass({
     location: Types.location.isRequired,
     screenshot: PropTypes.shape(Types.screenshot).isRequired,
     viewports: PropTypes.arrayOf(PropTypes.shape(Types.viewport)).isRequired,
+    onBrowserMounted: PropTypes.func.isRequired,
     onChangeViewportDevice: PropTypes.func.isRequired,
+    onContentResize: PropTypes.func.isRequired,
     onResizeViewport: PropTypes.func.isRequired,
     onRotateViewport: PropTypes.func.isRequired,
   },
@@ -30,7 +32,9 @@ module.exports = createClass({
       location,
       screenshot,
       viewports,
+      onBrowserMounted,
       onChangeViewportDevice,
+      onContentResize,
       onResizeViewport,
       onRotateViewport,
     } = this.props;
@@ -46,7 +50,9 @@ module.exports = createClass({
           location,
           screenshot,
           viewport,
+          onBrowserMounted,
           onChangeViewportDevice,
+          onContentResize,
           onResizeViewport,
           onRotateViewport,
         });
diff --git a/devtools/client/responsive.html/index.css b/devtools/client/responsive.html/index.css
index 652761437b..729fce0958 100644
--- a/devtools/client/responsive.html/index.css
+++ b/devtools/client/responsive.html/index.css
@@ -201,19 +201,28 @@ body {
   background-image: url("./images/rotate-viewport.svg");
 }
 
+/**
+ * Viewport Content
+ */
+
+.viewport-content.resizing {
+  pointer-events: none;
+}
+
 /**
  * Viewport Browser
  */
 
+.browser-container {
+  width: inherit;
+  height: inherit;
+}
+
 .browser {
   display: block;
   border: 0;
 }
 
-.browser.resizing {
-  pointer-events: none;
-}
-
 /**
  * Viewport Resize Handles
  */
diff --git a/devtools/client/responsive.html/index.js b/devtools/client/responsive.html/index.js
index 7bf2d934b4..b80f097614 100644
--- a/devtools/client/responsive.html/index.js
+++ b/devtools/client/responsive.html/index.js
@@ -43,7 +43,6 @@ let bootstrap = {
     this.telemetry.toolOpened("responsive");
     let store = this.store = Store();
     let provider = createElement(Provider, { store }, App());
-
     ReactDOM.render(provider, document.querySelector("#root"));
     this.initDevices();
     window.postMessage({ type: "init" }, "*");
@@ -116,6 +115,14 @@ window.addInitialViewport = contentURI => {
   }
 };
 
+/**
+ * Called by manager.js when tests want to check the viewport size.
+ */
+window.getViewportSize = () => {
+  let { width, height } = bootstrap.store.getState().viewports[0];
+  return { width, height };
+};
+
 /**
  * Called by manager.js to set viewport size from GCLI.
  */
@@ -126,3 +133,13 @@ window.setViewportSize = (width, height) => {
     console.error(e);
   }
 };
+
+/**
+ * Called by manager.js when tests want to use the viewport's message manager.
+ * It is packed into an object because this is the format most easily usable
+ * with ContentTask.spawn().
+ */
+window.getViewportMessageManager = () => {
+  let { messageManager } = document.querySelector("iframe.browser").frameLoader;
+  return { messageManager };
+};
diff --git a/devtools/client/responsive.html/manager.js b/devtools/client/responsive.html/manager.js
index a7af02438a..2314cb4909 100644
--- a/devtools/client/responsive.html/manager.js
+++ b/devtools/client/responsive.html/manager.js
@@ -4,8 +4,10 @@
 
 "use strict";
 
+const { Ci, Cr } = require("chrome");
 const promise = require("promise");
 const { Task } = require("resource://gre/modules/Task.jsm");
+const { XPCOMUtils } = require("resource://gre/modules/XPCOMUtils.jsm");
 const EventEmitter = require("devtools/shared/event-emitter");
 
 const TOOL_URL = "chrome://devtools/content/responsive.html/index.xhtml";
@@ -69,14 +71,14 @@ const ResponsiveUIManager = exports.ResponsiveUIManager = {
    * @return Promise
    *         Resolved (with no value) when closing is complete.
    */
-  closeIfNeeded(window, tab) {
+  closeIfNeeded: Task.async(function*(window, tab) {
     if (this.isActiveForTab(tab)) {
-      this.activeTabs.get(tab).destroy();
+      yield this.activeTabs.get(tab).destroy();
       this.activeTabs.delete(tab);
       this.emit("off", { tab });
     }
     return promise.resolve();
-  },
+  }),
 
   /**
    * Returns true if responsive UI is active for a given tab.
@@ -195,19 +197,23 @@ ResponsiveUI.prototype = {
     tabBrowser.loadURI(TOOL_URL);
     yield tabLoaded(this.tab);
     let toolWindow = this.toolWindow = tabBrowser.contentWindow;
+    toolWindow.addEventListener("message", this);
     yield waitForMessage(toolWindow, "init");
     toolWindow.addInitialViewport(contentURI);
-    toolWindow.addEventListener("message", this);
+    yield waitForMessage(toolWindow, "browser-mounted");
   }),
 
-  destroy() {
+  destroy: Task.async(function*() {
     let tabBrowser = this.tab.linkedBrowser;
-    tabBrowser.goBack();
-    this.window = null;
+    let browserWindow = this.browserWindow;
+    this.browserWindow = null;
     this.tab = null;
     this.inited = null;
     this.toolWindow = null;
-  },
+    let loaded = waitForDocLoadComplete(browserWindow.gBrowser);
+    tabBrowser.goBack();
+    yield loaded;
+  }),
 
   handleEvent(event) {
     let { tab, window } = this;
@@ -218,6 +224,13 @@ ResponsiveUI.prototype = {
     }
 
     switch (event.data.type) {
+      case "content-resize":
+        let { width, height } = event.data;
+        this.emit("content-resize", {
+          width,
+          height,
+        });
+        break;
       case "exit":
         toolWindow.removeEventListener(event.type, this);
         ResponsiveUIManager.closeIfNeeded(window, tab);
@@ -225,13 +238,23 @@ ResponsiveUI.prototype = {
     }
   },
 
+  getViewportSize() {
+    return this.toolWindow.getViewportSize();
+  },
+
   setViewportSize: Task.async(function*(width, height) {
     yield this.inited;
     this.toolWindow.setViewportSize(width, height);
   }),
 
+  getViewportMessageManager() {
+    return this.toolWindow.getViewportMessageManager();
+  },
+
 };
 
+EventEmitter.decorate(ResponsiveUI.prototype);
+
 function waitForMessage(win, type) {
   let deferred = promise.defer();
 
@@ -262,3 +285,27 @@ function tabLoaded(tab) {
   tab.linkedBrowser.addEventListener("load", handle, true);
   return deferred.promise;
 }
+
+/**
+ * Waits for the next load to complete in the current browser.
+ */
+function waitForDocLoadComplete(gBrowser) {
+  let deferred = promise.defer();
+  let progressListener = {
+    onStateChange: function(webProgress, req, flags, status) {
+      let docStop = Ci.nsIWebProgressListener.STATE_IS_NETWORK |
+                    Ci.nsIWebProgressListener.STATE_STOP;
+
+      // When a load needs to be retargetted to a new process it is cancelled
+      // with NS_BINDING_ABORTED so ignore that case
+      if ((flags & docStop) == docStop && status != Cr.NS_BINDING_ABORTED) {
+        gBrowser.removeProgressListener(progressListener);
+        deferred.resolve();
+      }
+    },
+    QueryInterface: XPCOMUtils.generateQI([Ci.nsIWebProgressListener,
+                                           Ci.nsISupportsWeakReference])
+  };
+  gBrowser.addProgressListener(progressListener);
+  return deferred.promise;
+}
diff --git a/devtools/client/responsive.html/test/browser/browser.ini b/devtools/client/responsive.html/test/browser/browser.ini
index 26ac097305..04a53625ca 100644
--- a/devtools/client/responsive.html/test/browser/browser.ini
+++ b/devtools/client/responsive.html/test/browser/browser.ini
@@ -8,6 +8,7 @@ support-files =
   !/devtools/client/framework/test/shared-head.js
   !/devtools/client/framework/test/shared-redux-head.js
 
+[browser_device_width.js]
 [browser_exit_button.js]
 [browser_resize_cmd.js]
 [browser_screenshot_button.js]
diff --git a/devtools/client/responsive.html/test/browser/browser_device_width.js b/devtools/client/responsive.html/test/browser/browser_device_width.js
new file mode 100644
index 0000000000..f113e098ab
--- /dev/null
+++ b/devtools/client/responsive.html/test/browser/browser_device_width.js
@@ -0,0 +1,66 @@
+/* Any copyright is dedicated to the Public Domain.
+http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const TEST_URL = "about:logo";
+
+addRDMTask(TEST_URL, function*({ ui, manager }) {
+  ok(ui, "An instance of the RDM should be attached to the tab.");
+  yield setViewportSize(ui, manager, 110, 500);
+
+  info("Checking initial width/height properties.");
+  yield doInitialChecks(ui);
+
+  info("Changing the RDM size");
+  yield setViewportSize(ui, manager, 90, 500);
+
+  info("Checking for screen props");
+  yield checkScreenProps(ui);
+
+  info("Setting docShell.deviceSizeIsPageSize to false");
+  yield ContentTask.spawn(ui.getViewportMessageManager(), {}, function*() {
+    let docShell = content.QueryInterface(Ci.nsIInterfaceRequestor)
+                          .getInterface(Ci.nsIWebNavigation)
+                          .QueryInterface(Ci.nsIDocShell);
+    docShell.deviceSizeIsPageSize = false;
+  });
+
+  info("Checking for screen props once again.");
+  yield checkScreenProps2(ui);
+});
+
+function* doInitialChecks(ui) {
+  let { innerWidth, matchesMedia } = yield grabContentInfo(ui);
+  is(innerWidth, 110, "initial width should be 110px");
+  ok(!matchesMedia, "media query shouldn't match.");
+}
+
+function* checkScreenProps(ui) {
+  let { matchesMedia, screen } = yield grabContentInfo(ui);
+  ok(matchesMedia, "media query should match");
+  isnot(window.screen.width, screen.width,
+        "screen.width should not be the size of the screen.");
+  is(screen.width, 90, "screen.width should be the page width");
+  is(screen.height, 500, "screen.height should be the page height");
+}
+
+function* checkScreenProps2(ui) {
+  let { matchesMedia, screen } = yield grabContentInfo(ui);
+  ok(!matchesMedia, "media query should be re-evaluated.");
+  is(window.screen.width, screen.width,
+     "screen.width should be the size of the screen.");
+}
+
+function grabContentInfo(ui) {
+  return ContentTask.spawn(ui.getViewportMessageManager(), {}, function*() {
+    return {
+      screen: {
+        width: content.screen.width,
+        height: content.screen.height
+      },
+      innerWidth: content.innerWidth,
+      matchesMedia: content.matchMedia("(max-device-width:100px)").matches
+    };
+  });
+}
diff --git a/devtools/client/responsive.html/test/browser/browser_exit_button.js b/devtools/client/responsive.html/test/browser/browser_exit_button.js
index 48b85b4ae0..81f5aa1148 100644
--- a/devtools/client/responsive.html/test/browser/browser_exit_button.js
+++ b/devtools/client/responsive.html/test/browser/browser_exit_button.js
@@ -14,10 +14,9 @@ addRDMTask(TEST_URL, function*({ ui, manager }) {
   // Wait until the viewport has been added
   yield waitUntilState(store, state => state.viewports.length == 1);
 
-  let browser = toolWindow.document.querySelector(".browser");
   let exitButton = toolWindow.document.getElementById("global-exit-button");
 
-  yield waitForFrameLoad(browser, TEST_URL);
+  yield waitForFrameLoad(ui, TEST_URL);
 
   ok(manager.isActiveForTab(ui.tab),
     "Responsive Design Mode active for the tab");
diff --git a/devtools/client/responsive.html/test/browser/browser_resize_cmd.js b/devtools/client/responsive.html/test/browser/browser_resize_cmd.js
index e9116f10d9..3ac6fc3065 100644
--- a/devtools/client/responsive.html/test/browser/browser_resize_cmd.js
+++ b/devtools/client/responsive.html/test/browser/browser_resize_cmd.js
@@ -15,7 +15,7 @@ add_task(function*() {
   }
 
   const TEST_URL = "data:text/html;charset=utf-8,hi";
-  return helpers.addTabWithToolbar(TEST_URL, (options) => {
+  yield helpers.addTabWithToolbar(TEST_URL, (options) => {
     return helpers.audit(options, [
       {
         setup() {
@@ -55,6 +55,10 @@ add_task(function*() {
           ok(!isOpen(), "responsive mode is closed");
         }),
       },
+    ]);
+  });
+  yield helpers.addTabWithToolbar(TEST_URL, (options) => {
+    return helpers.audit(options, [
       {
         setup() {
           done = once(manager, "on");
@@ -93,6 +97,10 @@ add_task(function*() {
           ok(!isOpen(), "responsive mode is closed");
         }),
       },
+    ]);
+  });
+  yield helpers.addTabWithToolbar(TEST_URL, (options) => {
+    return helpers.audit(options, [
       {
         setup() {
           done = once(manager, "on");
@@ -136,5 +144,5 @@ add_task(function*() {
         }),
       },
     ]);
-  }).then(finish);
+  });
 });
diff --git a/devtools/client/responsive.html/test/browser/browser_viewport_basics.js b/devtools/client/responsive.html/test/browser/browser_viewport_basics.js
index 5b34435a4e..46b153bdf0 100644
--- a/devtools/client/responsive.html/test/browser/browser_viewport_basics.js
+++ b/devtools/client/responsive.html/test/browser/browser_viewport_basics.js
@@ -17,16 +17,17 @@ addRDMTask(TEST_URL, function*({ ui }) {
   yield waitUntilState(store, state => state.viewports.length == 1);
 
   // A single viewport of default size appeared
-  let browser = ui.toolWindow.document.querySelector(".browser");
-  is(browser.width, "320", "Viewport has default width");
-  is(browser.height, "480", "Viewport has default height");
+  let viewport = ui.toolWindow.document.querySelector(".viewport-content");
+
+  is(ui.toolWindow.getComputedStyle(viewport).getPropertyValue("width"),
+     "320px", "Viewport has default width");
+  is(ui.toolWindow.getComputedStyle(viewport).getPropertyValue("height"),
+     "480px", "Viewport has default height");
 
   // Browser's location should match original tab
-  // TODO: For the moment, we have parent process <iframe>s and we can just
-  // check the location directly.  Bug 1240896 will change this to <iframe
-  // mozbrowser remote>, which is in the child process, so ContentTask or
-  // similar will be needed.
-  yield waitForFrameLoad(browser, TEST_URL);
-  is(browser.contentWindow.location.href, TEST_URL,
-     "Viewport location matches");
+  yield waitForFrameLoad(ui, TEST_URL);
+  let location = yield spawnViewportTask(ui, {}, function*() {
+    return content.location.href;
+  });
+  is(location, TEST_URL, "Viewport location matches");
 });
diff --git a/devtools/client/responsive.html/test/browser/head.js b/devtools/client/responsive.html/test/browser/head.js
index cabd290872..b8321de85c 100644
--- a/devtools/client/responsive.html/test/browser/head.js
+++ b/devtools/client/responsive.html/test/browser/head.js
@@ -54,7 +54,7 @@ var openRDM = Task.async(function*(tab) {
 var closeRDM = Task.async(function*(tab) {
   info("Closing responsive design mode");
   let manager = ResponsiveUIManager;
-  manager.closeIfNeeded(window, tab);
+  yield manager.closeIfNeeded(window, tab);
   info("Responsive design mode closed");
 });
 
@@ -85,12 +85,43 @@ function addRDMTask(url, generator) {
   });
 }
 
-var waitForFrameLoad = Task.async(function*(frame, targetURL) {
-  let window = frame.contentWindow;
-  if ((window.document.readyState == "complete" ||
-       window.document.readyState == "interactive") &&
-      window.location.href == targetURL) {
-    return;
+function spawnViewportTask(ui, args, task) {
+  return ContentTask.spawn(ui.getViewportMessageManager(), args, task);
+}
+
+function waitForFrameLoad(ui, targetURL) {
+  return spawnViewportTask(ui, { targetURL }, function*(args) {
+    if ((content.document.readyState == "complete" ||
+         content.document.readyState == "interactive") &&
+        content.location.href == args.targetURL) {
+      return;
+    }
+    yield ContentTaskUtils.waitForEvent(this, "DOMContentLoaded");
+  });
+}
+
+function waitForViewportResizeTo(ui, width, height) {
+  return new Promise(resolve => {
+    let onResize = (_, data) => {
+      if (data.width != width || data.height != height) {
+        return;
+      }
+      ui.off("content-resize", onResize);
+      info(`Got content-resize to ${width} x ${height}`);
+      resolve();
+    };
+    info(`Waiting for content-resize to ${width} x ${height}`);
+    ui.on("content-resize", onResize);
+  });
+}
+
+var setViewportSize = Task.async(function*(ui, manager, width, height) {
+  let size = ui.getViewportSize();
+  info(`Current size: ${size.width} x ${size.height}, ` +
+       `set to: ${width} x ${height}`);
+  if (size.width != width || size.height != height) {
+    let resized = waitForViewportResizeTo(ui, width, height);
+    ui.setViewportSize(width, height);
+    yield resized;
   }
-  yield once(frame, "load");
 });
diff --git a/devtools/client/responsive.html/utils/e10s.js b/devtools/client/responsive.html/utils/e10s.js
new file mode 100644
index 0000000000..d805db8a46
--- /dev/null
+++ b/devtools/client/responsive.html/utils/e10s.js
@@ -0,0 +1,23 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const promise = require("promise");
+
+module.exports = {
+
+  waitForMessage(mm, message) {
+    let deferred = promise.defer();
+
+    let onMessage = event => {
+      mm.removeMessageListener(message, onMessage);
+      deferred.resolve();
+    };
+    mm.addMessageListener(message, onMessage);
+
+    return deferred.promise;
+  },
+
+};
diff --git a/devtools/client/responsive.html/utils/moz.build b/devtools/client/responsive.html/utils/moz.build
index b7215724e9..f04190801a 100644
--- a/devtools/client/responsive.html/utils/moz.build
+++ b/devtools/client/responsive.html/utils/moz.build
@@ -5,5 +5,6 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DevToolsModules(
+    'e10s.js',
     'l10n.js',
 )
diff --git a/devtools/client/styleeditor/StyleEditorUI.jsm b/devtools/client/styleeditor/StyleEditorUI.jsm
index dc8f02d7ed..2e69ed82e7 100644
--- a/devtools/client/styleeditor/StyleEditorUI.jsm
+++ b/devtools/client/styleeditor/StyleEditorUI.jsm
@@ -836,7 +836,8 @@ StyleEditorUI.prototype = {
     text(summary, ".stylesheet-linked-file", linkedCSSFile);
     text(summary, ".stylesheet-title", editor.styleSheet.title || "");
     text(summary, ".stylesheet-rule-count",
-      PluralForm.get(ruleCount, _("ruleCount.label")).replace("#1", ruleCount));
+      PluralForm.get(ruleCount,
+                     getString("ruleCount.label")).replace("#1", ruleCount));
   },
 
   /**
diff --git a/devtools/client/styleeditor/StyleEditorUtil.jsm b/devtools/client/styleeditor/StyleEditorUtil.jsm
index 829e454364..5f196110cf 100644
--- a/devtools/client/styleeditor/StyleEditorUtil.jsm
+++ b/devtools/client/styleeditor/StyleEditorUtil.jsm
@@ -9,7 +9,7 @@
 "use strict";
 
 this.EXPORTED_SYMBOLS = [
-  "_",
+  "getString",
   "assert",
   "log",
   "text",
@@ -36,7 +36,7 @@ const gStringBundle = Services.strings.createBundle(PROPERTIES_URL);
  *        Optional arguments to format in the string.
  * @return string
  */
-function _(name) {
+function getString(name) {
   try {
     if (arguments.length == 1) {
       return gStringBundle.GetStringFromName(name);
@@ -226,8 +226,8 @@ function showFilePicker(path, toSave, parentWindow, callback,
     fp.defaultString = suggestedFilename;
   }
 
-  fp.init(parentWindow, _(key + ".title"), mode);
-  fp.appendFilters(_(key + ".filter"), "*.css");
+  fp.init(parentWindow, getString(key + ".title"), mode);
+  fp.appendFilters(getString(key + ".filter"), "*.css");
   fp.appendFilters(fp.filterAll);
   fp.open(fpCallback);
   return;
diff --git a/devtools/client/styleeditor/StyleSheetEditor.jsm b/devtools/client/styleeditor/StyleSheetEditor.jsm
index 13f175d579..5703c53671 100644
--- a/devtools/client/styleeditor/StyleSheetEditor.jsm
+++ b/devtools/client/styleeditor/StyleSheetEditor.jsm
@@ -184,12 +184,12 @@ StyleSheetEditor.prototype = {
 
     if (this._isNew) {
       let index = this.styleSheet.styleSheetIndex + 1;
-      return _("newStyleSheet", index);
+      return getString("newStyleSheet", index);
     }
 
     if (!this.styleSheet.href) {
       let index = this.styleSheet.styleSheetIndex + 1;
-      return _("inlineStyleSheet", index);
+      return getString("inlineStyleSheet", index);
     }
 
     if (!this._friendlyName) {
@@ -580,12 +580,8 @@ StyleSheetEditor.prototype = {
    * @param {Number} y
    */
   _highlightSelectorAt: Task.async(function*(x, y) {
-    // Need to catch parsing exceptions as long as bug 1051900 isn't fixed
-    let info;
-    try {
-      let pos = this.sourceEditor.getPositionFromCoords({left: x, top: y});
-      info = this.sourceEditor.getInfoAt(pos);
-    } catch (e) {}
+    let pos = this.sourceEditor.getPositionFromCoords({left: x, top: y});
+    let info = this.sourceEditor.getInfoAt(pos);
     if (!info || info.state !== "selector") {
       return;
     }
@@ -751,12 +747,13 @@ StyleSheetEditor.prototype = {
     */
   _getKeyBindings: function() {
     let bindings = {};
+    let keybind = Editor.accel(getString("saveStyleSheet.commandkey"));
 
-    bindings[Editor.accel(_("saveStyleSheet.commandkey"))] = () => {
+    bindings[keybind] = () => {
       this.saveToFile(this.savedFile);
     };
 
-    bindings["Shift-" + Editor.accel(_("saveStyleSheet.commandkey"))] = () => {
+    bindings["Shift-" + keybind] = () => {
       this.saveToFile();
     };
 
diff --git a/devtools/client/styleeditor/styleeditor-panel.js b/devtools/client/styleeditor/styleeditor-panel.js
index eed46e9552..d77cb8b669 100644
--- a/devtools/client/styleeditor/styleeditor-panel.js
+++ b/devtools/client/styleeditor/styleeditor-panel.js
@@ -90,7 +90,7 @@ StyleEditorPanel.prototype = {
       return;
     }
 
-    let errorMessage = _(data.key);
+    let errorMessage = getString(data.key);
     if (data.append) {
       errorMessage += " " + data.append;
     }
diff --git a/dom/ipc/TabChild.cpp b/dom/ipc/TabChild.cpp
index 5c6d4b8fb4..11e906f875 100644
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -1655,13 +1655,15 @@ bool
 TabChild::RecvSizeModeChanged(const nsSizeMode& aSizeMode)
 {
   mPuppetWidget->SetSizeMode(aSizeMode);
+  if (!mPuppetWidget->IsVisible()) {
+    return true;
+  }
   nsCOMPtr<nsIDocument> document(GetDocument());
   nsCOMPtr<nsIPresShell> presShell = document->GetShell();
   if (presShell) {
     nsPresContext* presContext = presShell->GetPresContext();
     if (presContext) {
-      presContext->MediaFeatureValuesChangedAllDocuments(eRestyle_Subtree,
-                                                         NS_STYLE_HINT_REFLOW);
+      presContext->SizeModeChanged(aSizeMode);
     }
   }
   return true;
diff --git a/dom/presentation/PresentationConnection.cpp b/dom/presentation/PresentationConnection.cpp
index d23f73becf..8de4b51d18 100644
--- a/dom/presentation/PresentationConnection.cpp
+++ b/dom/presentation/PresentationConnection.cpp
@@ -118,7 +118,7 @@ PresentationConnection::State() const
 
 void
 PresentationConnection::Send(const nsAString& aData,
-                          ErrorResult& aRv)
+                             ErrorResult& aRv)
 {
   // Sending is not allowed if the session is not connected.
   if (NS_WARN_IF(mState != PresentationConnectionState::Connected)) {
@@ -126,21 +126,6 @@ PresentationConnection::Send(const nsAString& aData,
     return;
   }
 
-  nsresult rv;
-  nsCOMPtr<nsIStringInputStream> stream =
-    do_CreateInstance(NS_STRINGINPUTSTREAM_CONTRACTID, &rv);
-  if(NS_WARN_IF(NS_FAILED(rv))) {
-    aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
-    return;
-  }
-
-  NS_ConvertUTF16toUTF8 msgString(aData);
-  rv = stream->SetData(msgString.BeginReading(), msgString.Length());
-  if(NS_WARN_IF(NS_FAILED(rv))) {
-    aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
-    return;
-  }
-
   nsCOMPtr<nsIPresentationService> service =
     do_GetService(PRESENTATION_SERVICE_CONTRACTID);
   if(NS_WARN_IF(!service)) {
@@ -148,7 +133,7 @@ PresentationConnection::Send(const nsAString& aData,
     return;
   }
 
-  rv = service->SendSessionMessage(mId, stream);
+  nsresult rv = service->SendSessionMessage(mId, aData);
   if(NS_WARN_IF(NS_FAILED(rv))) {
     aRv.Throw(NS_ERROR_DOM_OPERATION_ERR);
   }
@@ -186,7 +171,7 @@ PresentationConnection::Terminate(ErrorResult& aRv)
 
 NS_IMETHODIMP
 PresentationConnection::NotifyStateChange(const nsAString& aSessionId,
-                                       uint16_t aState)
+                                          uint16_t aState)
 {
   if (!aSessionId.Equals(mId)) {
     return NS_ERROR_INVALID_ARG;
@@ -233,7 +218,7 @@ PresentationConnection::NotifyStateChange(const nsAString& aSessionId,
 
 NS_IMETHODIMP
 PresentationConnection::NotifyMessage(const nsAString& aSessionId,
-                                   const nsACString& aData)
+                                      const nsACString& aData)
 {
   if (!aSessionId.Equals(mId)) {
     return NS_ERROR_INVALID_ARG;
diff --git a/dom/presentation/PresentationDataChannelSessionTransport.js b/dom/presentation/PresentationDataChannelSessionTransport.js
new file mode 100644
index 0000000000..0b03bedf83
--- /dev/null
+++ b/dom/presentation/PresentationDataChannelSessionTransport.js
@@ -0,0 +1,353 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this file,
+* You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+
+// Bug 1228209 - plan to remove this eventually
+function log(aMsg) {
+  //dump("-*- PresentationDataChannelSessionTransport.js : " + aMsg + "\n");
+}
+
+const PRESENTATIONTRANSPORT_CID = Components.ID("{dd2bbf2f-3399-4389-8f5f-d382afb8b2d6}");
+const PRESENTATIONTRANSPORT_CONTRACTID = "mozilla.org/presentation/datachanneltransport;1";
+
+const PRESENTATIONTRANSPORTBUILDER_CID = Components.ID("{215b2f62-46e2-4004-a3d1-6858e56c20f3}");
+const PRESENTATIONTRANSPORTBUILDER_CONTRACTID = "mozilla.org/presentation/datachanneltransportbuilder;1";
+
+
+function PresentationDataChannelDescription(aDataChannelSDP) {
+  this._dataChannelSDP = JSON.stringify(aDataChannelSDP);
+}
+
+PresentationDataChannelDescription.prototype = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationChannelDescription]),
+  get type() {
+    return nsIPresentationChannelDescription.TYPE_DATACHANNEL;
+  },
+  get tcpAddress() {
+    return null;
+  },
+  get tcpPort() {
+    return null;
+  },
+  get dataChannelSDP() {
+    return this._dataChannelSDP;
+  }
+};
+
+
+function PresentationTransportBuilder() {
+  log("PresentationTransportBuilder construct");
+  this._isControlChannelNeeded = true;
+}
+
+PresentationTransportBuilder.prototype = {
+  classID: PRESENTATIONTRANSPORTBUILDER_CID,
+  contractID: PRESENTATIONTRANSPORTBUILDER_CONTRACTID,
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationDataChannelSessionTransportBuilder,
+                                         Ci.nsIPresentationControlChannelListener,
+                                         Ci.nsITimerCallback]),
+
+  buildDataChannelTransport: function(aType, aWindow, aControlChannel, aListener) {
+    if (!aType || !aWindow || !aControlChannel || !aListener) {
+      log("buildDataChannelTransport with illegal parameters");
+      throw Cr.NS_ERROR_ILLEGAL_VALUE;
+    }
+
+    if (this._window) {
+      log("buildDataChannelTransport has started.");
+      throw Cr.NS_ERROR_UNEXPECTED;
+    }
+
+    log("buildDataChannelTransport with type " + aType);
+    this._type = aType;
+    this._window = aWindow;
+    this._controlChannel = aControlChannel.QueryInterface(Ci.nsIPresentationControlChannel);
+    this._controlChannel.listener = this;
+    this._listener = aListener.QueryInterface(Ci.nsIPresentationSessionTransportBuilderListener);
+
+    // TODO bug 1227053 set iceServers from |nsIPresentationDevice|
+    this._peerConnection = new this._window.RTCPeerConnection();
+
+    // |this._controlChannel == null| will throw since the control channel is
+    // abnormally closed.
+    this._peerConnection.onicecandidate = aEvent => aEvent.candidate &&
+      this._controlChannel.sendIceCandidate(JSON.stringify(aEvent.candidate));
+
+    this._peerConnection.onnegotiationneeded = () => {
+      log("onnegotiationneeded with type " + this._type);
+      this._peerConnection.createOffer()
+          .then(aOffer => this._peerConnection.setLocalDescription(aOffer))
+          .then(() => this._controlChannel
+                          .sendOffer(new PresentationDataChannelDescription(this._peerConnection.localDescription)))
+          .catch(e => this._reportError(e));
+    }
+
+    switch (this._type) {
+      case Ci.nsIPresentationSessionTransportBuilder.TYPE_SENDER:
+        this._dataChannel = this._peerConnection.createDataChannel("presentationAPI");
+        this._setDataChannel();
+        break;
+
+      case Ci.nsIPresentationSessionTransportBuilder.TYPE_RECEIVER:
+        this._peerConnection.ondatachannel = aEvent => {
+          this._dataChannel = aEvent.channel;
+          this._setDataChannel();
+        }
+        break;
+      default:
+       throw Cr.NS_ERROR_ILLEGAL_VALUE;
+    }
+
+    // TODO bug 1228235 we should have a way to let device providers customize
+    // the time-out duration.
+    let timeout;
+    try {
+      timeout = Services.prefs.getIntPref("presentation.receiver.loading.timeout");
+    } catch (e) {
+      // This happens if the pref doesn't exist, so we have a default value.
+      timeout = 10000;
+    }
+
+    // The timer is to check if the negotiation finishes on time.
+    this._timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
+    this._timer.initWithCallback(this, timeout, this._timer.TYPE_ONE_SHOT);
+  },
+
+  notify: function() {
+    if (!this._sessionTransport) {
+      this._cleanup(Cr.NS_ERROR_NET_TIMEOUT);
+    }
+  },
+
+  _reportError: function(aError) {
+    log("report Error " + aError.name + ":" + aError.message);
+    this._cleanup(Cr.NS_ERROR_FAILURE);
+  },
+
+  _setDataChannel: function() {
+    this._dataChannel.onopen = () => {
+      log("data channel is open, notify the listener, type " + this._type);
+
+      // Handoff the ownership of _peerConnection and _dataChannel to
+      // _sessionTransport
+      this._sessionTransport = new PresentationTransport();
+      this._sessionTransport.init(this._peerConnection, this._dataChannel);
+      this._peerConnection = this._dataChannel = null;
+
+      this._listener.onSessionTransport(this._sessionTransport);
+      this._sessionTransport.callback.notifyTransportReady();
+
+      this._cleanup(Cr.NS_OK);
+    };
+
+    this._dataChannel.onerror = aError => {
+      log("data channel onerror " + aError.name + ":" + aError.message);
+      this._cleanup(Cr.NS_ERROR_FAILURE);
+    }
+  },
+
+  _cleanup: function(aReason) {
+    if (aReason != Cr.NS_OK) {
+      this._listener.onError(aReason);
+    }
+
+    if (this._dataChannel) {
+      this._dataChannel.close();
+      this._dataChannel = null;
+    }
+
+    if (this._peerConnection) {
+      this._peerConnection.close();
+      this._peerConnection = null;
+    }
+
+    this._type = null;
+    this._window = null;
+
+    if (this._controlChannel) {
+      this._controlChannel.close(aReason);
+      this._controlChannel = null;
+    }
+
+    this._listener = null;
+    this._sessionTransport = null;
+
+    if (this._timer) {
+      this._timer.cancel();
+      this._timer = null;
+    }
+  },
+
+  // nsIPresentationControlChannelListener
+  onOffer: function(aOffer) {
+    if (this._type !== Ci.nsIPresentationSessionTransportBuilder.TYPE_RECEIVER ||
+          this._sessionTransport) {
+      log("onOffer status error");
+      this._cleanup(Cr.NS_ERROR_FAILURE);
+    }
+
+    log("onOffer: " + aOffer.dataChannelSDP + " with type " + this._type);
+
+    let offer = new this._window
+                        .RTCSessionDescription(JSON.parse(aOffer.dataChannelSDP));
+
+    this._peerConnection.setRemoteDescription(offer)
+        .then(() => this._peerConnection.signalingState == "stable" ||
+                      this._peerConnection.createAnswer())
+        .then(aAnswer => this._peerConnection.setLocalDescription(aAnswer))
+        .then(() => {
+          this._isControlChannelNeeded = false;
+          this._controlChannel
+              .sendAnswer(new PresentationDataChannelDescription(this._peerConnection.localDescription))
+        }).catch(e => this._reportError(e));
+  },
+
+  onAnswer: function(aAnswer) {
+    if (this._type !== Ci.nsIPresentationSessionTransportBuilder.TYPE_SENDER ||
+          this._sessionTransport) {
+      log("onAnswer status error");
+      this._cleanup(Cr.NS_ERROR_FAILURE);
+    }
+
+    log("onAnswer: " + aAnswer.dataChannelSDP + " with type " + this._type);
+
+    let answer = new this._window
+                         .RTCSessionDescription(JSON.parse(aAnswer.dataChannelSDP));
+
+    this._peerConnection.setRemoteDescription(answer).catch(e => this._reportError(e));
+    this._isControlChannelNeeded = false;
+  },
+
+  onIceCandidate: function(aCandidate) {
+    log("onIceCandidate: " + aCandidate + " with type " + this._type);
+    let candidate = new this._window.RTCIceCandidate(JSON.parse(aCandidate));
+    this._peerConnection.addIceCandidate(candidate).catch(e => this._reportError(e));
+  },
+
+  notifyOpened: function() {
+    log("notifyOpened, should be opened beforehand");
+  },
+
+  notifyClosed: function(aReason) {
+    log("notifyClosed reason: " + aReason);
+
+    if (aReason != Cr.NS_OK) {
+      this._cleanup(aReason);
+    } else if (this._isControlChannelNeeded) {
+      this._cleanup(Cr.NS_ERROR_FAILURE);
+    }
+    this._controlChannel = null;
+  },
+};
+
+
+function PresentationTransport() {
+  this._messageQueue = [];
+  this._closeReason = Cr.NS_OK;
+}
+
+PresentationTransport.prototype = {
+  classID: PRESENTATIONTRANSPORT_CID,
+  contractID: PRESENTATIONTRANSPORT_CONTRACTID,
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransport]),
+
+  init: function(aPeerConnection, aDataChannel) {
+    log("initWithDataChannel");
+    this._enableDataNotification = false;
+    this._dataChannel = aDataChannel;
+    this._peerConnection = aPeerConnection;
+
+    this._dataChannel.onopen = () => {
+      log("data channel reopen. Should never touch here");
+    };
+
+    this._dataChannel.onclose = () => {
+      log("data channel onclose");
+      if (this._callback) {
+        this._callback.notifyTransportClosed(this._closeReason);
+      }
+      this._cleanup();
+    }
+
+    this._dataChannel.onmessage = aEvent => {
+      log("data channel onmessage " + aEvent.data);
+
+      if (!this._enableDataNotification || !this._callback) {
+        log("queue message");
+        this._messageQueue.push(aEvent.data);
+        return;
+      }
+      this._callback.notifyData(aEvent.data);
+    };
+
+
+    this._dataChannel.onerror = aError => {
+      log("data channel onerror " + aError.name + ":" + aError.message);
+      if (this._callback) {
+        this._callback.notifyTransportClosed(Cr.NS_ERROR_FAILURE);
+      }
+      this._cleanup();
+    }
+  },
+
+  // nsIPresentationTransport
+  get selfAddress() {
+    throw NS_ERROR_NOT_AVAILABLE;
+  },
+
+  get callback() {
+    return this._callback;
+  },
+
+  set callback(aCallback) {
+    this._callback = aCallback;
+  },
+
+  send: function(aData) {
+    log("send " + aData);
+    this._dataChannel.send(aData);
+  },
+
+  enableDataNotification: function() {
+    log("enableDataNotification");
+    if (this._enableDataNotification) {
+      return;
+    }
+
+    if (!this._callback) {
+      throw NS_ERROR_NOT_AVAILABLE;
+    }
+
+    this._enableDataNotification = true;
+
+    this._messageQueue.forEach(aData => this._callback.notifyData(aData));
+    this._messageQueue = [];
+  },
+
+  close: function(aReason) {
+    this._closeReason = aReason;
+
+    this._dataChannel.close();
+  },
+
+  _cleanup: function() {
+    this._dataChannel = null;
+
+    if (this._peerConnection) {
+      this._peerConnection.close();
+      this._peerConnection = null;
+    }
+    this._callback = null;
+    this._messageQueue = [];
+  },
+};
+
+this.NSGetFactory = XPCOMUtils.generateNSGetFactory([PresentationTransportBuilder,
+                                                     PresentationTransport]);
diff --git a/dom/presentation/PresentationDataChannelSessionTransport.manifest b/dom/presentation/PresentationDataChannelSessionTransport.manifest
new file mode 100644
index 0000000000..6838f675fa
--- /dev/null
+++ b/dom/presentation/PresentationDataChannelSessionTransport.manifest
@@ -0,0 +1,6 @@
+# PresentationDataChannelSessionTransport.js
+component {dd2bbf2f-3399-4389-8f5f-d382afb8b2d6} PresentationDataChannelSessionTransport.js
+contract @mozilla.org/presentation/datachanneltransport;1 {dd2bbf2f-3399-4389-8f5f-d382afb8b2d6}
+
+component {215b2f62-46e2-4004-a3d1-6858e56c20f3} PresentationDataChannelSessionTransport.js
+contract @mozilla.org/presentation/datachanneltransportbuilder;1 {215b2f62-46e2-4004-a3d1-6858e56c20f3}
diff --git a/dom/presentation/PresentationLog.h b/dom/presentation/PresentationLog.h
new file mode 100644
index 0000000000..92508ca80d
--- /dev/null
+++ b/dom/presentation/PresentationLog.h
@@ -0,0 +1,26 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_PresentationLog_h
+#define mozilla_dom_PresentationLog_h
+
+/*
+ * NSPR_LOG_MODULES=Presentation:5
+ * For detail, see PresentationService.cpp
+ */
+namespace mozilla {
+namespace dom {
+extern mozilla::LazyLogModule gPresentationLog;
+}
+}
+
+#undef PRES_ERROR
+#define PRES_ERROR(...) MOZ_LOG(mozilla::dom::gPresentationLog, mozilla::LogLevel::Error, (__VA_ARGS__))
+
+#undef PRES_DEBUG
+#define PRES_DEBUG(...) MOZ_LOG(mozilla::dom::gPresentationLog, mozilla::LogLevel::Debug, (__VA_ARGS__))
+
+#endif // mozilla_dom_PresentationLog_h
diff --git a/dom/presentation/PresentationRequest.cpp b/dom/presentation/PresentationRequest.cpp
index 4df3b67ec3..e64e612aa9 100644
--- a/dom/presentation/PresentationRequest.cpp
+++ b/dom/presentation/PresentationRequest.cpp
@@ -80,6 +80,13 @@ PresentationRequest::WrapObject(JSContext* aCx,
 
 already_AddRefed<Promise>
 PresentationRequest::Start(ErrorResult& aRv)
+{
+  return StartWithDevice(NullString(), aRv);
+}
+
+already_AddRefed<Promise>
+PresentationRequest::StartWithDevice(const nsAString& aDeviceId,
+                                     ErrorResult& aRv)
 {
   nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(GetOwner());
   if (NS_WARN_IF(!global)) {
@@ -124,7 +131,7 @@ PresentationRequest::Start(ErrorResult& aRv)
 
   nsCOMPtr<nsIPresentationServiceCallback> callback =
     new PresentationRequesterCallback(this, mUrl, id, promise);
-  rv = service->StartSession(mUrl, id, origin, callback);
+  rv = service->StartSession(mUrl, id, origin, aDeviceId, GetOwner()->WindowID(), callback);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     promise->MaybeReject(NS_ERROR_DOM_OPERATION_ERR);
   }
diff --git a/dom/presentation/PresentationRequest.h b/dom/presentation/PresentationRequest.h
index 929cbdad21..0278c76617 100644
--- a/dom/presentation/PresentationRequest.h
+++ b/dom/presentation/PresentationRequest.h
@@ -33,6 +33,9 @@ public:
   // WebIDL (public APIs)
   already_AddRefed<Promise> Start(ErrorResult& aRv);
 
+  already_AddRefed<Promise> StartWithDevice(const nsAString& aDeviceId,
+                                            ErrorResult& aRv);
+
   already_AddRefed<Promise> GetAvailability(ErrorResult& aRv);
 
   IMPL_EVENT_HANDLER(connectionavailable);
diff --git a/dom/presentation/PresentationService.cpp b/dom/presentation/PresentationService.cpp
index f9a44aae7f..11d706148a 100644
--- a/dom/presentation/PresentationService.cpp
+++ b/dom/presentation/PresentationService.cpp
@@ -18,6 +18,7 @@
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
 #include "nsXULAppAPI.h"
+#include "PresentationLog.h"
 #include "PresentationService.h"
 
 using namespace mozilla;
@@ -48,6 +49,8 @@ private:
   nsString mOrigin;
 };
 
+LazyLogModule gPresentationLog("Presentation");
+
 } // namespace dom
 } // namespace mozilla
 
@@ -384,6 +387,8 @@ NS_IMETHODIMP
 PresentationService::StartSession(const nsAString& aUrl,
                                   const nsAString& aSessionId,
                                   const nsAString& aOrigin,
+                                  const nsAString& aDeviceId,
+                                  uint64_t aWindowId,
                                   nsIPresentationServiceCallback* aCallback)
 {
   MOZ_ASSERT(NS_IsMainThread());
@@ -396,28 +401,77 @@ PresentationService::StartSession(const nsAString& aUrl,
     new PresentationControllingInfo(aUrl, aSessionId, aCallback);
   mSessionInfo.Put(aSessionId, info);
 
-  // Pop up a prompt and ask user to select a device.
-  nsCOMPtr<nsIPresentationDevicePrompt> prompt =
-    do_GetService(PRESENTATION_DEVICE_PROMPT_CONTRACTID);
-  if (NS_WARN_IF(!prompt)) {
-    return info->ReplyError(NS_ERROR_DOM_OPERATION_ERR);
+  // Only track the info when an actual window ID, which would never be 0, is
+  // provided (for an in-process sender page).
+  if (aWindowId != 0) {
+    mRespondingSessionIds.Put(aWindowId, new nsString(aSessionId));
+    mRespondingWindowIds.Put(aSessionId, aWindowId);
   }
+
   nsCOMPtr<nsIPresentationDeviceRequest> request =
     new PresentationDeviceRequest(aUrl, aSessionId, aOrigin);
-  nsresult rv = prompt->PromptDeviceSelection(request);
+
+  if (aDeviceId.IsVoid()) {
+    // Pop up a prompt and ask user to select a device.
+    nsCOMPtr<nsIPresentationDevicePrompt> prompt =
+      do_GetService(PRESENTATION_DEVICE_PROMPT_CONTRACTID);
+    if (NS_WARN_IF(!prompt)) {
+      return info->ReplyError(NS_ERROR_DOM_OPERATION_ERR);
+    }
+
+    nsresult rv = prompt->PromptDeviceSelection(request);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return info->ReplyError(NS_ERROR_DOM_OPERATION_ERR);
+    }
+
+    return NS_OK;
+  }
+
+  // Find the designated device from available device list.
+  nsCOMPtr<nsIPresentationDeviceManager> deviceManager =
+    do_GetService(PRESENTATION_DEVICE_MANAGER_CONTRACTID);
+  if (NS_WARN_IF(!deviceManager)) {
+    return info->ReplyError(NS_ERROR_DOM_OPERATION_ERR);
+  }
+
+  nsCOMPtr<nsIArray> devices;
+  nsresult rv = deviceManager->GetAvailableDevices(getter_AddRefs(devices));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return info->ReplyError(NS_ERROR_DOM_OPERATION_ERR);
   }
 
-  return NS_OK;
+  nsCOMPtr<nsISimpleEnumerator> enumerator;
+  rv = devices->Enumerate(getter_AddRefs(enumerator));
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return info->ReplyError(NS_ERROR_DOM_OPERATION_ERR);
+  }
+
+  NS_ConvertUTF16toUTF8 utf8DeviceId(aDeviceId);
+  bool hasMore;
+  while(NS_SUCCEEDED(enumerator->HasMoreElements(&hasMore)) && hasMore){
+    nsCOMPtr<nsISupports> isupports;
+    rv = enumerator->GetNext(getter_AddRefs(isupports));
+
+    nsCOMPtr<nsIPresentationDevice> device(do_QueryInterface(isupports));
+    MOZ_ASSERT(device);
+
+    nsAutoCString id;
+    if (NS_SUCCEEDED(device->GetId(id)) && id.Equals(utf8DeviceId)) {
+      request->Select(device);
+      return NS_OK;
+    }
+  }
+
+  // Reject if designated device is not available.
+  return info->ReplyError(NS_ERROR_DOM_NOT_FOUND_ERR);
 }
 
 NS_IMETHODIMP
 PresentationService::SendSessionMessage(const nsAString& aSessionId,
-                                        nsIInputStream* aStream)
+                                        const nsAString& aData)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(aStream);
+  MOZ_ASSERT(!aData.IsEmpty());
   MOZ_ASSERT(!aSessionId.IsEmpty());
 
   RefPtr<PresentationSessionInfo> info = GetSessionInfo(aSessionId);
@@ -425,7 +479,7 @@ PresentationService::SendSessionMessage(const nsAString& aSessionId,
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  return info->Send(aStream);
+  return info->Send(aData);
 }
 
 NS_IMETHODIMP
@@ -568,7 +622,7 @@ PresentationService::NotifyReceiverReady(const nsAString& aSessionId,
   // Only track the responding info when an actual window ID, which would never
   // be 0, is provided (for an in-process receiver page).
   if (aWindowId != 0) {
-    mRespondingSessionIds.Put(aWindowId, new nsAutoString(aSessionId));
+    mRespondingSessionIds.Put(aWindowId, new nsString(aSessionId));
     mRespondingWindowIds.Put(aSessionId, aWindowId);
   }
 
@@ -583,7 +637,7 @@ PresentationService::UntrackSessionInfo(const nsAString& aSessionId)
 
   // Remove the in-process responding info if there's still any.
   uint64_t windowId = 0;
-  if(mRespondingWindowIds.Get(aSessionId, &windowId)) {
+  if (mRespondingWindowIds.Get(aSessionId, &windowId)) {
     mRespondingWindowIds.Remove(aSessionId);
     mRespondingSessionIds.Remove(windowId);
   }
@@ -591,6 +645,16 @@ PresentationService::UntrackSessionInfo(const nsAString& aSessionId)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+PresentationService::GetWindowIdBySessionId(const nsAString& aSessionId,
+                                            uint64_t* aWindowId)
+{
+  if (mRespondingWindowIds.Get(aSessionId, aWindowId)) {
+    return NS_OK;
+  }
+  return NS_ERROR_NOT_AVAILABLE;
+}
+
 bool
 PresentationService::IsSessionAccessible(const nsAString& aSessionId,
                                          base::ProcessId aProcessId)
diff --git a/dom/presentation/PresentationSessionInfo.cpp b/dom/presentation/PresentationSessionInfo.cpp
index 1ed4125a5e..a35bee07fd 100644
--- a/dom/presentation/PresentationSessionInfo.cpp
+++ b/dom/presentation/PresentationSessionInfo.cpp
@@ -13,6 +13,7 @@
 #include "mozilla/Preferences.h"
 #include "mozilla/Services.h"
 #include "nsContentUtils.h"
+#include "nsGlobalWindow.h"
 #include "nsIDocShell.h"
 #include "nsIFrameLoader.h"
 #include "nsIMutableArray.h"
@@ -22,6 +23,7 @@
 #include "nsNetCID.h"
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
+#include "PresentationLog.h"
 #include "PresentationService.h"
 #include "PresentationSessionInfo.h"
 
@@ -38,13 +40,6 @@ using namespace mozilla;
 using namespace mozilla::dom;
 using namespace mozilla::services;
 
-
-static LazyLogModule gPresentationSessionInfoLog("PresentationSessionInfo");
-
-#undef LOG
-#define LOG(...) MOZ_LOG(gPresentationSessionInfoLog, mozilla::LogLevel::Error, (__VA_ARGS__))
-
-
 /*
  * Implementation of PresentationChannelDescription
  */
@@ -105,7 +100,7 @@ PresentationNetworkHelper::GetWifiIPAddress()
 NS_IMETHODIMP
 PresentationNetworkHelper::OnError(const nsACString & aReason)
 {
-  LOG("PresentationNetworkHelper::OnError: %s",
+  PRES_ERROR("PresentationNetworkHelper::OnError: %s",
     nsPromiseFlatCString(aReason).get());
   return NS_OK;
 }
@@ -127,21 +122,21 @@ PresentationNetworkHelper::OnGetWifiIPAddress(const nsACString& aIPAddress)
 
 #endif // MOZ_WIDGET_ANDROID
 
-class PresentationChannelDescription final : public nsIPresentationChannelDescription
+class TCPPresentationChannelDescription final : public nsIPresentationChannelDescription
 {
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIPRESENTATIONCHANNELDESCRIPTION
 
-  PresentationChannelDescription(const nsACString& aAddress,
-                                 uint16_t aPort)
+  TCPPresentationChannelDescription(const nsACString& aAddress,
+                                    uint16_t aPort)
     : mAddress(aAddress)
     , mPort(aPort)
   {
   }
 
 private:
-  ~PresentationChannelDescription() {}
+  ~TCPPresentationChannelDescription() {}
 
   nsCString mAddress;
   uint16_t mPort;
@@ -150,23 +145,21 @@ private:
 } // namespace dom
 } // namespace mozilla
 
-NS_IMPL_ISUPPORTS(PresentationChannelDescription, nsIPresentationChannelDescription)
+NS_IMPL_ISUPPORTS(TCPPresentationChannelDescription, nsIPresentationChannelDescription)
 
 NS_IMETHODIMP
-PresentationChannelDescription::GetType(uint8_t* aRetVal)
+TCPPresentationChannelDescription::GetType(uint8_t* aRetVal)
 {
   if (NS_WARN_IF(!aRetVal)) {
     return NS_ERROR_INVALID_POINTER;
   }
 
-  // TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
-  // Only support TCP socket for now.
   *aRetVal = nsIPresentationChannelDescription::TYPE_TCP;
   return NS_OK;
 }
 
 NS_IMETHODIMP
-PresentationChannelDescription::GetTcpAddress(nsIArray** aRetVal)
+TCPPresentationChannelDescription::GetTcpAddress(nsIArray** aRetVal)
 {
   if (NS_WARN_IF(!aRetVal)) {
     return NS_ERROR_INVALID_POINTER;
@@ -177,11 +170,9 @@ PresentationChannelDescription::GetTcpAddress(nsIArray** aRetVal)
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  // TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
-  // Ultimately we may use all the available addresses. DataChannel appears
-  // more robust upon handling ICE. And at the first stage Presentation API is
-  // only exposed on Firefox OS where the first IP appears enough for most
-  // scenarios.
+  // TODO bug 1228504 Take all IP addresses in PresentationChannelDescription
+  // into account. And at the first stage Presentation API is only exposed on
+  // Firefox OS where the first IP appears enough for most scenarios.
   nsCOMPtr<nsISupportsCString> address = do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID);
   if (NS_WARN_IF(!address)) {
     return NS_ERROR_OUT_OF_MEMORY;
@@ -195,7 +186,7 @@ PresentationChannelDescription::GetTcpAddress(nsIArray** aRetVal)
 }
 
 NS_IMETHODIMP
-PresentationChannelDescription::GetTcpPort(uint16_t* aRetVal)
+TCPPresentationChannelDescription::GetTcpPort(uint16_t* aRetVal)
 {
   if (NS_WARN_IF(!aRetVal)) {
     return NS_ERROR_INVALID_POINTER;
@@ -206,10 +197,8 @@ PresentationChannelDescription::GetTcpPort(uint16_t* aRetVal)
 }
 
 NS_IMETHODIMP
-PresentationChannelDescription::GetDataChannelSDP(nsAString& aDataChannelSDP)
+TCPPresentationChannelDescription::GetDataChannelSDP(nsAString& aDataChannelSDP)
 {
-  // TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
-  // Only support TCP socket for now.
   aDataChannelSDP.Truncate();
   return NS_OK;
 }
@@ -220,7 +209,8 @@ PresentationChannelDescription::GetDataChannelSDP(nsAString& aDataChannelSDP)
 
 NS_IMPL_ISUPPORTS(PresentationSessionInfo,
                   nsIPresentationSessionTransportCallback,
-                  nsIPresentationControlChannelListener);
+                  nsIPresentationControlChannelListener,
+                  nsIPresentationSessionTransportBuilderListener);
 
 /* virtual */ nsresult
 PresentationSessionInfo::Init(nsIPresentationControlChannel* aControlChannel)
@@ -246,6 +236,8 @@ PresentationSessionInfo::Shutdown(nsresult aReason)
   }
 
   mIsResponderReady = false;
+
+  mBuilder = nullptr;
 }
 
 nsresult
@@ -271,7 +263,7 @@ PresentationSessionInfo::SetListener(nsIPresentationSessionListener* aListener)
 }
 
 nsresult
-PresentationSessionInfo::Send(nsIInputStream* aData)
+PresentationSessionInfo::Send(const nsAString& aData)
 {
   if (NS_WARN_IF(!IsSessionReady())) {
     return NS_ERROR_DOM_INVALID_STATE_ERR;
@@ -338,6 +330,22 @@ PresentationSessionInfo::UntrackFromService()
   return NS_OK;
 }
 
+nsPIDOMWindowInner*
+PresentationSessionInfo::GetWindow()
+{
+  nsCOMPtr<nsIPresentationService> service =
+  do_GetService(PRESENTATION_SERVICE_CONTRACTID);
+  if (NS_WARN_IF(!service)) {
+    return nullptr;
+  }
+  uint64_t windowId = 0;
+  if (NS_WARN_IF(NS_FAILED(service->GetWindowIdBySessionId(mSessionId, &windowId)))) {
+    return nullptr;
+  }
+
+  return nsGlobalWindow::GetInnerWindowWithId(windowId)->AsInner();
+}
+
 /* virtual */ bool
 PresentationSessionInfo::IsAccessible(base::ProcessId aProcessId)
 {
@@ -412,7 +420,31 @@ PresentationSessionInfo::NotifyData(const nsACString& aData)
   return mListener->NotifyMessage(mSessionId, aData);
 }
 
-/*
+// nsIPresentationSessionTransportBuilderListener
+NS_IMETHODIMP
+PresentationSessionInfo::OnSessionTransport(nsIPresentationSessionTransport* transport)
+{
+  mTransport = transport;
+
+  nsresult rv = mTransport->SetCallback(this);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  if (mListener) {
+    mTransport->EnableDataNotification();
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PresentationSessionInfo::OnError(nsresult reason)
+{
+  return ReplyError(reason);
+}
+
+/**
  * Implementation of PresentationControllingInfo
  *
  * During presentation session establishment, the sender expects the following
@@ -460,6 +492,12 @@ PresentationControllingInfo::Init(nsIPresentationControlChannel* aControlChannel
     return rv;
   }
 
+  int32_t port;
+  rv = mServerSocket->GetPort(&port);
+  if (!NS_WARN_IF(NS_FAILED(rv))) {
+    PRES_DEBUG("%s:ServerSocket created.port[%d]\n",__func__, port);
+  }
+
   return NS_OK;
 }
 
@@ -501,11 +539,10 @@ PresentationControllingInfo::GetAddress()
     return NS_ERROR_FAILURE;
   }
 
-  // TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
-  // Ultimately we may use all the available addresses. DataChannel appears
-  // more robust upon handling ICE. And at the first stage Presentation API is
-  // only exposed on Firefox OS where the first IP appears enough for most
-  // scenarios.
+  // TODO bug 1228504 Take all IP addresses in PresentationChannelDescription
+  // into account. And at the first stage Presentation API is only exposed on
+  // Firefox OS where the first IP appears enough for most scenarios.
+
   nsAutoString ip;
   ip.Assign(ips[0]);
 
@@ -530,6 +567,14 @@ PresentationControllingInfo::GetAddress()
     return rv;
   }
 
+#elif defined(MOZ_MULET)
+  // In simulator,we need to use the "127.0.0.1" as target address.
+  NS_DispatchToMainThread(
+    NS_NewRunnableMethodWithArg<nsCString>(
+      this,
+      &PresentationControllingInfo::OnGetAddress,
+      "127.0.0.1"));
+
 #else
   // TODO Get host IP via other platforms.
 
@@ -562,8 +607,8 @@ PresentationControllingInfo::OnGetAddress(const nsACString& aAddress)
     return rv;
   }
 
-  RefPtr<PresentationChannelDescription> description =
-    new PresentationChannelDescription(aAddress, static_cast<uint16_t>(port));
+  RefPtr<TCPPresentationChannelDescription> description =
+    new TCPPresentationChannelDescription(aAddress, static_cast<uint16_t>(port));
   return mControlChannel->SendOffer(description);
 }
 
@@ -599,7 +644,27 @@ NS_IMETHODIMP
 PresentationControllingInfo::NotifyOpened()
 {
   MOZ_ASSERT(NS_IsMainThread());
-  return GetAddress();
+
+  if (!Preferences::GetBool("dom.presentation.session_transport.data_channel.enable")) {
+    // Build TCP session transport
+    return GetAddress();
+  }
+
+  nsCOMPtr<nsIPresentationDataChannelSessionTransportBuilder> builder =
+    do_CreateInstance("@mozilla.org/presentation/datachanneltransportbuilder;1");
+
+  if (NS_WARN_IF(!builder)) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  mBuilder = builder;
+  mTransportType = nsIPresentationChannelDescription::TYPE_DATACHANNEL;
+
+  return builder->BuildDataChannelTransport(nsIPresentationSessionTransportBuilder::TYPE_SENDER,
+                                            GetWindow(),
+                                            mControlChannel,
+                                            this);
+
 }
 
 NS_IMETHODIMP
@@ -628,25 +693,23 @@ NS_IMETHODIMP
 PresentationControllingInfo::OnSocketAccepted(nsIServerSocket* aServerSocket,
                                             nsISocketTransport* aTransport)
 {
+  int32_t port;
+  nsresult rv = aTransport->GetPort(&port);
+  if (!NS_WARN_IF(NS_FAILED(rv))) {
+    PRES_DEBUG("%s:receive from port[%d]\n",__func__, port);
+  }
+
   MOZ_ASSERT(NS_IsMainThread());
 
-  // Initialize |mTransport| and use |this| as the callback.
-  mTransport = do_CreateInstance(PRESENTATION_SESSION_TRANSPORT_CONTRACTID);
-  if (NS_WARN_IF(!mTransport)) {
+  // Initialize session transport builder and use |this| as the callback.
+  nsCOMPtr<nsIPresentationTCPSessionTransportBuilder> builder =
+    do_CreateInstance(PRESENTATION_TCP_SESSION_TRANSPORT_CONTRACTID);
+  if (NS_WARN_IF(!builder)) {
     return ReplyError(NS_ERROR_DOM_OPERATION_ERR);
   }
 
-  nsresult rv = mTransport->InitWithSocketTransport(aTransport, this);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
-  // Enable data notification if the listener has been registered.
-  if (mListener) {
-    return mTransport->EnableDataNotification();
-  }
-
-  return NS_OK;
+  mTransportType = nsIPresentationChannelDescription::TYPE_TCP;
+  return builder->BuildTCPSenderTransport(aTransport, this);
 }
 
 NS_IMETHODIMP
@@ -672,7 +735,7 @@ PresentationControllingInfo::OnStopListening(nsIServerSocket* aServerSocket,
   return NS_OK;
 }
 
-/*
+/**
  * Implementation of PresentationPresentingInfo
  *
  * During presentation session establishment, the receiver expects the following
@@ -731,49 +794,106 @@ PresentationPresentingInfo::Shutdown(nsresult aReason)
   mPromise = nullptr;
 }
 
-nsresult
-PresentationPresentingInfo::InitTransportAndSendAnswer()
+// nsIPresentationSessionTransportBuilderListener
+NS_IMETHODIMP
+PresentationPresentingInfo::OnSessionTransport(nsIPresentationSessionTransport* transport)
 {
-  // Establish a data transport channel |mTransport| to the sender and use
-  // |this| as the callback.
-  mTransport = do_CreateInstance(PRESENTATION_SESSION_TRANSPORT_CONTRACTID);
-  if (NS_WARN_IF(!mTransport)) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
+  nsresult rv = PresentationSessionInfo::OnSessionTransport(transport);
 
-  nsresult rv = mTransport->InitWithChannelDescription(mRequesterDescription, this);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  // Enable data notification if the listener has been registered.
-  if (mListener) {
-    rv = mTransport->EnableDataNotification();
+  // send answer for TCP session transport
+  if (mTransportType == nsIPresentationChannelDescription::TYPE_TCP) {
+    // Prepare and send the answer.
+    // In the current implementation of |PresentationSessionTransport|,
+    // |GetSelfAddress| cannot return the real info when it's initialized via
+    // |buildTCPReceiverTransport|. Yet this deficiency only affects the channel
+    // description for the answer, which is not actually checked at requester side.
+    nsCOMPtr<nsINetAddr> selfAddr;
+    rv = mTransport->GetSelfAddress(getter_AddRefs(selfAddr));
+    NS_WARN_IF(NS_FAILED(rv));
+
+    nsCString address;
+    uint16_t port = 0;
+    if (NS_SUCCEEDED(rv)) {
+      selfAddr->GetAddress(address);
+      selfAddr->GetPort(&port);
+    }
+    nsCOMPtr<nsIPresentationChannelDescription> description =
+      new TCPPresentationChannelDescription(address, port);
+
+    return mControlChannel->SendAnswer(description);
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PresentationPresentingInfo::OnError(nsresult reason)
+{
+  return PresentationSessionInfo::OnError(reason);
+}
+
+nsresult
+PresentationPresentingInfo::InitTransportAndSendAnswer()
+{
+  MOZ_ASSERT(NS_IsMainThread());
+
+  uint8_t type = 0;
+  nsresult rv = mRequesterDescription->GetType(&type);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  if (type == nsIPresentationChannelDescription::TYPE_TCP) {
+    // Establish a data transport channel |mTransport| to the sender and use
+    // |this| as the callback.
+    nsCOMPtr<nsIPresentationTCPSessionTransportBuilder> builder =
+      do_CreateInstance(PRESENTATION_TCP_SESSION_TRANSPORT_CONTRACTID);
+    if (NS_WARN_IF(!builder)) {
+      return NS_ERROR_NOT_AVAILABLE;
+    }
+
+    mBuilder = builder;
+    mTransportType = nsIPresentationChannelDescription::TYPE_TCP;
+    return builder->BuildTCPReceiverTransport(mRequesterDescription, this);
+  }
+
+  if (type == nsIPresentationChannelDescription::TYPE_DATACHANNEL) {
+    if (!Preferences::GetBool("dom.presentation.session_transport.data_channel.enable")) {
+      return NS_ERROR_NOT_IMPLEMENTED;
+    }
+    nsCOMPtr<nsIPresentationDataChannelSessionTransportBuilder> builder =
+      do_CreateInstance("@mozilla.org/presentation/datachanneltransportbuilder;1");
+
+    if (NS_WARN_IF(!builder)) {
+      return NS_ERROR_NOT_AVAILABLE;
+    }
+
+    mBuilder = builder;
+    mTransportType = nsIPresentationChannelDescription::TYPE_DATACHANNEL;
+    rv = builder->BuildDataChannelTransport(nsIPresentationSessionTransportBuilder::TYPE_RECEIVER,
+                                            GetWindow(),
+                                            mControlChannel,
+                                            this);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
+
+    // delegate |onOffer| to builder
+    nsCOMPtr<nsIPresentationControlChannelListener> listener(do_QueryInterface(builder));
+
+    if (NS_WARN_IF(!listener)) {
+      return NS_ERROR_NOT_AVAILABLE;
+    }
+
+    return listener->OnOffer(mRequesterDescription);
   }
 
-  // Prepare and send the answer.
-  // TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
-  // In the current implementation of |PresentationSessionTransport|,
-  // |GetSelfAddress| cannot return the real info when it's initialized via
-  // |InitWithChannelDescription|. Yet this deficiency only affects the channel
-  // description for the answer, which is not actually checked at requester side.
-  nsCOMPtr<nsINetAddr> selfAddr;
-  rv = mTransport->GetSelfAddress(getter_AddRefs(selfAddr));
-  NS_WARN_IF(NS_FAILED(rv));
-
-  nsCString address;
-  uint16_t port = 0;
-  if (NS_SUCCEEDED(rv)) {
-    selfAddr->GetAddress(address);
-    selfAddr->GetPort(&port);
-  }
-  nsCOMPtr<nsIPresentationChannelDescription> description =
-    new PresentationChannelDescription(address, port);
-
-  return mControlChannel->SendAnswer(description);
+  MOZ_ASSERT(false, "Unknown nsIPresentationChannelDescription type!");
+  return NS_ERROR_UNEXPECTED;
 }
 
 nsresult
@@ -904,7 +1024,7 @@ PresentationPresentingInfo::Notify(nsITimer* aTimer)
 // PromiseNativeHandler
 void
 PresentationPresentingInfo::ResolvedCallback(JSContext* aCx,
-                                            JS::Handle<JS::Value> aValue)
+                                             JS::Handle<JS::Value> aValue)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
@@ -968,7 +1088,7 @@ PresentationPresentingInfo::ResolvedCallback(JSContext* aCx,
 
 void
 PresentationPresentingInfo::RejectedCallback(JSContext* aCx,
-                                            JS::Handle<JS::Value> aValue)
+                                             JS::Handle<JS::Value> aValue)
 {
   MOZ_ASSERT(NS_IsMainThread());
   NS_WARNING("Launching the receiver page has been rejected.");
diff --git a/dom/presentation/PresentationSessionInfo.h b/dom/presentation/PresentationSessionInfo.h
index b98877f2d6..415aae86d5 100644
--- a/dom/presentation/PresentationSessionInfo.h
+++ b/dom/presentation/PresentationSessionInfo.h
@@ -18,6 +18,7 @@
 #include "nsIPresentationListener.h"
 #include "nsIPresentationService.h"
 #include "nsIPresentationSessionTransport.h"
+#include "nsIPresentationSessionTransportBuilder.h"
 #include "nsIServerSocket.h"
 #include "nsITimer.h"
 #include "nsString.h"
@@ -28,10 +29,12 @@ namespace dom {
 
 class PresentationSessionInfo : public nsIPresentationSessionTransportCallback
                               , public nsIPresentationControlChannelListener
+                              , public nsIPresentationSessionTransportBuilderListener
 {
 public:
   NS_DECL_ISUPPORTS
   NS_DECL_NSIPRESENTATIONSESSIONTRANSPORTCALLBACK
+  NS_DECL_NSIPRESENTATIONSESSIONTRANSPORTBUILDERLISTENER
 
   PresentationSessionInfo(const nsAString& aUrl,
                           const nsAString& aSessionId,
@@ -89,7 +92,7 @@ public:
     }
   }
 
-  nsresult Send(nsIInputStream* aData);
+  nsresult Send(const nsAString& aData);
 
   nsresult Close(nsresult aReason,
                  uint32_t aState);
@@ -108,10 +111,7 @@ protected:
 
   nsresult ReplySuccess();
 
-  bool IsSessionReady()
-  {
-    return mIsResponderReady && mIsTransportReady;
-  }
+  virtual bool IsSessionReady() = 0;
 
   virtual nsresult UntrackFromService();
 
@@ -130,6 +130,11 @@ protected:
     }
   }
 
+  // Should be nsIPresentationChannelDescription::TYPE_TCP/TYPE_DATACHANNEL
+  uint8_t mTransportType = 0;
+
+  nsPIDOMWindowInner* GetWindow();
+
   nsString mUrl;
   nsString mSessionId;
   bool mIsResponderReady;
@@ -140,6 +145,7 @@ protected:
   nsCOMPtr<nsIPresentationDevice> mDevice;
   nsCOMPtr<nsIPresentationSessionTransport> mTransport;
   nsCOMPtr<nsIPresentationControlChannel> mControlChannel;
+  nsCOMPtr<nsIPresentationSessionTransportBuilder> mBuilder;
 };
 
 // Session info with controlling browsing context (sender side) behaviors.
@@ -174,6 +180,18 @@ private:
   nsresult OnGetAddress(const nsACString& aAddress);
 
   nsCOMPtr<nsIServerSocket> mServerSocket;
+
+protected:
+  bool IsSessionReady() override
+  {
+    if (mTransportType == nsIPresentationChannelDescription::TYPE_TCP) {
+      return mIsResponderReady && mIsTransportReady;
+    } else if (mTransportType == nsIPresentationChannelDescription::TYPE_DATACHANNEL) {
+      // Established RTCDataChannel implies responder is ready.
+      return mIsTransportReady;
+    }
+    return false;
+  }
 };
 
 // Session info with presenting browsing context (receiver side) behaviors.
@@ -184,6 +202,7 @@ class PresentationPresentingInfo final : public PresentationSessionInfo
 public:
   NS_DECL_ISUPPORTS_INHERITED
   NS_DECL_NSIPRESENTATIONCONTROLCHANNELLISTENER
+  NS_DECL_NSIPRESENTATIONSESSIONTRANSPORTBUILDERLISTENER
   NS_DECL_NSITIMERCALLBACK
 
   PresentationPresentingInfo(const nsAString& aUrl,
@@ -232,6 +251,12 @@ private:
   // The content parent communicating with the content process which the OOP
   // receiver page belongs to.
   nsCOMPtr<nsIContentParent> mContentParent;
+
+protected:
+  bool IsSessionReady() override
+  {
+    return mIsResponderReady && mIsTransportReady;
+  }
 };
 
 } // namespace dom
diff --git a/dom/presentation/PresentationSessionTransport.cpp b/dom/presentation/PresentationTCPSessionTransport.cpp
similarity index 60%
rename from dom/presentation/PresentationSessionTransport.cpp
rename to dom/presentation/PresentationTCPSessionTransport.cpp
index 23a74ed5d4..022c44246e 100644
--- a/dom/presentation/PresentationSessionTransport.cpp
+++ b/dom/presentation/PresentationTCPSessionTransport.cpp
@@ -16,10 +16,12 @@
 #include "nsISocketTransportService.h"
 #include "nsISupportsPrimitives.h"
 #include "nsNetUtil.h"
+#include "nsQueryObject.h"
 #include "nsServiceManagerUtils.h"
 #include "nsStreamUtils.h"
 #include "nsThreadUtils.h"
-#include "PresentationSessionTransport.h"
+#include "PresentationLog.h"
+#include "PresentationTCPSessionTransport.h"
 
 #define BUFFER_SIZE 65536
 
@@ -29,7 +31,7 @@ using namespace mozilla::dom;
 class CopierCallbacks final : public nsIRequestObserver
 {
 public:
-  explicit CopierCallbacks(PresentationSessionTransport* aTransport)
+  explicit CopierCallbacks(PresentationTCPSessionTransport* aTransport)
     : mOwner(aTransport)
   {}
 
@@ -38,7 +40,7 @@ public:
 private:
   ~CopierCallbacks() {}
 
-  RefPtr<PresentationSessionTransport> mOwner;
+  RefPtr<PresentationTCPSessionTransport> mOwner;
 };
 
 NS_IMPL_ISUPPORTS(CopierCallbacks, nsIRequestObserver)
@@ -56,76 +58,87 @@ CopierCallbacks::OnStopRequest(nsIRequest* aRequest, nsISupports* aContext, nsre
   return NS_OK;
 }
 
-NS_IMPL_CYCLE_COLLECTION(PresentationSessionTransport, mTransport,
+NS_IMPL_CYCLE_COLLECTION(PresentationTCPSessionTransport, mTransport,
                          mSocketInputStream, mSocketOutputStream,
                          mInputStreamPump, mInputStreamScriptable,
                          mMultiplexStream, mMultiplexStreamCopier, mCallback)
 
-NS_IMPL_CYCLE_COLLECTING_ADDREF(PresentationSessionTransport)
-NS_IMPL_CYCLE_COLLECTING_RELEASE(PresentationSessionTransport)
+NS_IMPL_CYCLE_COLLECTING_ADDREF(PresentationTCPSessionTransport)
+NS_IMPL_CYCLE_COLLECTING_RELEASE(PresentationTCPSessionTransport)
 
-NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(PresentationSessionTransport)
+NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(PresentationTCPSessionTransport)
   NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIPresentationSessionTransport)
   NS_INTERFACE_MAP_ENTRY(nsIPresentationSessionTransport)
   NS_INTERFACE_MAP_ENTRY(nsITransportEventSink)
+  NS_INTERFACE_MAP_ENTRY(nsIPresentationTCPSessionTransportBuilder)
   NS_INTERFACE_MAP_ENTRY(nsIInputStreamCallback)
   NS_INTERFACE_MAP_ENTRY(nsIStreamListener)
   NS_INTERFACE_MAP_ENTRY(nsIRequestObserver)
 NS_INTERFACE_MAP_END
 
-PresentationSessionTransport::PresentationSessionTransport()
-  : mReadyState(CLOSED)
+PresentationTCPSessionTransport::PresentationTCPSessionTransport()
+  : mReadyState(ReadyState::CLOSED)
   , mAsyncCopierActive(false)
   , mCloseStatus(NS_OK)
   , mDataNotificationEnabled(false)
 {
 }
 
-PresentationSessionTransport::~PresentationSessionTransport()
+PresentationTCPSessionTransport::~PresentationTCPSessionTransport()
 {
 }
 
 NS_IMETHODIMP
-PresentationSessionTransport::InitWithSocketTransport(nsISocketTransport* aTransport,
-                                                      nsIPresentationSessionTransportCallback* aCallback)
+PresentationTCPSessionTransport::BuildTCPSenderTransport(nsISocketTransport* aTransport,
+                                                         nsIPresentationSessionTransportBuilderListener* aListener)
 {
-  if (NS_WARN_IF(!aCallback)) {
-    return NS_ERROR_INVALID_ARG;
-  }
-  mCallback = aCallback;
-
   if (NS_WARN_IF(!aTransport)) {
     return NS_ERROR_INVALID_ARG;
   }
   mTransport = aTransport;
 
+  if (NS_WARN_IF(!aListener)) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  mListener = aListener;
+
   nsresult rv = CreateStream();
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  SetReadyState(OPEN);
+  mType = nsIPresentationSessionTransportBuilder::TYPE_SENDER;
 
-  if (IsReadyToNotifyData()) {
-    return CreateInputStreamPump();
-  }
+  nsCOMPtr<nsIPresentationSessionTransport> sessionTransport = do_QueryObject(this);
+  nsCOMPtr<nsIRunnable> onSessionTransportRunnable =
+    NS_NewRunnableMethodWithArgs
+      <nsIPresentationSessionTransport*>(mListener,
+                                         &nsIPresentationSessionTransportBuilderListener::OnSessionTransport,
+                                         sessionTransport);
 
-  return NS_OK;
+  NS_DispatchToCurrentThread(onSessionTransportRunnable);
+
+
+  nsCOMPtr<nsIRunnable> setReadyStateRunnable =
+    NS_NewRunnableMethodWithArgs<ReadyState>(this,
+                                             &PresentationTCPSessionTransport::SetReadyState,
+                                             ReadyState::OPEN);
+  return NS_DispatchToCurrentThread(setReadyStateRunnable);
 }
 
 NS_IMETHODIMP
-PresentationSessionTransport::InitWithChannelDescription(nsIPresentationChannelDescription* aDescription,
-                                                         nsIPresentationSessionTransportCallback* aCallback)
+PresentationTCPSessionTransport::BuildTCPReceiverTransport(nsIPresentationChannelDescription* aDescription,
+                                                           nsIPresentationSessionTransportBuilderListener* aListener)
 {
-  if (NS_WARN_IF(!aCallback)) {
-    return NS_ERROR_INVALID_ARG;
-  }
-  mCallback = aCallback;
-
   if (NS_WARN_IF(!aDescription)) {
     return NS_ERROR_INVALID_ARG;
   }
 
+  if (NS_WARN_IF(!aListener)) {
+    return NS_ERROR_INVALID_ARG;
+  }
+  mListener = aListener;
+
   uint16_t serverPort;
   nsresult rv = aDescription->GetTcpPort(&serverPort);
   if (NS_WARN_IF(NS_FAILED(rv))) {
@@ -138,11 +151,9 @@ PresentationSessionTransport::InitWithChannelDescription(nsIPresentationChannelD
     return rv;
   }
 
-  // TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
-  // Ultimately we may use all the available addresses. DataChannel appears
-  // more robust upon handling ICE. And at the first stage Presentation API is
-  // only exposed on Firefox OS where the first IP appears enough for most
-  // scenarios.
+  // TODO bug 1228504 Take all IP addresses in PresentationChannelDescription
+  // into account. And at the first stage Presentation API is only exposed on
+  // Firefox OS where the first IP appears enough for most scenarios.
   nsCOMPtr<nsISupportsCString> supportStr = do_QueryElementAt(serverHosts, 0);
   if (NS_WARN_IF(!supportStr)) {
     return NS_ERROR_INVALID_ARG;
@@ -154,7 +165,9 @@ PresentationSessionTransport::InitWithChannelDescription(nsIPresentationChannelD
     return NS_ERROR_INVALID_ARG;
   }
 
-  SetReadyState(CONNECTING);
+  PRES_DEBUG("%s:ServerHost[%s],ServerPort[%d]\n", __func__, serverHost.get(), serverPort);
+
+  SetReadyState(ReadyState::CONNECTING);
 
   nsCOMPtr<nsISocketTransportService> sts =
     do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID);
@@ -177,11 +190,19 @@ PresentationSessionTransport::InitWithChannelDescription(nsIPresentationChannelD
     return rv;
   }
 
-  return NS_OK;
+  mType = nsIPresentationSessionTransportBuilder::TYPE_RECEIVER;
+
+  nsCOMPtr<nsIPresentationSessionTransport> sessionTransport = do_QueryObject(this);
+  nsCOMPtr<nsIRunnable> runnable =
+    NS_NewRunnableMethodWithArgs
+      <nsIPresentationSessionTransport*>(mListener,
+                                         &nsIPresentationSessionTransportBuilderListener::OnSessionTransport,
+                                         sessionTransport);
+  return NS_DispatchToCurrentThread(runnable);
 }
 
 nsresult
-PresentationSessionTransport::CreateStream()
+PresentationTCPSessionTransport::CreateStream()
 {
   nsresult rv = mTransport->OpenInputStream(0, 0, 0, getter_AddRefs(mSocketInputStream));
   if (NS_WARN_IF(NS_FAILED(rv))) {
@@ -249,8 +270,12 @@ PresentationSessionTransport::CreateStream()
 }
 
 nsresult
-PresentationSessionTransport::CreateInputStreamPump()
+PresentationTCPSessionTransport::CreateInputStreamPump()
 {
+  if (NS_WARN_IF(mInputStreamPump)) {
+    return NS_OK;
+  }
+
   nsresult rv;
   mInputStreamPump = do_CreateInstance(NS_INPUTSTREAMPUMP_CONTRACTID, &rv);
   if (NS_WARN_IF(NS_FAILED(rv))) {
@@ -271,7 +296,7 @@ PresentationSessionTransport::CreateInputStreamPump()
 }
 
 NS_IMETHODIMP
-PresentationSessionTransport::EnableDataNotification()
+PresentationTCPSessionTransport::EnableDataNotification()
 {
   if (NS_WARN_IF(!mCallback)) {
     return NS_ERROR_DOM_INVALID_STATE_ERR;
@@ -290,8 +315,24 @@ PresentationSessionTransport::EnableDataNotification()
   return NS_OK;
 }
 
+// nsIPresentationSessionTransportBuilderListener
 NS_IMETHODIMP
-PresentationSessionTransport::GetSelfAddress(nsINetAddr** aSelfAddress)
+PresentationTCPSessionTransport::GetCallback(nsIPresentationSessionTransportCallback** aCallback)
+{
+  nsCOMPtr<nsIPresentationSessionTransportCallback> callback = mCallback;
+  callback.forget(aCallback);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PresentationTCPSessionTransport::SetCallback(nsIPresentationSessionTransportCallback* aCallback)
+{
+  mCallback = aCallback;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+PresentationTCPSessionTransport::GetSelfAddress(nsINetAddr** aSelfAddress)
 {
   if (NS_WARN_IF(!mTransport)) {
     return NS_ERROR_DOM_INVALID_STATE_ERR;
@@ -301,7 +342,7 @@ PresentationSessionTransport::GetSelfAddress(nsINetAddr** aSelfAddress)
 }
 
 void
-PresentationSessionTransport::EnsureCopying()
+PresentationTCPSessionTransport::EnsureCopying()
 {
   if (mAsyncCopierActive) {
     return;
@@ -313,14 +354,14 @@ PresentationSessionTransport::EnsureCopying()
 }
 
 void
-PresentationSessionTransport::NotifyCopyComplete(nsresult aStatus)
+PresentationTCPSessionTransport::NotifyCopyComplete(nsresult aStatus)
 {
   mAsyncCopierActive = false;
   mMultiplexStream->RemoveStream(0);
   if (NS_WARN_IF(NS_FAILED(aStatus))) {
-    if (mReadyState != CLOSED) {
+    if (mReadyState != ReadyState::CLOSED) {
       mCloseStatus = aStatus;
-      SetReadyState(CLOSED);
+      SetReadyState(ReadyState::CLOSED);
     }
     return;
   }
@@ -336,21 +377,34 @@ PresentationSessionTransport::NotifyCopyComplete(nsresult aStatus)
     return;
   }
 
-  if (mReadyState == CLOSING) {
+  if (mReadyState == ReadyState::CLOSING) {
     mSocketOutputStream->Close();
     mCloseStatus = NS_OK;
-    SetReadyState(CLOSED);
+    SetReadyState(ReadyState::CLOSED);
   }
 }
 
 NS_IMETHODIMP
-PresentationSessionTransport::Send(nsIInputStream* aData)
+PresentationTCPSessionTransport::Send(const nsAString& aData)
 {
-  if (NS_WARN_IF(mReadyState != OPEN)) {
+  if (NS_WARN_IF(mReadyState != ReadyState::OPEN)) {
     return NS_ERROR_DOM_INVALID_STATE_ERR;
   }
 
-  mMultiplexStream->AppendStream(aData);
+  nsresult rv;
+  nsCOMPtr<nsIStringInputStream> stream =
+    do_CreateInstance(NS_STRINGINPUTSTREAM_CONTRACTID, &rv);
+  if(NS_WARN_IF(NS_FAILED(rv))) {
+    return NS_ERROR_DOM_INVALID_STATE_ERR;
+  }
+
+  NS_ConvertUTF16toUTF8 msgString(aData);
+  rv = stream->SetData(msgString.BeginReading(), msgString.Length());
+  if(NS_WARN_IF(NS_FAILED(rv))) {
+    return NS_ERROR_DOM_INVALID_STATE_ERR;
+  }
+
+  mMultiplexStream->AppendStream(stream);
 
   EnsureCopying();
 
@@ -358,14 +412,16 @@ PresentationSessionTransport::Send(nsIInputStream* aData)
 }
 
 NS_IMETHODIMP
-PresentationSessionTransport::Close(nsresult aReason)
+PresentationTCPSessionTransport::Close(nsresult aReason)
 {
-  if (mReadyState == CLOSED || mReadyState == CLOSING) {
+  PRES_DEBUG("%s:reason[%x]\n", __func__, aReason);
+
+  if (mReadyState == ReadyState::CLOSED || mReadyState == ReadyState::CLOSING) {
     return NS_OK;
   }
 
   mCloseStatus = aReason;
-  SetReadyState(CLOSING);
+  SetReadyState(ReadyState::CLOSING);
 
   uint32_t count = 0;
   mMultiplexStream->GetCount(&count);
@@ -376,18 +432,32 @@ PresentationSessionTransport::Close(nsresult aReason)
   mSocketInputStream->Close();
   mDataNotificationEnabled = false;
 
+  mListener = nullptr;
+
   return NS_OK;
 }
 
 void
-PresentationSessionTransport::SetReadyState(ReadyState aReadyState)
+PresentationTCPSessionTransport::SetReadyState(ReadyState aReadyState)
 {
   mReadyState = aReadyState;
 
-  if (mReadyState == OPEN && mCallback) {
+  if (mReadyState == ReadyState::OPEN) {
+    if (IsReadyToNotifyData()) {
+      CreateInputStreamPump();
+    }
+
+    if (NS_WARN_IF(!mCallback)) {
+      return;
+    }
+
     // Notify the transport channel is ready.
     NS_WARN_IF(NS_FAILED(mCallback->NotifyTransportReady()));
-  } else if (mReadyState == CLOSED && mCallback) {
+  } else if (mReadyState == ReadyState::CLOSED && mCallback) {
+    if (NS_WARN_IF(!mCallback)) {
+      return;
+    }
+
     // Notify the transport channel has been shut down.
     NS_WARN_IF(NS_FAILED(mCallback->NotifyTransportClosed(mCloseStatus)));
     mCallback = nullptr;
@@ -396,29 +466,27 @@ PresentationSessionTransport::SetReadyState(ReadyState aReadyState)
 
 // nsITransportEventSink
 NS_IMETHODIMP
-PresentationSessionTransport::OnTransportStatus(nsITransport* aTransport,
-                                                nsresult aStatus,
-                                                int64_t aProgress,
-                                                int64_t aProgressMax)
+PresentationTCPSessionTransport::OnTransportStatus(nsITransport* aTransport,
+                                                   nsresult aStatus,
+                                                   int64_t aProgress,
+                                                   int64_t aProgressMax)
 {
+  PRES_DEBUG("%s:aStatus[%x]\n", __func__, aStatus);
+
   MOZ_ASSERT(NS_IsMainThread());
 
   if (aStatus != NS_NET_STATUS_CONNECTED_TO) {
     return NS_OK;
   }
 
-  SetReadyState(OPEN);
-
-  if (IsReadyToNotifyData()) {
-    return CreateInputStreamPump();
-  }
+  SetReadyState(ReadyState::OPEN);
 
   return NS_OK;
 }
 
 // nsIInputStreamCallback
 NS_IMETHODIMP
-PresentationSessionTransport::OnInputStreamReady(nsIAsyncInputStream* aStream)
+PresentationTCPSessionTransport::OnInputStreamReady(nsIAsyncInputStream* aStream)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
@@ -426,9 +494,9 @@ PresentationSessionTransport::OnInputStreamReady(nsIAsyncInputStream* aStream)
   uint64_t dummy;
   nsresult rv = aStream->Available(&dummy);
   if (NS_WARN_IF(NS_FAILED(rv))) {
-    if (mReadyState != CLOSED) {
+    if (mReadyState != ReadyState::CLOSED) {
       mCloseStatus = NS_ERROR_CONNECTION_REFUSED;
-      SetReadyState(CLOSED);
+      SetReadyState(ReadyState::CLOSED);
     }
   }
 
@@ -437,18 +505,20 @@ PresentationSessionTransport::OnInputStreamReady(nsIAsyncInputStream* aStream)
 
 // nsIRequestObserver
 NS_IMETHODIMP
-PresentationSessionTransport::OnStartRequest(nsIRequest* aRequest,
-                                             nsISupports* aContext)
+PresentationTCPSessionTransport::OnStartRequest(nsIRequest* aRequest,
+                                                nsISupports* aContext)
 {
   // Do nothing.
   return NS_OK;
 }
 
 NS_IMETHODIMP
-PresentationSessionTransport::OnStopRequest(nsIRequest* aRequest,
-                                            nsISupports* aContext,
-                                            nsresult aStatusCode)
+PresentationTCPSessionTransport::OnStopRequest(nsIRequest* aRequest,
+                                               nsISupports* aContext,
+                                               nsresult aStatusCode)
 {
+  PRES_DEBUG("%s:aStatusCode[%x]\n", __func__, aStatusCode);
+
   MOZ_ASSERT(NS_IsMainThread());
 
   uint32_t count;
@@ -468,20 +538,20 @@ PresentationSessionTransport::OnStopRequest(nsIRequest* aRequest,
   }
 
   // We call this even if there is no error.
-  if (mReadyState != CLOSED) {
+  if (mReadyState != ReadyState::CLOSED) {
     mCloseStatus = aStatusCode;
-    SetReadyState(CLOSED);
+    SetReadyState(ReadyState::CLOSED);
   }
   return NS_OK;
 }
 
 // nsIStreamListener
 NS_IMETHODIMP
-PresentationSessionTransport::OnDataAvailable(nsIRequest* aRequest,
-                                              nsISupports* aContext,
-                                              nsIInputStream* aStream,
-                                              uint64_t aOffset,
-                                              uint32_t aCount)
+PresentationTCPSessionTransport::OnDataAvailable(nsIRequest* aRequest,
+                                                 nsISupports* aContext,
+                                                 nsIInputStream* aStream,
+                                                 uint64_t aOffset,
+                                                 uint32_t aCount)
 {
   MOZ_ASSERT(NS_IsMainThread());
 
diff --git a/dom/presentation/PresentationSessionTransport.h b/dom/presentation/PresentationTCPSessionTransport.h
similarity index 74%
rename from dom/presentation/PresentationSessionTransport.h
rename to dom/presentation/PresentationTCPSessionTransport.h
index bf6d67f7ae..d5b102bb47 100644
--- a/dom/presentation/PresentationSessionTransport.h
+++ b/dom/presentation/PresentationTCPSessionTransport.h
@@ -11,6 +11,7 @@
 #include "nsCOMPtr.h"
 #include "nsIAsyncInputStream.h"
 #include "nsIPresentationSessionTransport.h"
+#include "nsIPresentationSessionTransportBuilder.h"
 #include "nsIStreamListener.h"
 #include "nsISupportsImpl.h"
 #include "nsITransport.h"
@@ -32,34 +33,32 @@ namespace dom {
  * presenting receiver side. The lifetime is managed in either
  * |PresentationControllingInfo| (sender side) or |PresentationPresentingInfo|
  * (receiver side) in PresentationSessionInfo.cpp.
- *
- * TODO bug 1148307 Implement PresentationSessionTransport with DataChannel.
- * The implementation over the TCP channel is primarily used for the early stage
- * of Presentation API (without SSL) and should be migrated to DataChannel with
- * full support soon.
  */
-class PresentationSessionTransport final : public nsIPresentationSessionTransport
-                                         , public nsITransportEventSink
-                                         , public nsIInputStreamCallback
-                                         , public nsIStreamListener
+class PresentationTCPSessionTransport final : public nsIPresentationSessionTransport
+                                            , public nsIPresentationTCPSessionTransportBuilder
+                                            , public nsITransportEventSink
+                                            , public nsIInputStreamCallback
+                                            , public nsIStreamListener
 {
 public:
   NS_DECL_CYCLE_COLLECTING_ISUPPORTS
-  NS_DECL_CYCLE_COLLECTION_CLASS_AMBIGUOUS(PresentationSessionTransport,
+  NS_DECL_CYCLE_COLLECTION_CLASS_AMBIGUOUS(PresentationTCPSessionTransport,
                                            nsIPresentationSessionTransport)
 
   NS_DECL_NSIPRESENTATIONSESSIONTRANSPORT
+  NS_DECL_NSIPRESENTATIONSESSIONTRANSPORTBUILDER
+  NS_DECL_NSIPRESENTATIONTCPSESSIONTRANSPORTBUILDER
   NS_DECL_NSITRANSPORTEVENTSINK
   NS_DECL_NSIINPUTSTREAMCALLBACK
   NS_DECL_NSIREQUESTOBSERVER
   NS_DECL_NSISTREAMLISTENER
 
-  PresentationSessionTransport();
+  PresentationTCPSessionTransport();
 
   void NotifyCopyComplete(nsresult aStatus);
 
 private:
-  ~PresentationSessionTransport();
+  ~PresentationTCPSessionTransport();
 
   nsresult CreateStream();
 
@@ -67,7 +66,7 @@ private:
 
   void EnsureCopying();
 
-  enum ReadyState {
+  enum class ReadyState {
     CONNECTING,
     OPEN,
     CLOSING,
@@ -78,7 +77,7 @@ private:
 
   bool IsReadyToNotifyData()
   {
-    return mDataNotificationEnabled && mReadyState == OPEN;
+    return mDataNotificationEnabled && mReadyState == ReadyState::OPEN;
   }
 
   ReadyState mReadyState;
@@ -86,6 +85,8 @@ private:
   nsresult mCloseStatus;
   bool mDataNotificationEnabled;
 
+  uint8_t mType = 0;
+
   // Raw socket streams
   nsCOMPtr<nsISocketTransport> mTransport;
   nsCOMPtr<nsIInputStream> mSocketInputStream;
@@ -100,6 +101,7 @@ private:
   nsCOMPtr<nsIAsyncStreamCopier> mMultiplexStreamCopier;
 
   nsCOMPtr<nsIPresentationSessionTransportCallback> mCallback;
+  nsCOMPtr<nsIPresentationSessionTransportBuilderListener> mListener;
 };
 
 } // namespace dom
diff --git a/dom/presentation/interfaces/moz.build b/dom/presentation/interfaces/moz.build
index a81e8dcbfc..2172aff5aa 100644
--- a/dom/presentation/interfaces/moz.build
+++ b/dom/presentation/interfaces/moz.build
@@ -15,6 +15,7 @@ XPIDL_SOURCES += [
     'nsIPresentationService.idl',
     'nsIPresentationSessionRequest.idl',
     'nsIPresentationSessionTransport.idl',
+    'nsIPresentationSessionTransportBuilder.idl',
     'nsITCPPresentationServer.idl',
 ]
 
diff --git a/dom/presentation/interfaces/nsIPresentationControlChannel.idl b/dom/presentation/interfaces/nsIPresentationControlChannel.idl
index b6f3ac16e9..5883470c30 100644
--- a/dom/presentation/interfaces/nsIPresentationControlChannel.idl
+++ b/dom/presentation/interfaces/nsIPresentationControlChannel.idl
@@ -67,7 +67,8 @@ interface nsIPresentationControlChannelListener: nsISupports
 
 /*
  * The control channel for establishing RTCPeerConnection for a presentation
- * session. SDP Offer/Answer will be exchanged through this interface.
+ * session. SDP Offer/Answer will be exchanged through this interface. The
+ * control channel should be in-order.
  */
 [scriptable, uuid(e60e208c-a9f5-4bc6-9a3e-47f3e4ae9c57)]
 interface nsIPresentationControlChannel: nsISupports
diff --git a/dom/presentation/interfaces/nsIPresentationListener.idl b/dom/presentation/interfaces/nsIPresentationListener.idl
index 2cfd36b760..331cf877dd 100644
--- a/dom/presentation/interfaces/nsIPresentationListener.idl
+++ b/dom/presentation/interfaces/nsIPresentationListener.idl
@@ -39,6 +39,6 @@ interface nsIPresentationRespondingListener : nsISupports
   /*
    * Called when an incoming session connects.
    */
-  void notifySessionConnect(in uint64_t windowId,
+  void notifySessionConnect(in unsigned long long windowId,
                             in DOMString sessionId);
 };
diff --git a/dom/presentation/interfaces/nsIPresentationService.idl b/dom/presentation/interfaces/nsIPresentationService.idl
index cfa18ed4bf..681b215005 100644
--- a/dom/presentation/interfaces/nsIPresentationService.idl
+++ b/dom/presentation/interfaces/nsIPresentationService.idl
@@ -33,7 +33,7 @@ interface nsIPresentationServiceCallback : nsISupports
   void notifyError(in nsresult error);
 };
 
-[scriptable, uuid(c177a13a-bf1a-48bf-8032-d415c3343c46)]
+[scriptable, uuid(de42b741-5619-4650-b961-c2cebb572c95)]
 interface nsIPresentationService : nsISupports
 {
   /*
@@ -43,6 +43,12 @@ interface nsIPresentationService : nsISupports
    * @param url: The url of presenting page.
    * @param sessionId: An ID to identify presentation session.
    * @param origin: The url of requesting page.
+   * @param deviceId: The specified device of handling this request, null string
+                      for prompt device selection dialog.
+   * @param windowId: The inner window ID associated with the presentation
+   *                  session. (0 implies no window ID since no actual window
+   *                  uses 0 as its ID. Generally it's the case the window is
+   *                  located in different process from this service)
    * @param callback: Invoke the callback when the operation is completed.
    *                  NotifySuccess() is called with |id| if a session is
    *                  established successfully with the selected device.
@@ -51,16 +57,18 @@ interface nsIPresentationService : nsISupports
   void startSession(in DOMString url,
                     in DOMString sessionId,
                     in DOMString origin,
+                    in DOMString deviceId,
+                    in unsigned long long windowId,
                     in nsIPresentationServiceCallback callback);
 
   /*
-   * Send the message wrapped with an input stream to the session.
+   * Send the message to the session.
    *
    * @param sessionId: An ID to identify presentation session.
-   * @param stream: The message is converted to an input stream.
+   * @param data: the message being sent out.
    */
   void sendSessionMessage(in DOMString sessionId,
-                          in nsIInputStream stream);
+                          in DOMString data);
 
   /*
    * Close the session.
@@ -111,14 +119,14 @@ interface nsIPresentationService : nsISupports
    * @param windowId: The window ID associated with the listener.
    * @param listener: The listener to register.
    */
-  void registerRespondingListener(in uint64_t windowId,
+  void registerRespondingListener(in unsigned long long windowId,
                                   in nsIPresentationRespondingListener listener);
 
   /*
    * Unregister a responding listener. Must be called from the main thread.
    * @param windowId: The window ID associated with the listener.
    */
-  void unregisterRespondingListener(in uint64_t windowId);
+  void unregisterRespondingListener(in unsigned long long windowId);
 
   /*
    * Check if the presentation instance has an existent session ID at launch.
@@ -128,7 +136,7 @@ interface nsIPresentationService : nsISupports
    *
    * @param windowId: The inner window ID used to look up the session ID.
    */
-  DOMString getExistentSessionIdAtLaunch(in uint64_t windowId);
+  DOMString getExistentSessionIdAtLaunch(in unsigned long long windowId);
 
   /*
    * Notify the receiver page is ready for presentation use.
@@ -136,10 +144,11 @@ interface nsIPresentationService : nsISupports
    * @param sessionId: An ID to identify presentation session.
    * @param windowId: The inner window ID associated with the presentation
    *                  session. (0 implies no window ID since no actual window
-   *                  uses 0 as its ID.)
+   *                  uses 0 as its ID. Generally it's the case the window is
+   *                  located in different process from this service)
    */
   void notifyReceiverReady(in DOMString sessionId,
-                           [optional] in uint64_t windowId);
+                           [optional] in unsigned long long windowId);
 
   /*
    * Untrack the relevant info about the presentation session if there's any.
@@ -147,4 +156,9 @@ interface nsIPresentationService : nsISupports
    * @param sessionId: An ID to identify presentation session.
    */
   void untrackSessionInfo(in DOMString sessionId);
+
+  /*
+   * The windowId for building RTCDataChannel session transport
+   */
+  unsigned long long getWindowIdBySessionId(in DOMString sessionId);
 };
diff --git a/dom/presentation/interfaces/nsIPresentationSessionTransport.idl b/dom/presentation/interfaces/nsIPresentationSessionTransport.idl
index 36cfc5bfe0..e9ebeee454 100644
--- a/dom/presentation/interfaces/nsIPresentationSessionTransport.idl
+++ b/dom/presentation/interfaces/nsIPresentationSessionTransport.idl
@@ -6,12 +6,10 @@
 
 interface nsIInputStream;
 interface nsINetAddr;
-interface nsIPresentationChannelDescription;
-interface nsISocketTransport;
 
 %{C++
-#define PRESENTATION_SESSION_TRANSPORT_CONTRACTID \
-  "@mozilla.org/presentation/presentationsessiontransport;1"
+#define PRESENTATION_TCP_SESSION_TRANSPORT_CONTRACTID \
+  "@mozilla.org/presentation/presentationtcpsessiontransport;1"
 %}
 
 /*
@@ -28,32 +26,19 @@ interface nsIPresentationSessionTransportCallback : nsISupports
 /*
  * App-to-App transport channel for the presentation session.
  */
-[scriptable, uuid(b6a416cf-03ae-4e74-9cda-88828e8ff418)]
+[scriptable, uuid(670b7e1b-65be-42b6-a596-be571907fa18)]
 interface nsIPresentationSessionTransport : nsISupports
 {
+  // Should be set once the underlying session transport is built
+  attribute nsIPresentationSessionTransportCallback callback;
+
+  // valid for TCP session transport
   readonly attribute nsINetAddr selfAddress;
 
-  /*
-   * Initialize the transport channel with an existent socket transport. (This
-   * is primarily used at the sender side.)
-   * @param transport The socket transport.
-   * @param callback The callback for followup notifications.
-   */
-  void initWithSocketTransport(in nsISocketTransport transport,
-                               in nsIPresentationSessionTransportCallback callback);
-
-  /*
-   * Initialize the transport channel with the channel description. (This is
-   * primarily used at the receiver side.)
-   * @param description The channel description.
-   * @param callback The callback for followup notifications.
-   */
-  void initWithChannelDescription(in nsIPresentationChannelDescription description,
-                                  in nsIPresentationSessionTransportCallback callback);
-
   /*
    * Enable the notification for incoming data. |notifyData| of
    * |nsIPresentationSessionTransportCallback| can start getting invoked.
+   * Should set callback before |enableDataNotification| is called.
    */
   void enableDataNotification();
 
@@ -61,7 +46,7 @@ interface nsIPresentationSessionTransport : nsISupports
    * Send message to the remote endpoint.
    * @param data The message to send.
    */
-  void send(in nsIInputStream data);
+  void send(in DOMString data);
 
   /*
    * Close this session transport.
diff --git a/dom/presentation/interfaces/nsIPresentationSessionTransportBuilder.idl b/dom/presentation/interfaces/nsIPresentationSessionTransportBuilder.idl
new file mode 100644
index 0000000000..30c288dac2
--- /dev/null
+++ b/dom/presentation/interfaces/nsIPresentationSessionTransportBuilder.idl
@@ -0,0 +1,64 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIPresentationChannelDescription;
+interface nsISocketTransport;
+interface mozIDOMWindow;
+interface nsIPresentationControlChannel;
+interface nsIPresentationSessionTransport;
+
+[scriptable, uuid(673f6de1-e253-41b8-9be8-b7ff161fa8dc)]
+interface nsIPresentationSessionTransportBuilderListener : nsISupports
+{
+  // Should set |transport.callback| in |onSessionTransport|.
+  void onSessionTransport(in nsIPresentationSessionTransport transport);
+
+  void onError(in nsresult reason);
+};
+
+[scriptable, uuid(2fdbe67d-80f9-48dc-8237-5bef8fa19801)]
+interface nsIPresentationSessionTransportBuilder : nsISupports
+{
+  const unsigned short TYPE_SENDER = 1;
+  const unsigned short TYPE_RECEIVER = 2;
+};
+
+/**
+ * Builder for TCP session transport
+ */
+[scriptable, uuid(cde36d6e-f471-4262-a70d-f932a26b21d9)]
+interface nsIPresentationTCPSessionTransportBuilder : nsIPresentationSessionTransportBuilder
+{
+  /**
+   * The following creation functions will trigger |listener.onSessionTransport|
+   * if the session transport is successfully built, |listener.onError| if some
+   * error occurs during building session transport.
+   */
+  void buildTCPSenderTransport(in nsISocketTransport aTransport,
+                               in nsIPresentationSessionTransportBuilderListener aListener);
+
+  void buildTCPReceiverTransport(in nsIPresentationChannelDescription aDescription,
+                                 in nsIPresentationSessionTransportBuilderListener aListener);
+};
+
+/**
+ * Builder for WebRTC data channel session transport
+ */
+[scriptable, uuid(8131c4e0-3a8c-4bc1-a92a-8431473d2fe8)]
+interface nsIPresentationDataChannelSessionTransportBuilder : nsIPresentationSessionTransportBuilder
+{
+  /**
+   * The following creation function will trigger |listener.onSessionTransport|
+   * if the session transport is successfully built, |listener.onError| if some
+   * error occurs during creating session transport. The |notifyOpened| of
+   * |aControlChannel| should be called before calling
+   * |buildDataChannelTransport|.
+   */
+  void buildDataChannelTransport(in uint8_t aType,
+                                 in mozIDOMWindow aWindow,
+                                 in nsIPresentationControlChannel aControlChannel,
+                                 in nsIPresentationSessionTransportBuilderListener aListener);
+};
diff --git a/dom/presentation/ipc/PPresentation.ipdl b/dom/presentation/ipc/PPresentation.ipdl
index 3ac6b729c5..7e1a659b82 100644
--- a/dom/presentation/ipc/PPresentation.ipdl
+++ b/dom/presentation/ipc/PPresentation.ipdl
@@ -17,12 +17,13 @@ struct StartSessionRequest
   nsString url;
   nsString sessionId;
   nsString origin;
+  nsString deviceId;
 };
 
 struct SendSessionMessageRequest
 {
   nsString sessionId;
-  InputStreamParams data;
+  nsString data;
 };
 
 struct CloseSessionRequest
diff --git a/dom/presentation/ipc/PresentationIPCService.cpp b/dom/presentation/ipc/PresentationIPCService.cpp
index c74b40333e..0dfb05e07d 100644
--- a/dom/presentation/ipc/PresentationIPCService.cpp
+++ b/dom/presentation/ipc/PresentationIPCService.cpp
@@ -49,25 +49,30 @@ NS_IMETHODIMP
 PresentationIPCService::StartSession(const nsAString& aUrl,
                                      const nsAString& aSessionId,
                                      const nsAString& aOrigin,
+                                     const nsAString& aDeviceId,
+                                     uint64_t aWindowId,
                                      nsIPresentationServiceCallback* aCallback)
 {
-  return SendRequest(aCallback,
-                     StartSessionRequest(nsAutoString(aUrl), nsAutoString(aSessionId), nsAutoString(aOrigin)));
+  if (aWindowId != 0) {
+    mRespondingSessionIds.Put(aWindowId, new nsString(aSessionId));
+    mRespondingWindowIds.Put(aSessionId, aWindowId);
+  }
+
+  return SendRequest(aCallback, StartSessionRequest(nsString(aUrl),
+                                                    nsString(aSessionId),
+                                                    nsString(aOrigin),
+                                                    nsString(aDeviceId)));
 }
 
 NS_IMETHODIMP
 PresentationIPCService::SendSessionMessage(const nsAString& aSessionId,
-                                           nsIInputStream* aStream)
+                                           const nsAString& aData)
 {
   MOZ_ASSERT(!aSessionId.IsEmpty());
-  MOZ_ASSERT(aStream);
+  MOZ_ASSERT(!aData.IsEmpty());
 
-  mozilla::ipc::OptionalInputStreamParams stream;
-  nsTArray<mozilla::ipc::FileDescriptor> fds;
-  SerializeInputStream(aStream, stream, fds);
-  MOZ_ASSERT(fds.IsEmpty());
-
-  return SendRequest(nullptr, SendSessionMessageRequest(nsAutoString(aSessionId), stream));
+  return SendRequest(nullptr, SendSessionMessageRequest(nsString(aSessionId),
+                                                        nsString(aData)));
 }
 
 NS_IMETHODIMP
@@ -75,7 +80,7 @@ PresentationIPCService::CloseSession(const nsAString& aSessionId)
 {
   MOZ_ASSERT(!aSessionId.IsEmpty());
 
-  return SendRequest(nullptr, CloseSessionRequest(nsAutoString(aSessionId)));
+  return SendRequest(nullptr, CloseSessionRequest(nsString(aSessionId)));
 }
 
 NS_IMETHODIMP
@@ -83,7 +88,7 @@ PresentationIPCService::TerminateSession(const nsAString& aSessionId)
 {
   MOZ_ASSERT(!aSessionId.IsEmpty());
 
-  return SendRequest(nullptr, TerminateSessionRequest(nsAutoString(aSessionId)));
+  return SendRequest(nullptr, TerminateSessionRequest(nsString(aSessionId)));
 }
 
 nsresult
@@ -132,7 +137,7 @@ PresentationIPCService::RegisterSessionListener(const nsAString& aSessionId,
 
   mSessionListeners.Put(aSessionId, aListener);
   if (sPresentationChild) {
-    NS_WARN_IF(!sPresentationChild->SendRegisterSessionHandler(nsAutoString(aSessionId)));
+    NS_WARN_IF(!sPresentationChild->SendRegisterSessionHandler(nsString(aSessionId)));
   }
   return NS_OK;
 }
@@ -146,7 +151,7 @@ PresentationIPCService::UnregisterSessionListener(const nsAString& aSessionId)
 
   mSessionListeners.Remove(aSessionId);
   if (sPresentationChild) {
-    NS_WARN_IF(!sPresentationChild->SendUnregisterSessionHandler(nsAutoString(aSessionId)));
+    NS_WARN_IF(!sPresentationChild->SendUnregisterSessionHandler(nsString(aSessionId)));
   }
   return NS_OK;
 }
@@ -176,6 +181,16 @@ PresentationIPCService::UnregisterRespondingListener(uint64_t aWindowId)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+PresentationIPCService::GetWindowIdBySessionId(const nsAString& aSessionId,
+                                               uint64_t* aWindowId)
+{
+  if (mRespondingWindowIds.Get(aSessionId, aWindowId)) {
+    return NS_OK;
+  }
+  return NS_ERROR_NOT_AVAILABLE;
+}
+
 nsresult
 PresentationIPCService::NotifySessionStateChange(const nsAString& aSessionId,
                                                  uint16_t aState)
@@ -251,11 +266,14 @@ PresentationIPCService::NotifyReceiverReady(const nsAString& aSessionId,
   }
 
   // Track the responding info for an OOP receiver page.
-  mRespondingSessionIds.Put(aWindowId, new nsAutoString(aSessionId));
+  mRespondingSessionIds.Put(aWindowId, new nsString(aSessionId));
   mRespondingWindowIds.Put(aSessionId, aWindowId);
 
+  NS_WARN_IF(!sPresentationChild->SendNotifyReceiverReady(nsString(aSessionId)));
+
+  // Release mCallback after using aSessionId
+  // because aSessionId is held by mCallback.
   mCallback = nullptr;
-  NS_WARN_IF(!sPresentationChild->SendNotifyReceiverReady(nsAutoString(aSessionId)));
   return NS_OK;
 }
 
@@ -264,7 +282,7 @@ PresentationIPCService::UntrackSessionInfo(const nsAString& aSessionId)
 {
   // Remove the OOP responding info (if it has never been used).
   uint64_t windowId = 0;
-  if(mRespondingWindowIds.Get(aSessionId, &windowId)) {
+  if (mRespondingWindowIds.Get(aSessionId, &windowId)) {
     mRespondingWindowIds.Remove(aSessionId);
     mRespondingSessionIds.Remove(windowId);
   }
diff --git a/dom/presentation/ipc/PresentationParent.cpp b/dom/presentation/ipc/PresentationParent.cpp
index 4220c98535..2c59334f03 100644
--- a/dom/presentation/ipc/PresentationParent.cpp
+++ b/dom/presentation/ipc/PresentationParent.cpp
@@ -186,7 +186,7 @@ PresentationParent::NotifyStateChange(const nsAString& aSessionId,
                                       uint16_t aState)
 {
   if (NS_WARN_IF(mActorDestroyed ||
-                 !SendNotifySessionStateChange(nsAutoString(aSessionId), aState))) {
+                 !SendNotifySessionStateChange(nsString(aSessionId), aState))) {
     return NS_ERROR_FAILURE;
   }
   return NS_OK;
@@ -197,7 +197,7 @@ PresentationParent::NotifyMessage(const nsAString& aSessionId,
                                   const nsACString& aData)
 {
   if (NS_WARN_IF(mActorDestroyed ||
-                 !SendNotifyMessage(nsAutoString(aSessionId), nsAutoCString(aData)))) {
+                 !SendNotifyMessage(nsString(aSessionId), nsCString(aData)))) {
     return NS_ERROR_FAILURE;
   }
   return NS_OK;
@@ -208,7 +208,7 @@ PresentationParent::NotifySessionConnect(uint64_t aWindowId,
                                          const nsAString& aSessionId)
 {
   if (NS_WARN_IF(mActorDestroyed ||
-                 !SendNotifySessionConnect(aWindowId, nsAutoString(aSessionId)))) {
+                 !SendNotifySessionConnect(aWindowId, nsString(aSessionId)))) {
     return NS_ERROR_FAILURE;
   }
   return NS_OK;
@@ -218,6 +218,8 @@ bool
 PresentationParent::RecvNotifyReceiverReady(const nsString& aSessionId)
 {
   MOZ_ASSERT(mService);
+
+  // Set window ID to 0 since the window is from content process.
   NS_WARN_IF(NS_FAILED(mService->NotifyReceiverReady(aSessionId, 0)));
   return true;
 }
@@ -251,8 +253,10 @@ nsresult
 PresentationRequestParent::DoRequest(const StartSessionRequest& aRequest)
 {
   MOZ_ASSERT(mService);
+
+  // Set window ID to 0 since the window is from content process.
   return mService->StartSession(aRequest.url(), aRequest.sessionId(),
-                                aRequest.origin(), this);
+                                aRequest.origin(), aRequest.deviceId(), 0, this);
 }
 
 nsresult
@@ -267,13 +271,8 @@ PresentationRequestParent::DoRequest(const SendSessionMessageRequest& aRequest)
     return NotifyError(NS_ERROR_DOM_SECURITY_ERR);
   }
 
-  nsTArray<mozilla::ipc::FileDescriptor> fds;
-  nsCOMPtr<nsIInputStream> stream = DeserializeInputStream(aRequest.data(), fds);
-  if(NS_WARN_IF(!stream)) {
-    return NotifyError(NS_ERROR_NOT_AVAILABLE);
-  }
-
-  nsresult rv = mService->SendSessionMessage(aRequest.sessionId(), stream);
+  nsresult rv = mService->SendSessionMessage(aRequest.sessionId(),
+                                             aRequest.data());
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return NotifyError(rv);
   }
diff --git a/dom/presentation/moz.build b/dom/presentation/moz.build
index a79e9c2381..c6128d926b 100644
--- a/dom/presentation/moz.build
+++ b/dom/presentation/moz.build
@@ -8,6 +8,7 @@ DIRS += ['interfaces', 'provider']
 
 XPCSHELL_TESTS_MANIFESTS += ['tests/xpcshell/xpcshell.ini']
 MOCHITEST_MANIFESTS += ['tests/mochitest/mochitest.ini']
+MOCHITEST_CHROME_MANIFESTS += ['tests/mochitest/chrome.ini']
 
 EXPORTS.mozilla.dom += [
     'ipc/PresentationChild.h',
@@ -22,7 +23,7 @@ EXPORTS.mozilla.dom += [
     'PresentationRequest.h',
     'PresentationService.h',
     'PresentationSessionInfo.h',
-    'PresentationSessionTransport.h',
+    'PresentationTCPSessionTransport.h',
 ]
 
 UNIFIED_SOURCES += [
@@ -39,10 +40,12 @@ UNIFIED_SOURCES += [
     'PresentationService.cpp',
     'PresentationSessionInfo.cpp',
     'PresentationSessionRequest.cpp',
-    'PresentationSessionTransport.cpp',
+    'PresentationTCPSessionTransport.cpp',
 ]
 
 EXTRA_COMPONENTS += [
+    'PresentationDataChannelSessionTransport.js',
+    'PresentationDataChannelSessionTransport.manifest',
     'PresentationDeviceInfoManager.js',
     'PresentationDeviceInfoManager.manifest',
 ]
@@ -62,6 +65,10 @@ IPDL_SOURCES += [
     'ipc/PPresentationRequest.ipdl'
 ]
 
+LOCAL_INCLUDES += [
+    '../base'
+]
+
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul'
diff --git a/dom/presentation/provider/TCPPresentationServer.js b/dom/presentation/provider/TCPPresentationServer.js
index af4502451a..e6d0889a20 100644
--- a/dom/presentation/provider/TCPPresentationServer.js
+++ b/dom/presentation/provider/TCPPresentationServer.js
@@ -489,7 +489,7 @@ TCPControlChannel.prototype = {
   onStopRequest: function(aRequest, aContext, aStatus) {
     DEBUG && log("TCPControlChannel - onStopRequest: " + aStatus
                  + " with role: " + this._direction);
-    this.close(Cr.NS_OK);
+    this.close(aStatus);
     this._notifyClosed(aStatus);
   },
 
diff --git a/dom/presentation/tests/mochitest/PresentationSessionChromeScript.js b/dom/presentation/tests/mochitest/PresentationSessionChromeScript.js
index b94818e7b7..9f003f164e 100644
--- a/dom/presentation/tests/mochitest/PresentationSessionChromeScript.js
+++ b/dom/presentation/tests/mochitest/PresentationSessionChromeScript.js
@@ -6,6 +6,8 @@
 const { classes: Cc, interfaces: Ci, manager: Cm, utils: Cu, results: Cr } = Components;
 
 Cu.import('resource://gre/modules/XPCOMUtils.jsm');
+Cu.import('resource://gre/modules/Services.jsm');
+Cu.import('resource://gre/modules/Timer.jsm');
 
 function registerMockedFactory(contractId, mockedClassId, mockedFactory) {
   var originalClassId, originalFactory;
@@ -49,7 +51,12 @@ addresses.appendElement(address, false);
 
 const mockedChannelDescription = {
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationChannelDescription]),
-  type: 1,
+  get type() {
+    if (Services.prefs.getBoolPref("dom.presentation.session_transport.data_channel.enable")) {
+      return Ci.nsIPresentationChannelDescription.TYPE_DATACHANNEL;
+    }
+    return Ci.nsIPresentationChannelDescription.TYPE_TCP;
+  },
   tcpAddress: addresses,
   tcpPort: 1234,
 };
@@ -198,6 +205,9 @@ const mockedDevicePrompt = {
 
 const mockedSessionTransport = {
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransport,
+                                         Ci.nsIPresentationTCPSessionTransportBuilder,
+                                         Ci.nsIPresentationDataChannelSessionTransportBuilder,
+                                         Ci.nsIPresentationControlChannelListener,
                                          Ci.nsIFactory]),
   createInstance: function(aOuter, aIID) {
     if (aOuter) {
@@ -214,13 +224,20 @@ const mockedSessionTransport = {
   get selfAddress() {
     return this._selfAddress;
   },
-  initWithSocketTransport: function(transport, callback) {
+  buildTCPSenderTransport: function(transport, listener) {
     sendAsyncMessage('data-transport-initialized');
-    this._callback = callback;
-    this.simulateTransportReady();
+    this._listener = listener;
+    this._type = Ci.nsIPresentationSessionTransportBuilder.TYPE_SENDER;
+
+    setTimeout(()=>{
+      this._listener.onSessionTransport(this);
+      this._listener = null;
+      this.simulateTransportReady();
+    }, 0);
   },
-  initWithChannelDescription: function(description, callback) {
-    this._callback = callback;
+  buildTCPReceiverTransport: function(description, listener) {
+    this._listener = listener;
+    this._type = Ci.nsIPresentationSessionTransportBuilder.TYPE_RECEIVER;
 
     var addresses = description.QueryInterface(Ci.nsIPresentationChannelDescription).tcpAddress;
     this._selfAddress = {
@@ -229,16 +246,32 @@ const mockedSessionTransport = {
                 addresses.queryElementAt(0, Ci.nsISupportsCString).data : "",
       port: description.QueryInterface(Ci.nsIPresentationChannelDescription).tcpPort,
     };
+
+    setTimeout(()=>{
+      this._listener.onSessionTransport(this);
+      this._listener = null;
+    }, 0);
+  },
+  // in-process case
+  buildDataChannelTransport: function(type, window, controlChannel, listener) {
+    dump("build data channel transport\n");
+    this._listener = listener;
+    this._type = type;
+
+    var hasNavigator = window ? (typeof window.navigator != "undefined") : false;
+    sendAsyncMessage('check-navigator', hasNavigator);
+
+    setTimeout(()=>{
+      this._listener.onSessionTransport(this);
+      this._listener = null;
+      this.simulateTransportReady();
+    }, 0);
   },
   enableDataNotification: function() {
     sendAsyncMessage('data-transport-notification-enabled');
   },
   send: function(data) {
-    var binaryStream = Cc["@mozilla.org/binaryinputstream;1"].
-                       createInstance(Ci.nsIBinaryInputStream);
-    binaryStream.setInputStream(data);
-    var message = binaryStream.readBytes(binaryStream.available());
-    sendAsyncMessage('message-sent', message);
+    sendAsyncMessage('message-sent', data);
   },
   close: function(reason) {
     sendAsyncMessage('data-transport-closed', reason);
@@ -250,6 +283,10 @@ const mockedSessionTransport = {
   simulateIncomingMessage: function(message) {
     this._callback.QueryInterface(Ci.nsIPresentationSessionTransportCallback).notifyData(message);
   },
+  onOffer: function(aOffer) {
+  },
+  onAnswer: function(aAnswer) {
+  }
 };
 
 const mockedNetworkInfo = {
@@ -302,7 +339,10 @@ originalFactoryData.push(registerMockedFactory("@mozilla.org/presentation-device
 originalFactoryData.push(registerMockedFactory("@mozilla.org/network/server-socket;1",
                                                uuidGenerator.generateUUID(),
                                                mockedServerSocket));
-originalFactoryData.push(registerMockedFactory("@mozilla.org/presentation/presentationsessiontransport;1",
+originalFactoryData.push(registerMockedFactory("@mozilla.org/presentation/presentationtcpsessiontransport;1",
+                                               uuidGenerator.generateUUID(),
+                                               mockedSessionTransport));
+originalFactoryData.push(registerMockedFactory("@mozilla.org/presentation/datachanneltransportbuilder;1",
                                                uuidGenerator.generateUUID(),
                                                mockedSessionTransport));
 originalFactoryData.push(registerMockedFactory("@mozilla.org/network/manager;1",
diff --git a/dom/presentation/tests/mochitest/chrome.ini b/dom/presentation/tests/mochitest/chrome.ini
new file mode 100644
index 0000000000..f90b77b6e9
--- /dev/null
+++ b/dom/presentation/tests/mochitest/chrome.ini
@@ -0,0 +1,4 @@
+[DEFAULT]
+skip-if = buildapp == 'b2g' || os == 'android'
+
+[test_presentation_datachannel_sessiontransport.html]
diff --git a/dom/presentation/tests/mochitest/file_presentation_receiver.html b/dom/presentation/tests/mochitest/file_presentation_receiver.html
index dd99e00e74..08d7290b5b 100644
--- a/dom/presentation/tests/mochitest/file_presentation_receiver.html
+++ b/dom/presentation/tests/mochitest/file_presentation_receiver.html
@@ -77,7 +77,7 @@ function testIncomingMessage() {
     });
 
     command({ name: 'trigger-incoming-message',
-    	      data: incomingMessage });
+    	        data: incomingMessage });
   });
 }
 
diff --git a/dom/presentation/tests/mochitest/mochitest.ini b/dom/presentation/tests/mochitest/mochitest.ini
index f94faefe66..d69e55bbf2 100644
--- a/dom/presentation/tests/mochitest/mochitest.ini
+++ b/dom/presentation/tests/mochitest/mochitest.ini
@@ -7,21 +7,28 @@ support-files =
   file_presentation_non_receiver_oop.html
   file_presentation_receiver_establish_connection_error.html
 
+
+[test_presentation_dc_sender.html]
+skip-if = (e10s || toolkit == 'gonk' || toolkit == 'android') # Bug 1129785
+[test_presentation_dc_receiver.html]
+skip-if = (e10s || toolkit == 'gonk' || toolkit == 'android') # Bug 1129785
 [test_presentation_device_info.html]
 [test_presentation_device_info_permission.html]
-[test_presentation_sender_disconnect.html]
+[test_presentation_sender_startWithDevice.html]
 skip-if = toolkit == 'android' # Bug 1129785
-[test_presentation_sender_establish_connection_error.html]
+[test_presentation_tcp_sender_disconnect.html]
 skip-if = toolkit == 'android' # Bug 1129785
-[test_presentation_sender.html]
+[test_presentation_tcp_sender_establish_connection_error.html]
 skip-if = toolkit == 'android' # Bug 1129785
-[test_presentation_sender_default_request.html]
+[test_presentation_tcp_sender.html]
 skip-if = toolkit == 'android' # Bug 1129785
-[test_presentation_receiver_establish_connection_error.html]
+[test_presentation_tcp_sender_default_request.html]
+skip-if = toolkit == 'android' # Bug 1129785
+[test_presentation_tcp_receiver_establish_connection_error.html]
 skip-if = (e10s || toolkit == 'gonk' || toolkit == 'android' || os == 'mac' || os == 'win' || buildapp == 'mulet') # Bug 1129785, Bug 1204709
-[test_presentation_receiver_establish_connection_timeout.html]
+[test_presentation_tcp_receiver_establish_connection_timeout.html]
 skip-if = (e10s || toolkit == 'gonk' || toolkit == 'android') # Bug 1129785
-[test_presentation_receiver.html]
+[test_presentation_tcp_receiver.html]
 skip-if = (e10s || toolkit == 'gonk' || toolkit == 'android') # Bug 1129785
-[test_presentation_receiver_oop.html]
+[test_presentation_tcp_receiver_oop.html]
 skip-if = (e10s || toolkit == 'gonk' || toolkit == 'android') # Bug 1129785
diff --git a/dom/presentation/tests/mochitest/test_presentation_datachannel_sessiontransport.html b/dom/presentation/tests/mochitest/test_presentation_datachannel_sessiontransport.html
new file mode 100644
index 0000000000..d950f6402f
--- /dev/null
+++ b/dom/presentation/tests/mochitest/test_presentation_datachannel_sessiontransport.html
@@ -0,0 +1,244 @@
+<!DOCTYPE HTML>
+<html>
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<head>
+  <meta charset="utf-8">
+  <title>Test for data channel as session transport in Presentation API</title>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1148307">Test for data channel as session transport in Presentation API</a>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+"use strict";
+
+SimpleTest.waitForExplicitFinish();
+
+
+const loadingTimeoutPref = "presentation.receiver.loading.timeout";
+
+var clientBuilder;
+var serverBuilder;
+var clientTransport;
+var serverTransport;
+var clientControlChannel;
+var serverControlChannel;
+
+const clientMessage = "Client Message";
+const serverMessage = "Server Message";
+
+const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
+const { XPCOMUtils } = Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+const { Services } = Cu.import("resource://gre/modules/Services.jsm");
+
+function TestControlChannel() {
+  this._listener = null;
+}
+
+TestControlChannel.prototype = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationControlChannel]),
+  set listener(aListener) {
+    this._listener = aListener;
+  },
+  get listener() {
+    return this._listener;
+  },
+  sendOffer: function(aOffer) {
+    setTimeout(()=>this._remote.listener.onOffer(aOffer), 0);
+  },
+  sendAnswer: function(aAnswer) {
+    setTimeout(()=>this._remote.listener.onAnswer(aAnswer), 0);
+  },
+  sendIceCandidate: function(aCandidate) {
+    setTimeout(()=>this._remote.listener.onIceCandidate(aCandidate), 0);
+  },
+  close: function(aReason) {
+    setTimeout(()=>this._listener.notifyClosed(aReason), 0);
+    setTimeout(()=>this._remote.listener.notifyClosed(aReason), 0);
+  },
+  set remote(aRemote) {
+    this._remote = aRemote;
+  },
+};
+
+var isClientReady = false;
+var isServerReady = false;
+var isClientClosed = false;
+var isServerClosed = false;
+
+var gResolve;
+var gReject;
+
+const clientCallback = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransportCallback]),
+  notifyTransportReady: function () {
+    info("Client transport ready.");
+
+    isClientReady = true;
+    if (isClientReady && isServerReady) {
+      gResolve();
+    }
+  },
+  notifyTransportClosed: function (aReason) {
+    info("Client transport is closed.");
+
+    isClientClosed = true;
+    if (isClientClosed && isServerClosed) {
+      gResolve();
+    }
+  },
+  notifyData: function(aData) {
+    is(aData, serverMessage, "Client transport receives data.");
+    gResolve();
+  },
+};
+
+const serverCallback = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransportCallback]),
+  notifyTransportReady: function () {
+    info("Server transport ready.");
+
+    isServerReady = true;
+    if (isClientReady && isServerReady) {
+      gResolve();
+    }
+  },
+  notifyTransportClosed: function (aReason) {
+    info("Server transport is closed.");
+
+    isServerClosed = true;
+    if (isClientClosed && isServerClosed) {
+      gResolve();
+    }
+  },
+  notifyData: function(aData) {
+    is(aData, clientMessage, "Server transport receives data.");
+    gResolve()
+  },
+};
+
+
+const clientListener = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransportBuilderListener]),
+  onSessionTransport: function(aTransport) {
+    info("Client Transport is built.");
+    clientTransport = aTransport;
+    clientTransport.callback = clientCallback;
+  },
+  onError: function(aError)  {
+    ok(false, "client's builder reports error " + aError);
+  }
+}
+
+const serverListener = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransportBuilderListener]),
+  onSessionTransport: function(aTransport) {
+    info("Server Transport is built.");
+    serverTransport = aTransport;
+    serverTransport.callback = serverCallback;
+    serverTransport.enableDataNotification();
+  },
+  onError: function(aError)  {
+    ok(false, "server's builder reports error " + aError);
+  }
+}
+
+
+function testBuilder() {
+  return new Promise(function(aResolve, aReject) {
+    gResolve = aResolve;
+    gReject = aReject;
+
+    clientControlChannel = new TestControlChannel();
+    serverControlChannel = new TestControlChannel();
+    clientControlChannel.remote = serverControlChannel;
+    serverControlChannel.remote = clientControlChannel;
+
+    clientBuilder = Cc["@mozilla.org/presentation/datachanneltransportbuilder;1"]
+                      .createInstance(Ci.nsIPresentationDataChannelSessionTransportBuilder);
+    serverBuilder = Cc["@mozilla.org/presentation/datachanneltransportbuilder;1"]
+                      .createInstance(Ci.nsIPresentationDataChannelSessionTransportBuilder);
+
+    clientBuilder
+      .buildDataChannelTransport(Ci.nsIPresentationSessionTransportBuilder.TYPE_SENDER,
+                                 window,
+                                 clientControlChannel,
+                                 clientListener);
+
+    serverBuilder
+      .buildDataChannelTransport(Ci.nsIPresentationSessionTransportBuilder.TYPE_RECEIVER,
+                                 window,
+                                 serverControlChannel,
+                                 serverListener);
+  });
+}
+
+function testClientSendMessage() {
+  return new Promise(function(aResolve, aReject) {
+    info("client sends message");
+    gResolve = aResolve;
+    gReject = aReject;
+
+    clientTransport.send(clientMessage);
+  });
+}
+
+function testServerSendMessage() {
+  return new Promise(function(aResolve, aReject) {
+    info("server sends message");
+    gResolve = aResolve;
+    gReject = aReject;
+
+    serverTransport.send(serverMessage);
+    setTimeout(()=>clientTransport.enableDataNotification(), 0);
+  });
+}
+
+function testCloseSessionTransport() {
+  return new Promise(function(aResolve, aReject) {
+    info("close session transport");
+    gResolve = aResolve;
+    gReject = aReject;
+
+    serverTransport.close(Cr.NS_OK);
+  });
+}
+
+function finish() {
+  info("test finished, teardown");
+  Services.prefs.clearUserPref(loadingTimeoutPref);
+
+  SimpleTest.finish();
+}
+
+function error(aError) {
+  ok(false, "report Error " + aError.name + ":" + aError.message);
+}
+
+function runTests() {
+  Services.prefs.setIntPref(loadingTimeoutPref, 30000);
+
+  testBuilder()
+  .then(testClientSendMessage)
+  .then(testServerSendMessage)
+  .then(testCloseSessionTransport)
+  .then(finish)
+  .catch(error);
+
+
+}
+
+window.addEventListener("load", function() {
+  runTests();
+});
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/dom/presentation/tests/mochitest/test_presentation_dc_receiver.html b/dom/presentation/tests/mochitest/test_presentation_dc_receiver.html
new file mode 100644
index 0000000000..dbf724362e
--- /dev/null
+++ b/dom/presentation/tests/mochitest/test_presentation_dc_receiver.html
@@ -0,0 +1,136 @@
+<!DOCTYPE HTML>
+<html>
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<head>
+  <meta charset="utf-8">
+  <title>Test for B2G PresentationConnection API at receiver side</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1148307">Test for B2G PresentationConnection API at receiver side</a>
+<p id="display"></p>
+<div id="content" style="display: none"></div>
+<pre id="test"></pre>
+<script type="application/javascript">
+
+'use strict';
+
+var gScript = SpecialPowers.loadChromeScript(SimpleTest.getTestFileURL('PresentationSessionChromeScript.js'));
+var receiverUrl = SimpleTest.getTestFileURL('file_presentation_receiver.html');
+
+var obs = SpecialPowers.Cc["@mozilla.org/observer-service;1"]
+          .getService(SpecialPowers.Ci.nsIObserverService);
+
+function setup() {
+  return new Promise(function(aResolve, aReject) {
+    gScript.sendAsyncMessage('trigger-device-add');
+
+    var iframe = document.createElement('iframe');
+    iframe.setAttribute('src', receiverUrl);
+
+    // This event is triggered when the iframe calls "postMessage".
+    window.addEventListener('message', function listener(aEvent) {
+      var message = aEvent.data;
+      if (/^OK /.exec(message)) {
+        ok(true, "Message from iframe: " + message);
+      } else if (/^KO /.exec(message)) {
+        ok(false, "Message from iframe: " + message);
+      } else if (/^INFO /.exec(message)) {
+        info("Message from iframe: " + message);
+      } else if (/^COMMAND /.exec(message)) {
+        var command = JSON.parse(message.replace(/^COMMAND /, ''));
+        gScript.sendAsyncMessage(command.name, command.data);
+      } else if (/^DONE$/.exec(message)) {
+        ok(true, "Messaging from iframe complete.");
+        window.removeEventListener('message', listener);
+
+        teardown();
+      }
+    }, false);
+
+    var promise = new Promise(function(aResolve, aReject) {
+      document.body.appendChild(iframe);
+
+      aResolve(iframe);
+    });
+    obs.notifyObservers(promise, 'setup-request-promise', null);
+
+    gScript.addMessageListener('offer-received', function offerReceivedHandler() {
+      gScript.removeMessageListener('offer-received', offerReceivedHandler);
+      info("An offer is received.");
+    });
+
+    gScript.addMessageListener('answer-sent', function answerSentHandler(aIsValid) {
+      gScript.removeMessageListener('answer-sent', answerSentHandler);
+      ok(aIsValid, "A valid answer is sent.");
+    });
+
+    gScript.addMessageListener('control-channel-closed', function controlChannelClosedHandler(aReason) {
+      gScript.removeMessageListener('control-channel-closed', controlChannelClosedHandler);
+      is(aReason, SpecialPowers.Cr.NS_OK, "The control channel is closed normally.");
+    });
+
+    gScript.addMessageListener('check-navigator', function checknavigatorHandler(aSuccess) {
+      gScript.removeMessageListener('check-navigator', checknavigatorHandler);
+      ok(aSuccess, "buildDataChannel get correct window object");
+    });
+
+    gScript.addMessageListener('data-transport-notification-enabled', function dataTransportNotificationEnabledHandler() {
+      gScript.removeMessageListener('data-transport-notification-enabled', dataTransportNotificationEnabledHandler);
+      info("Data notification is enabled for data transport channel.");
+    });
+
+    gScript.addMessageListener('data-transport-closed', function dataTransportClosedHandler(aReason) {
+      gScript.removeMessageListener('data-transport-closed', dataTransportClosedHandler);
+      is(aReason, SpecialPowers.Cr.NS_OK, "The data transport should be closed normally.");
+    });
+
+    aResolve();
+  });
+}
+
+function testIncomingSessionRequest() {
+  return new Promise(function(aResolve, aReject) {
+    gScript.addMessageListener('receiver-launching', function launchReceiverHandler(aSessionId) {
+      gScript.removeMessageListener('receiver-launching', launchReceiverHandler);
+      info("Trying to launch receiver page.");
+
+      ok(navigator.presentation, "navigator.presentation should be available in in-process pages.");
+      ok(!navigator.presentation.receiver, "Non-receiving in-process pages shouldn't get a presentation receiver instance.");
+      aResolve();
+    });
+
+    gScript.sendAsyncMessage('trigger-incoming-session-request', receiverUrl);
+  });
+}
+
+function teardown() {
+  gScript.addMessageListener('teardown-complete', function teardownCompleteHandler() {
+    gScript.removeMessageListener('teardown-complete', teardownCompleteHandler);
+    gScript.destroy();
+    SimpleTest.finish();
+  });
+
+  gScript.sendAsyncMessage('teardown');
+}
+
+function runTests() {
+  setup().
+  then(testIncomingSessionRequest);
+}
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPermissions([
+  {type: 'presentation-device-manage', allow: false, context: document},
+  {type: 'presentation', allow: true, context: document},
+], function() {
+  SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
+                                      ["dom.presentation.session_transport.data_channel.enable", true]]},
+                            runTests);
+});
+
+</script>
+</body>
+</html>
diff --git a/dom/presentation/tests/mochitest/test_presentation_dc_sender.html b/dom/presentation/tests/mochitest/test_presentation_dc_sender.html
new file mode 100644
index 0000000000..2936b5891c
--- /dev/null
+++ b/dom/presentation/tests/mochitest/test_presentation_dc_sender.html
@@ -0,0 +1,208 @@
+<!DOCTYPE HTML>
+<html>
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<head>
+  <meta charset="utf-8">
+  <title>Test for B2G Presentation API at sender side</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1148307">Test for B2G Presentation API at sender side</a>
+<script type="application/javascript;version=1.8">
+
+'use strict';
+
+var gScript = SpecialPowers.loadChromeScript(SimpleTest.getTestFileURL('PresentationSessionChromeScript.js'));
+var request;
+var connection;
+
+function testSetup() {
+  return new Promise(function(aResolve, aReject) {
+    request = new PresentationRequest("http://example.com");
+
+    request.getAvailability().then(
+      function(aAvailability) {
+        aAvailability.onchange = function() {
+          aAvailability.onchange = null;
+          ok(aAvailability.value, "Device should be available.");
+          aResolve();
+        }
+      },
+      function(aError) {
+        ok(false, "Error occurred when getting availability: " + aError);
+        teardown();
+        aReject();
+      }
+    );
+
+    gScript.sendAsyncMessage('trigger-device-add');
+  });
+}
+
+function testStartConnection() {
+  return new Promise(function(aResolve, aReject) {
+    gScript.addMessageListener('device-prompt', function devicePromptHandler() {
+      gScript.removeMessageListener('device-prompt', devicePromptHandler);
+      info("Device prompt is triggered.");
+      gScript.sendAsyncMessage('trigger-device-prompt-select');
+    });
+
+    gScript.addMessageListener('control-channel-established', function controlChannelEstablishedHandler() {
+      gScript.removeMessageListener('control-channel-established', controlChannelEstablishedHandler);
+      info("A control channel is established.");
+      gScript.sendAsyncMessage('trigger-control-channel-open');
+    });
+
+    gScript.addMessageListener('control-channel-opened', function controlChannelOpenedHandler(aReason) {
+      gScript.removeMessageListener('control-channel-opened', controlChannelOpenedHandler);
+      info("The control channel is opened.");
+    });
+
+    gScript.addMessageListener('control-channel-closed', function controlChannelClosedHandler(aReason) {
+      gScript.removeMessageListener('control-channel-closed', controlChannelClosedHandler);
+      info("The control channel is closed. " + aReason);
+    });
+
+    gScript.addMessageListener('check-navigator', function checknavigatorHandler(aSuccess) {
+      gScript.removeMessageListener('check-navigator', checknavigatorHandler);
+      ok(aSuccess, "buildDataChannel get correct window object");
+    });
+
+    gScript.addMessageListener('offer-sent', function offerSentHandler(aIsValid) {
+      gScript.removeMessageListener('offer-sent', offerSentHandler);
+      ok(aIsValid, "A valid offer is sent out.");
+      gScript.sendAsyncMessage('trigger-incoming-transport');
+    });
+
+    gScript.addMessageListener('answer-received', function answerReceivedHandler() {
+      gScript.removeMessageListener('answer-received', answerReceivedHandler);
+      info("An answer is received.");
+    });
+
+    gScript.addMessageListener('data-transport-initialized', function dataTransportInitializedHandler() {
+      gScript.removeMessageListener('data-transport-initialized', dataTransportInitializedHandler);
+      info("Data transport channel is initialized.");
+      gScript.sendAsyncMessage('trigger-incoming-answer');
+    });
+
+    gScript.addMessageListener('data-transport-notification-enabled', function dataTransportNotificationEnabledHandler() {
+      gScript.removeMessageListener('data-transport-notification-enabled', dataTransportNotificationEnabledHandler);
+      info("Data notification is enabled for data transport channel.");
+    });
+
+    var connectionFromEvent;
+    request.onconnectionavailable = function(aEvent) {
+      request.onconnectionavailable = null;
+      connectionFromEvent = aEvent.connection;
+      ok(connectionFromEvent, "|connectionavailable| event is fired with a connection.");
+
+      if (connection) {
+        is(connection, connectionFromEvent, "The connection from promise and the one from |connectionavailable| event should be the same.");
+        aResolve();
+      }
+    };
+
+    request.start().then(
+      function(aConnection) {
+        connection = aConnection;
+        ok(connection, "Connection should be available.");
+        ok(connection.id, "Connection ID should be set.");
+        is(connection.state, "connected", "Connection state at sender side should be connected by default.");
+
+        if (connectionFromEvent) {
+          is(connection, connectionFromEvent, "The connection from promise and the one from |connectionavailable| event should be the same.");
+          aResolve();
+        }
+      },
+      function(aError) {
+        ok(false, "Error occurred when establishing a connection: " + aError);
+        teardown();
+        aReject();
+      }
+    );
+  });
+}
+
+function testSend() {
+  return new Promise(function(aResolve, aReject) {
+    const outgoingMessage = "test outgoing message";
+
+    gScript.addMessageListener('message-sent', function messageSentHandler(aMessage) {
+      gScript.removeMessageListener('message-sent', messageSentHandler);
+      is(aMessage, outgoingMessage, "The message is sent out.");
+      aResolve();
+    });
+
+    connection.send(outgoingMessage);
+  });
+}
+
+function testIncomingMessage() {
+  return new Promise(function(aResolve, aReject) {
+    const incomingMessage = "test incoming message";
+
+    connection.addEventListener('message', function messageHandler(aEvent) {
+      connection.removeEventListener('message', messageHandler);
+      is(aEvent.data, incomingMessage, "An incoming message should be received.");
+      aResolve();
+    });
+
+    gScript.sendAsyncMessage('trigger-incoming-message', incomingMessage);
+  });
+}
+
+function testTerminateConnection() {
+  return new Promise(function(aResolve, aReject) {
+    gScript.addMessageListener('data-transport-closed', function dataTransportClosedHandler(aReason) {
+      gScript.removeMessageListener('data-transport-closed', dataTransportClosedHandler);
+      info("The data transport is closed. " + aReason);
+    });
+
+    connection.onstatechange = function() {
+      connection.onstatechange = null;
+      is(connection.state, "terminated", "Connection should be terminated.");
+      aResolve();
+    };
+
+    connection.terminate();
+  });
+}
+
+function teardown() {
+  gScript.addMessageListener('teardown-complete', function teardownCompleteHandler() {
+    gScript.removeMessageListener('teardown-complete', teardownCompleteHandler);
+    gScript.destroy();
+    info('teardown-complete');
+    SimpleTest.finish();
+  });
+
+  gScript.sendAsyncMessage('teardown');
+}
+
+function runTests() {
+  ok(window.PresentationRequest, "PresentationRequest should be available.");
+
+  testSetup().
+  then(testStartConnection).
+  then(testSend).
+  then(testIncomingMessage).
+  then(testTerminateConnection).
+  then(teardown);
+}
+
+SimpleTest.expectAssertions(0, 5);
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPermissions([
+  {type: 'presentation-device-manage', allow: false, context: document},
+  {type: 'presentation', allow: true, context: document},
+], function() {
+  SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
+                                      ["dom.presentation.session_transport.data_channel.enable", true]]},
+                            runTests);
+});
+
+</script>
+</body>
+</html>
diff --git a/dom/presentation/tests/mochitest/test_presentation_sender_startWithDevice.html b/dom/presentation/tests/mochitest/test_presentation_sender_startWithDevice.html
new file mode 100644
index 0000000000..7a7ddf298d
--- /dev/null
+++ b/dom/presentation/tests/mochitest/test_presentation_sender_startWithDevice.html
@@ -0,0 +1,172 @@
+<!DOCTYPE HTML>
+<html>
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+<head>
+  <meta charset="utf-8">
+  <title>Test startWithDevice for B2G Presentation API at sender side</title>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1239242">Test startWithDevice for B2G Presentation API at sender side</a>
+<script type="application/javascript;version=1.8">
+
+'use strict';
+
+var gScript = SpecialPowers.loadChromeScript(SimpleTest.getTestFileURL('PresentationSessionChromeScript.js'));
+var request;
+var connection;
+
+function testSetup() {
+  return new Promise(function(aResolve, aReject) {
+    request = new PresentationRequest("http://example.com");
+
+    request.getAvailability().then(
+      function(aAvailability) {
+        aAvailability.onchange = function() {
+          aAvailability.onchange = null;
+          ok(aAvailability.value, "Device should be available.");
+          aResolve();
+        }
+      },
+      function(aError) {
+        ok(false, "Error occurred when getting availability: " + aError);
+        teardown();
+        aReject();
+      }
+    );
+
+    gScript.sendAsyncMessage('trigger-device-add');
+  });
+}
+
+function testStartConnectionWithDevice() {
+  return new Promise(function(aResolve, aReject) {
+    gScript.addMessageListener('device-prompt', function devicePromptHandler() {
+      gScript.removeMessageListener('device-prompt', devicePromptHandler);
+      ok(false, "Device prompt should not be triggered.");
+      teardown();
+      aReject();
+    });
+
+    gScript.addMessageListener('control-channel-established', function controlChannelEstablishedHandler() {
+      gScript.removeMessageListener('control-channel-established', controlChannelEstablishedHandler);
+      info("A control channel is established.");
+      gScript.sendAsyncMessage('trigger-control-channel-open');
+    });
+
+    gScript.addMessageListener('control-channel-opened', function controlChannelOpenedHandler(aReason) {
+      gScript.removeMessageListener('control-channel-opened', controlChannelOpenedHandler);
+      info("The control channel is opened.");
+    });
+
+    gScript.addMessageListener('control-channel-closed', function controlChannelClosedHandler(aReason) {
+      gScript.removeMessageListener('control-channel-closed', controlChannelClosedHandler);
+      info("The control channel is closed. " + aReason);
+    });
+
+    gScript.addMessageListener('offer-sent', function offerSentHandler(aIsValid) {
+      gScript.removeMessageListener('offer-sent', offerSentHandler);
+      ok(aIsValid, "A valid offer is sent out.");
+      gScript.sendAsyncMessage('trigger-incoming-transport');
+    });
+
+    gScript.addMessageListener('answer-received', function answerReceivedHandler() {
+      gScript.removeMessageListener('answer-received', answerReceivedHandler);
+      info("An answer is received.");
+    });
+
+    gScript.addMessageListener('data-transport-initialized', function dataTransportInitializedHandler() {
+      gScript.removeMessageListener('data-transport-initialized', dataTransportInitializedHandler);
+      info("Data transport channel is initialized.");
+      gScript.sendAsyncMessage('trigger-incoming-answer');
+    });
+
+    gScript.addMessageListener('data-transport-notification-enabled', function dataTransportNotificationEnabledHandler() {
+      gScript.removeMessageListener('data-transport-notification-enabled', dataTransportNotificationEnabledHandler);
+      info("Data notification is enabled for data transport channel.");
+    });
+
+    var connectionFromEvent;
+    request.onconnectionavailable = function(aEvent) {
+      request.onconnectionavailable = null;
+      connectionFromEvent = aEvent.connection;
+      ok(connectionFromEvent, "|connectionavailable| event is fired with a connection.");
+
+      if (connection) {
+        is(connection, connectionFromEvent, "The connection from promise and the one from |connectionavailable| event should be the same.");
+        aResolve();
+      }
+    };
+
+    request.startWithDevice('id').then(
+      function(aConnection) {
+        connection = aConnection;
+        ok(connection, "Connection should be available.");
+        ok(connection.id, "Connection ID should be set.");
+        is(connection.state, "connected", "Connection state at sender side should be connected by default.");
+
+        if (connectionFromEvent) {
+          is(connection, connectionFromEvent, "The connection from promise and the one from |connectionavailable| event should be the same.");
+          aResolve();
+        }
+      },
+      function(aError) {
+        ok(false, "Error occurred when establishing a connection: " + aError);
+        teardown();
+        aReject();
+      }
+    );
+  });
+}
+
+function testStartConnectionWithDeviceNotFoundError() {
+  return new Promise(function(aResolve, aReject) {
+    request.startWithDevice('').then(
+      function(aConnection) {
+        ok(false, "Should not establish connection to an unknown device");
+        teardown();
+        aReject();
+      },
+      function(aError) {
+        is(aError.name, 'NotFoundError', "Expect NotFoundError occurred when establishing a connection");
+        aResolve();
+      }
+    );
+  });
+}
+
+function teardown() {
+  gScript.addMessageListener('teardown-complete', function teardownCompleteHandler() {
+    gScript.removeMessageListener('teardown-complete', teardownCompleteHandler);
+    gScript.destroy();
+    SimpleTest.finish();
+  });
+
+  gScript.sendAsyncMessage('teardown');
+}
+
+function runTests() {
+  ok(window.PresentationRequest, "PresentationRequest should be available.");
+
+  testSetup().
+  then(testStartConnectionWithDevice).
+  then(testStartConnectionWithDeviceNotFoundError).
+  then(teardown);
+}
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPermissions([
+  {type: 'presentation-device-manage', allow: true, context: document},
+  {type: 'presentation', allow: true, context: document},
+], function() {
+  SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
+                                      ["dom.presentation.test.enabled", true],
+                                      ["dom.presentation.test.stage", 0]]},
+                            runTests);
+});
+
+</script>
+</body>
+</html>
diff --git a/dom/presentation/tests/mochitest/test_presentation_receiver.html b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver.html
similarity index 96%
rename from dom/presentation/tests/mochitest/test_presentation_receiver.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_receiver.html
index d4a3f52da2..76b8921970 100644
--- a/dom/presentation/tests/mochitest/test_presentation_receiver.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver.html
@@ -116,15 +116,13 @@ function runTests() {
   then(testIncomingSessionRequest);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0]]},
+                                      ["dom.presentation.session_transport.data_channel.enable", false]]},
                             runTests);
 });
 
diff --git a/dom/presentation/tests/mochitest/test_presentation_receiver_establish_connection_error.html b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver_establish_connection_error.html
similarity index 95%
rename from dom/presentation/tests/mochitest/test_presentation_receiver_establish_connection_error.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_receiver_establish_connection_error.html
index 710f626610..a20a85032f 100644
--- a/dom/presentation/tests/mochitest/test_presentation_receiver_establish_connection_error.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver_establish_connection_error.html
@@ -91,15 +91,13 @@ function runTests() {
   then(testIncomingSessionRequest);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0]]},
+                                      ["dom.presentation.session_transport.data_channel.enable", false]]},
                             runTests);
 });
 
diff --git a/dom/presentation/tests/mochitest/test_presentation_receiver_establish_connection_timeout.html b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver_establish_connection_timeout.html
similarity index 93%
rename from dom/presentation/tests/mochitest/test_presentation_receiver_establish_connection_timeout.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_receiver_establish_connection_timeout.html
index 3e243818e0..034aa270ac 100644
--- a/dom/presentation/tests/mochitest/test_presentation_receiver_establish_connection_timeout.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver_establish_connection_timeout.html
@@ -65,15 +65,13 @@ function runTests() {
   then(teardown);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0],
+                                      ["dom.presentation.session_transport.data_channel.enable", false],
                                       ["presentation.receiver.loading.timeout", 10]]},
                             runTests);
 });
diff --git a/dom/presentation/tests/mochitest/test_presentation_receiver_oop.html b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver_oop.html
similarity index 97%
rename from dom/presentation/tests/mochitest/test_presentation_receiver_oop.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_receiver_oop.html
index 747fc7e3c2..3f44ad91b9 100644
--- a/dom/presentation/tests/mochitest/test_presentation_receiver_oop.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_receiver_oop.html
@@ -157,7 +157,6 @@ function runTests() {
   then(testIncomingSessionRequest);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
@@ -165,8 +164,7 @@ SpecialPowers.pushPermissions([
   {type: 'browser', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0],
+                                      ["dom.presentation.session_transport.data_channel.enable", false],
                                       ["dom.mozBrowserFramesEnabled", true],
                                       ["dom.ipc.browser_frames.oop_by_default", true]]},
                             runTests);
diff --git a/dom/presentation/tests/mochitest/test_presentation_sender.html b/dom/presentation/tests/mochitest/test_presentation_tcp_sender.html
similarity index 97%
rename from dom/presentation/tests/mochitest/test_presentation_sender.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_sender.html
index 6006fd80a9..6c6a683236 100644
--- a/dom/presentation/tests/mochitest/test_presentation_sender.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_sender.html
@@ -186,15 +186,13 @@ function runTests() {
   then(teardown);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0]]},
+                                      ["dom.presentation.session_transport.data_channel.enable", false]]},
                             runTests);
 });
 
diff --git a/dom/presentation/tests/mochitest/test_presentation_sender_default_request.html b/dom/presentation/tests/mochitest/test_presentation_tcp_sender_default_request.html
similarity index 96%
rename from dom/presentation/tests/mochitest/test_presentation_sender_default_request.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_sender_default_request.html
index 70f7c57533..6b8e0f1989 100644
--- a/dom/presentation/tests/mochitest/test_presentation_sender_default_request.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_sender_default_request.html
@@ -134,15 +134,13 @@ function runTests() {
   then(teardown);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0]]},
+                                      ["dom.presentation.session_transport.data_channel.enable", false]]},
                             runTests);
 });
 
diff --git a/dom/presentation/tests/mochitest/test_presentation_sender_disconnect.html b/dom/presentation/tests/mochitest/test_presentation_tcp_sender_disconnect.html
similarity index 96%
rename from dom/presentation/tests/mochitest/test_presentation_sender_disconnect.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_sender_disconnect.html
index fc12d64349..2f67b42882 100644
--- a/dom/presentation/tests/mochitest/test_presentation_sender_disconnect.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_sender_disconnect.html
@@ -140,15 +140,13 @@ function runTests() {
   then(teardown);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0]]},
+                                      ["dom.presentation.session_transport.data_channel.enable", false]]},
                             runTests);
 });
 
diff --git a/dom/presentation/tests/mochitest/test_presentation_sender_establish_connection_error.html b/dom/presentation/tests/mochitest/test_presentation_tcp_sender_establish_connection_error.html
similarity index 98%
rename from dom/presentation/tests/mochitest/test_presentation_sender_establish_connection_error.html
rename to dom/presentation/tests/mochitest/test_presentation_tcp_sender_establish_connection_error.html
index 1a1e6b7b8e..6f9e44e96d 100644
--- a/dom/presentation/tests/mochitest/test_presentation_sender_establish_connection_error.html
+++ b/dom/presentation/tests/mochitest/test_presentation_tcp_sender_establish_connection_error.html
@@ -344,15 +344,13 @@ function runTests() {
   then(teardown);
 }
 
-SimpleTest.expectAssertions(0, 5);
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPermissions([
   {type: 'presentation-device-manage', allow: false, context: document},
   {type: 'presentation', allow: true, context: document},
 ], function() {
   SpecialPowers.pushPrefEnv({ 'set': [["dom.presentation.enabled", true],
-                                      ["dom.presentation.test.enabled", true],
-                                      ["dom.presentation.test.stage", 0]]},
+                                      ["dom.presentation.session_transport.data_channel.enable", false]]},
                             runTests);
 });
 
diff --git a/dom/presentation/tests/xpcshell/test_presentation_session_transport.js b/dom/presentation/tests/xpcshell/test_presentation_session_transport.js
index 3b76319547..8e207bc22f 100644
--- a/dom/presentation/tests/xpcshell/test_presentation_session_transport.js
+++ b/dom/presentation/tests/xpcshell/test_presentation_session_transport.js
@@ -16,6 +16,9 @@ var testServer = null;
 var clientTransport = null;
 var serverTransport = null;
 
+var clientBuilder = null;
+var serverBuilder = null;
+
 const clientMessage = "Client Message";
 const serverMessage = "Server Message";
 
@@ -84,6 +87,33 @@ const serverCallback = {
   },
 };
 
+const clientListener = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransportBuilderListener]),
+  onSessionTransport(aTransport) {
+    Assert.ok(true, "Client Transport is built.");
+    clientTransport = aTransport;
+    clientTransport.callback = clientCallback;
+
+    if (serverTransport) {
+      run_next_test();
+    }
+  }
+}
+
+const serverListener = {
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIPresentationSessionTransportBuilderListener]),
+  onSessionTransport(aTransport) {
+    Assert.ok(true, "Server Transport is built.");
+    serverTransport = aTransport;
+    serverTransport.callback = serverCallback;
+    serverTransport.enableDataNotification();
+
+    if (clientTransport) {
+      run_next_test();
+    }
+  }
+}
+
 function TestServer() {
   this.serverSocket = ServerSocket(-1, true, -1);
   this.serverSocket.asyncListen(this)
@@ -92,10 +122,9 @@ function TestServer() {
 TestServer.prototype = {
   onSocketAccepted: function(aSocket, aTransport) {
     print("Test server gets a client connection.");
-    serverTransport = Cc["@mozilla.org/presentation/presentationsessiontransport;1"]
-                        .createInstance(Ci.nsIPresentationSessionTransport);
-    serverTransport.initWithSocketTransport(aTransport, serverCallback);
-    serverTransport.enableDataNotification();
+    serverBuilder = Cc["@mozilla.org/presentation/presentationtcpsessiontransport;1"]
+                      .createInstance(Ci.nsIPresentationTCPSessionTransportBuilder);
+    serverBuilder.buildTCPSenderTransport(aTransport, serverListener);
   },
   onStopListening: function(aSocket) {
     print("Test server stops listening.");
@@ -111,9 +140,9 @@ TestServer.prototype = {
 // Set up the transport connection and ensure |notifyTransportReady| triggered
 // at both sides.
 function setup() {
-  clientTransport = Cc["@mozilla.org/presentation/presentationsessiontransport;1"]
-                      .createInstance(Ci.nsIPresentationSessionTransport);
-  clientTransport.initWithChannelDescription(serverChannelDescription, clientCallback);
+  clientBuilder = Cc["@mozilla.org/presentation/presentationtcpsessiontransport;1"]
+                    .createInstance(Ci.nsIPresentationTCPSessionTransportBuilder);
+  clientBuilder.buildTCPReceiverTransport(serverChannelDescription, clientListener);
 }
 
 // Test |selfAddress| attribute of |nsIPresentationSessionTransport|.
@@ -132,19 +161,13 @@ function selfAddress() {
 // Test the client sends a message and then a corresponding notification gets
 // triggered at the server side.
 function clientSendMessage() {
-  var stream = Cc["@mozilla.org/io/string-input-stream;1"]
-                 .createInstance(Ci.nsIStringInputStream);
-  stream.setData(clientMessage, clientMessage.length);
-  clientTransport.send(stream);
+  clientTransport.send(clientMessage);
 }
 
 // Test the server sends a message an then a corresponding notification gets
 // triggered at the client side.
 function serverSendMessage() {
-  var stream = Cc["@mozilla.org/io/string-input-stream;1"]
-                 .createInstance(Ci.nsIStringInputStream);
-  stream.setData(serverMessage, serverMessage.length);
-  serverTransport.send(stream);
+  serverTransport.send(serverMessage);
   // The client enables data notification even after the incoming message has
   // been sent, and should still be able to consume it.
   clientTransport.enableDataNotification();
diff --git a/dom/webidl/CaretStateChangedEvent.webidl b/dom/webidl/CaretStateChangedEvent.webidl
index d2bfd5ae73..39edd4d8f8 100644
--- a/dom/webidl/CaretStateChangedEvent.webidl
+++ b/dom/webidl/CaretStateChangedEvent.webidl
@@ -10,7 +10,8 @@ enum CaretChangedReason {
   "longpressonemptycontent",
   "taponcaret",
   "presscaret",
-  "releasecaret"
+  "releasecaret",
+  "scroll"
 };
 
 dictionary CaretStateChangedEventInit : EventInit {
diff --git a/dom/webidl/PresentationConnection.webidl b/dom/webidl/PresentationConnection.webidl
index beb69d5690..c579960a24 100644
--- a/dom/webidl/PresentationConnection.webidl
+++ b/dom/webidl/PresentationConnection.webidl
@@ -43,7 +43,7 @@ interface PresentationConnection : EventTarget {
    *
    * This function only works when the state is "connected".
    *
-   * TODO bug 1148307 Implement PresentationSessionTransport with DataChannel to
+   * TODO bug 1228474 Implement PresentationSessionTransport with DataChannel to
    * support other binary types.
    */
   [Throws]
diff --git a/dom/webidl/PresentationRequest.webidl b/dom/webidl/PresentationRequest.webidl
index cdd0c61b16..bb893cdcee 100644
--- a/dom/webidl/PresentationRequest.webidl
+++ b/dom/webidl/PresentationRequest.webidl
@@ -43,4 +43,24 @@ interface PresentationRequest : EventTarget {
    * The event is fired for all connections that are created for the controller.
    */
   attribute EventHandler onconnectionavailable;
+
+  /*
+   * A chrome page, or page which has presentation-device-manage permissiongs,
+   * uses startWithDevice() to start a new connection with specified device,
+   * and it will be returned with the promise. UA may show a prompt box with a
+   * list of available devices and ask the user to grant permission, choose a
+   * device, or cancel the operation.
+   *
+   * The promise is resolved when the presenting page is successfully loaded and
+   * the communication channel is established, i.e., the connection state is
+   * "connected".
+   *
+   * The promise may be rejected duo to one of the following reasons:
+   * - "OperationError": Unexpected error occurs.
+   * - "NotFoundError":  No available device.
+   * - "NetworkError":   Failed to establish the control channel or data channel.
+   * - "TimeoutError":   Presenting page takes too long to load.
+   */
+  [CheckAnyPermissions="presentation-device-manage", Throws]
+  Promise<PresentationConnection> startWithDevice(DOMString deviceId);
 };
diff --git a/editor/composer/nsComposeTxtSrvFilter.cpp b/editor/composer/nsComposeTxtSrvFilter.cpp
index 418e0ccaab..ba66bca953 100644
--- a/editor/composer/nsComposeTxtSrvFilter.cpp
+++ b/editor/composer/nsComposeTxtSrvFilter.cpp
@@ -45,6 +45,7 @@ nsComposeTxtSrvFilter::Skip(nsIDOMNode* aNode, bool *_retval)
     } else if (content->IsAnyOfHTMLElements(nsGkAtoms::script,
                                             nsGkAtoms::textarea,
                                             nsGkAtoms::select,
+                                            nsGkAtoms::style,
                                             nsGkAtoms::map)) {
       *_retval = true;
     } else if (content->IsHTMLElement(nsGkAtoms::table)) {
diff --git a/editor/composer/test/chrome.ini b/editor/composer/test/chrome.ini
index d57698e9e5..e22614e29d 100644
--- a/editor/composer/test/chrome.ini
+++ b/editor/composer/test/chrome.ini
@@ -6,3 +6,4 @@ skip-if = buildapp == 'b2g'
 [test_bug434998.xul]
 [test_bug678842.html]
 [test_bug717433.html]
+[test_bug1219928.html]
diff --git a/editor/composer/test/test_bug1219928.html b/editor/composer/test/test_bug1219928.html
new file mode 100644
index 0000000000..7915f61bf2
--- /dev/null
+++ b/editor/composer/test/test_bug1219928.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1219928
+-->
+<head>
+  <title>Test for Bug 1219928</title>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1219928">Mozilla Bug 1219928</a>
+<p id="display"></p>
+
+<div contenteditable id="en-US" lang="en-US">
+<p>And here a missspelled word</p>
+<style>
+<!-- and here another onnee in a style comment -->
+</style>
+</div>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 1219928 **/
+/* Very simple test to check that <style> blocks are skipped in the spell check */
+
+var spellchecker;
+
+SimpleTest.waitForExplicitFinish();
+SimpleTest.waitForFocus(function() {
+  Components.utils.import("resource://gre/modules/AsyncSpellCheckTestHelper.jsm");
+
+  var elem = document.getElementById('en-US');
+  elem.focus();
+
+  onSpellCheck(elem, function () {
+    var Ci = Components.interfaces;
+    var editingSession = window.QueryInterface(Ci.nsIInterfaceRequestor)
+                               .getInterface(Ci.nsIWebNavigation)
+                               .QueryInterface(Ci.nsIInterfaceRequestor)
+                               .getInterface(Ci.nsIEditingSession);
+    var editor = editingSession.getEditorForWindow(window);
+    var selcon = editor.selectionController;
+    var sel = selcon.getSelection(selcon.SELECTION_SPELLCHECK);
+
+    is(sel.toString(), "missspelled", "one misspelled word expected: missspelled");
+
+    spellchecker = Components.classes['@mozilla.org/editor/editorspellchecker;1'].createInstance(Components.interfaces.nsIEditorSpellCheck);
+    var filterContractId = "@mozilla.org/editor/txtsrvfilter;1";
+    spellchecker.setFilter(Components.classes[filterContractId].createInstance(Components.interfaces.nsITextServicesFilter));
+    spellchecker.InitSpellChecker(editor, false, spellCheckStarted);
+  });
+});
+
+function spellCheckStarted() {
+  var misspelledWord = spellchecker.GetNextMisspelledWord();
+  is(misspelledWord, "missspelled", "first misspelled word expected: missspelled");
+
+  // Without the fix, the next misspelled word was 'onnee', so we check that we don't get it.
+  misspelledWord = spellchecker.GetNextMisspelledWord();
+  isnot(misspelledWord, "onnee", "second misspelled word should not be: onnee");
+
+  spellchecker = "";
+
+  SimpleTest.finish();
+}
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/embedding/browser/nsIWebBrowserChrome.idl b/embedding/browser/nsIWebBrowserChrome.idl
index e7a43150a8..40f03cbe4f 100644
--- a/embedding/browser/nsIWebBrowserChrome.idl
+++ b/embedding/browser/nsIWebBrowserChrome.idl
@@ -31,8 +31,8 @@ interface nsIWebBrowserChrome : nsISupports
     /**
      * The currently loaded WebBrowser.  The browser chrome may be
      * told to set the WebBrowser object to a new object by setting this
-     * attribute.  In this case the implementer is responsible for taking the 
-     * new WebBrowser object and doing any necessary initialization or setup 
+     * attribute.  In this case the implementer is responsible for taking the
+     * new WebBrowser object and doing any necessary initialization or setup
      * as if it had created the WebBrowser itself.  This includes positioning
      * setting up listeners etc.
      */
@@ -53,7 +53,7 @@ interface nsIWebBrowserChrome : nsISupports
     const unsigned long CHROME_SCROLLBARS             = 0x00000200;
     const unsigned long CHROME_TITLEBAR               = 0x00000400;
     const unsigned long CHROME_EXTRA                  = 0x00000800;
-    
+
     // createBrowserWindow specific flags
     const unsigned long CHROME_WITH_SIZE              = 0x00001000;
     const unsigned long CHROME_WITH_POSITION          = 0x00002000;
@@ -98,12 +98,12 @@ interface nsIWebBrowserChrome : nsISupports
 
     // Note: The modal style bit just affects the way the window looks and does
     //       mean it's actually modal.
-    const unsigned long CHROME_MODAL                  = 0x20000000; 
+    const unsigned long CHROME_MODAL                  = 0x20000000;
     const unsigned long CHROME_OPENAS_DIALOG          = 0x40000000;
     const unsigned long CHROME_OPENAS_CHROME          = 0x80000000;
-    
+
     const unsigned long CHROME_ALL                    = 0x00000ffe;
-    
+
     /**
      * The chrome flags for this browser chrome. The implementation should
      * reflect the value of this attribute by hiding or showing its chrome
@@ -118,20 +118,20 @@ interface nsIWebBrowserChrome : nsISupports
     void destroyBrowserWindow();
 
     /**
-     * Tells the chrome to size itself such that the browser will be the 
+     * Tells the chrome to size itself such that the browser will be the
      * specified size.
      * @param aCX new width of the browser
      * @param aCY new height of the browser
      */
     void sizeBrowserTo(in long aCX, in long aCY);
-    
+
     /**
      * Shows the window as a modal window.
      * @return (the function error code) the status value specified by
      *         in exitModalEventLoop.
      */
     void showAsModal();
-    
+
     /**
      * Is the window modal (that is, currently executing a modal loop)?
      * @return true if it's a modal window
@@ -145,4 +145,3 @@ interface nsIWebBrowserChrome : nsISupports
      */
     void exitModalEventLoop(in nsresult aStatus);
 };
-
diff --git a/extensions/cookie/nsCookiePermission.cpp b/extensions/cookie/nsCookiePermission.cpp
index f7be1a4170..7dfc943f09 100644
--- a/extensions/cookie/nsCookiePermission.cpp
+++ b/extensions/cookie/nsCookiePermission.cpp
@@ -45,7 +45,6 @@ static const uint32_t ACCEPT_FOR_N_DAYS = 3;
 static const bool kDefaultPolicy = true;
 static const char kCookiesLifetimePolicy[] = "network.cookie.lifetimePolicy";
 static const char kCookiesLifetimeDays[] = "network.cookie.lifetime.days";
-static const char kCookiesAlwaysAcceptSession[] = "network.cookie.alwaysAcceptSessionCookies";
 
 static const char kCookiesPrefsMigrated[] = "network.cookie.prefsMigrated";
 // obsolete pref names for migration
@@ -76,7 +75,6 @@ nsCookiePermission::Init()
   if (prefBranch) {
     prefBranch->AddObserver(kCookiesLifetimePolicy, this, false);
     prefBranch->AddObserver(kCookiesLifetimeDays, this, false);
-    prefBranch->AddObserver(kCookiesAlwaysAcceptSession, this, false);
     PrefChanged(prefBranch, nullptr);
 
     // migration code for original cookie prefs
@@ -112,8 +110,7 @@ nsCookiePermission::PrefChanged(nsIPrefBranch *aPrefBranch,
 
   if (PREF_CHANGED(kCookiesLifetimePolicy) &&
       NS_SUCCEEDED(aPrefBranch->GetIntPref(kCookiesLifetimePolicy, &val))) {
-    if (val != static_cast<int32_t>(ACCEPT_SESSION) &&
-        val != static_cast<int32_t>(ACCEPT_FOR_N_DAYS)) {
+    if (val != static_cast<int32_t>(ACCEPT_SESSION) && val != static_cast<int32_t>(ACCEPT_FOR_N_DAYS)) {
       val = ACCEPT_NORMALLY;
     }
     mCookiesLifetimePolicy = val;
@@ -122,12 +119,7 @@ nsCookiePermission::PrefChanged(nsIPrefBranch *aPrefBranch,
   if (PREF_CHANGED(kCookiesLifetimeDays) &&
       NS_SUCCEEDED(aPrefBranch->GetIntPref(kCookiesLifetimeDays, &val)))
     // save cookie lifetime in seconds instead of days
-    mCookiesLifetimeSec = val * 24 * 60 * 60;
-
-  bool bval;
-  if (PREF_CHANGED(kCookiesAlwaysAcceptSession) &&
-      NS_SUCCEEDED(aPrefBranch->GetBoolPref(kCookiesAlwaysAcceptSession, &bval)))
-    mCookiesAlwaysAcceptSession = bval;
+    mCookiesLifetimeSec = (int64_t)val * 24 * 60 * 60;
 }
 
 NS_IMETHODIMP
@@ -235,23 +227,23 @@ nsCookiePermission::CanSetCookie(nsIURI     *aURI,
     break;
 
   default:
-    // The permission manager has nothing to say about this cookie
-    // so we apply the default prefs to it.
+    // the permission manager has nothing to say about this cookie -
+    // so, we apply the default prefs to it.
     NS_ASSERTION(perm == nsIPermissionManager::UNKNOWN_ACTION, "unknown permission");
 
-    // Now we need to figure out what type of accept policy we're dealing with.
-    // If we accept cookies normally, just bail and return.
+    // now we need to figure out what type of accept policy we're dealing with
+    // if we accept cookies normally, just bail and return
     if (mCookiesLifetimePolicy == ACCEPT_NORMALLY) {
       *aResult = true;
       return NS_OK;
     }
 
-    // Declare this here since it'll be used in all of the remaining cases.
+    // declare this here since it'll be used in all of the remaining cases
     int64_t currentTime = PR_Now() / PR_USEC_PER_SEC;
     int64_t delta = *aExpiry - currentTime;
 
-    // We are accepting the cookie, but if it's not a session cookie,
-    // we may have to limit its lifetime.
+    // We are accepting the cookie, but,
+    // if it's not a session cookie, we may have to limit its lifetime.
     if (!*aIsSession && delta > 0) {
       if (mCookiesLifetimePolicy == ACCEPT_SESSION) {
         // limit lifetime to session
diff --git a/extensions/cookie/nsCookiePermission.h b/extensions/cookie/nsCookiePermission.h
index d64720812f..d683f206ac 100644
--- a/extensions/cookie/nsCookiePermission.h
+++ b/extensions/cookie/nsCookiePermission.h
@@ -24,7 +24,6 @@ public:
   nsCookiePermission()
     : mCookiesLifetimeSec(INT64_MAX)
     , mCookiesLifetimePolicy(0) // ACCEPT_NORMALLY
-    , mCookiesAlwaysAcceptSession(false)
     {}
 
   bool Init();
@@ -40,7 +39,6 @@ private:
 
   int64_t      mCookiesLifetimeSec;            // lifetime limit specified in seconds
   uint8_t      mCookiesLifetimePolicy;         // pref for how long cookies are stored
-  bool mCookiesAlwaysAcceptSession;    // don't prompt for session cookies
 };
 
 // {EF565D0A-AB9A-4A13-9160-0644CDFD859A}
diff --git a/gfx/2d/JobScheduler.cpp b/gfx/2d/JobScheduler.cpp
index fad2f21560..2c687cde01 100644
--- a/gfx/2d/JobScheduler.cpp
+++ b/gfx/2d/JobScheduler.cpp
@@ -77,6 +77,14 @@ JobScheduler::SubmitJob(Job* aJob)
   GetQueueForJob(aJob)->SubmitJob(aJob);
 }
 
+void
+JobScheduler::Join(SyncObject* aCompletion)
+{
+  RefPtr<EventObject> waitForCompletion = new EventObject();
+  JobScheduler::SubmitJob(new SetEventJob(waitForCompletion, aCompletion));
+  waitForCompletion->Wait();
+}
+
 MultiThreadedJobQueue*
 JobScheduler::GetQueueForJob(Job* aJob)
 {
diff --git a/gfx/2d/JobScheduler.h b/gfx/2d/JobScheduler.h
index 55dae4e6b7..4838429042 100644
--- a/gfx/2d/JobScheduler.h
+++ b/gfx/2d/JobScheduler.h
@@ -71,6 +71,12 @@ public:
   /// The caller looses ownership of the task buffer.
   static void SubmitJob(Job* aJobs);
 
+  /// Convenience function to block the current thread until a given SyncObject
+  /// is in the signaled state.
+  ///
+  /// The current thread will first try to steal jobs before blocking.
+  static void Join(SyncObject* aCompletionSync);
+
   /// Process commands until the command buffer needs to block on a sync object,
   /// completes, yields, or encounters an error.
   ///
diff --git a/gfx/2d/JobScheduler_win32.cpp b/gfx/2d/JobScheduler_win32.cpp
index 9c8e925fd3..989965adc3 100644
--- a/gfx/2d/JobScheduler_win32.cpp
+++ b/gfx/2d/JobScheduler_win32.cpp
@@ -132,9 +132,14 @@ MultiThreadedJobQueue::RegisterThread()
 void
 MultiThreadedJobQueue::UnregisterThread()
 {
-  CriticalSectionAutoEnter lock(&mSection);
+  mSection.Enter();
   mThreadsCount -= 1;
-  if (mThreadsCount == 0) {
+  bool finishShutdown = mThreadsCount == 0;
+  mSection.Leave();
+
+  if (finishShutdown) {
+    // Can't touch mSection or any other member from now on because this object
+    // may get deleted on the main thread after mShutdownEvent is set.
     ::SetEvent(mShutdownEvent);
   }
 }
diff --git a/gfx/2d/Matrix.h b/gfx/2d/Matrix.h
index 5813a6185d..b036989da1 100644
--- a/gfx/2d/Matrix.h
+++ b/gfx/2d/Matrix.h
@@ -548,6 +548,24 @@ public:
     _33 = 1.0f;
     _43 = 0.0f;
     _34 = 0.0f;
+    // Some matrices, such as those derived from perspective transforms,
+    // can modify _44 from 1, while leaving the rest of the fourth column
+    // (_14, _24) at 0. In this case, after resetting the third row and
+    // third column above, the value of _44 functions only to scale the
+    // coordinate transform divide by W. The matrix can be converted to
+    // a true 2D matrix by normalizing out the scaling effect of _44 on
+    // the remaining components ahead of time.
+    if (_14 == 0.0f && _24 == 0.0f &&
+        _44 != 1.0f && _44 != 0.0f) {
+      Float scale = 1.0f / _44;
+      _11 *= scale;
+      _12 *= scale;
+      _21 *= scale;
+      _22 *= scale;
+      _41 *= scale;
+      _42 *= scale;
+      _44 = 1.0f;
+    }
     return *this;
   }
 
diff --git a/gfx/tests/gtest/TestJobScheduler.cpp b/gfx/tests/gtest/TestJobScheduler.cpp
index 8c18ffcaa0..4989fc7a94 100644
--- a/gfx/tests/gtest/TestJobScheduler.cpp
+++ b/gfx/tests/gtest/TestJobScheduler.cpp
@@ -48,7 +48,7 @@ struct SanityChecker {
   {
     MaybeYieldThread();
     CriticalSectionAutoEnter lock(&mSection);
-    ASSERT_EQ(mAdvancements[aJobId], aCmdId-1);
+    MOZ_RELEASE_ASSERT(mAdvancements[aJobId] == aCmdId-1);
     mAdvancements[aJobId] = aCmdId;
   }
 };
@@ -66,12 +66,12 @@ struct JoinTestSanityCheck : public SanityChecker {
   {
     // Job 0 is the special task executed when everything is joined after task 1
     if (aCmdId == 0) {
-      ASSERT_FALSE(mSpecialJobHasRun);
+      MOZ_RELEASE_ASSERT(!mSpecialJobHasRun);
       mSpecialJobHasRun = true;
       for (auto advancement : mAdvancements) {
         // Because of the synchronization point (beforeFilter), all
         // task buffers should have run task 1 when task 0 is run.
-        ASSERT_EQ(advancement, (uint32_t)1);
+        MOZ_RELEASE_ASSERT(advancement == 1);
       }
     } else {
       // This check does not apply to task 0.
@@ -79,7 +79,7 @@ struct JoinTestSanityCheck : public SanityChecker {
     }
 
     if (aCmdId == 2) {
-      ASSERT_TRUE(mSpecialJobHasRun);
+      MOZ_RELEASE_ASSERT(mSpecialJobHasRun);
     }
   }
 };
@@ -145,18 +145,12 @@ void TestSchedulerJoin(uint32_t aNumThreads, uint32_t aNumCmdBuffers)
   }
   completion->FreezePrerequisites();
 
-  RefPtr<EventObject> waitForCompletion = new EventObject();
-  auto evtJob = new SetEventJob(waitForCompletion, completion);
-  JobScheduler::SubmitJob(evtJob);
-
-  MaybeYieldThread();
-
-  waitForCompletion->Wait();
+  JobScheduler::Join(completion);
 
   MaybeYieldThread();
 
   for (auto advancement : check.mAdvancements) {
-    ASSERT_TRUE(advancement == 2);
+    EXPECT_TRUE(advancement == 2);
   }
 }
 
@@ -205,21 +199,25 @@ void TestSchedulerChain(uint32_t aNumThreads, uint32_t aNumCmdBuffers)
   }
   completion->FreezePrerequisites();
 
-  RefPtr<EventObject> waitForCompletion = new EventObject();
-  auto evtJob = new SetEventJob(waitForCompletion, completion);
-  JobScheduler::SubmitJob(evtJob);
-
-  MaybeYieldThread();
-
-  waitForCompletion->Wait();
+  JobScheduler::Join(completion);
 
   for (auto advancement : check.mAdvancements) {
-    ASSERT_TRUE(advancement == numJobs);
+    EXPECT_TRUE(advancement == numJobs);
   }
 }
 
 } // namespace test_scheduler
 
+TEST(Moz2D, JobScheduler_Shutdown) {
+  srand(time(nullptr));
+  for (uint32_t threads = 1; threads < 16; ++threads) {
+    for (uint32_t i = 1; i < 1000; ++i) {
+      mozilla::gfx::JobScheduler::Init(threads, threads);
+      mozilla::gfx::JobScheduler::ShutDown();
+    }
+  }
+}
+
 TEST(Moz2D, JobScheduler_Join) {
   srand(time(nullptr));
   for (uint32_t threads = 1; threads < 8; ++threads) {
diff --git a/gfx/thebes/gfxAndroidPlatform.cpp b/gfx/thebes/gfxAndroidPlatform.cpp
index 77b612ee68..43120d595b 100644
--- a/gfx/thebes/gfxAndroidPlatform.cpp
+++ b/gfx/thebes/gfxAndroidPlatform.cpp
@@ -361,23 +361,6 @@ gfxAndroidPlatform::RequiresLinearZoom()
     return gfxPlatform::RequiresLinearZoom();
 }
 
-bool
-gfxAndroidPlatform::UseAcceleratedSkiaCanvas()
-{
-    return HaveChoiceOfHWAndSWCanvas() && gfxPlatform::UseAcceleratedSkiaCanvas();
-}
-
-bool gfxAndroidPlatform::HaveChoiceOfHWAndSWCanvas()
-{
-#ifdef MOZ_WIDGET_ANDROID
-    if (!AndroidBridge::Bridge() || AndroidBridge::Bridge()->GetAPIVersion() < 11) {
-        // It's slower than software due to not having a compositing fast path
-        return false;
-    }
-#endif
-    return gfxPlatform::HaveChoiceOfHWAndSWCanvas();
-}
-
 #ifdef MOZ_WIDGET_GONK
 class GonkVsyncSource final : public VsyncSource
 {
diff --git a/gfx/thebes/gfxAndroidPlatform.h b/gfx/thebes/gfxAndroidPlatform.h
index f5f4b2b2e3..d6ffdf8b43 100644
--- a/gfx/thebes/gfxAndroidPlatform.h
+++ b/gfx/thebes/gfxAndroidPlatform.h
@@ -66,8 +66,6 @@ public:
       return true;
     }
 
-    virtual bool HaveChoiceOfHWAndSWCanvas() override;
-    virtual bool UseAcceleratedSkiaCanvas() override;
     virtual already_AddRefed<mozilla::gfx::VsyncSource> CreateHardwareVsyncSource() override;
 
 #ifdef MOZ_WIDGET_GONK
diff --git a/layout/base/AccessibleCaretManager.cpp b/layout/base/AccessibleCaretManager.cpp
index e563e8ec26..d799abf2d3 100644
--- a/layout/base/AccessibleCaretManager.cpp
+++ b/layout/base/AccessibleCaretManager.cpp
@@ -23,6 +23,9 @@
 #include "nsFrameSelection.h"
 #include "nsGenericHTMLElement.h"
 #include "nsIHapticFeedback.h"
+#ifdef MOZ_WIDGET_ANDROID
+#include "nsWindow.h"
+#endif
 
 namespace mozilla {
 
@@ -69,13 +72,17 @@ AccessibleCaretManager::sSelectionBarEnabled = false;
 /*static*/ bool
 AccessibleCaretManager::sCaretShownWhenLongTappingOnEmptyContent = false;
 /*static*/ bool
-AccessibleCaretManager::sCaretsExtendedVisibility = false;
-/*static*/ bool
 AccessibleCaretManager::sCaretsAlwaysTilt = false;
 /*static*/ bool
+AccessibleCaretManager::sCaretsAlwaysShowWhenScrolling = true;
+/*static*/ bool
 AccessibleCaretManager::sCaretsScriptUpdates = false;
 /*static*/ bool
+AccessibleCaretManager::sCaretsAllowDraggingAcrossOtherCaret = true;
+/*static*/ bool
 AccessibleCaretManager::sHapticFeedback = false;
+/*static*/ bool
+AccessibleCaretManager::sExtendSelectionForPhoneNumber = false;
 
 AccessibleCaretManager::AccessibleCaretManager(nsIPresShell* aPresShell)
   : mPresShell(aPresShell)
@@ -95,14 +102,18 @@ AccessibleCaretManager::AccessibleCaretManager(nsIPresShell* aPresShell)
                                  "layout.accessiblecaret.bar.enabled");
     Preferences::AddBoolVarCache(&sCaretShownWhenLongTappingOnEmptyContent,
       "layout.accessiblecaret.caret_shown_when_long_tapping_on_empty_content");
-    Preferences::AddBoolVarCache(&sCaretsExtendedVisibility,
-                                 "layout.accessiblecaret.extendedvisibility");
     Preferences::AddBoolVarCache(&sCaretsAlwaysTilt,
                                  "layout.accessiblecaret.always_tilt");
+    Preferences::AddBoolVarCache(&sCaretsAlwaysShowWhenScrolling,
+      "layout.accessiblecaret.always_show_when_scrolling", true);
     Preferences::AddBoolVarCache(&sCaretsScriptUpdates,
       "layout.accessiblecaret.allow_script_change_updates");
+    Preferences::AddBoolVarCache(&sCaretsAllowDraggingAcrossOtherCaret,
+      "layout.accessiblecaret.allow_dragging_across_other_caret", true);
     Preferences::AddBoolVarCache(&sHapticFeedback,
                                  "layout.accessiblecaret.hapticfeedback");
+    Preferences::AddBoolVarCache(&sExtendSelectionForPhoneNumber,
+      "layout.accessiblecaret.extend_selection_for_phone_number");
     addedPrefs = true;
   }
 }
@@ -197,18 +208,6 @@ AccessibleCaretManager::HideCarets()
   }
 }
 
-void
-AccessibleCaretManager::DoNotShowCarets()
-{
-  if (mFirstCaret->IsLogicallyVisible() || mSecondCaret->IsLogicallyVisible()) {
-    AC_LOG("%s", __FUNCTION__);
-    mFirstCaret->SetAppearance(Appearance::NormalNotShown);
-    mSecondCaret->SetAppearance(Appearance::NormalNotShown);
-    DispatchCaretStateChangedEvent(CaretChangedReason::Visibilitychange);
-    CancelCaretTimeoutTimer();
-  }
-}
-
 void
 AccessibleCaretManager::UpdateCarets(UpdateCaretsHint aHint)
 {
@@ -345,10 +344,12 @@ AccessibleCaretManager::UpdateCaretsForSelectionMode(UpdateCaretsHint aHint)
   AC_LOG("%s: selection: %p", __FUNCTION__, GetSelection());
 
   int32_t startOffset = 0;
-  nsIFrame* startFrame = FindFirstNodeWithFrame(false, &startOffset);
+  nsIFrame* startFrame =
+    GetFrameForFirstRangeStartOrLastRangeEnd(eDirNext, &startOffset);
 
   int32_t endOffset = 0;
-  nsIFrame* endFrame = FindFirstNodeWithFrame(true, &endOffset);
+  nsIFrame* endFrame =
+    GetFrameForFirstRangeStartOrLastRangeEnd(eDirPrevious, &endOffset);
 
   if (!CompareTreePosition(startFrame, endFrame)) {
     // XXX: Do we really have to hide carets if this condition isn't satisfied?
@@ -620,14 +621,19 @@ AccessibleCaretManager::OnScrollStart()
 {
   AC_LOG("%s", __FUNCTION__);
 
-  mFirstCaretAppearanceOnScrollStart = mFirstCaret->GetAppearance();
-  mSecondCaretAppearanceOnScrollStart = mSecondCaret->GetAppearance();
-
-  // Hide the carets. (Extended visibility makes them "NormalNotShown").
-  if (sCaretsExtendedVisibility) {
-    DoNotShowCarets();
-  } else {
+  if (!sCaretsAlwaysShowWhenScrolling) {
+    // Backup the appearance so that we can restore them after the scrolling
+    // ends.
+    mFirstCaretAppearanceOnScrollStart = mFirstCaret->GetAppearance();
+    mSecondCaretAppearanceOnScrollStart = mSecondCaret->GetAppearance();
     HideCarets();
+    return;
+  }
+
+  if (mFirstCaret->IsLogicallyVisible() || mSecondCaret->IsLogicallyVisible()) {
+    // Dispatch the event only if one of the carets is logically visible like in
+    // HideCarets().
+    DispatchCaretStateChangedEvent(CaretChangedReason::Scroll);
   }
 }
 
@@ -638,8 +644,11 @@ AccessibleCaretManager::OnScrollEnd()
     return;
   }
 
-  mFirstCaret->SetAppearance(mFirstCaretAppearanceOnScrollStart);
-  mSecondCaret->SetAppearance(mSecondCaretAppearanceOnScrollStart);
+  if (!sCaretsAlwaysShowWhenScrolling) {
+    // Restore the appearance which is saved before the scrolling is started.
+    mFirstCaret->SetAppearance(mFirstCaretAppearanceOnScrollStart);
+    mSecondCaret->SetAppearance(mSecondCaretAppearanceOnScrollStart);
+  }
 
   if (GetCaretMode() == CaretMode::Cursor) {
     if (!mFirstCaret->IsLogicallyVisible()) {
@@ -818,6 +827,11 @@ AccessibleCaretManager::SelectWord(nsIFrame* aFrame, const nsPoint& aPoint) cons
   SetSelectionDragState(false);
   ClearMaintainedSelection();
 
+  // Smart-select phone numbers if possible.
+  if (sExtendSelectionForPhoneNumber) {
+    SelectMoreIfPhoneNumber();
+  }
+
   return rs;
 }
 
@@ -828,6 +842,62 @@ AccessibleCaretManager::SetSelectionDragState(bool aState) const
   if (fs) {
     fs->SetDragState(aState);
   }
+
+  // Pin Fennecs DynamicToolbarAnimator in place before/after dragging,
+  // to avoid co-incident screen scrolling.
+  #ifdef MOZ_WIDGET_ANDROID
+    nsIDocument* doc = mPresShell->GetDocument();
+    MOZ_ASSERT(doc);
+    nsIWidget* widget = nsContentUtils::WidgetForDocument(doc);
+    static_cast<nsWindow*>(widget)->SetSelectionDragState(aState);
+  #endif
+}
+
+void
+AccessibleCaretManager::SelectMoreIfPhoneNumber() const
+{
+  SetSelectionDirection(eDirNext);
+  ExtendPhoneNumberSelection(NS_LITERAL_STRING("forward"));
+
+  SetSelectionDirection(eDirPrevious);
+  ExtendPhoneNumberSelection(NS_LITERAL_STRING("backward"));
+}
+
+void
+AccessibleCaretManager::ExtendPhoneNumberSelection(const nsAString& aDirection) const
+{
+  nsIDocument* doc = mPresShell->GetDocument();
+
+  // Extend the phone number selection until we find a boundary.
+  Selection* selection = GetSelection();
+
+  while (selection) {
+    // Save current Focus position, and extend the selection one char.
+    nsINode* focusNode = selection->GetFocusNode();
+    uint32_t focusOffset = selection->FocusOffset();
+    selection->Modify(NS_LITERAL_STRING("extend"),
+                      aDirection,
+                      NS_LITERAL_STRING("character"));
+
+    // If the selection didn't change, (can't extend further), we're done.
+    if (selection->GetFocusNode() == focusNode &&
+        selection->FocusOffset() == focusOffset) {
+      return;
+    }
+
+    // If the changed selection isn't a valid phone number, we're done.
+    nsAutoString selectedText;
+    selection->Stringify(selectedText);
+    nsAutoString phoneRegex(NS_LITERAL_STRING("(^\\+)?[0-9\\s,\\-.()*#pw]{1,30}$"));
+
+    if (!nsContentUtils::IsPatternMatching(selectedText, phoneRegex, doc)) {
+      // Backout the undesired selection extend, (collapse to original
+      // Anchor, extend to original Focus), before exit.
+      selection->Collapse(selection->GetAnchorNode(), selection->AnchorOffset());
+      selection->Extend(focusNode, focusOffset);
+      return;
+    }
+  }
 }
 
 void
@@ -859,41 +929,51 @@ AccessibleCaretManager::FlushLayout() const
 }
 
 nsIFrame*
-AccessibleCaretManager::FindFirstNodeWithFrame(bool aBackward,
-                                               int32_t* aOutOffset) const
+AccessibleCaretManager::GetFrameForFirstRangeStartOrLastRangeEnd(
+  nsDirection aDirection, int32_t* aOutOffset, nsINode** aOutNode,
+  int32_t* aOutNodeOffset) const
 {
   if (!mPresShell) {
     return nullptr;
   }
 
+  MOZ_ASSERT(GetCaretMode() == CaretMode::Selection);
+
+  nsRange* range = nullptr;
+  RefPtr<nsINode> startNode;
+  RefPtr<nsINode> endNode;
+  int32_t nodeOffset = 0;
+  CaretAssociationHint hint;
+
   RefPtr<Selection> selection = GetSelection();
-  if (!selection) {
-    return nullptr;
+  bool findInFirstRangeStart = aDirection == eDirNext;
+
+  if (findInFirstRangeStart) {
+    range = selection->GetRangeAt(0);
+    startNode = range->GetStartParent();
+    endNode = range->GetEndParent();
+    nodeOffset = range->StartOffset();
+    hint = CARET_ASSOCIATE_AFTER;
+  } else {
+    range = selection->GetRangeAt(selection->RangeCount() - 1);
+    startNode = range->GetEndParent();
+    endNode = range->GetStartParent();
+    nodeOffset = range->EndOffset();
+    hint = CARET_ASSOCIATE_BEFORE;
   }
 
-  RefPtr<nsFrameSelection> fs = GetFrameSelection();
-  if (!fs) {
-    return nullptr;
-  }
-
-  uint32_t rangeCount = selection->RangeCount();
-  if (rangeCount <= 0) {
-    return nullptr;
-  }
-
-  nsRange* range = selection->GetRangeAt(aBackward ? rangeCount - 1 : 0);
-  RefPtr<nsINode> startNode =
-    aBackward ? range->GetEndParent() : range->GetStartParent();
-  RefPtr<nsINode> endNode =
-    aBackward ? range->GetStartParent() : range->GetEndParent();
-  int32_t offset = aBackward ? range->EndOffset() : range->StartOffset();
   nsCOMPtr<nsIContent> startContent = do_QueryInterface(startNode);
-  CaretAssociationHint hintStart =
-    aBackward ? CARET_ASSOCIATE_BEFORE : CARET_ASSOCIATE_AFTER;
+  RefPtr<nsFrameSelection> fs = GetFrameSelection();
   nsIFrame* startFrame =
-    fs->GetFrameForNodeOffset(startContent, offset, hintStart, aOutOffset);
+    fs->GetFrameForNodeOffset(startContent, nodeOffset, hint, aOutOffset);
 
   if (startFrame) {
+    if (aOutNode) {
+      *aOutNode = startNode.get();
+    }
+    if (aOutNodeOffset) {
+      *aOutNodeOffset = nodeOffset;
+    }
     return startFrame;
   }
 
@@ -907,7 +987,8 @@ AccessibleCaretManager::FindFirstNodeWithFrame(bool aBackward,
 
   startFrame = startContent ? startContent->GetPrimaryFrame() : nullptr;
   while (!startFrame && startNode != endNode) {
-    startNode = aBackward ? walker->PreviousNode(err) : walker->NextNode(err);
+    startNode = findInFirstRangeStart ? walker->NextNode(err)
+                                      : walker->PreviousNode(err);
 
     if (!startNode) {
       break;
@@ -920,78 +1001,86 @@ AccessibleCaretManager::FindFirstNodeWithFrame(bool aBackward,
 }
 
 bool
-AccessibleCaretManager::CompareRangeWithContentOffset(nsIFrame::ContentOffsets& aOffsets)
+AccessibleCaretManager::RestrictCaretDraggingOffsets(
+  nsIFrame::ContentOffsets& aOffsets)
 {
-  Selection* selection = GetSelection();
-  if (!selection) {
+  if (!mPresShell) {
     return false;
   }
 
-  uint32_t rangeCount = selection->RangeCount();
-  MOZ_ASSERT(rangeCount > 0);
-
-  int32_t rangeIndex = (mActiveCaret == mFirstCaret.get() ? rangeCount - 1 : 0);
-  RefPtr<nsRange> range = selection->GetRangeAt(rangeIndex);
+  MOZ_ASSERT(GetCaretMode() == CaretMode::Selection);
 
+  nsDirection dir = mActiveCaret == mFirstCaret.get() ? eDirPrevious : eDirNext;
+  int32_t offset = 0;
   nsINode* node = nullptr;
-  int32_t nodeOffset = 0;
-  CaretAssociationHint hint;
-  nsDirection dir;
+  int32_t contentOffset = 0;
+  nsIFrame* frame =
+    GetFrameForFirstRangeStartOrLastRangeEnd(dir, &offset, &node, &contentOffset);
 
-  if (mActiveCaret == mFirstCaret.get()) {
-    // Check previous character of end node offset
-    node = range->GetEndParent();
-    nodeOffset = range->EndOffset();
-    hint = CARET_ASSOCIATE_BEFORE;
-    dir = eDirPrevious;
-  } else {
-    // Check next character of start node offset
-    node = range->GetStartParent();
-    nodeOffset = range->StartOffset();
-    hint = CARET_ASSOCIATE_AFTER;
-    dir = eDirNext;
+  if (!frame) {
+    return false;
   }
+
   nsCOMPtr<nsIContent> content = do_QueryInterface(node);
 
-  RefPtr<nsFrameSelection> fs = GetFrameSelection();
-  if (!fs) {
-    return false;
-  }
+  // Compare the active caret's new position (aOffsets) to the inactive caret's
+  // position.
+  int32_t cmpToInactiveCaretPos =
+    nsContentUtils::ComparePoints(aOffsets.content, aOffsets.StartOffset(),
+                                  content, contentOffset);
 
-  int32_t offset = 0;
-  nsIFrame* theFrame =
-    fs->GetFrameForNodeOffset(content, nodeOffset, hint, &offset);
-
-  if (!theFrame) {
-    return false;
-  }
-
-  // Move one character forward/backward from point and get offset
-  nsPeekOffsetStruct pos(eSelectCluster,
-                         dir,
-                         offset,
-                         nsPoint(0, 0),
-                         true,
-                         true,  //limit on scrolled views
-                         false,
-                         false,
-                         false);
-  nsresult rv = theFrame->PeekOffset(&pos);
+  // Move one character (in the direction of dir) from the inactive caret's
+  // position. This is the limit for the active caret's new position.
+  nsPeekOffsetStruct limit(eSelectCluster, dir, offset, nsPoint(0, 0), true, true,
+                           false, false, false);
+  nsresult rv = frame->PeekOffset(&limit);
   if (NS_FAILED(rv)) {
-    pos.mResultContent = content;
-    pos.mContentOffset = nodeOffset;
+    limit.mResultContent = content;
+    limit.mContentOffset = contentOffset;
   }
 
-  // Compare with current point
-  int32_t result = nsContentUtils::ComparePoints(aOffsets.content,
-                                                 aOffsets.StartOffset(),
-                                                 pos.mResultContent,
-                                                 pos.mContentOffset);
-  if ((mActiveCaret == mFirstCaret.get() && result == 1) ||
-      (mActiveCaret == mSecondCaret.get() && result == -1)) {
-    aOffsets.content = pos.mResultContent;
-    aOffsets.offset = pos.mContentOffset;
-    aOffsets.secondaryOffset = pos.mContentOffset;
+  // Compare the active caret's new position (aOffsets) to the limit.
+  int32_t cmpToLimit =
+    nsContentUtils::ComparePoints(aOffsets.content, aOffsets.StartOffset(),
+                                  limit.mResultContent, limit.mContentOffset);
+
+  auto SetOffsetsToLimit = [&aOffsets, &limit] () {
+    aOffsets.content = limit.mResultContent;
+    aOffsets.offset = limit.mContentOffset;
+    aOffsets.secondaryOffset = limit.mContentOffset;
+  };
+
+  if (!sCaretsAllowDraggingAcrossOtherCaret) {
+    if ((mActiveCaret == mFirstCaret.get() && cmpToLimit == 1) ||
+        (mActiveCaret == mSecondCaret.get() && cmpToLimit == -1)) {
+      // The active caret's position is past the limit, which we don't allow
+      // here. So set it to the limit, resulting in one character being
+      // selected.
+      SetOffsetsToLimit();
+    }
+  } else {
+    switch (cmpToInactiveCaretPos) {
+      case 0:
+        // The active caret's position is the same as the position of the
+        // inactive caret. So set it to the limit to prevent the selection from
+        // being collapsed, resulting in one character being selected.
+        SetOffsetsToLimit();
+        break;
+      case 1:
+        if (mActiveCaret == mFirstCaret.get()) {
+          // First caret was moved across the second caret. After making change
+          // to the selection, the user will drag the second caret.
+          mActiveCaret = mSecondCaret.get();
+        }
+        break;
+      case -1:
+        if (mActiveCaret == mSecondCaret.get()) {
+          // Second caret was moved across the first caret. After making change
+          // to the selection, the user will drag the first caret.
+          mActiveCaret = mFirstCaret.get();
+        }
+        break;
+    }
   }
 
   return true;
@@ -1051,7 +1140,7 @@ AccessibleCaretManager::DragCaretInternal(const nsPoint& aPoint)
 
   nsIFrame::ContentOffsets offsets =
     newFrame->GetContentOffsetsFromPoint(newPoint);
-  if (!offsets.content) {
+  if (offsets.IsNull()) {
     return NS_ERROR_FAILURE;
   }
 
@@ -1061,7 +1150,7 @@ AccessibleCaretManager::DragCaretInternal(const nsPoint& aPoint)
   }
 
   if (GetCaretMode() == CaretMode::Selection &&
-      !CompareRangeWithContentOffset(offsets)) {
+      !RestrictCaretDraggingOffsets(offsets)) {
     return NS_ERROR_FAILURE;
   }
 
@@ -1154,7 +1243,8 @@ AccessibleCaretManager::AdjustDragBoundary(const nsPoint& aPoint) const
     }
   }
 
-  if (GetCaretMode() == CaretMode::Selection) {
+  if (GetCaretMode() == CaretMode::Selection &&
+      !sCaretsAllowDraggingAcrossOtherCaret) {
     // Bug 1068474: Adjust the Y-coordinate so that the carets won't be in tilt
     // mode when a caret is being dragged surpass the other caret.
     //
diff --git a/layout/base/AccessibleCaretManager.h b/layout/base/AccessibleCaretManager.h
index 9572c8b9c1..8a05c72959 100644
--- a/layout/base/AccessibleCaretManager.h
+++ b/layout/base/AccessibleCaretManager.h
@@ -135,10 +135,6 @@ protected:
   // Force hiding all carets regardless of the current selection status.
   void HideCarets();
 
-  // Force carets to be "present" logically, but not visible. Allows ActionBar
-  // to stay open when carets visibility is supressed during scroll.
-  void DoNotShowCarets();
-
   void UpdateCaretsForCursorMode(UpdateCaretsHint aHint);
   void UpdateCaretsForSelectionMode(UpdateCaretsHint aHint);
 
@@ -155,12 +151,21 @@ protected:
 
   nsresult SelectWord(nsIFrame* aFrame, const nsPoint& aPoint) const;
   void SetSelectionDragState(bool aState) const;
+
+  // Called to extend a selection if possible that it's a phone number.
+  void SelectMoreIfPhoneNumber() const;
+  // Extend the current phone number selection in the requested direction.
+  void ExtendPhoneNumberSelection(const nsAString& aDirection) const;
+
   void SetSelectionDirection(nsDirection aDir) const;
 
-  // If aBackward is false, find the first node from the first range in current
-  // selection, and return the frame and the offset into that frame. If aBackward
-  // is true, find the last node from the last range instead.
-  nsIFrame* FindFirstNodeWithFrame(bool aBackward, int32_t* aOutOffset) const;
+  // If aDirection is eDirNext, get the frame for the range start in the first
+  // range from the current selection, and return the offset into that frame as
+  // well as the range start node and the node offset. Otherwise, get the frame
+  // and offset for the range end in the last range instead.
+  nsIFrame* GetFrameForFirstRangeStartOrLastRangeEnd(
+    nsDirection aDirection, int32_t* aOutOffset, nsINode** aOutNode = nullptr,
+    int32_t* aOutNodeOffset = nullptr) const;
 
   nsresult DragCaretInternal(const nsPoint& aPoint);
   nsPoint AdjustDragBoundary(const nsPoint& aPoint) const;
@@ -179,11 +184,18 @@ protected:
   // be dragged. Returns the rect relative to aFrame.
   nsRect GetAllChildFrameRectsUnion(nsIFrame* aFrame) const;
 
-  // If we're dragging the first caret, we do not want to drag it over the
-  // previous character of the second caret. Same as the second caret. So we
-  // check if content offset exceeds the previous/next character of second/first
-  // caret base the active caret.
-  bool CompareRangeWithContentOffset(nsIFrame::ContentOffsets& aOffsets);
+  // Restrict the active caret's dragging position based on
+  // sCaretsAllowDraggingAcrossOtherCaret. If the active caret is the first
+  // caret, the `limit` will be the previous character of the second caret.
+  // Otherwise, the `limit` will be the next character of the first caret.
+  //
+  // @param aOffsets is the new position of the active caret, and it will be set
+  // to the `limit` when 1) sCaretsAllowDraggingAcrossOtherCaret is false and
+  // it's being dragged past the limit. 2) sCaretsAllowDraggingAcrossOtherCaret
+  // is true and the active caret's position is the same as the inactive's
+  // position.
+  // @return true if the aOffsets is suitable for changing the selection.
+  bool RestrictCaretDraggingOffsets(nsIFrame::ContentOffsets& aOffsets);
 
   // Timeout in milliseconds to hide the AccessibleCaret under cursor mode while
   // no one touches it.
@@ -272,25 +284,35 @@ protected:
   // selection bar is always disabled in cursor mode.
   static bool sSelectionBarEnabled;
 
+  // Preference to allow smarter selection of phone numbers,
+  // when user long presses text to start.
+  static bool sExtendSelectionForPhoneNumber;
+
   // Preference to show caret in cursor mode when long tapping on an empty
   // content. This also changes the default update behavior in cursor mode,
   // which is based on the emptiness of the content, into something more
   // heuristic. See UpdateCaretsForCursorMode() for the details.
   static bool sCaretShownWhenLongTappingOnEmptyContent;
 
-  // Android specific visibility extensions correct compatibility issues
-  // with ActionBar visibility during page scroll.
-  static bool sCaretsExtendedVisibility;
-
   // Preference to make carets always tilt in selection mode. By default, the
   // carets become tilt only when they are overlapping.
   static bool sCaretsAlwaysTilt;
 
+  // Preference to allow carets always show when scrolling (either panning or
+  // zooming) the page. When set to false, carets will hide during scrolling,
+  // and show again after the user lifts the finger off the screen.
+  static bool sCaretsAlwaysShowWhenScrolling;
+
   // By default, javascript content selection changes closes AccessibleCarets and
   // UI interactions. Optionally, we can try to maintain the active UI, keeping
   // carets and ActionBar available.
   static bool sCaretsScriptUpdates;
 
+  // Preference to allow one caret to be dragged across the other caret without
+  // any limitation. When set to false, one caret cannot be dragged across the
+  // other one.
+  static bool sCaretsAllowDraggingAcrossOtherCaret;
+
   // AccessibleCaret pref for haptic feedback behaviour on longPress.
   static bool sHapticFeedback;
 };
diff --git a/layout/base/ActiveLayerTracker.cpp b/layout/base/ActiveLayerTracker.cpp
index cd071b739a..6ae671f096 100644
--- a/layout/base/ActiveLayerTracker.cpp
+++ b/layout/base/ActiveLayerTracker.cpp
@@ -20,6 +20,7 @@
 #include "nsStyleTransformMatrix.h"
 #include "nsTransitionManager.h"
 #include "nsDisplayList.h"
+#include "nsDOMCSSDeclaration.h"
 
 namespace mozilla {
 
@@ -311,12 +312,21 @@ ActiveLayerTracker::NotifyOffsetRestyle(nsIFrame* aFrame)
 }
 
 /* static */ void
-ActiveLayerTracker::NotifyAnimated(nsIFrame* aFrame, nsCSSProperty aProperty)
+ActiveLayerTracker::NotifyAnimated(nsIFrame* aFrame,
+                                   nsCSSProperty aProperty,
+                                   const nsAString& aNewValue,
+                                   nsDOMCSSDeclaration* aDOMCSSDecl)
 {
   LayerActivity* layerActivity = GetLayerActivityForUpdate(aFrame);
   uint8_t& mutationCount = layerActivity->RestyleCountForProperty(aProperty);
-  // We know this is animated, so just hack the mutation count.
-  mutationCount = 0xFF;
+  if (mutationCount != 0xFF) {
+    nsAutoString oldValue;
+    aDOMCSSDecl->GetPropertyValue(aProperty, oldValue);
+    if (aNewValue != oldValue) {
+      // We know this is animated, so just hack the mutation count.
+      mutationCount = 0xFF;
+    }
+  }
 }
 
 /* static */ void
@@ -354,10 +364,12 @@ IsPresContextInScriptAnimationCallback(nsPresContext* aPresContext)
 
 /* static */ void
 ActiveLayerTracker::NotifyInlineStyleRuleModified(nsIFrame* aFrame,
-                                                  nsCSSProperty aProperty)
+                                                  nsCSSProperty aProperty,
+                                                  const nsAString& aNewValue,
+                                                  nsDOMCSSDeclaration* aDOMCSSDecl)
 {
   if (IsPresContextInScriptAnimationCallback(aFrame->PresContext())) {
-    NotifyAnimated(aFrame, aProperty);
+    NotifyAnimated(aFrame, aProperty, aNewValue, aDOMCSSDecl);
   }
   if (gLayerActivityTracker &&
       gLayerActivityTracker->mCurrentScrollHandlerFrame.IsAlive()) {
diff --git a/layout/base/ActiveLayerTracker.h b/layout/base/ActiveLayerTracker.h
index 302b0ba13d..479fb89a1f 100644
--- a/layout/base/ActiveLayerTracker.h
+++ b/layout/base/ActiveLayerTracker.h
@@ -10,6 +10,7 @@
 class nsIFrame;
 class nsIContent;
 class nsDisplayListBuilder;
+class nsDOMCSSDeclaration;
 
 namespace mozilla {
 
@@ -47,8 +48,12 @@ public:
   /**
    * Mark aFrame as being known to have an animation of aProperty.
    * Any such marking will time out after a short period.
+   * aNewValue and aDOMCSSDecl are used to determine whether the property's
+   * value has changed.
    */
-  static void NotifyAnimated(nsIFrame* aFrame, nsCSSProperty aProperty);
+  static void NotifyAnimated(nsIFrame* aFrame, nsCSSProperty aProperty,
+                             const nsAString& aNewValue,
+                             nsDOMCSSDeclaration* aDOMCSSDecl);
   /**
    * Notify aFrame as being known to have an animation of aProperty through an
    * inline style modification during aScrollFrame's scroll event handler.
@@ -60,8 +65,12 @@ public:
    * has been modified.
    * This notification is incomplete --- not all modifications to inline
    * style will trigger this.
+   * aNewValue and aDOMCSSDecl are used to determine whether the property's
+   * value has changed.
    */
-  static void NotifyInlineStyleRuleModified(nsIFrame* aFrame, nsCSSProperty aProperty);
+  static void NotifyInlineStyleRuleModified(nsIFrame* aFrame, nsCSSProperty aProperty,
+                                            const nsAString& aNewValue,
+                                            nsDOMCSSDeclaration* aDOMCSSDecl);
   /**
    * Return true if aFrame's aProperty style should be considered as being animated
    * for pre-rendering.
diff --git a/layout/base/GeometryUtils.cpp b/layout/base/GeometryUtils.cpp
index 74776eeb56..fc320607cf 100644
--- a/layout/base/GeometryUtils.cpp
+++ b/layout/base/GeometryUtils.cpp
@@ -140,8 +140,8 @@ GetBoxRectForFrame(nsIFrame** aFrame, CSSBoxType aType)
 {
   nsRect r;
   nsIFrame* f = nsSVGUtils::GetOuterSVGFrameAndCoveredRegion(*aFrame, &r);
-  if (f) {
-    // For SVG, the BoxType is ignored.
+  if (f && f != *aFrame) {
+    // For non-outer SVG frames, the BoxType is ignored.
     *aFrame = f;
     return r;
   }
diff --git a/layout/base/gtest/TestAccessibleCaretManager.cpp b/layout/base/gtest/TestAccessibleCaretManager.cpp
index 3a90a5d5c4..78ec6eea99 100644
--- a/layout/base/gtest/TestAccessibleCaretManager.cpp
+++ b/layout/base/gtest/TestAccessibleCaretManager.cpp
@@ -60,8 +60,8 @@ public:
     using AccessibleCaretManager::UpdateCarets;
     using AccessibleCaretManager::HideCarets;
     using AccessibleCaretManager::sCaretShownWhenLongTappingOnEmptyContent;
-    using AccessibleCaretManager::sCaretsExtendedVisibility;
     using AccessibleCaretManager::sCaretsAlwaysTilt;
+    using AccessibleCaretManager::sCaretsAlwaysShowWhenScrolling;
 
     MockAccessibleCaretManager()
       : AccessibleCaretManager(nullptr)
@@ -350,6 +350,11 @@ TEST_F(AccessibleCaretManagerTester, TestTypingAtEndOfInput)
 
 TEST_F(AccessibleCaretManagerTester, TestScrollInSelectionMode)
 {
+  // Simulate B2G preference.
+  AutoRestore<bool> savesCaretsAlwaysShowWhenScrolling(
+    MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling);
+  MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling = false;
+
   EXPECT_CALL(mManager, GetCaretMode())
     .WillRepeatedly(Return(CaretMode::Selection));
 
@@ -422,9 +427,13 @@ TEST_F(AccessibleCaretManagerTester, TestScrollInSelectionMode)
   check.Call("scrollend2");
 }
 
-TEST_F(AccessibleCaretManagerTester,
-       TestScrollInSelectionModeWithExtendedVisibilityAndAlwaysTilt)
+TEST_F(AccessibleCaretManagerTester, TestScrollInSelectionModeWithAlwaysTiltPref)
 {
+  // Simulate Firefox Android preference.
+  AutoRestore<bool> saveCaretsAlwaysTilt(
+    MockAccessibleCaretManager::sCaretsAlwaysTilt);
+  MockAccessibleCaretManager::sCaretsAlwaysTilt = true;
+
   EXPECT_CALL(mManager, GetCaretMode())
     .WillRepeatedly(Return(CaretMode::Selection));
 
@@ -441,7 +450,7 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("updatecarets"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
-                  CaretChangedReason::Visibilitychange));
+                  CaretChangedReason::Scroll));
     EXPECT_CALL(check, Call("scrollstart1"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
@@ -458,7 +467,7 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("scrollend1"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
-                  CaretChangedReason::Visibilitychange));
+                  CaretChangedReason::Scroll));
     EXPECT_CALL(check, Call("scrollstart2"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
@@ -471,14 +480,6 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("scrollend2"));
   }
 
-  // Simulate Firefox Android preferences.
-  AutoRestore<bool> saveCaretsExtendedVisibility(
-    MockAccessibleCaretManager::sCaretsExtendedVisibility);
-  MockAccessibleCaretManager::sCaretsExtendedVisibility = true;
-  AutoRestore<bool> saveCaretsAlwaysTilt(
-    MockAccessibleCaretManager::sCaretsAlwaysTilt);
-  MockAccessibleCaretManager::sCaretsAlwaysTilt = true;
-
   mManager.UpdateCarets();
   EXPECT_EQ(FirstCaretAppearance(), Appearance::NormalNotShown);
   EXPECT_EQ(SecondCaretAppearance(), Appearance::Right);
@@ -486,12 +487,12 @@ TEST_F(AccessibleCaretManagerTester,
 
   mManager.OnScrollStart();
   EXPECT_EQ(FirstCaretAppearance(), Appearance::NormalNotShown);
-  EXPECT_EQ(SecondCaretAppearance(), Appearance::NormalNotShown);
+  EXPECT_EQ(SecondCaretAppearance(), Appearance::Right);
   check.Call("scrollstart1");
 
   mManager.OnReflow();
   EXPECT_EQ(FirstCaretAppearance(), Appearance::NormalNotShown);
-  EXPECT_EQ(SecondCaretAppearance(), Appearance::NormalNotShown);
+  EXPECT_EQ(SecondCaretAppearance(), Appearance::Right);
   check.Call("reflow1");
 
   mManager.OnScrollEnd();
@@ -500,12 +501,12 @@ TEST_F(AccessibleCaretManagerTester,
   check.Call("scrollend1");
 
   mManager.OnScrollStart();
-  EXPECT_EQ(FirstCaretAppearance(), Appearance::NormalNotShown);
+  EXPECT_EQ(FirstCaretAppearance(), Appearance::Left);
   EXPECT_EQ(SecondCaretAppearance(), Appearance::NormalNotShown);
   check.Call("scrollstart2");
 
   mManager.OnReflow();
-  EXPECT_EQ(FirstCaretAppearance(), Appearance::NormalNotShown);
+  EXPECT_EQ(FirstCaretAppearance(), Appearance::Left);
   EXPECT_EQ(SecondCaretAppearance(), Appearance::NormalNotShown);
   check.Call("reflow2");
 
@@ -517,6 +518,11 @@ TEST_F(AccessibleCaretManagerTester,
 
 TEST_F(AccessibleCaretManagerTester, TestScrollInCursorModeWhenLogicallyVisible)
 {
+  // Simulate B2G preference.
+  AutoRestore<bool> savesCaretsAlwaysShowWhenScrolling(
+    MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling);
+  MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling = false;
+
   EXPECT_CALL(mManager, GetCaretMode())
     .WillRepeatedly(Return(CaretMode::Cursor));
 
@@ -577,6 +583,11 @@ TEST_F(AccessibleCaretManagerTester, TestScrollInCursorModeWhenLogicallyVisible)
 
 TEST_F(AccessibleCaretManagerTester, TestScrollInCursorModeWhenHidden)
 {
+  // Simulate B2G preference.
+  AutoRestore<bool> savesCaretsAlwaysShowWhenScrolling(
+    MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling);
+  MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling = false;
+
   EXPECT_CALL(mManager, GetCaretMode())
     .WillRepeatedly(Return(CaretMode::Cursor));
 
@@ -631,6 +642,11 @@ TEST_F(AccessibleCaretManagerTester, TestScrollInCursorModeWhenHidden)
 
 TEST_F(AccessibleCaretManagerTester, TestScrollInCursorModeOnEmptyContent)
 {
+  // Simulate B2G preference.
+  AutoRestore<bool> savesCaretsAlwaysShowWhenScrolling(
+    MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling);
+  MockAccessibleCaretManager::sCaretsAlwaysShowWhenScrolling = false;
+
   EXPECT_CALL(mManager, GetCaretMode())
     .WillRepeatedly(Return(CaretMode::Cursor));
 
@@ -700,8 +716,13 @@ TEST_F(AccessibleCaretManagerTester, TestScrollInCursorModeOnEmptyContent)
 }
 
 TEST_F(AccessibleCaretManagerTester,
-       TestScrollInCursorModeOnEmptyContentWithSpecialPreference)
+       TestScrollInCursorModeWithCaretShownWhenLongTappingOnEmptyContentPref)
 {
+  // Simulate Firefox Android preference.
+  AutoRestore<bool> savesCaretShownWhenLongTappingOnEmptyContent(
+    MockAccessibleCaretManager::sCaretShownWhenLongTappingOnEmptyContent);
+  MockAccessibleCaretManager::sCaretShownWhenLongTappingOnEmptyContent = true;
+
   EXPECT_CALL(mManager, GetCaretMode())
     .WillRepeatedly(Return(CaretMode::Cursor));
 
@@ -721,7 +742,7 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("longtap updatecarets"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
-                  CaretChangedReason::Visibilitychange));
+                  CaretChangedReason::Scroll));
     EXPECT_CALL(check, Call("longtap scrollstart1"));
 
     EXPECT_CALL(mManager.FirstCaret(), SetPosition(_, _))
@@ -731,7 +752,7 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("longtap scrollend1"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
-                  CaretChangedReason::Visibilitychange));
+                  CaretChangedReason::Scroll));
     EXPECT_CALL(check, Call("longtap scrollstart2"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
@@ -739,7 +760,7 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("longtap scrollend2"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
-                  CaretChangedReason::Visibilitychange));
+                  CaretChangedReason::Scroll));
     EXPECT_CALL(check, Call("longtap scrollstart3"));
 
     EXPECT_CALL(mManager, DispatchCaretStateChangedEvent(
@@ -747,10 +768,6 @@ TEST_F(AccessibleCaretManagerTester,
     EXPECT_CALL(check, Call("longtap scrollend3"));
   }
 
-  AutoRestore<bool> savePref(
-    MockAccessibleCaretManager::sCaretShownWhenLongTappingOnEmptyContent);
-  MockAccessibleCaretManager::sCaretShownWhenLongTappingOnEmptyContent = true;
-
   // Simulate a single tap on an empty input.
   mManager.FirstCaret().SetAppearance(Appearance::None);
   mManager.UpdateCarets();
diff --git a/layout/base/moz.build b/layout/base/moz.build
index a1b42b7d98..d778e061a1 100644
--- a/layout/base/moz.build
+++ b/layout/base/moz.build
@@ -190,6 +190,11 @@ LOCAL_INCLUDES += [
     '/view',
 ]
 
+if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'android':
+    LOCAL_INCLUDES += [
+        '/widget/android',
+    ]
+
 FINAL_LIBRARY = 'xul'
 
 MOCHITEST_MANIFESTS += ['tests/mochitest.ini']
diff --git a/layout/base/tests/marionette/test_accessiblecaret_selection_mode.py b/layout/base/tests/marionette/test_accessiblecaret_selection_mode.py
index f404dcf7f0..2441a53596 100644
--- a/layout/base/tests/marionette/test_accessiblecaret_selection_mode.py
+++ b/layout/base/tests/marionette/test_accessiblecaret_selection_mode.py
@@ -208,6 +208,42 @@ class AccessibleCaretSelectionModeTestCase(MarionetteTestCase):
 
         self.assertEqual(target_content, sel.selected_content)
 
+    @parameterized(_input_id, el_id=_input_id)
+    @parameterized(_textarea_id, el_id=_textarea_id)
+    @parameterized(_textarea_rtl_id, el_id=_textarea_rtl_id)
+    @parameterized(_contenteditable_id, el_id=_contenteditable_id)
+    @parameterized(_content_id, el_id=_content_id)
+    def test_drag_swappable_carets(self, el_id):
+        self.open_test_html(self._selection_html)
+        el = self.marionette.find_element(By.ID, el_id)
+        sel = SelectionManager(el)
+        original_content = sel.content
+        words = original_content.split()
+        self.assertTrue(len(words) >= 1, 'Expect at least one word in the content.')
+
+        target_content1 = words[0]
+        target_content2 = original_content[len(words[0]):]
+
+        # Get the location of the carets at the end of the content for later
+        # use.
+        el.tap()
+        sel.select_all()
+        end_caret_x, end_caret_y = sel.second_caret_location()
+
+        self.long_press_on_word(el, 0)
+
+        # Drag the first caret to the end and back to where it was
+        # immediately. The selection range should not be collapsed.
+        caret1_x, caret1_y = sel.first_caret_location()
+        self.actions.flick(el, caret1_x, caret1_y, end_caret_x, end_caret_y)\
+                    .flick(el, end_caret_x, end_caret_y, caret1_x, caret1_y).perform()
+        self.assertEqual(target_content1, sel.selected_content)
+
+        # Drag the first caret to the end.
+        caret1_x, caret1_y = sel.first_caret_location()
+        self.actions.flick(el, caret1_x, caret1_y, end_caret_x, end_caret_y).perform()
+        self.assertEqual(target_content2, sel.selected_content)
+
     @parameterized(_input_id, el_id=_input_id)
     @parameterized(_textarea_id, el_id=_textarea_id)
     @parameterized(_textarea_rtl_id, el_id=_textarea_rtl_id)
@@ -414,6 +450,29 @@ class AccessibleCaretSelectionModeTestCase(MarionetteTestCase):
         self.assertEqual(self.to_unix_line_ending(sel.selected_content.strip()),
                          '4\nuser can select this 5\nuser')
 
+    def test_drag_swappable_caret_over_non_selectable_field(self):
+        self.open_test_html(self._multiplerange_html)
+        body = self.marionette.find_element(By.ID, 'bd')
+        sel3 = self.marionette.find_element(By.ID, 'sel3')
+        sel4 = self.marionette.find_element(By.ID, 'sel4')
+        sel = SelectionManager(body)
+
+        self.long_press_on_word(sel4, 3)
+        (end_caret1_x, end_caret1_y), (end_caret2_x, end_caret2_y) = sel.carets_location()
+
+        self.long_press_on_word(sel3, 3)
+        (caret1_x, caret1_y), (caret2_x, caret2_y) = sel.carets_location()
+
+        # Drag the first caret down, which will across the second caret.
+        self.actions.flick(body, caret1_x, caret1_y, end_caret1_x, end_caret1_y).perform()
+        self.assertEqual(self.to_unix_line_ending(sel.selected_content.strip()),
+                         '3\nuser can select')
+
+        # The old second caret becomes the first caret. Drag it down again.
+        self.actions.flick(body, caret2_x, caret2_y, end_caret2_x, end_caret2_y).perform()
+        self.assertEqual(self.to_unix_line_ending(sel.selected_content.strip()),
+                         'this')
+
     def test_drag_caret_to_beginning_of_a_line(self):
         '''Bug 1094056
         Test caret visibility when caret is dragged to beginning of a line
diff --git a/layout/base/tests/test_getBoxQuads_convertPointRectQuad.html b/layout/base/tests/test_getBoxQuads_convertPointRectQuad.html
index 295c0b392f..7ec4f7b56d 100644
--- a/layout/base/tests/test_getBoxQuads_convertPointRectQuad.html
+++ b/layout/base/tests/test_getBoxQuads_convertPointRectQuad.html
@@ -336,7 +336,7 @@ TextTextTextTextTextTextTextTextTextTextTextTextTextTextTextTextTextTextTextText
 </div>
 
 <div id="svgContainer">
-  <svg id="svg" style="width:200px; height:200px; background:lightgray;">
+  <svg id="svg" style="width:200px; height:200px; background:lightgray; border:7px solid blue; padding:4px">
     <circle id="circle" cx="50" cy="50" r="20" fill="red" style="margin:20px; padding:10px; border:15px solid black"></circle>
     <g transform="scale(2)">
       <foreignObject x="50" y="20">
@@ -660,19 +660,26 @@ function runTest() {
   var svgContainerX = svgContainer.getBoundingClientRect().left;
   var svgContainerY = svgContainer.getBoundingClientRect().top;
   checkQuadIsRect("circle", {},
-                  svgContainerX + 30, svgContainerY + 30, 40, 40);
+                  svgContainerX + 41, svgContainerY + 41, 40, 40);
   // Box types are ignored for SVG elements.
   checkQuadIsRect("circle", {box:"content"},
-                  svgContainerX + 30, svgContainerY + 30, 40, 40);
+                  svgContainerX + 41, svgContainerY + 41, 40, 40);
   checkQuadIsRect("circle", {box:"padding"},
-                  svgContainerX + 30, svgContainerY + 30, 40, 40);
+                  svgContainerX + 41, svgContainerY + 41, 40, 40);
   checkQuadIsRect("circle", {box:"margin"},
-                  svgContainerX + 30, svgContainerY + 30, 40, 40);
+                  svgContainerX + 41, svgContainerY + 41, 40, 40);
   checkQuadIsRect("d", {toStr:"circle"},
-                  dX - (svgContainerX + 30), dY - (svgContainerY + 30), dW, dH);
+                  dX - (svgContainerX + 41), dY - (svgContainerY + 41), dW, dH);
   // Test foreignObject inside an SVG transform.
   checkQuadIsRect("foreign", {},
-                  svgContainerX + 100, svgContainerY + 40, 200, 120);
+                  svgContainerX + 111, svgContainerY + 51, 200, 120);
+  // Outer <svg> elements support padding and content boxes
+  checkQuadIsRect("svg", {box:"border"},
+                  svgContainerX, svgContainerY, 222, 222);
+  checkQuadIsRect("svg", {box:"padding"},
+                  svgContainerX + 7, svgContainerY + 7, 208, 208);
+  checkQuadIsRect("svg", {box:"content"},
+                  svgContainerX + 11, svgContainerY + 11, 200, 200);
 
   // XXX Test SVG text (probably broken; unclear what the best way is to handle it)
 
diff --git a/layout/build/nsLayoutModule.cpp b/layout/build/nsLayoutModule.cpp
index 02b91db928..6eaa57095d 100644
--- a/layout/build/nsLayoutModule.cpp
+++ b/layout/build/nsLayoutModule.cpp
@@ -263,7 +263,7 @@ static void Shutdown();
 #include "GMPService.h"
 
 #include "mozilla/dom/PresentationDeviceManager.h"
-#include "mozilla/dom/PresentationSessionTransport.h"
+#include "mozilla/dom/PresentationTCPSessionTransport.h"
 
 #include "mozilla/TextInputProcessor.h"
 
@@ -298,7 +298,7 @@ using mozilla::dom::NotificationTelemetryService;
 #define PRESENTATION_DEVICE_MANAGER_CID \
 { 0xe1e79dec, 0x4085, 0x4994, { 0xac, 0x5b, 0x74, 0x4b, 0x01, 0x66, 0x97, 0xe6 } }
 
-#define PRESENTATION_SESSION_TRANSPORT_CID \
+#define PRESENTATION_TCP_SESSION_TRANSPORT_CID \
 { 0xc9d023f4, 0x6228, 0x4c07, { 0x8b, 0x1d, 0x9c, 0x19, 0x57, 0x3f, 0xaa, 0x27 } }
 
 already_AddRefed<nsIPresentationService> NS_CreatePresentationService();
@@ -405,7 +405,7 @@ NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(FakeInputPortService,
 NS_GENERIC_FACTORY_CONSTRUCTOR(InputPortData)
 NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(nsIPresentationService,
                                          NS_CreatePresentationService)
-NS_GENERIC_FACTORY_CONSTRUCTOR(PresentationSessionTransport)
+NS_GENERIC_FACTORY_CONSTRUCTOR(PresentationTCPSessionTransport)
 NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(NotificationTelemetryService, Init)
 
 #ifndef MOZ_SIMPLEPUSH
@@ -872,7 +872,7 @@ NS_DEFINE_NAMED_CID(GECKO_MEDIA_PLUGIN_SERVICE_CID);
 
 NS_DEFINE_NAMED_CID(PRESENTATION_SERVICE_CID);
 NS_DEFINE_NAMED_CID(PRESENTATION_DEVICE_MANAGER_CID);
-NS_DEFINE_NAMED_CID(PRESENTATION_SESSION_TRANSPORT_CID);
+NS_DEFINE_NAMED_CID(PRESENTATION_TCP_SESSION_TRANSPORT_CID);
 
 NS_DEFINE_NAMED_CID(TEXT_INPUT_PROCESSOR_CID);
 
@@ -1171,7 +1171,7 @@ static const mozilla::Module::CIDEntry kLayoutCIDs[] = {
   { &kTV_PROGRAM_DATA_CID, false, nullptr, TVProgramDataConstructor },
   { &kPRESENTATION_SERVICE_CID, false, nullptr, nsIPresentationServiceConstructor },
   { &kPRESENTATION_DEVICE_MANAGER_CID, false, nullptr, PresentationDeviceManagerConstructor },
-  { &kPRESENTATION_SESSION_TRANSPORT_CID, false, nullptr, PresentationSessionTransportConstructor },
+  { &kPRESENTATION_TCP_SESSION_TRANSPORT_CID, false, nullptr, PresentationTCPSessionTransportConstructor },
   { &kTEXT_INPUT_PROCESSOR_CID, false, nullptr, TextInputProcessorConstructor },
   { &kFAKE_INPUTPORT_SERVICE_CID, false, nullptr, FakeInputPortServiceConstructor },
   { &kINPUTPORT_DATA_CID, false, nullptr, InputPortDataConstructor },
@@ -1340,7 +1340,7 @@ static const mozilla::Module::ContractIDEntry kLayoutContracts[] = {
   { NS_VOICEMAIL_SERVICE_CONTRACTID, &kNS_VOICEMAIL_SERVICE_CID },
   { PRESENTATION_SERVICE_CONTRACTID, &kPRESENTATION_SERVICE_CID },
   { PRESENTATION_DEVICE_MANAGER_CONTRACTID, &kPRESENTATION_DEVICE_MANAGER_CID },
-  { PRESENTATION_SESSION_TRANSPORT_CONTRACTID, &kPRESENTATION_SESSION_TRANSPORT_CID },
+  { PRESENTATION_TCP_SESSION_TRANSPORT_CONTRACTID, &kPRESENTATION_TCP_SESSION_TRANSPORT_CID },
   { "@mozilla.org/text-input-processor;1", &kTEXT_INPUT_PROCESSOR_CID },
   { FAKE_INPUTPORT_SERVICE_CONTRACTID, &kFAKE_INPUTPORT_SERVICE_CID },
   { INPUTPORT_DATA_CONTRACTID, &kINPUTPORT_DATA_CID },
diff --git a/layout/printing/nsPrintEngine.cpp b/layout/printing/nsPrintEngine.cpp
index 2305f53743..0e5e3437d5 100644
--- a/layout/printing/nsPrintEngine.cpp
+++ b/layout/printing/nsPrintEngine.cpp
@@ -1508,6 +1508,10 @@ void
 nsPrintEngine::FirePrintingErrorEvent(nsresult aPrintError)
 {
   nsCOMPtr<nsIContentViewer> cv = do_QueryInterface(mDocViewerPrint);
+  if (NS_WARN_IF(!cv)) {
+    return;
+  }
+
   nsCOMPtr<nsIDocument> doc = cv->GetDocument();
   RefPtr<CustomEvent> event =
     NS_NewDOMCustomEvent(doc, nullptr, nullptr);
diff --git a/layout/reftests/css-parsing/reftest.list b/layout/reftests/css-parsing/reftest.list
index bc869a1cfe..0044b6150e 100644
--- a/layout/reftests/css-parsing/reftest.list
+++ b/layout/reftests/css-parsing/reftest.list
@@ -6,3 +6,4 @@
 == at-rule-error-handling-media-1.html at-rule-error-handling-ref.html
 == invalid-font-face-descriptor-1.html invalid-font-face-descriptor-1-ref.html
 == two-dash-identifiers.html two-dash-identifiers-ref.html
+== supports-moz-bool-pref.html supports-moz-bool-pref-ref.html
diff --git a/layout/reftests/css-parsing/supports-moz-bool-pref-ref.html b/layout/reftests/css-parsing/supports-moz-bool-pref-ref.html
new file mode 100644
index 0000000000..4f067bbbfc
--- /dev/null
+++ b/layout/reftests/css-parsing/supports-moz-bool-pref-ref.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+
+<html>
+  <body>
+    <p>This text should not have background color.</p>
+  </body>
+</html>
+
diff --git a/layout/reftests/css-parsing/supports-moz-bool-pref.html b/layout/reftests/css-parsing/supports-moz-bool-pref.html
new file mode 100644
index 0000000000..fe58ab766d
--- /dev/null
+++ b/layout/reftests/css-parsing/supports-moz-bool-pref.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<!-- Any copyright is dedicated to the Public Domain.
+   - http://creativecommons.org/publicdomain/zero/1.0/ -->
+
+<html>
+  <style>
+  /* This is not a user agent style sheet, so the style will be ignored.
+     "testing.supports.moz-bool-pref" is set to true in
+     layout/tools/reftest/reftest-preferences.js. */
+  @supports -moz-bool-pref("testing.supports.moz-bool-pref") {
+    p {
+      background-color: red;
+    }
+  }
+  </style>
+  <body>
+    <p>This text should not have background color.</p>
+  </body>
+</html>
+
diff --git a/layout/reftests/svg/mask-and-clipPath-ref.html b/layout/reftests/svg/mask-and-clipPath-ref.html
new file mode 100644
index 0000000000..86098fa835
--- /dev/null
+++ b/layout/reftests/svg/mask-and-clipPath-ref.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
+ </head>
+ <body>
+   <svg height="100%" preserveAspectRatio="none meet" viewBox="0 0 1070 462" width="100%">
+    <g height="462" width="1070">
+     <g mask="url(#mask-1)"  transform="translate(0,10)">
+      <g>
+       <path class="data-line" d="M30,260L61,266.5L900,266.5" fill="none" stroke="#cc0000" stroke-width="20" visibility="visible">
+       </path>
+      </g>
+     </g>
+    </g>
+    <g>
+     <g>
+      <mask id="mask-1">
+       <rect fill="#000" height="100%" width="100%" x="0" y="0">
+       </rect>
+       <rect fill="#fff" height="462" width="400" x="40" y="-10">
+       </rect>
+       <rect fill="#fff" height="460" width="100" x="800" y="-10">
+       </rect>
+       <rect fill="#000" height="447" offset="164" width="60" x="164" y="0">
+       </rect>
+       <rect fill="#000" height="447" offset="376" width="56" x="376" y="0">
+       </rect>
+      </mask>
+     </g>
+    </g>
+   </svg>
+ </body>
+</html>
diff --git a/layout/reftests/svg/mask-and-clipPath.html b/layout/reftests/svg/mask-and-clipPath.html
new file mode 100644
index 0000000000..19759a6a31
--- /dev/null
+++ b/layout/reftests/svg/mask-and-clipPath.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
+ </head>
+ <body>
+   <svg height="100%" preserveAspectRatio="none meet" viewBox="0 0 1070 462" width="100%">
+    <g height="462" width="1070">
+     <g clip-path="url(#clip-1)" mask="url(#mask-1)"  transform="translate(0,10)">
+      <g>
+       <path class="data-line" d="M30,260L61,266.5L900,266.5" fill="none" stroke="#cc0000" stroke-width="20" visibility="visible">
+       </path>
+      </g>
+     </g>
+    </g>
+    <g>
+     <clipPath id="clip-1">
+      <rect height="462" width="400" x="40" y="-10">
+      </rect>
+      <rect height="460" width="100" x="800" y="-10">
+      </rect>
+     </clipPath>
+     <g>
+      <mask id="mask-1">
+       <rect fill="#fff" height="100%" width="100%" x="0" y="0">
+       </rect>
+       <rect fill="#000" height="447" offset="164" width="60" x="164" y="0">
+       </rect>
+       <rect fill="#000" height="447" offset="376" width="56" x="376" y="0">
+       </rect>
+      </mask>
+     </g>
+    </g>
+   </svg>
+ </body>
+</html>
diff --git a/layout/reftests/xul/reftest.list b/layout/reftests/xul/reftest.list
index 17f43731d9..15d6982048 100644
--- a/layout/reftests/xul/reftest.list
+++ b/layout/reftests/xul/reftest.list
@@ -5,10 +5,11 @@ random-if(Android||B2G) fails-if(winWidget) skip-if((B2G&&browserIsRemote)||Mule
 skip-if((B2G&&browserIsRemote)||Mulet) == textbox-overflow-1.xul textbox-overflow-1-ref.xul # for bug 749658 # Initial mulet triage: parity with B2G/B2G Desktop
 # accesskeys are not normally displayed on Mac, so skip this test
 skip-if(cocoaWidget) skip-if((B2G&&browserIsRemote)||Mulet) == accesskey.xul accesskey-ref.xul # Initial mulet triage: parity with B2G/B2G Desktop
-fails-if(cocoaWidget) fuzzy-if(xulRuntime.widgetToolkit=="gtk3",1,11) skip-if((B2G&&browserIsRemote)||Mulet) == tree-row-outline-1.xul tree-row-outline-1-ref.xul # Initial mulet triage: parity with B2G/B2G Desktop
+fails-if(cocoaWidget) fails-if(browserIsRemote&&d2d) fuzzy-if(xulRuntime.widgetToolkit=="gtk3",1,11) skip-if((B2G&&browserIsRemote)||Mulet) == tree-row-outline-1.xul tree-row-outline-1-ref.xul # Initial mulet triage: parity with B2G/B2G Desktop, win8: bug 1254832
 skip-if((B2G&&browserIsRemote)||Mulet) != tree-row-outline-1.xul tree-row-outline-1-notref.xul # Initial mulet triage: parity with B2G/B2G Desktop
 skip-if((B2G&&browserIsRemote)||Mulet) == text-small-caps-1.xul text-small-caps-1-ref.xul # Initial mulet triage: parity with B2G/B2G Desktop
-skip-if((B2G&&browserIsRemote)||Mulet) fuzzy-if(skiaContent,1,60) == inactive-fixed-bg-bug1205630.xul inactive-fixed-bg-bug1205630-ref.html
+skip-if((B2G&&browserIsRemote)||Mulet) fuzzy-if(skiaContent,1,60) fuzzy-if(cocoaWidget&&browserIsRemote&&!skiaContent,1,31) fuzzy-if(winWidget&&browserIsRemote&&layersGPUAccelerated,1,50) == inactive-fixed-bg-bug1205630.xul inactive-fixed-bg-bug1205630-ref.html
+
 
 # Tests for XUL <image> with 'object-fit' & 'object-position':
 # These tests should be very similar to tests in our w3c-css/submitted/images3
@@ -43,8 +44,8 @@ skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-fill-svg-001.xul object-fit
 skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-fill-svg-002.xul object-fit-fill-svg-002-ref.html
 skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-fill-svg-003.xul object-fit-fill-svg-003-ref.html
 skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-fill-svg-004.xul object-fit-fill-svg-004-ref.html
-skip-if((B2G&&browserIsRemote)||Mulet) fails == object-fit-fill-svg-005.xul object-fit-fill-svg-005-ref.html # bug 1092436
-skip-if((B2G&&browserIsRemote)||Mulet) fails == object-fit-fill-svg-006.xul object-fit-fill-svg-006-ref.html # bug 1092436
+fails skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-fill-svg-005.xul object-fit-fill-svg-005-ref.html # bug 1092436
+fails skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-fill-svg-006.xul object-fit-fill-svg-006-ref.html # bug 1092436
 skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-none-png-001.xul object-fit-none-png-001-ref.html
 skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-none-png-002.xul object-fit-none-png-002-ref.html
 skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-none-svg-001.xul object-fit-none-svg-001-ref.html
@@ -64,4 +65,10 @@ skip-if((B2G&&browserIsRemote)||Mulet) == object-fit-scale-down-svg-006.xul obje
 skip-if((B2G&&browserIsRemote)||Mulet) == object-position-png-001.xul object-position-png-001-ref.html
 skip-if((B2G&&browserIsRemote)||Mulet) == object-position-png-002.xul object-position-png-002-ref.html
 
-skip-if((B2G&&browserIsRemote)||Mulet) == inactive-fixed-bg-bug1205630.xul inactive-fixed-bg-bug1205630-ref.html
+# Tests for rendering SVG images in a XUL <treecell>:
+# XXXdholbert: These are marked as "random" right now, since they might not
+# render the images they trying to test in time for the reftest snapshot, per
+# bug 1218954. Once that bug is fixed, we should replace the "random"
+# annotation with "skip-if((B2G&&browserIsRemote)||Mulet)", like above tests.
+skip == treecell-image-svg-1a.xul treecell-image-svg-1-ref.xul # bug 1218954
+skip == treecell-image-svg-1b.xul treecell-image-svg-1-ref.xul # bug 1218954
diff --git a/layout/reftests/xul/treecell-image-svg-1-ref.xul b/layout/reftests/xul/treecell-image-svg-1-ref.xul
new file mode 100644
index 0000000000..029b140f01
--- /dev/null
+++ b/layout/reftests/xul/treecell-image-svg-1-ref.xul
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <tree seltype="single" flex="1">
+    <treecols>
+      <treecol flex="1"/>
+    </treecols>
+    <treechildren>
+      <treeitem>
+        <treerow>
+          <treecell src="colors-16x8.png"/>
+        </treerow>
+      </treeitem>
+    </treechildren>
+  </tree>
+</window>
diff --git a/layout/reftests/xul/treecell-image-svg-1a.xul b/layout/reftests/xul/treecell-image-svg-1a.xul
new file mode 100644
index 0000000000..d481190345
--- /dev/null
+++ b/layout/reftests/xul/treecell-image-svg-1a.xul
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <tree seltype="single" flex="1">
+    <treecols>
+      <treecol flex="1"/>
+    </treecols>
+    <treechildren>
+      <treeitem>
+        <treerow>
+          <treecell src="colors-16x8.svg"/>
+        </treerow>
+      </treeitem>
+    </treechildren>
+  </tree>
+</window>
diff --git a/layout/reftests/xul/treecell-image-svg-1b.xul b/layout/reftests/xul/treecell-image-svg-1b.xul
new file mode 100644
index 0000000000..f13c138fda
--- /dev/null
+++ b/layout/reftests/xul/treecell-image-svg-1b.xul
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <tree seltype="single" flex="1">
+    <treecols>
+      <treecol flex="1"/>
+    </treecols>
+    <treechildren>
+      <treeitem>
+        <treerow>
+          <treecell src="colors-16x8-noSize.svg"/>
+        </treerow>
+      </treeitem>
+    </treechildren>
+  </tree>
+</window>
diff --git a/layout/style/crashtests/1245260-1.html b/layout/style/crashtests/1245260-1.html
new file mode 100644
index 0000000000..6f2dda9955
--- /dev/null
+++ b/layout/style/crashtests/1245260-1.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<head lang="en">
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Bug 1245260</title>
+</head>
+<body>
+<style>
+body {
+  color: blue;
+}
+
+div {
+  transition: text-emphasis-color 0.1s;
+}
+
+.hide {
+  display: none;
+}
+
+a {
+  color: red;
+  transition: text-emphasis-color 0.1s;
+}
+
+span {
+  transition: text-emphasis-color 0.1s;
+}
+
+@font-face {
+  font-family: "icon-fonts";
+  src: url(x);
+}
+</style>
+
+<div>
+<span><a>Shows</a></span>
+<span><a>Video</a></span>
+<span><a>Schedule</a></span>
+<span><a>Topics</a></span>
+<span><a>Games</a></span>
+<span><a>Shop</a></span>
+<span><a>This Day In History</a></span>
+<span><a>Ask History</a></span>
+<span><a>History Lists</a></span>
+<span><a>Hungry History</a></span>
+<span><a>Speeches &amp; Audio</a></span>
+<span class="hide"><a>Sign In</a></span>
+<span><a class="hide">Sign Out</a></span>
+</div>
+<script/>
+</body>
+</html>
diff --git a/layout/style/crashtests/1264396-1.html b/layout/style/crashtests/1264396-1.html
new file mode 100644
index 0000000000..abba4de3b5
--- /dev/null
+++ b/layout/style/crashtests/1264396-1.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<meta charset="utf-8" />
+<style>
+@keyframes bug {
+  from {display:none}
+  to {display:inline-block}
+}
+body {
+  animation-name: bug;
+  animation-duration: 1s;
+}
+</style>
+</html>
diff --git a/layout/style/crashtests/460209-1.html b/layout/style/crashtests/460209-1.html
new file mode 100644
index 0000000000..d78235738a
--- /dev/null
+++ b/layout/style/crashtests/460209-1.html
@@ -0,0 +1,9 @@
+<html>
+<head>
+<style>
+@import "404.css" s x
+</style>
+</head>
+<body>
+</body>
+</html>
diff --git a/layout/style/crashtests/474377-1.xhtml b/layout/style/crashtests/474377-1.xhtml
new file mode 100644
index 0000000000..519a753cfa
--- /dev/null
+++ b/layout/style/crashtests/474377-1.xhtml
@@ -0,0 +1,18 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<style type="text/css">
+
+#q:after {
+  content: 'A';
+}
+
+</style>
+</head>
+<body>
+
+<mrow xmlns="http://www.w3.org/1998/Math/MathML"></mrow>
+<span id="q"><span><div></div></span></span>
+
+</body>
+</html>
+
diff --git a/layout/style/crashtests/crashtests.list b/layout/style/crashtests/crashtests.list
index 0fd1efed26..769896f7c6 100644
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -35,6 +35,7 @@ load 448161-1.html
 load 448161-2.html
 load 452150-1.xhtml
 load 456196.html
+load 460209-1.html
 load 460217-1.html
 load 460323-1.html
 load 466845-1.html
@@ -45,6 +46,7 @@ HTTP(..) load 472237-1.html
 load 473720-1.html
 load 473892-1.html
 load 473914-1.html
+load 474377-1.xhtml
 load 478321-1.xhtml
 load 495269-1.html
 load 495269-2.html
@@ -52,10 +54,10 @@ load 498036-1.html
 load 509155-1.html
 load 509156-1.html
 load 509569-1.html
+load 512851-1.xhtml
 load 524252-1.html
-load font-face-truncated-src.html 
 load 536789-1.html
-load 565248-1.html
+load 539613-1.xhtml
 load 558943-1.xhtml
 load 559491.html
 load 565248-1.html
@@ -132,7 +134,9 @@ load 1230408-1.html
 load 1233135-1.html
 load 1233135-2.html
 load 1238660-1.html
+load 1245260-1.html
 load 1247865-1.html
+load 1264396-1.html
 load border-image-visited-link.html
 load font-face-truncated-src.html 
 load large_border_image_width.html
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index 0ce4add09a..1772572276 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -348,6 +348,9 @@ public:
   bool AgentRulesEnabled() const {
     return mParsingMode == css::eAgentSheetFeatures;
   }
+  bool ChromeRulesEnabled() const {
+    return mIsChrome;
+  }
   bool UserRulesEnabled() const {
     return mParsingMode == css::eAgentSheetFeatures ||
            mParsingMode == css::eUserSheetFeatures;
@@ -692,6 +695,7 @@ protected:
   bool ParseSupportsCondition(bool& aConditionMet);
   bool ParseSupportsConditionNegation(bool& aConditionMet);
   bool ParseSupportsConditionInParens(bool& aConditionMet);
+  bool ParseSupportsMozBoolPrefName(bool& aConditionMet);
   bool ParseSupportsConditionInParensInsideParens(bool& aConditionMet);
   bool ParseSupportsConditionTerms(bool& aConditionMet);
   enum SupportsConditionTermOperator { eAnd, eOr };
@@ -2134,7 +2138,10 @@ CSSParserImpl::ParseSourceSizeList(const nsAString& aBuffer,
       query->SetNegated();
     }
 
-    if (ParseNonNegativeVariant(value, VARIANT_LPCALC, nullptr) !=
+    // https://html.spec.whatwg.org/multipage/embedded-content.html#source-size-value
+    // Percentages are not allowed in a <source-size-value>, to avoid
+    // confusion about what it would be relative to.
+    if (ParseNonNegativeVariant(value, VARIANT_LCALC, nullptr) !=
         CSSParseResult::Ok) {
       hitError = true;
       break;
@@ -4525,6 +4532,7 @@ CSSParserImpl::ParseSupportsConditionNegation(bool& aConditionMet)
 
 // supports_condition_in_parens
 //   : '(' S* supports_condition_in_parens_inside_parens ')' S*
+//   | supports_condition_pref
 //   | general_enclosed
 //   ;
 bool
@@ -4540,6 +4548,12 @@ CSSParserImpl::ParseSupportsConditionInParens(bool& aConditionMet)
     return true;
   }
 
+  if (AgentRulesEnabled() &&
+      mToken.mType == eCSSToken_Function &&
+      mToken.mIdent.LowerCaseEqualsLiteral("-moz-bool-pref")) {
+    return ParseSupportsMozBoolPrefName(aConditionMet);
+  }
+
   if (mToken.mType == eCSSToken_Function ||
       mToken.mType == eCSSToken_Bad_URL) {
     if (!SkipUntil(')')) {
@@ -4574,6 +4588,32 @@ CSSParserImpl::ParseSupportsConditionInParens(bool& aConditionMet)
   return true;
 }
 
+// supports_condition_pref
+//   : '-moz-bool-pref(' bool_pref_name ')'
+//   ;
+bool
+CSSParserImpl::ParseSupportsMozBoolPrefName(bool& aConditionMet)
+{
+  if (!GetToken(true)) {
+    return false;
+  }
+
+  if (mToken.mType != eCSSToken_String) {
+    SkipUntil(')');
+    return false;
+  }
+
+  aConditionMet = Preferences::GetBool(
+    NS_ConvertUTF16toUTF8(mToken.mIdent).get());
+
+  if (!ExpectSymbol(')', true)) {
+    SkipUntil(')');
+    return false;
+  }
+
+  return true;
+}
+
 // supports_condition_in_parens_inside_parens
 //   : core_declaration
 //   | supports_condition_negation
@@ -5879,7 +5919,10 @@ CSSParserImpl::ParsePseudoSelector(int32_t&       aDataMask,
       ((pseudoElementType < CSSPseudoElementType::Count &&
         nsCSSPseudoElements::PseudoElementIsUASheetOnly(pseudoElementType)) ||
        (pseudoClassType != nsCSSPseudoClasses::ePseudoClass_NotPseudoClass &&
-        nsCSSPseudoClasses::PseudoClassIsUASheetOnly(pseudoClassType)))) {
+        nsCSSPseudoClasses::PseudoClassIsUASheetOnly(pseudoClassType)) ||
+       (!ChromeRulesEnabled() &&
+        (pseudoClassType != nsCSSPseudoClasses::ePseudoClass_NotPseudoClass &&
+         nsCSSPseudoClasses::PseudoClassIsUASheetAndChromeOnly(pseudoClassType))))) {
     // This pseudo-element or pseudo-class is not exposed to content.
     REPORT_UNEXPECTED_TOKEN(PEPseudoSelUnknown);
     UngetToken();
@@ -15860,11 +15903,11 @@ bool CSSParserImpl::ParseClipPath()
       return false;
     }
 
-    nsCSSValueList* cur = value.SetListValue();
-
     nsCSSValue referenceBox;
     bool hasBox = ParseEnum(referenceBox, nsCSSProps::kClipShapeSizingKTable);
 
+    const bool boxCameFirst = hasBox;
+
     nsCSSValue basicShape;
     bool basicShapeConsumedTokens = false;
     bool hasShape = ParseBasicShape(basicShape, &basicShapeConsumedTokens);
@@ -15875,26 +15918,25 @@ bool CSSParserImpl::ParseClipPath()
       return false;
     }
 
-    // We need to preserve the specified order of arguments for inline style.
-    if (hasBox) {
-      cur->mValue = referenceBox;
-    }
-
-    if (hasShape) {
-      if (hasBox) {
-        cur->mNext = new nsCSSValueList;
-        cur = cur->mNext;
-      }
-      cur->mValue = basicShape;
-    }
-
     // Check if the second argument is a reference box if the first wasn't.
-    if (!hasBox &&
-        ParseEnum(referenceBox, nsCSSProps::kClipShapeSizingKTable)) {
-        cur->mNext = new nsCSSValueList;
-        cur = cur->mNext;
-        cur->mValue = referenceBox;
+    if (!hasBox) {
+      hasBox = ParseEnum(referenceBox, nsCSSProps::kClipShapeSizingKTable);
     }
+
+    RefPtr<nsCSSValue::Array> fullValue =
+      nsCSSValue::Array::Create((hasBox && hasShape) ? 2 : 1);
+
+    if (hasBox && hasShape) {
+      fullValue->Item(boxCameFirst ? 0 : 1) = referenceBox;
+      fullValue->Item(boxCameFirst ? 1 : 0) = basicShape;
+    } else if (hasBox) {
+      fullValue->Item(0) = referenceBox;
+    } else {
+      MOZ_ASSERT(hasShape, "should've bailed if we got neither box nor shape");
+      fullValue->Item(0) = basicShape;
+    }
+
+    value.SetArrayValue(fullValue, eCSSUnit_Array);
   }
 
   AppendValue(eCSSProperty_clip_path, value);
diff --git a/layout/style/nsCSSPropList.h b/layout/style/nsCSSPropList.h
index 5173605b5b..2c8355648c 100644
--- a/layout/style/nsCSSPropList.h
+++ b/layout/style/nsCSSPropList.h
@@ -522,7 +522,7 @@ CSS_PROP_BACKGROUND(
         CSS_PROPERTY_VALUE_LIST_USES_COMMAS,
     "",
     VARIANT_KEYWORD, // used by list parsing
-    kImageLayerOriginKTable,
+    kBackgroundClipKTable,
     CSS_PROP_NO_OFFSET,
     eStyleAnimType_None)
 CSS_PROP_BACKGROUND(
@@ -1644,7 +1644,7 @@ CSS_PROP_DISPLAY(
     VARIANT_HK,
     kDisplayKTable,
     offsetof(nsStyleDisplay, mDisplay),
-    eStyleAnimType_EnumU8)
+    eStyleAnimType_None)
 CSS_PROP_SVGRESET(
     dominant-baseline,
     dominant_baseline,
diff --git a/layout/style/nsCSSPseudoClassList.h b/layout/style/nsCSSPseudoClassList.h
index 7dcc8e390f..ef01cb964b 100644
--- a/layout/style/nsCSSPseudoClassList.h
+++ b/layout/style/nsCSSPseudoClassList.h
@@ -123,7 +123,8 @@ CSS_PSEUDO_CLASS(mozWindowInactive, ":-moz-window-inactive", 0, "")
 CSS_PSEUDO_CLASS(mozTableBorderNonzero, ":-moz-table-border-nonzero", 0, "")
 
 // Matches HTML frame/iframe elements which are mozbrowser.
-CSS_PSEUDO_CLASS(mozBrowserFrame, ":-moz-browser-frame", 0, "")
+CSS_PSEUDO_CLASS(mozBrowserFrame, ":-moz-browser-frame",
+                 CSS_PSEUDO_CLASS_UA_SHEET_AND_CHROME, "")
 
 // Matches whatever the contextual reference elements are for the
 // matching operation.
diff --git a/layout/style/nsCSSRules.h b/layout/style/nsCSSRules.h
index ca337f93ca..a5bd033b8c 100644
--- a/layout/style/nsCSSRules.h
+++ b/layout/style/nsCSSRules.h
@@ -371,7 +371,7 @@ protected:
 
   // This reference is not reference-counted. The rule object tells us
   // when it's about to go away.
-  nsCSSKeyframeRule *mRule;
+  nsCSSKeyframeRule* MOZ_NON_OWNING_REF mRule;
 };
 
 class nsCSSKeyframeRule final : public mozilla::css::Rule,
@@ -501,7 +501,7 @@ protected:
 
   // This reference is not reference-counted. The rule object tells us
   // when it's about to go away.
-  nsCSSPageRule *mRule;
+  nsCSSPageRule* MOZ_NON_OWNING_REF mRule;
 };
 
 class nsCSSPageRule final : public mozilla::css::Rule,
diff --git a/layout/style/nsCSSValue.cpp b/layout/style/nsCSSValue.cpp
index 91566c3bbc..25ad7d38a7 100644
--- a/layout/style/nsCSSValue.cpp
+++ b/layout/style/nsCSSValue.cpp
@@ -2170,9 +2170,13 @@ nsCSSValueList::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 size_t
 nsCSSValueList_heap::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mValue.SizeOfExcludingThis(aMallocSizeOf);
-  n += mNext ? mNext->SizeOfIncludingThis(aMallocSizeOf) : 0;
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mValue.SizeOfExcludingThis(aMallocSizeOf);
+    n += mNext ? mNext->SizeOfIncludingThis(aMallocSizeOf) : 0;
+  }
   return n;
 }
 
@@ -2205,9 +2209,12 @@ nsCSSValueSharedList::operator==(const nsCSSValueSharedList& aOther) const
 size_t
 nsCSSValueSharedList::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
+  // Only measure it if it's unshared, to avoid double-counting.
   size_t n = 0;
-  n += aMallocSizeOf(this);
-  n += mHead->SizeOfIncludingThis(aMallocSizeOf);
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mHead->SizeOfIncludingThis(aMallocSizeOf);
+  }
   return n;
 }
 
@@ -2280,11 +2287,15 @@ void nsCSSRect::SetAllSidesTo(const nsCSSValue& aValue)
 size_t
 nsCSSRect_heap::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mTop   .SizeOfExcludingThis(aMallocSizeOf);
-  n += mRight .SizeOfExcludingThis(aMallocSizeOf);
-  n += mBottom.SizeOfExcludingThis(aMallocSizeOf);
-  n += mLeft  .SizeOfExcludingThis(aMallocSizeOf);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mTop   .SizeOfExcludingThis(aMallocSizeOf);
+    n += mRight .SizeOfExcludingThis(aMallocSizeOf);
+    n += mBottom.SizeOfExcludingThis(aMallocSizeOf);
+    n += mLeft  .SizeOfExcludingThis(aMallocSizeOf);
+  }
   return n;
 }
 
@@ -2325,9 +2336,13 @@ nsCSSValuePair::SizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 size_t
 nsCSSValuePair_heap::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mXValue.SizeOfExcludingThis(aMallocSizeOf);
-  n += mYValue.SizeOfExcludingThis(aMallocSizeOf);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mXValue.SizeOfExcludingThis(aMallocSizeOf);
+    n += mYValue.SizeOfExcludingThis(aMallocSizeOf);
+  }
   return n;
 }
 
@@ -2352,10 +2367,14 @@ nsCSSValueTriplet::AppendToString(nsCSSProperty aProperty,
 size_t
 nsCSSValueTriplet_heap::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mXValue.SizeOfExcludingThis(aMallocSizeOf);
-  n += mYValue.SizeOfExcludingThis(aMallocSizeOf);
-  n += mZValue.SizeOfExcludingThis(aMallocSizeOf);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mXValue.SizeOfExcludingThis(aMallocSizeOf);
+    n += mYValue.SizeOfExcludingThis(aMallocSizeOf);
+    n += mZValue.SizeOfExcludingThis(aMallocSizeOf);
+  }
   return n;
 }
 
@@ -2446,10 +2465,14 @@ nsCSSValuePairList::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) con
 size_t
 nsCSSValuePairList_heap::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mXValue.SizeOfExcludingThis(aMallocSizeOf);
-  n += mYValue.SizeOfExcludingThis(aMallocSizeOf);
-  n += mNext ? mNext->SizeOfIncludingThis(aMallocSizeOf) : 0;
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mXValue.SizeOfExcludingThis(aMallocSizeOf);
+    n += mYValue.SizeOfExcludingThis(aMallocSizeOf);
+    n += mNext ? mNext->SizeOfIncludingThis(aMallocSizeOf) : 0;
+  }
   return n;
 }
 
@@ -2536,16 +2559,18 @@ css::URLValue::GetURI() const
 size_t
 css::URLValue::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-
-  n += mString->SizeOfIncludingThisIfUnshared(aMallocSizeOf);
-
-  // Measurement of the following members may be added later if DMD finds it is
-  // worthwhile:
-  // - mURI
-  // - mReferrer
-  // - mOriginPrincipal
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mString->SizeOfIncludingThisIfUnshared(aMallocSizeOf);
 
+    // Measurement of the following members may be added later if DMD finds it
+    // is worthwhile:
+    // - mURI
+    // - mReferrer
+    // - mOriginPrincipal
+  }
   return n;
 }
 
@@ -2638,14 +2663,18 @@ nsCSSValueGradient::nsCSSValueGradient(bool aIsRadial,
 size_t
 nsCSSValueGradient::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mBgPos.SizeOfExcludingThis(aMallocSizeOf);
-  n += mAngle.SizeOfExcludingThis(aMallocSizeOf);
-  n += mRadialValues[0].SizeOfExcludingThis(aMallocSizeOf);
-  n += mRadialValues[1].SizeOfExcludingThis(aMallocSizeOf);
-  n += mStops.ShallowSizeOfExcludingThis(aMallocSizeOf);
-  for (uint32_t i = 0; i < mStops.Length(); i++) {
-    n += mStops[i].SizeOfExcludingThis(aMallocSizeOf);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mBgPos.SizeOfExcludingThis(aMallocSizeOf);
+    n += mAngle.SizeOfExcludingThis(aMallocSizeOf);
+    n += mRadialValues[0].SizeOfExcludingThis(aMallocSizeOf);
+    n += mRadialValues[1].SizeOfExcludingThis(aMallocSizeOf);
+    n += mStops.ShallowSizeOfExcludingThis(aMallocSizeOf);
+    for (uint32_t i = 0; i < mStops.Length(); i++) {
+      n += mStops[i].SizeOfExcludingThis(aMallocSizeOf);
+    }
   }
   return n;
 }
@@ -2668,8 +2697,12 @@ nsCSSValueTokenStream::~nsCSSValueTokenStream()
 size_t
 nsCSSValueTokenStream::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
-  n += mTokenStream.SizeOfExcludingThisIfUnshared(aMallocSizeOf);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mTokenStream.SizeOfExcludingThisIfUnshared(aMallocSizeOf);
+  }
   return n;
 }
 
@@ -2756,7 +2789,11 @@ size_t
 nsCSSValueFloatColor::SizeOfIncludingThis(
                                       mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = aMallocSizeOf(this);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+  }
   return n;
 }
 
@@ -2804,7 +2841,12 @@ nsCSSCornerSizes::corners[4] = {
 size_t
 mozilla::css::GridTemplateAreasValue::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const
 {
-  size_t n = mNamedAreas.ShallowSizeOfExcludingThis(aMallocSizeOf);
-  n += mTemplates.ShallowSizeOfExcludingThis(aMallocSizeOf);
+  // Only measure it if it's unshared, to avoid double-counting.
+  size_t n = 0;
+  if (mRefCnt <= 1) {
+    n += aMallocSizeOf(this);
+    n += mNamedAreas.ShallowSizeOfExcludingThis(aMallocSizeOf);
+    n += mTemplates.ShallowSizeOfExcludingThis(aMallocSizeOf);
+  }
   return n;
 }
diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
index 481b9d46f9..346892ec39 100644
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -453,7 +453,7 @@ nsComputedDOMStyle::GetStyleContextForElementNoFlush(Element* aElement,
   }
 
   // XXX the !aElement->IsHTMLElement(nsGkAtoms::area)
-  // check is needed due to bug 135040 (to avoid using 
+  // check is needed due to bug 135040 (to avoid using
   // mPrimaryFrame). Remove it once that's fixed.
   if (!aPseudo && aStyleType == eAll && inDocWithShell &&
       !aElement->IsHTMLElement(nsGkAtoms::area)) {
@@ -1117,7 +1117,7 @@ nsComputedDOMStyle::DoGetContent()
     switch (data.mType) {
       case eStyleContentType_String:
         {
-          nsString str;
+          nsAutoString str;
           nsStyleUtil::AppendEscapedCSSString(
             nsDependentString(data.mContent.mString), str);
           val->SetString(str);
@@ -1491,7 +1491,7 @@ nsComputedDOMStyle::DoGetQuotes()
     RefPtr<nsROCSSPrimitiveValue> openVal = new nsROCSSPrimitiveValue;
     RefPtr<nsROCSSPrimitiveValue> closeVal = new nsROCSSPrimitiveValue;
 
-    nsString s;
+    nsAutoString s;
     nsStyleUtil::AppendEscapedCSSString(quotePair.first, s);
     openVal->SetString(s);
     s.Truncate();
@@ -1628,7 +1628,7 @@ nsComputedDOMStyle::DoGetFontLanguageOverride()
   if (font->mFont.languageOverride.IsEmpty()) {
     val->SetIdent(eCSSKeyword_normal);
   } else {
-    nsString str;
+    nsAutoString str;
     nsStyleUtil::AppendEscapedCSSString(font->mFont.languageOverride, str);
     val->SetString(str);
   }
@@ -3430,7 +3430,7 @@ nsComputedDOMStyle::DoGetListStyleType()
   RefPtr<nsROCSSPrimitiveValue> val = new nsROCSSPrimitiveValue;
   CounterStyle* style = StyleList()->GetCounterStyle();
   AnonymousCounterStyle* anonymous = style->AsAnonymous();
-  nsString tmp;
+  nsAutoString tmp;
   if (!anonymous) {
     // want SetIdent
     nsString type;
@@ -3722,7 +3722,7 @@ nsComputedDOMStyle::DoGetTextEmphasisStyle()
   }
   if (style == NS_STYLE_TEXT_EMPHASIS_STYLE_STRING) {
     RefPtr<nsROCSSPrimitiveValue> val = new nsROCSSPrimitiveValue;
-    nsString tmp;
+    nsAutoString tmp;
     nsStyleUtil::AppendEscapedCSSString(
       StyleText()->mTextEmphasisStyleString, tmp);
     val->SetString(tmp);
@@ -3776,7 +3776,7 @@ nsComputedDOMStyle::DoGetTextOverflow()
   RefPtr<nsROCSSPrimitiveValue> first = new nsROCSSPrimitiveValue;
   const nsStyleTextOverflowSide *side = style->mTextOverflow.GetFirstValue();
   if (side->mType == NS_STYLE_TEXT_OVERFLOW_STRING) {
-    nsString str;
+    nsAutoString str;
     nsStyleUtil::AppendEscapedCSSString(side->mString, str);
     first->SetString(str);
   } else {
@@ -3790,7 +3790,7 @@ nsComputedDOMStyle::DoGetTextOverflow()
   }
   RefPtr<nsROCSSPrimitiveValue> second = new nsROCSSPrimitiveValue;
   if (side->mType == NS_STYLE_TEXT_OVERFLOW_STRING) {
-    nsString str;
+    nsAutoString str;
     nsStyleUtil::AppendEscapedCSSString(side->mString, str);
     second->SetString(str);
   } else {
diff --git a/layout/style/nsDOMCSSAttrDeclaration.cpp b/layout/style/nsDOMCSSAttrDeclaration.cpp
index b1af98fd3d..96f24e810a 100644
--- a/layout/style/nsDOMCSSAttrDeclaration.cpp
+++ b/layout/style/nsDOMCSSAttrDeclaration.cpp
@@ -186,7 +186,7 @@ nsDOMCSSAttributeDeclaration::SetPropertyValue(const nsCSSProperty aPropID,
       aPropID == eCSSProperty_background_position) {
     nsIFrame* frame = mElement->GetPrimaryFrame();
     if (frame) {
-      ActiveLayerTracker::NotifyInlineStyleRuleModified(frame, aPropID);
+      ActiveLayerTracker::NotifyInlineStyleRuleModified(frame, aPropID, aValue, this);
     }
   }
   return nsDOMCSSDeclaration::SetPropertyValue(aPropID, aValue);
diff --git a/layout/style/nsDOMCSSDeclaration.cpp b/layout/style/nsDOMCSSDeclaration.cpp
index a8ab190c19..da39b44df6 100644
--- a/layout/style/nsDOMCSSDeclaration.cpp
+++ b/layout/style/nsDOMCSSDeclaration.cpp
@@ -85,10 +85,15 @@ nsDOMCSSDeclaration::SetPropertyValue(const nsCSSProperty aPropID,
     case eCSSProperty_left:
     case eCSSProperty_bottom:
     case eCSSProperty_right:
+    case eCSSProperty_margin:
     case eCSSProperty_margin_top:
     case eCSSProperty_margin_left:
     case eCSSProperty_margin_bottom:
     case eCSSProperty_margin_right:
+    case eCSSProperty_margin_inline_start:
+    case eCSSProperty_margin_inline_end:
+    case eCSSProperty_margin_block_start:
+    case eCSSProperty_margin_block_end:
       mozilla::layers::ScrollLinkedEffectDetector::PositioningPropertyMutated();
       break;
     default:
diff --git a/layout/style/nsLayoutStylesheetCache.cpp b/layout/style/nsLayoutStylesheetCache.cpp
index 2d2ffb1494..66f25ac34f 100644
--- a/layout/style/nsLayoutStylesheetCache.cpp
+++ b/layout/style/nsLayoutStylesheetCache.cpp
@@ -75,7 +75,7 @@ nsLayoutStylesheetCache::ScrollbarsSheet()
   if (!mScrollbarsSheet) {
     // Scrollbars don't need access to unsafe rules
     LoadSheetURL("chrome://global/skin/scrollbars.css",
-                 mScrollbarsSheet, eAuthorSheetFeatures);
+                 &mScrollbarsSheet, eAuthorSheetFeatures);
   }
 
   return mScrollbarsSheet;
@@ -87,7 +87,7 @@ nsLayoutStylesheetCache::FormsSheet()
   if (!mFormsSheet) {
     // forms.css needs access to unsafe rules
     LoadSheetURL("resource://gre-resources/forms.css",
-                 mFormsSheet, eAgentSheetFeatures);
+                 &mFormsSheet, eAgentSheetFeatures);
   }
 
   return mFormsSheet;
@@ -102,7 +102,7 @@ nsLayoutStylesheetCache::NumberControlSheet()
 
   if (!mNumberControlSheet) {
     LoadSheetURL("resource://gre-resources/number-control.css",
-                 mNumberControlSheet, eAgentSheetFeatures);
+                 &mNumberControlSheet, eAgentSheetFeatures);
   }
 
   return mNumberControlSheet;
@@ -125,7 +125,7 @@ nsLayoutStylesheetCache::UASheet()
 {
   if (!mUASheet) {
     LoadSheetURL("resource://gre-resources/ua.css",
-                 mUASheet, eAgentSheetFeatures);
+                 &mUASheet, eAgentSheetFeatures);
   }
 
   return mUASheet;
@@ -136,7 +136,7 @@ nsLayoutStylesheetCache::HTMLSheet()
 {
   if (!mHTMLSheet) {
     LoadSheetURL("resource://gre-resources/html.css",
-                 mHTMLSheet, eAgentSheetFeatures);
+                 &mHTMLSheet, eAgentSheetFeatures);
   }
 
   return mHTMLSheet;
@@ -171,7 +171,7 @@ nsLayoutStylesheetCache::MathMLSheet()
 {
   if (!mMathMLSheet) {
     LoadSheetURL("resource://gre-resources/mathml.css",
-                 mMathMLSheet, eAgentSheetFeatures);
+                 &mMathMLSheet, eAgentSheetFeatures);
   }
 
   return mMathMLSheet;
@@ -188,7 +188,7 @@ nsLayoutStylesheetCache::NoScriptSheet()
 {
   if (!mNoScriptSheet) {
     LoadSheetURL("resource://gre-resources/noscript.css",
-                 mNoScriptSheet, eAgentSheetFeatures);
+                 &mNoScriptSheet, eAgentSheetFeatures);
   }
 
   return mNoScriptSheet;
@@ -199,7 +199,7 @@ nsLayoutStylesheetCache::NoFramesSheet()
 {
   if (!mNoFramesSheet) {
     LoadSheetURL("resource://gre-resources/noframes.css",
-                 mNoFramesSheet, eAgentSheetFeatures);
+                 &mNoFramesSheet, eAgentSheetFeatures);
   }
 
   return mNoFramesSheet;
@@ -209,7 +209,7 @@ StyleSheetHandle
 nsLayoutStylesheetCache::ChromePreferenceSheet(nsPresContext* aPresContext)
 {
   if (!mChromePreferenceSheet) {
-    BuildPreferenceSheet(mChromePreferenceSheet, aPresContext);
+    BuildPreferenceSheet(&mChromePreferenceSheet, aPresContext);
   }
 
   return mChromePreferenceSheet;
@@ -219,7 +219,7 @@ StyleSheetHandle
 nsLayoutStylesheetCache::ContentPreferenceSheet(nsPresContext* aPresContext)
 {
   if (!mContentPreferenceSheet) {
-    BuildPreferenceSheet(mContentPreferenceSheet, aPresContext);
+    BuildPreferenceSheet(&mContentPreferenceSheet, aPresContext);
   }
 
   return mContentPreferenceSheet;
@@ -230,7 +230,7 @@ nsLayoutStylesheetCache::ContentEditableSheet()
 {
   if (!mContentEditableSheet) {
     LoadSheetURL("resource://gre/res/contenteditable.css",
-                 mContentEditableSheet, eAgentSheetFeatures);
+                 &mContentEditableSheet, eAgentSheetFeatures);
   }
 
   return mContentEditableSheet;
@@ -241,7 +241,7 @@ nsLayoutStylesheetCache::DesignModeSheet()
 {
   if (!mDesignModeSheet) {
     LoadSheetURL("resource://gre/res/designmode.css",
-                 mDesignModeSheet, eAgentSheetFeatures);
+                 &mDesignModeSheet, eAgentSheetFeatures);
   }
 
   return mDesignModeSheet;
@@ -323,15 +323,15 @@ nsLayoutStylesheetCache::nsLayoutStylesheetCache(StyleBackendType aType)
   // And make sure that we load our UA sheets.  No need to do this
   // per-profile, since they're profile-invariant.
   LoadSheetURL("resource://gre-resources/counterstyles.css",
-               mCounterStylesSheet, eAgentSheetFeatures);
+               &mCounterStylesSheet, eAgentSheetFeatures);
   LoadSheetURL("chrome://global/content/minimal-xul.css",
-               mMinimalXULSheet, eAgentSheetFeatures);
+               &mMinimalXULSheet, eAgentSheetFeatures);
   LoadSheetURL("resource://gre-resources/quirk.css",
-               mQuirkSheet, eAgentSheetFeatures);
+               &mQuirkSheet, eAgentSheetFeatures);
   LoadSheetURL("resource://gre/res/svg.css",
-               mSVGSheet, eAgentSheetFeatures);
+               &mSVGSheet, eAgentSheetFeatures);
   LoadSheetURL("chrome://global/content/xul.css",
-               mXULSheet, eAgentSheetFeatures);
+               &mXULSheet, eAgentSheetFeatures);
 
   // The remaining sheets are created on-demand do to their use being rarer
   // (which helps save memory for Firefox OS apps) or because they need to
@@ -411,13 +411,13 @@ nsLayoutStylesheetCache::InitFromProfile()
   contentFile->Append(NS_LITERAL_STRING("userContent.css"));
   chromeFile->Append(NS_LITERAL_STRING("userChrome.css"));
 
-  LoadSheetFile(contentFile, mUserContentSheet, eUserSheetFeatures);
-  LoadSheetFile(chromeFile, mUserChromeSheet, eUserSheetFeatures);
+  LoadSheetFile(contentFile, &mUserContentSheet, eUserSheetFeatures);
+  LoadSheetFile(chromeFile, &mUserChromeSheet, eUserSheetFeatures);
 }
 
 void
 nsLayoutStylesheetCache::LoadSheetURL(const char* aURL,
-                                      StyleSheetHandle::RefPtr& aSheet,
+                                      StyleSheetHandle::RefPtr* aSheet,
                                       SheetParsingMode aParsingMode)
 {
   nsCOMPtr<nsIURI> uri;
@@ -430,7 +430,7 @@ nsLayoutStylesheetCache::LoadSheetURL(const char* aURL,
 
 void
 nsLayoutStylesheetCache::LoadSheetFile(nsIFile* aFile,
-                                       StyleSheetHandle::RefPtr& aSheet,
+                                       StyleSheetHandle::RefPtr* aSheet,
                                        SheetParsingMode aParsingMode)
 {
   bool exists = false;
@@ -736,7 +736,7 @@ ErrorLoadingBuiltinSheet(nsIURI* aURI, const char* aMsg)
 
 void
 nsLayoutStylesheetCache::LoadSheet(nsIURI* aURI,
-                                   StyleSheetHandle::RefPtr& aSheet,
+                                   StyleSheetHandle::RefPtr* aSheet,
                                    SheetParsingMode aParsingMode)
 {
   if (!aURI) {
@@ -759,7 +759,7 @@ nsLayoutStylesheetCache::LoadSheet(nsIURI* aURI,
 #ifdef MOZ_CRASHREPORTER
   nsZipArchive::sFileCorruptedReason = nullptr;
 #endif
-  nsresult rv = loader->LoadSheetSync(aURI, aParsingMode, true, &aSheet);
+  nsresult rv = loader->LoadSheetSync(aURI, aParsingMode, true, aSheet);
   if (NS_FAILED(rv)) {
     ErrorLoadingBuiltinSheet(aURI,
       nsPrintfCString("LoadSheetSync failed with error %x", rv).get());
@@ -773,18 +773,21 @@ nsLayoutStylesheetCache::InvalidateSheet(StyleSheetHandle::RefPtr* aGeckoSheet,
   MOZ_ASSERT(gCSSLoader_Gecko || gCSSLoader_Servo,
              "pref changed before we loaded a sheet?");
 
+  const bool gotGeckoSheet = aGeckoSheet && *aGeckoSheet;
+  const bool gotServoSheet = aServoSheet && *aServoSheet;
+
   // Make sure sheets have the expected types
-  MOZ_ASSERT(!aGeckoSheet || (*aGeckoSheet)->IsGecko());
-  MOZ_ASSERT(!aServoSheet || (*aServoSheet)->IsServo());
+  MOZ_ASSERT(!gotGeckoSheet || (*aGeckoSheet)->IsGecko());
+  MOZ_ASSERT(!gotServoSheet || (*aServoSheet)->IsServo());
   // Make sure the URIs match
-  MOZ_ASSERT(!aGeckoSheet || !aServoSheet ||
+  MOZ_ASSERT(!gotServoSheet || !gotGeckoSheet ||
              (*aGeckoSheet)->GetSheetURI() == (*aServoSheet)->GetSheetURI(),
              "Sheets passed should have the same URI");
 
   nsIURI* uri;
-  if (aGeckoSheet && *aGeckoSheet) {
+  if (gotGeckoSheet) {
     uri = (*aGeckoSheet)->GetSheetURI();
-  } else if (aServoSheet && *aServoSheet) {
+  } else if (gotServoSheet) {
     uri = (*aServoSheet)->GetSheetURI();
   } else {
     return;
@@ -796,10 +799,10 @@ nsLayoutStylesheetCache::InvalidateSheet(StyleSheetHandle::RefPtr* aGeckoSheet,
   if (gCSSLoader_Servo) {
     gCSSLoader_Servo->ObsoleteSheet(uri);
   }
-  if (aGeckoSheet) {
+  if (gotGeckoSheet) {
     *aGeckoSheet = nullptr;
   }
-  if (aServoSheet) {
+  if (gotServoSheet) {
     *aServoSheet = nullptr;
   }
 }
@@ -839,24 +842,26 @@ nsLayoutStylesheetCache::InvalidatePreferenceSheets()
 }
 
 void
-nsLayoutStylesheetCache::BuildPreferenceSheet(StyleSheetHandle::RefPtr& aSheet,
+nsLayoutStylesheetCache::BuildPreferenceSheet(StyleSheetHandle::RefPtr* aSheet,
                                               nsPresContext* aPresContext)
 {
   if (mBackendType == StyleBackendType::Gecko) {
-    aSheet = new CSSStyleSheet(CORS_NONE, mozilla::net::RP_Default);
+    *aSheet = new CSSStyleSheet(CORS_NONE, mozilla::net::RP_Default);
   } else {
-    aSheet = new ServoStyleSheet(CORS_NONE, mozilla::net::RP_Default,
-                                 dom::SRIMetadata());
+    *aSheet = new ServoStyleSheet(CORS_NONE, mozilla::net::RP_Default,
+                                  dom::SRIMetadata());
   }
 
-  aSheet->SetParsingMode(eAgentSheetFeatures);
+  StyleSheetHandle sheet = *aSheet;
+
+  sheet->SetParsingMode(eAgentSheetFeatures);
 
   nsCOMPtr<nsIURI> uri;
   NS_NewURI(getter_AddRefs(uri), "about:PreferenceStyleSheet", nullptr);
   MOZ_ASSERT(uri, "URI creation shouldn't fail");
 
-  aSheet->SetURIs(uri, uri, uri);
-  aSheet->AsStyleSheet()->SetComplete();
+  sheet->SetURIs(uri, uri, uri);
+  sheet->AsStyleSheet()->SetComplete();
 
   static const uint32_t kPreallocSize = 1024;
 
@@ -943,11 +948,11 @@ nsLayoutStylesheetCache::BuildPreferenceSheet(StyleSheetHandle::RefPtr& aSheet,
                "kPreallocSize should be big enough to build preference style "
                "sheet without reallocation");
 
-  if (aSheet->IsGecko()) {
-    aSheet->AsGecko()->ReparseSheet(sheetText);
+  if (sheet->IsGecko()) {
+    sheet->AsGecko()->ReparseSheet(sheetText);
   } else {
-    aSheet->AsServo()->ParseSheet(sheetText, uri, uri, nullptr, 0,
-                                  SheetParsingMode::eAuthorSheetFeatures);
+    sheet->AsServo()->ParseSheet(sheetText, uri, uri, nullptr, 0,
+                                 SheetParsingMode::eAuthorSheetFeatures);
   }
 
 #undef NS_GET_R_G_B
diff --git a/layout/style/nsLayoutStylesheetCache.h b/layout/style/nsLayoutStylesheetCache.h
index 3d7ff1cd3c..eb9f0ad112 100644
--- a/layout/style/nsLayoutStylesheetCache.h
+++ b/layout/style/nsLayoutStylesheetCache.h
@@ -76,17 +76,17 @@ private:
   void InitFromProfile();
   void InitMemoryReporter();
   void LoadSheetURL(const char* aURL,
-                    mozilla::StyleSheetHandle::RefPtr& aSheet,
+                    mozilla::StyleSheetHandle::RefPtr* aSheet,
                     mozilla::css::SheetParsingMode aParsingMode);
   void LoadSheetFile(nsIFile* aFile,
-                     mozilla::StyleSheetHandle::RefPtr& aSheet,
+                     mozilla::StyleSheetHandle::RefPtr* aSheet,
                      mozilla::css::SheetParsingMode aParsingMode);
-  void LoadSheet(nsIURI* aURI, mozilla::StyleSheetHandle::RefPtr& aSheet,
+  void LoadSheet(nsIURI* aURI, mozilla::StyleSheetHandle::RefPtr* aSheet,
                  mozilla::css::SheetParsingMode aParsingMode);
   static void InvalidateSheet(mozilla::StyleSheetHandle::RefPtr* aGeckoSheet,
                               mozilla::StyleSheetHandle::RefPtr* aServoSheet);
   static void DependentPrefChanged(const char* aPref, void* aData);
-  void BuildPreferenceSheet(mozilla::StyleSheetHandle::RefPtr& aSheet,
+  void BuildPreferenceSheet(mozilla::StyleSheetHandle::RefPtr* aSheet,
                             nsPresContext* aPresContext);
 
   static mozilla::StaticRefPtr<nsLayoutStylesheetCache> gStyleCache_Gecko;
diff --git a/layout/style/nsMediaFeatures.cpp b/layout/style/nsMediaFeatures.cpp
index 0bd1b0cfef..075e1b2519 100644
--- a/layout/style/nsMediaFeatures.cpp
+++ b/layout/style/nsMediaFeatures.cpp
@@ -328,6 +328,9 @@ GetDisplayMode(nsPresContext* aPresContext, const nsMediaFeature*,
   baseWindow->GetMainWidget(getter_AddRefs(mainWidget));
   int32_t displayMode;
   nsSizeMode mode = mainWidget ? mainWidget->SizeMode() : nsSizeMode_Normal;
+  // Background tabs are always in 'browser' mode for now.
+  // If new modes are supported, please ensure not cause the regression in
+  // Bug 1259641.
   switch (mode) {
     case nsSizeMode_Fullscreen:
       displayMode = NS_STYLE_DISPLAY_MODE_FULLSCREEN;
diff --git a/layout/style/nsRuleNode.cpp b/layout/style/nsRuleNode.cpp
index 19aee50a9d..3984f56d30 100644
--- a/layout/style/nsRuleNode.cpp
+++ b/layout/style/nsRuleNode.cpp
@@ -9407,20 +9407,26 @@ nsRuleNode::SetStyleClipPathToCSSValue(nsStyleClipPath* aStyleClipPath,
                                        nsPresContext* aPresContext,
                                        RuleNodeCacheConditions& aConditions)
 {
-  MOZ_ASSERT(aValue->GetUnit() != eCSSUnit_ListDep ||
-             aValue->GetUnit() != eCSSUnit_List,
+  MOZ_ASSERT(aValue->GetUnit() == eCSSUnit_Array,
              "expected a basic shape or reference box");
 
-  const nsCSSValueList* cur = aValue->GetListValue();
+  const nsCSSValue::Array* array = aValue->GetArrayValue();
+  MOZ_ASSERT(array->Count() == 1 || array->Count() == 2,
+             "Expect one or both of a shape function and geometry-box");
 
   uint8_t sizingBox = NS_STYLE_CLIP_SHAPE_SIZING_NOBOX;
-  nsStyleBasicShape* basicShape = nullptr;
-  for (unsigned i = 0; i < 2; ++i) {
-    if (!cur) {
-      break;
-    }
-    if (cur->mValue.GetUnit() == eCSSUnit_Function) {
-      nsCSSValue::Array* shapeFunction = cur->mValue.GetArrayValue();
+  RefPtr<nsStyleBasicShape> basicShape;
+  for (size_t i = 0; i < array->Count(); ++i) {
+    if (array->Item(i).GetUnit() == eCSSUnit_Enumerated) {
+      int32_t type = array->Item(i).GetIntValue();
+      if (type > NS_STYLE_CLIP_SHAPE_SIZING_VIEW ||
+          type < NS_STYLE_CLIP_SHAPE_SIZING_NOBOX) {
+        NS_NOTREACHED("unexpected reference box");
+        return;
+      }
+      sizingBox = (uint8_t)type;
+    } else if (array->Item(i).GetUnit() == eCSSUnit_Function) {
+      nsCSSValue::Array* shapeFunction = array->Item(i).GetArrayValue();
       nsCSSKeyword functionName =
         (nsCSSKeyword)shapeFunction->Item(0).GetIntValue();
       if (functionName == eCSSKeyword_polygon) {
@@ -9557,19 +9563,10 @@ nsRuleNode::SetStyleClipPathToCSSValue(nsStyleClipPath* aStyleClipPath,
         NS_NOTREACHED("unexpected basic shape function");
         return;
       }
-    } else if (cur->mValue.GetUnit() == eCSSUnit_Enumerated) {
-      int32_t type = cur->mValue.GetIntValue();
-      if (type > NS_STYLE_CLIP_SHAPE_SIZING_VIEW ||
-          type < NS_STYLE_CLIP_SHAPE_SIZING_NOBOX) {
-        NS_NOTREACHED("unexpected reference box");
-        return;
-      }
-      sizingBox = (uint8_t)type;
     } else {
       NS_NOTREACHED("unexpected value");
       return;
     }
-    cur = cur->mNext;
   }
 
   if (basicShape) {
@@ -9704,8 +9701,7 @@ nsRuleNode::ComputeSVGResetData(void* aStartStruct,
       }
       break;
     }
-    case eCSSUnit_List:
-    case eCSSUnit_ListDep: {
+    case eCSSUnit_Array: {
       svgReset->mClipPath = nsStyleClipPath();
       SetStyleClipPathToCSSValue(&svgReset->mClipPath, clipPathValue, aContext,
                                  mPresContext, conditions);
diff --git a/layout/style/nsStyleContext.cpp b/layout/style/nsStyleContext.cpp
index 6e2ecd9b5e..b36fed5825 100644
--- a/layout/style/nsStyleContext.cpp
+++ b/layout/style/nsStyleContext.cpp
@@ -346,17 +346,23 @@ nsStyleContext::MoveTo(nsStyleContext* aNewParent)
   MOZ_ASSERT(aNewParent != mParent);
 
   // This function shouldn't be getting called if the parents have different
-  // values for some flags in mBits, because if that were the case we would need
-  // to recompute those bits for |this|.
-  DebugOnly<uint64_t> mask = NS_STYLE_HAS_PSEUDO_ELEMENT_DATA |
-                             NS_STYLE_IN_DISPLAY_NONE_SUBTREE;
-  MOZ_ASSERT((mParent->mBits & mask) == (aNewParent->mBits & mask));
-  MOZ_ASSERT((mParent->mBits & NS_STYLE_HAS_TEXT_DECORATION_LINES) ==
-             (aNewParent->mBits & NS_STYLE_HAS_TEXT_DECORATION_LINES) ||
-             StyleTextReset()->HasTextDecorationLines());
-  MOZ_ASSERT((mParent->mBits & NS_STYLE_RELEVANT_LINK_VISITED) ==
-             (aNewParent->mBits & NS_STYLE_RELEVANT_LINK_VISITED) ||
-             IsLinkContext());
+  // values for some flags in mBits (unless the flag is also set on this style
+  // context) because if that were the case we would need to recompute those
+  // bits for |this|.
+
+#define CHECK_FLAG(bit_) \
+  MOZ_ASSERT((mParent->mBits & (bit_)) == (aNewParent->mBits & (bit_)) ||     \
+             (mBits & (bit_)),                                                \
+             "MoveTo cannot be called if " #bit_ " value on old and new "     \
+             "style context parents do not match, unless the flag is set "    \
+             "on this style context");
+
+  CHECK_FLAG(NS_STYLE_HAS_PSEUDO_ELEMENT_DATA)
+  CHECK_FLAG(NS_STYLE_IN_DISPLAY_NONE_SUBTREE)
+  CHECK_FLAG(NS_STYLE_HAS_TEXT_DECORATION_LINES)
+  CHECK_FLAG(NS_STYLE_RELEVANT_LINK_VISITED)
+
+#undef CHECK_FLAG
 
   // Assertions checking for visited style are just to avoid some tricky
   // cases we can't be bothered handling at the moment.
diff --git a/layout/style/res/ua.css b/layout/style/res/ua.css
index c52c3303fd..ccc7170c0f 100644
--- a/layout/style/res/ua.css
+++ b/layout/style/res/ua.css
@@ -341,6 +341,12 @@ parsererror|sourcetext {
   font-size: 12pt;
 }
 
+div:-moz-native-anonymous.moz-accessiblecaret {
+  /* Add transition effect to make caret size changing smoother. */
+  transition-duration: 250ms;
+  transition-property: width, height, margin-left;
+}
+
 div:-moz-native-anonymous.moz-accessiblecaret,
 div:-moz-native-anonymous.moz-accessiblecaret > div.image,
 div:-moz-native-anonymous.moz-accessiblecaret > div.bar {
diff --git a/layout/style/test/test_selectors.html b/layout/style/test/test_selectors.html
index f5b413b44e..09fe4c9079 100644
--- a/layout/style/test/test_selectors.html
+++ b/layout/style/test/test_selectors.html
@@ -1097,6 +1097,9 @@ function run() {
     test_parseable(":-moz-window-inactive");
     test_parseable("div p:-moz-window-inactive:hover span");
 
+    // Chrome-only
+    test_unbalanced_unparseable(":-moz-browser-frame");
+
     // Plugin pseudoclasses are chrome-only:
     test_unbalanced_unparseable(":-moz-type-unsupported");
     test_unbalanced_unparseable(":-moz-user-disabled");
diff --git a/layout/svg/SVGFEUnstyledLeafFrame.cpp b/layout/svg/SVGFEUnstyledLeafFrame.cpp
index ec25270513..f3e92263f0 100644
--- a/layout/svg/SVGFEUnstyledLeafFrame.cpp
+++ b/layout/svg/SVGFEUnstyledLeafFrame.cpp
@@ -10,15 +10,13 @@
 #include "nsSVGEffects.h"
 #include "nsSVGFilters.h"
 
-typedef nsFrame SVGFEUnstyledLeafFrameBase;
-
-class SVGFEUnstyledLeafFrame : public SVGFEUnstyledLeafFrameBase
+class SVGFEUnstyledLeafFrame : public nsFrame
 {
   friend nsIFrame*
   NS_NewSVGFEUnstyledLeafFrame(nsIPresShell* aPresShell, nsStyleContext* aContext);
 protected:
   explicit SVGFEUnstyledLeafFrame(nsStyleContext* aContext)
-    : SVGFEUnstyledLeafFrameBase(aContext)
+    : nsFrame(aContext)
   {
     AddStateBits(NS_FRAME_SVG_LAYOUT | NS_FRAME_IS_NONDISPLAY);
   }
@@ -32,7 +30,7 @@ public:
 
   virtual bool IsFrameOfType(uint32_t aFlags) const override
   {
-    return SVGFEUnstyledLeafFrameBase::IsFrameOfType(aFlags & ~(nsIFrame::eSVG));
+    return nsFrame::IsFrameOfType(aFlags & ~(nsIFrame::eSVG));
   }
 
 #ifdef DEBUG_FRAME_DUMP
@@ -85,6 +83,5 @@ SVGFEUnstyledLeafFrame::AttributeChanged(int32_t  aNameSpaceID,
     nsSVGEffects::InvalidateDirectRenderingObservers(GetParent()->GetParent());
   }
 
-  return SVGFEUnstyledLeafFrameBase::AttributeChanged(aNameSpaceID,
-                                                        aAttribute, aModType);
+  return nsFrame::AttributeChanged(aNameSpaceID, aAttribute, aModType);
 }
diff --git a/layout/svg/SVGTextFrame.cpp b/layout/svg/SVGTextFrame.cpp
index fc54fb50c6..cc7a82dd6b 100644
--- a/layout/svg/SVGTextFrame.cpp
+++ b/layout/svg/SVGTextFrame.cpp
@@ -3250,6 +3250,10 @@ SVGTextFrame::BuildDisplayList(nsDisplayListBuilder* aBuilder,
     // painting.
     return;
   }
+  if (!IsVisibleForPainting(aBuilder) &&
+      aBuilder->IsForPainting()) {
+    return;
+  }
   aLists.Content()->AppendNewToTop(
     new (aBuilder) nsDisplaySVGText(aBuilder, this));
 }
@@ -3732,8 +3736,8 @@ SVGTextFrame::PaintSVG(gfxContext& aContext,
 
     SVGTextContextPaint contextPaint;
     DrawMode drawMode =
-      SetupContextPaint(&aDrawTarget, aContext.CurrentMatrix(),
-                        frame, outerContextPaint, &contextPaint);
+      nsSVGUtils::SetupContextPaint(&aDrawTarget, aContext.CurrentMatrix(),
+                                    frame, outerContextPaint, &contextPaint);
 
     if (drawMode & DrawMode::GLYPH_STROKE) {
       // This may change the gfxContext's transform (for non-scaling stroke),
@@ -5718,109 +5722,3 @@ SVGTextFrame::TransformFrameRectFromTextChild(const nsRect& aRect,
   return result - framePosition;
 }
 
-/**
- * Stores in |aTargetPaint| information on how to reconstruct the current
- * fill or stroke pattern. Will also set the paint opacity to transparent if
- * the paint is set to "none".
- * @param aOuterContextPaint pattern information from the outer text context
- * @param aTargetPaint where to store the current pattern information
- * @param aFillOrStroke member pointer to the paint we are setting up
- * @param aProperty the frame property descriptor of the fill or stroke paint
- *   server frame
- */
-static void
-SetupInheritablePaint(const DrawTarget* aDrawTarget,
-                      const gfxMatrix& aContextMatrix,
-                      nsIFrame* aFrame,
-                      float& aOpacity,
-                      gfxTextContextPaint* aOuterContextPaint,
-                      SVGTextContextPaint::Paint& aTargetPaint,
-                      nsStyleSVGPaint nsStyleSVG::*aFillOrStroke,
-                      nsSVGEffects::ObserverPropertyDescriptor aProperty)
-{
-  const nsStyleSVG *style = aFrame->StyleSVG();
-  nsSVGPaintServerFrame *ps =
-    nsSVGEffects::GetPaintServer(aFrame, &(style->*aFillOrStroke), aProperty);
-
-  if (ps) {
-    RefPtr<gfxPattern> pattern =
-      ps->GetPaintServerPattern(aFrame, aDrawTarget, aContextMatrix,
-                                aFillOrStroke, aOpacity);
-    if (pattern) {
-      aTargetPaint.SetPaintServer(aFrame, aContextMatrix, ps);
-      return;
-    }
-  }
-  if (aOuterContextPaint) {
-    RefPtr<gfxPattern> pattern;
-    switch ((style->*aFillOrStroke).mType) {
-    case eStyleSVGPaintType_ContextFill:
-      pattern = aOuterContextPaint->GetFillPattern(aDrawTarget, aOpacity,
-                                                   aContextMatrix);
-      break;
-    case eStyleSVGPaintType_ContextStroke:
-      pattern = aOuterContextPaint->GetStrokePattern(aDrawTarget, aOpacity,
-                                                     aContextMatrix);
-      break;
-    default:
-      ;
-    }
-    if (pattern) {
-      aTargetPaint.SetContextPaint(aOuterContextPaint, (style->*aFillOrStroke).mType);
-      return;
-    }
-  }
-  nscolor color =
-    nsSVGUtils::GetFallbackOrPaintColor(aFrame->StyleContext(), aFillOrStroke);
-  aTargetPaint.SetColor(color);
-}
-
-DrawMode
-SVGTextFrame::SetupContextPaint(const DrawTarget* aDrawTarget,
-                                const gfxMatrix& aContextMatrix,
-                                nsIFrame* aFrame,
-                                gfxTextContextPaint* aOuterContextPaint,
-                                SVGTextContextPaint* aThisContextPaint)
-{
-  DrawMode toDraw = DrawMode(0);
-
-  const nsStyleSVG *style = aFrame->StyleSVG();
-
-  // fill:
-  if (style->mFill.mType == eStyleSVGPaintType_None) {
-    aThisContextPaint->SetFillOpacity(0.0f);
-  } else {
-    float opacity = nsSVGUtils::GetOpacity(style->mFillOpacitySource,
-                                           style->mFillOpacity,
-                                           aOuterContextPaint);
-
-    SetupInheritablePaint(aDrawTarget, aContextMatrix, aFrame,
-                          opacity, aOuterContextPaint,
-                          aThisContextPaint->mFillPaint, &nsStyleSVG::mFill,
-                          nsSVGEffects::FillProperty());
-
-    aThisContextPaint->SetFillOpacity(opacity);
-
-    toDraw |= DrawMode::GLYPH_FILL;
-  }
-
-  // stroke:
-  if (style->mStroke.mType == eStyleSVGPaintType_None) {
-    aThisContextPaint->SetStrokeOpacity(0.0f);
-  } else {
-    float opacity = nsSVGUtils::GetOpacity(style->mStrokeOpacitySource,
-                                           style->mStrokeOpacity,
-                                           aOuterContextPaint);
-
-    SetupInheritablePaint(aDrawTarget, aContextMatrix, aFrame,
-                          opacity, aOuterContextPaint,
-                          aThisContextPaint->mStrokePaint, &nsStyleSVG::mStroke,
-                          nsSVGEffects::StrokeProperty());
-
-    aThisContextPaint->SetStrokeOpacity(opacity);
-
-    toDraw |= DrawMode::GLYPH_STROKE;
-  }
-
-  return toDraw;
-}
diff --git a/layout/svg/SVGTextFrame.h b/layout/svg/SVGTextFrame.h
index 90213fa8f0..bc29685309 100644
--- a/layout/svg/SVGTextFrame.h
+++ b/layout/svg/SVGTextFrame.h
@@ -211,8 +211,7 @@ public:
 } // namespace mozilla
 
 /**
- * Frame class for SVG <text> elements, used when the
- * layout.svg.css-text.enabled is true.
+ * Frame class for SVG <text> elements.
  *
  * An SVGTextFrame manages SVG text layout, painting and interaction for
  * all descendent text content elements.  The frame tree will look like this:
@@ -609,12 +608,6 @@ private:
   gfxFloat GetOffsetScale(nsIFrame* aTextPathFrame);
   gfxFloat GetStartOffset(nsIFrame* aTextPathFrame);
 
-  DrawMode SetupContextPaint(const DrawTarget* aDrawTarget,
-                             const gfxMatrix& aContextMatrix,
-                             nsIFrame* aFrame,
-                             gfxTextContextPaint* aOuterContextPaint,
-                             SVGTextContextPaint* aThisContextPaint);
-
   /**
    * The MutationObserver we have registered for the <text> element subtree.
    */
diff --git a/layout/svg/nsSVGClipPathFrame.cpp b/layout/svg/nsSVGClipPathFrame.cpp
index 39f0a672bd..0f4d34843b 100644
--- a/layout/svg/nsSVGClipPathFrame.cpp
+++ b/layout/svg/nsSVGClipPathFrame.cpp
@@ -236,16 +236,20 @@ nsSVGClipPathFrame::GetClipMask(gfxContext& aReferenceContext,
   mat.Invert();
 
   if (aExtraMask) {
-    MOZ_ASSERT(!aExtraMasksTransform.HasNonTranslation());
-
+    // We could potentially due this more efficiently with OPERATOR_IN
+    // but that operator does not work well on CG or D2D
     RefPtr<SourceSurface> currentMask = maskDT->Snapshot();
+    Matrix transform = maskDT->GetTransform();
     maskDT->SetTransform(Matrix());
     maskDT->ClearRect(Rect(0, 0,
                            devSpaceClipExtents.width,
                            devSpaceClipExtents.height));
-    maskDT->MaskSurface(SurfacePattern(currentMask, ExtendMode::CLAMP),
+    maskDT->SetTransform(aExtraMasksTransform * transform);
+    // draw currentMask with the inverse of the transform that we just so that
+    // it ends up in the same spot with aExtraMask transformed by aExtraMasksTransform
+    maskDT->MaskSurface(SurfacePattern(currentMask, ExtendMode::CLAMP, aExtraMasksTransform.Inverse() * ToMatrix(mat)),
                         aExtraMask,
-                        Point(aExtraMasksTransform._31, aExtraMasksTransform._32));
+                        Point(0, 0));
   }
 
   *aMaskTransform = ToMatrix(mat);
diff --git a/layout/svg/nsSVGMaskFrameNEON.cpp b/layout/svg/nsSVGMaskFrameNEON.cpp
index ed324609b8..f690b8164d 100644
--- a/layout/svg/nsSVGMaskFrameNEON.cpp
+++ b/layout/svg/nsSVGMaskFrameNEON.cpp
@@ -7,6 +7,8 @@
 #include "nsSVGMaskFrame.h"
 #include <arm_neon.h>
 
+using namespace mozilla::gfx;
+
 void
 ComputesRGBLuminanceMask_NEON(const uint8_t *aSourceData,
                               int32_t aSourceStride,
diff --git a/layout/svg/nsSVGMaskFrameNEON.h b/layout/svg/nsSVGMaskFrameNEON.h
index 29dc9fab03..1da901ba7f 100644
--- a/layout/svg/nsSVGMaskFrameNEON.h
+++ b/layout/svg/nsSVGMaskFrameNEON.h
@@ -6,16 +6,14 @@
 #ifndef __NS_SVGMASKFRAMENEON_H__
 #define __NS_SVGMASKFRAMENEON_H__
 
-#include "mozilla/gfx/2D.h"
-
-using namespace mozilla::gfx;
+#include "mozilla/gfx/Point.h"
 
 void
 ComputesRGBLuminanceMask_NEON(const uint8_t *aSourceData,
                               int32_t aSourceStride,
                               uint8_t *aDestData,
                               int32_t aDestStride,
-                              const IntSize &aSize,
+                              const mozilla::gfx::IntSize &aSize,
                               float aOpacity);
 
 #endif /* __NS_SVGMASKFRAMENEON_H__ */
diff --git a/layout/svg/nsSVGOuterSVGFrame.cpp b/layout/svg/nsSVGOuterSVGFrame.cpp
index a00ecc2011..d517f293ef 100644
--- a/layout/svg/nsSVGOuterSVGFrame.cpp
+++ b/layout/svg/nsSVGOuterSVGFrame.cpp
@@ -166,15 +166,33 @@ nsSVGOuterSVGFrame::GetPrefISize(nsRenderingContext *aRenderingContext)
   DISPLAY_PREF_WIDTH(this, result);
 
   SVGSVGElement *svg = static_cast<SVGSVGElement*>(mContent);
-  nsSVGLength2 &width = svg->mLengthAttributes[SVGSVGElement::ATTR_WIDTH];
+  WritingMode wm = GetWritingMode();
+  const nsSVGLength2& isize = wm.IsVertical()
+    ? svg->mLengthAttributes[SVGSVGElement::ATTR_HEIGHT]
+    : svg->mLengthAttributes[SVGSVGElement::ATTR_WIDTH];
 
-  if (width.IsPercentage()) {
-    // It looks like our containing block's width may depend on our width. In
-    // that case our behavior is undefined according to CSS 2.1 section 10.3.2,
-    // so return zero.
+  if (isize.IsPercentage()) {
+    // It looks like our containing block's isize may depend on our isize. In
+    // that case our behavior is undefined according to CSS 2.1 section 10.3.2.
+    // As a last resort, we'll fall back to returning zero.
     result = nscoord(0);
+
+    // Returning zero may be unhelpful, however, as it leads to unexpected
+    // disappearance of %-sized SVGs in orthogonal contexts, where our
+    // containing block wants to shrink-wrap. So let's look for an ancestor
+    // with non-zero size in this dimension, and use that as a (somewhat
+    // arbitrary) result instead.
+    nsIFrame *parent = GetParent();
+    while (parent) {
+      nscoord parentISize = parent->GetLogicalSize(wm).ISize(wm);
+      if (parentISize > 0 && parentISize != NS_UNCONSTRAINEDSIZE) {
+        result = parentISize;
+        break;
+      }
+      parent = parent->GetParent();
+    }
   } else {
-    result = nsPresContext::CSSPixelsToAppUnits(width.GetAnimValue(svg));
+    result = nsPresContext::CSSPixelsToAppUnits(isize.GetAnimValue(svg));
     if (result < 0) {
       result = nscoord(0);
     }
@@ -727,7 +745,7 @@ nsSVGOuterSVGFrame::BuildDisplayList(nsDisplayListBuilder*   aBuilder,
     nsDisplayListSet set(contentList, contentList, contentList,
                          contentList, contentList, contentList);
     BuildDisplayListForNonBlockChildren(aBuilder, aDirtyRect, set);
-  } else {
+  } else if (IsVisibleForPainting(aBuilder) || !aBuilder->IsForPainting()) {
     aLists.Content()->AppendNewToTop(
       new (aBuilder) nsDisplayOuterSVG(aBuilder, this));
   }
diff --git a/layout/svg/nsSVGPathGeometryFrame.cpp b/layout/svg/nsSVGPathGeometryFrame.cpp
index cd418a2c43..04392f46cc 100644
--- a/layout/svg/nsSVGPathGeometryFrame.cpp
+++ b/layout/svg/nsSVGPathGeometryFrame.cpp
@@ -231,7 +231,8 @@ nsSVGPathGeometryFrame::BuildDisplayList(nsDisplayListBuilder*   aBuilder,
                                          const nsRect&           aDirtyRect,
                                          const nsDisplayListSet& aLists)
 {
-  if (!static_cast<const nsSVGElement*>(mContent)->HasValidDimensions()) {
+  if (!static_cast<const nsSVGElement*>(mContent)->HasValidDimensions() ||
+      (!IsVisibleForPainting(aBuilder) && aBuilder->IsForPainting())) {
     return;
   }
   aLists.Content()->AppendNewToTop(
diff --git a/layout/svg/nsSVGUtils.cpp b/layout/svg/nsSVGUtils.cpp
index 4f0c775233..1407b94d6f 100644
--- a/layout/svg/nsSVGUtils.cpp
+++ b/layout/svg/nsSVGUtils.cpp
@@ -52,6 +52,7 @@
 #include "mozilla/dom/SVGSVGElement.h"
 #include "nsTextFrame.h"
 #include "SVGContentUtils.h"
+#include "SVGTextFrame.h"
 #include "mozilla/unused.h"
 
 using namespace mozilla;
@@ -384,8 +385,10 @@ nsSVGUtils::GetOuterSVGFrameAndCoveredRegion(nsIFrame* aFrame, nsRect* aRect)
   if (outer == svg) {
     return nullptr;
   }
-  *aRect = (aFrame->GetStateBits() & NS_FRAME_IS_NONDISPLAY) ?
-             nsRect(0, 0, 0, 0) : svg->GetCoveredRegion();
+  nsMargin bp = outer->GetUsedBorderAndPadding();
+  *aRect = ((aFrame->GetStateBits() & NS_FRAME_IS_NONDISPLAY) ?
+             nsRect(0, 0, 0, 0) : svg->GetCoveredRegion()) +
+                 nsPoint(bp.left, bp.top);
   return outer;
 }
 
@@ -1294,6 +1297,113 @@ nsSVGUtils::GetFallbackOrPaintColor(nsStyleContext *aStyleContext,
   return color;
 }
 
+/**
+ * Stores in |aTargetPaint| information on how to reconstruct the current
+ * fill or stroke pattern. Will also set the paint opacity to transparent if
+ * the paint is set to "none".
+ * @param aOuterContextPaint pattern information from the outer text context
+ * @param aTargetPaint where to store the current pattern information
+ * @param aFillOrStroke member pointer to the paint we are setting up
+ * @param aProperty the frame property descriptor of the fill or stroke paint
+ *   server frame
+ */
+static void
+SetupInheritablePaint(const DrawTarget* aDrawTarget,
+                      const gfxMatrix& aContextMatrix,
+                      nsIFrame* aFrame,
+                      float& aOpacity,
+                      gfxTextContextPaint* aOuterContextPaint,
+                      SVGTextContextPaint::Paint& aTargetPaint,
+                      nsStyleSVGPaint nsStyleSVG::*aFillOrStroke,
+                      nsSVGEffects::ObserverPropertyDescriptor aProperty)
+{
+  const nsStyleSVG *style = aFrame->StyleSVG();
+  nsSVGPaintServerFrame *ps =
+    nsSVGEffects::GetPaintServer(aFrame, &(style->*aFillOrStroke), aProperty);
+
+  if (ps) {
+    RefPtr<gfxPattern> pattern =
+      ps->GetPaintServerPattern(aFrame, aDrawTarget, aContextMatrix,
+                                aFillOrStroke, aOpacity);
+    if (pattern) {
+      aTargetPaint.SetPaintServer(aFrame, aContextMatrix, ps);
+      return;
+    }
+  }
+  if (aOuterContextPaint) {
+    RefPtr<gfxPattern> pattern;
+    switch ((style->*aFillOrStroke).mType) {
+    case eStyleSVGPaintType_ContextFill:
+      pattern = aOuterContextPaint->GetFillPattern(aDrawTarget, aOpacity,
+                                                   aContextMatrix);
+      break;
+    case eStyleSVGPaintType_ContextStroke:
+      pattern = aOuterContextPaint->GetStrokePattern(aDrawTarget, aOpacity,
+                                                     aContextMatrix);
+      break;
+    default:
+      ;
+    }
+    if (pattern) {
+      aTargetPaint.SetContextPaint(aOuterContextPaint, (style->*aFillOrStroke).mType);
+      return;
+    }
+  }
+  nscolor color =
+    nsSVGUtils::GetFallbackOrPaintColor(aFrame->StyleContext(), aFillOrStroke);
+  aTargetPaint.SetColor(color);
+}
+
+/* static */ DrawMode
+nsSVGUtils::SetupContextPaint(const DrawTarget* aDrawTarget,
+                              const gfxMatrix& aContextMatrix,
+                              nsIFrame* aFrame,
+                              gfxTextContextPaint* aOuterContextPaint,
+                              SVGTextContextPaint* aThisContextPaint)
+{
+  DrawMode toDraw = DrawMode(0);
+
+  const nsStyleSVG *style = aFrame->StyleSVG();
+
+  // fill:
+  if (style->mFill.mType == eStyleSVGPaintType_None) {
+    aThisContextPaint->SetFillOpacity(0.0f);
+  } else {
+    float opacity = nsSVGUtils::GetOpacity(style->mFillOpacitySource,
+                                           style->mFillOpacity,
+                                           aOuterContextPaint);
+
+    SetupInheritablePaint(aDrawTarget, aContextMatrix, aFrame,
+                          opacity, aOuterContextPaint,
+                          aThisContextPaint->mFillPaint, &nsStyleSVG::mFill,
+                          nsSVGEffects::FillProperty());
+
+    aThisContextPaint->SetFillOpacity(opacity);
+
+    toDraw |= DrawMode::GLYPH_FILL;
+  }
+
+  // stroke:
+  if (style->mStroke.mType == eStyleSVGPaintType_None) {
+    aThisContextPaint->SetStrokeOpacity(0.0f);
+  } else {
+    float opacity = nsSVGUtils::GetOpacity(style->mStrokeOpacitySource,
+                                           style->mStrokeOpacity,
+                                           aOuterContextPaint);
+
+    SetupInheritablePaint(aDrawTarget, aContextMatrix, aFrame,
+                          opacity, aOuterContextPaint,
+                          aThisContextPaint->mStrokePaint, &nsStyleSVG::mStroke,
+                          nsSVGEffects::StrokeProperty());
+
+    aThisContextPaint->SetStrokeOpacity(opacity);
+
+    toDraw |= DrawMode::GLYPH_STROKE;
+  }
+
+  return toDraw;
+}
+
 static float
 MaybeOptimizeOpacity(nsIFrame *aFrame, float aFillOrStrokeOpacity)
 {
diff --git a/layout/svg/nsSVGUtils.h b/layout/svg/nsSVGUtils.h
index c570af435a..dac477d324 100644
--- a/layout/svg/nsSVGUtils.h
+++ b/layout/svg/nsSVGUtils.h
@@ -9,6 +9,7 @@
 // include math.h to pick up definition of M_ maths defines e.g. M_PI
 #include <math.h>
 
+#include "DrawMode.h"
 #include "gfx2DGlue.h"
 #include "gfxMatrix.h"
 #include "gfxPoint.h"
@@ -46,6 +47,7 @@ struct nsStyleSVGPaint;
 struct nsRect;
 
 namespace mozilla {
+struct SVGTextContextPaint;
 namespace dom {
 class Element;
 class UserSpaceMetrics;
@@ -53,7 +55,7 @@ class UserSpaceMetrics;
 namespace gfx {
 class DrawTarget;
 class GeneralPattern;
-}
+} // namespace gfx
 } // namespace mozilla
 
 // maximum dimension of an offscreen surface - choose so that
@@ -178,9 +180,11 @@ class nsSVGUtils
 public:
   typedef mozilla::dom::Element Element;
   typedef mozilla::gfx::AntialiasMode AntialiasMode;
+  typedef mozilla::gfx::DrawTarget DrawTarget;
   typedef mozilla::gfx::FillRule FillRule;
   typedef mozilla::gfx::GeneralPattern GeneralPattern;
   typedef mozilla::gfx::Size Size;
+  typedef mozilla::SVGTextContextPaint SVGTextContextPaint;
 
   static void Init();
 
@@ -492,6 +496,13 @@ public:
   static nscolor GetFallbackOrPaintColor(nsStyleContext *aStyleContext,
                                          nsStyleSVGPaint nsStyleSVG::*aFillOrStroke);
 
+  static DrawMode
+  SetupContextPaint(const DrawTarget* aDrawTarget,
+                    const gfxMatrix& aContextMatrix,
+                    nsIFrame* aFrame,
+                    gfxTextContextPaint* aOuterContextPaint,
+                    SVGTextContextPaint* aThisContextPaint);
+
   static void
   MakeFillPatternFor(nsIFrame *aFrame,
                      gfxContext* aContext,
diff --git a/layout/tables/crashtests/1243623-1.html b/layout/tables/crashtests/1243623-1.html
new file mode 100644
index 0000000000..9fd97b3688
--- /dev/null
+++ b/layout/tables/crashtests/1243623-1.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<style>
+p {
+  writing-mode:tb;
+  float:right;
+  font-size:2000px;
+}
+#bb {
+  position:sticky;
+  display:table-footer-group;
+}
+#dd {
+  transition:2s ease-in;
+}
+</style>
+<body>
+<div id="dd"></div>
+<div id="bb">
+  <p>grilling it up
+</div>
+</body>
+<script>
+document.body.offsetTop;
+dd.style.marginTop = "100px";
+</script>
+</html>
diff --git a/layout/tables/crashtests/crashtests.list b/layout/tables/crashtests/crashtests.list
index efa5f574a7..8c9e38ade4 100644
--- a/layout/tables/crashtests/crashtests.list
+++ b/layout/tables/crashtests/crashtests.list
@@ -151,3 +151,4 @@ load 1027611-1.html
 load 1031934.html
 load 1183896.html
 load 1223232.html
+load 1243623-1.html
diff --git a/layout/tables/nsTableFrame.cpp b/layout/tables/nsTableFrame.cpp
index 3ac5b95ae9..9e023a03b3 100644
--- a/layout/tables/nsTableFrame.cpp
+++ b/layout/tables/nsTableFrame.cpp
@@ -289,11 +289,14 @@ nsTableFrame::RegisterPositionedTablePart(nsIFrame* aFrame)
 nsTableFrame::UnregisterPositionedTablePart(nsIFrame* aFrame,
                                             nsIFrame* aDestructRoot)
 {
-  // Retrieve the table frame, and ensure that we hit aDestructRoot on the way.
-  // If we don't, that means that the table frame will be destroyed, so we don't
-  // need to bother with unregistering this frame.
-  nsTableFrame* tableFrame = GetTableFramePassingThrough(aDestructRoot, aFrame);
-  if (!tableFrame) {
+  // Retrieve the table frame, and check if we hit aDestructRoot on the way.
+  bool didPassThrough;
+  nsTableFrame* tableFrame = GetTableFramePassingThrough(aDestructRoot, aFrame,
+      &didPassThrough);
+  if (!didPassThrough && !tableFrame->GetPrevContinuation()) {
+    // The table frame will be destroyed, and it's the first im flow (and thus
+    // owning the PositionedTablePartArray), so we don't need to do
+    // anything.
     return;
   }
   tableFrame = static_cast<nsTableFrame*>(tableFrame->FirstContinuation());
@@ -3829,19 +3832,20 @@ nsTableFrame::GetTableFrame(nsIFrame* aFrame)
 
 nsTableFrame*
 nsTableFrame::GetTableFramePassingThrough(nsIFrame* aMustPassThrough,
-                                          nsIFrame* aFrame)
+                                          nsIFrame* aFrame,
+                                          bool* aDidPassThrough)
 {
   MOZ_ASSERT(aMustPassThrough == aFrame ||
              nsLayoutUtils::IsProperAncestorFrame(aMustPassThrough, aFrame),
              "aMustPassThrough should be an ancestor");
 
-  // Retrieve the table frame, and ensure that we hit aMustPassThrough on the
-  // way.  If we don't, just return null.
-  bool hitPassThroughFrame = false;
+  // Retrieve the table frame, and check if we hit aMustPassThrough on the
+  // way.
+  *aDidPassThrough = false;
   nsTableFrame* tableFrame = nullptr;
   for (nsIFrame* ancestor = aFrame; ancestor; ancestor = ancestor->GetParent()) {
     if (ancestor == aMustPassThrough) {
-      hitPassThroughFrame = true;
+      *aDidPassThrough = true;
     }
     if (nsGkAtoms::tableFrame == ancestor->GetType()) {
       tableFrame = static_cast<nsTableFrame*>(ancestor);
@@ -3850,7 +3854,7 @@ nsTableFrame::GetTableFramePassingThrough(nsIFrame* aMustPassThrough,
   }
 
   MOZ_ASSERT(tableFrame, "Should have a table frame here");
-  return hitPassThroughFrame ? tableFrame : nullptr;
+  return tableFrame;
 }
 
 bool
diff --git a/layout/tables/nsTableFrame.h b/layout/tables/nsTableFrame.h
index 711b316bdf..683975ce33 100644
--- a/layout/tables/nsTableFrame.h
+++ b/layout/tables/nsTableFrame.h
@@ -218,11 +218,12 @@ public:
   /** helper method to find the table parent of any table frame object */
   static nsTableFrame* GetTableFrame(nsIFrame* aSourceFrame);
 
-  /* Like GetTableFrame, but will return nullptr if we don't pass through
-   * aMustPassThrough on the way to the table.
+  /* Like GetTableFrame, but will set *aDidPassThrough to false if we don't
+   * pass through aMustPassThrough on the way to the table.
    */
   static nsTableFrame* GetTableFramePassingThrough(nsIFrame* aMustPassThrough,
-                                                   nsIFrame* aSourceFrame);
+                                                   nsIFrame* aSourceFrame,
+                                                   bool* aDidPassThrough);
 
   typedef void (* DisplayGenericTablePartTraversal)
       (nsDisplayListBuilder* aBuilder, nsFrame* aFrame,
diff --git a/layout/tables/nsTablePainter.cpp b/layout/tables/nsTablePainter.cpp
index 50a0e07ecb..cf0565a91b 100644
--- a/layout/tables/nsTablePainter.cpp
+++ b/layout/tables/nsTablePainter.cpp
@@ -230,7 +230,7 @@ TableBackgroundPainter::PaintTableFrame(nsTableFrame*         aTableFrame,
   DrawResult result = DrawResult::SUCCESS;
 
   if (tableData.IsVisible()) {
-    result =
+    result &=
       nsCSSRendering::PaintBackgroundWithSC(mPresContext, mRenderingContext,
                                             tableData.mFrame, mDirtyRect,
                                             tableData.mRect + mRenderPt,
@@ -276,15 +276,16 @@ TableBackgroundPainter::PaintTable(nsTableFrame*   aTableFrame,
 
   if (rowGroups.Length() < 1) { //degenerate case
     if (aPaintTableBackground) {
-      PaintTableFrame(aTableFrame, nullptr, nullptr, nsMargin(0,0,0,0));
+      result &= PaintTableFrame(aTableFrame, nullptr, nullptr, nsMargin(0,0,0,0));
     }
     /* No cells; nothing else to paint */
     return result;
   }
 
   if (aPaintTableBackground) {
-    PaintTableFrame(aTableFrame, rowGroups[0], rowGroups[rowGroups.Length() - 1],
-                    aDeflate);
+    result &=
+      PaintTableFrame(aTableFrame, rowGroups[0], rowGroups[rowGroups.Length() - 1],
+                      aDeflate);
   }
 
   /*Set up column background/border data*/
diff --git a/layout/tools/recording/recording.js b/layout/tools/recording/recording.js
index 5d329e6060..552423c9fd 100644
--- a/layout/tools/recording/recording.js
+++ b/layout/tools/recording/recording.js
@@ -4,7 +4,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-const CC = Components.classes;
+var CC = Components.classes;
 const CI = Components.interfaces;
 
 const NS_GFXINFO_CONTRACTID = "@mozilla.org/gfx/info;1";
diff --git a/layout/tools/reftest/reftest-preferences.js b/layout/tools/reftest/reftest-preferences.js
index a3278b0279..087cd1a85c 100644
--- a/layout/tools/reftest/reftest-preferences.js
+++ b/layout/tools/reftest/reftest-preferences.js
@@ -113,3 +113,6 @@ user_pref("startup.homepage_override_url", "");
 user_pref("browser.usedOnWindows10.introURL", "");
 
 user_pref("media.gmp-manager.url.override", "http://localhost/dummy-gmp-manager.xml");
+
+// A fake bool pref for "@supports -moz-bool-pref" sanify test.
+user_pref("testing.supports.moz-bool-pref", true);
diff --git a/layout/xul/nsMenuBarListener.cpp b/layout/xul/nsMenuBarListener.cpp
index f600389b3c..0879b2cd5e 100644
--- a/layout/xul/nsMenuBarListener.cpp
+++ b/layout/xul/nsMenuBarListener.cpp
@@ -408,6 +408,11 @@ nsMenuBarListener::MouseDown(nsIDOMEvent* aMouseEvent)
 nsresult
 nsMenuBarListener::HandleEvent(nsIDOMEvent* aEvent)
 {
+  // If the menu bar is collapsed, don't do anything.
+  if (!mMenuBarFrame->StyleVisibility()->IsVisible()) {
+    return NS_OK;
+  }
+
   nsAutoString eventType;
   aEvent->GetType(eventType);
   
diff --git a/layout/xul/nsMenuFrame.cpp b/layout/xul/nsMenuFrame.cpp
index 3abe06f6b2..0624a35e95 100644
--- a/layout/xul/nsMenuFrame.cpp
+++ b/layout/xul/nsMenuFrame.cpp
@@ -418,6 +418,7 @@ nsMenuFrame::HandleEvent(nsPresContext* aPresContext,
     }
     else {
       if (!IsOpen()) {
+        menuParent->ChangeMenuItem(this, false, false);
         OpenMenu(false);
       }
     }
@@ -466,7 +467,11 @@ nsMenuFrame::HandleEvent(nsPresContext* aPresContext,
         if (IsMenu() && !onmenubar && IsOpen()) {
           // Submenus don't get closed up immediately.
         }
-        else if (this == menuParent->GetCurrentMenuItem()) {
+        else if (this == menuParent->GetCurrentMenuItem()
+#ifdef XP_WIN
+                 && GetParentMenuListType() == eNotMenuList
+#endif
+        ) {
           menuParent->ChangeMenuItem(nullptr, false, false);
         }
       }
diff --git a/layout/xul/test/chrome.ini b/layout/xul/test/chrome.ini
index a3b151e016..b227ccd584 100644
--- a/layout/xul/test/chrome.ini
+++ b/layout/xul/test/chrome.ini
@@ -22,5 +22,6 @@ skip-if = os == 'linux' # No native mousedown event on Linux
 [test_popupZoom.xul]
 [test_resizer.xul]
 [test_stack.xul]
+[test_submenuClose.xul]
 [test_windowminmaxsize.xul]
 skip-if = buildapp == 'mulet'
diff --git a/layout/xul/test/mochitest.ini b/layout/xul/test/mochitest.ini
index 41d1df97f2..dc166ae1ed 100644
--- a/layout/xul/test/mochitest.ini
+++ b/layout/xul/test/mochitest.ini
@@ -9,3 +9,5 @@ skip-if = toolkit == 'android' #bug 798806
 [test_resizer_incontent.xul]
 [test_splitter.xul]
 skip-if = toolkit == 'android' # no XUL theme
+[test_bug1197913.xul]
+skip-if = toolkit == 'android'
diff --git a/layout/xul/test/test_bug1197913.xul b/layout/xul/test/test_bug1197913.xul
new file mode 100644
index 0000000000..5665e0c2ca
--- /dev/null
+++ b/layout/xul/test/test_bug1197913.xul
@@ -0,0 +1,67 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
+<?xml-stylesheet type="text/css" href="/tests/SimpleTest/test.css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1197913
+-->
+<window title="Mozilla Bug 1197913"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        onload="SimpleTest.waitForFocus(nextTest, window)">
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"/>
+  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"/>
+
+
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1197913"
+     target="_blank">Mozilla Bug 1197913</a>
+  </body>
+
+  <menulist>
+    <menupopup>
+      <menuitem label="Car" />
+      <menuitem label="Taxi" id="target" />
+      <menuitem label="Bus" />
+    </menupopup>
+  </menulist>
+
+  <!-- test code goes here -->
+  <script type="application/javascript">
+  <![CDATA[
+  SimpleTest.waitForExplicitFinish();
+
+  let menulist = document.getElementsByTagName("menulist")[0];
+  let menuitem = document.getElementById("target");
+
+  function onDOMMenuItemActive(e) {
+    menuitem.removeEventListener("DOMMenuItemActive", onDOMMenuItemActive);
+
+    synthesizeMouse(menuitem, 0, 0, { type: "mousemove" });
+    synthesizeMouse(menuitem, -1, 0, { type: "mousemove" });
+
+    setTimeout(() => {
+      if (navigator.platform.toLowerCase().startsWith("win")) {
+        ok(menuitem.getAttribute("_moz-menuactive"));
+      } else {
+        ok(!menuitem.getAttribute("_moz-menuactive"));
+      }
+
+      SimpleTest.finish();
+    });
+  }
+
+  function onPopupShown(e) {
+    menulist.removeEventListener("popupshown", onPopupShown);
+    menuitem.addEventListener("DOMMenuItemActive", onDOMMenuItemActive);
+    synthesizeMouse(menuitem, 0, 0, { type: "mousemove" });
+    synthesizeMouse(menuitem, 1, 0, { type: "mousemove" });
+  }
+
+  function nextTest(e) {
+    menulist.addEventListener("popupshown", onPopupShown);
+    synthesizeMouseAtCenter(menulist, {});
+  }
+
+  ]]>
+  </script>
+</window>
diff --git a/layout/xul/test/test_submenuClose.xul b/layout/xul/test/test_submenuClose.xul
new file mode 100644
index 0000000000..907736d999
--- /dev/null
+++ b/layout/xul/test/test_submenuClose.xul
@@ -0,0 +1,91 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
+<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1181560
+-->
+<window title="Mozilla Bug 1181560"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        onload="SimpleTest.waitForFocus(nextTest, window)">
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/EventUtils.js"/>
+
+
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1181560"
+     target="_blank">Mozilla Bug 1181560</a>
+  </body>
+
+  <vbox>
+    <menubar>
+      <menu id="menu" label="MyMenu">
+        <menupopup>
+          <menuitem label="A"/>
+          <menu id="b" label="B">
+            <menupopup>
+              <menuitem label="B1"/>
+            </menupopup>
+          </menu>
+          <menu id="c" label="C">
+            <menupopup>
+              <menuitem label="C1"/>
+            </menupopup>
+          </menu>
+        </menupopup>
+      </menu>
+    </menubar>
+  </vbox>
+
+  <!-- test code goes here -->
+  <script type="application/javascript">
+  <![CDATA[
+  /** Test for Bug 1181560 **/
+  SimpleTest.waitForExplicitFinish();
+
+  let menuB, menuC, mainMenu, menuBOpen, menuCOpen;
+  let menuBOpenCount = 0;
+
+  function handleBOpens() {
+    menuBOpenCount++;
+    menuBOpen = true;
+    ok(!menuCOpen, "Menu C should not be open when menu B has opened");
+    if (menuBOpenCount >= 2) {
+      SimpleTest.finish();
+      return;
+    }
+    sendKey("LEFT", window);
+    sendKey("DOWN", window);
+    sendKey("RIGHT", window);
+  }
+
+  function handleBCloses() {
+    menuBOpen = false;
+  }
+
+  function handleCOpens() {
+    menuCOpen = true;
+    ok(!menuBOpen, "Menu B should not be open when menu C has opened");
+    synthesizeMouseAtCenter(menuB, {}, window);
+  }
+
+  function handleCCloses() {
+    menuCOpen = false;
+  }
+
+  function nextTest(e) {
+    mainMenu = document.getElementById("menu");
+    menuB = document.getElementById("b");
+    menuC = document.getElementById("c");
+    menuB.firstChild.addEventListener("popupshown", handleBOpens, false);
+    menuB.firstChild.addEventListener("popuphidden", handleBCloses, false);
+    menuC.firstChild.addEventListener("popupshown", handleCOpens, false);
+    menuC.firstChild.addEventListener("popuphidden", handleCCloses, false);
+    mainMenu.addEventListener("popupshown", ev => {
+      synthesizeMouseAtCenter(menuB, {}, window);
+    });
+    mainMenu.open = true;
+  }
+  ]]>
+  </script>
+</window>
diff --git a/layout/xul/tree/nsTreeBodyFrame.cpp b/layout/xul/tree/nsTreeBodyFrame.cpp
index 823a97dfbf..fa34c6614f 100644
--- a/layout/xul/tree/nsTreeBodyFrame.cpp
+++ b/layout/xul/tree/nsTreeBodyFrame.cpp
@@ -1192,7 +1192,7 @@ nsTreeBodyFrame::GetCoordsForCellItem(int32_t aRow, nsITreeColumn* aCol, const n
       nsRect twistyRect(cellRect);
       nsStyleContext* twistyContext = GetPseudoStyleContext(nsCSSAnonBoxes::moztreetwisty);
       GetTwistyRect(aRow, currCol, imageRect, twistyRect, presContext,
-                    rc, twistyContext);
+                    twistyContext);
 
       if (NS_LITERAL_CSTRING("twisty").Equals(aElement)) {
         // If we're looking for the twisty Rect, just return the size
@@ -1557,7 +1557,7 @@ nsTreeBodyFrame::GetItemWithinCellAt(nscoord aX, const nsRect& aCellRect,
 
     nsRect imageSize;
     GetTwistyRect(aRowIndex, aColumn, imageSize, twistyRect, presContext,
-                  rc, twistyContext);
+                  twistyContext);
 
     // We will treat a click as hitting the twisty if it happens on the margins, borders, padding,
     // or content of the twisty object.  By allowing a "slop" into the margin, we make it a little
@@ -1716,7 +1716,7 @@ nsTreeBodyFrame::GetCellWidth(int32_t aRow, nsTreeColumn* aCol,
     nsRect imageSize;
     nsRect twistyRect(cellRect);
     GetTwistyRect(aRow, aCol, imageSize, twistyRect, PresContext(),
-                  *aRenderingContext, twistyContext);
+                  twistyContext);
 
     // Add in the margins of the twisty element.
     nsMargin twistyMargin;
@@ -2060,7 +2060,6 @@ nsTreeBodyFrame::GetTwistyRect(int32_t aRowIndex,
                                nsRect& aImageRect,
                                nsRect& aTwistyRect,
                                nsPresContext* aPresContext,
-                               nsRenderingContext& aRenderingContext,
                                nsStyleContext* aTwistyContext)
 {
   // The twisty rect extends all the way to the end of the cell.  This is incorrect.  We need to
@@ -3262,7 +3261,7 @@ nsTreeBodyFrame::PaintCell(int32_t              aRowIndex,
       nsRect imageSize;
       nsRect twistyRect(aCellRect);
       GetTwistyRect(aRowIndex, aColumn, imageSize, twistyRect, aPresContext,
-                    aRenderingContext, twistyContext);
+                    twistyContext);
 
       nsMargin twistyMargin;
       twistyContext->StyleMargin()->GetMargin(twistyMargin);
@@ -3368,7 +3367,8 @@ nsTreeBodyFrame::PaintCell(int32_t              aRowIndex,
       switch (aColumn->GetType()) {
         case nsITreeColumn::TYPE_TEXT:
         case nsITreeColumn::TYPE_PASSWORD:
-          PaintText(aRowIndex, aColumn, elementRect, aPresContext, aRenderingContext, aDirtyRect, currX);
+          result &= PaintText(aRowIndex, aColumn, elementRect, aPresContext,
+                              aRenderingContext, aDirtyRect, currX);
           break;
         case nsITreeColumn::TYPE_CHECKBOX:
           result &= PaintCheckbox(aRowIndex, aColumn, elementRect, aPresContext,
@@ -3386,7 +3386,8 @@ nsTreeBodyFrame::PaintCell(int32_t              aRowIndex,
               break;
             case nsITreeView::PROGRESS_NONE:
             default:
-              PaintText(aRowIndex, aColumn, elementRect, aPresContext, aRenderingContext, aDirtyRect, currX);
+              result &= PaintText(aRowIndex, aColumn, elementRect, aPresContext,
+                                  aRenderingContext, aDirtyRect, currX);
               break;
           }
           break;
@@ -3436,7 +3437,7 @@ nsTreeBodyFrame::PaintTwisty(int32_t              aRowIndex,
 
   nsRect imageSize;
   nsITheme* theme = GetTwistyRect(aRowIndex, aColumn, imageSize, twistyRect,
-                                  aPresContext, aRenderingContext, twistyContext);
+                                  aPresContext, twistyContext);
 
   // Subtract out the remaining width.  This is done even when we don't actually paint a twisty in 
   // this cell, so that cells in different rows still line up.
@@ -3611,26 +3612,44 @@ nsTreeBodyFrame::PaintImage(int32_t              aRowIndex,
     // Deflate destRect for the border and padding.
     destRect.Deflate(bp);
 
-    // Get the image source rectangle - the rectangle containing the part of
-    // the image that we are going to display.
-    // sourceRect will be passed as the aSrcRect argument in the DrawImage method.
-    nsRect sourceRect = GetImageSourceRect(imageContext, useImageRegion, image);
-
-    // Let's say that the image is 100 pixels tall and
-    // that the CSS has specified that the destination height should be 50
-    // pixels tall. Let's say that the cell height is only 20 pixels. So, in
-    // those 20 visible pixels, we want to see the top 20/50ths of the image.
-    // So, the sourceRect.height should be 100 * 20 / 50, which is 40 pixels.
-    // Essentially, we are scaling the image as dictated by the CSS destination
-    // height and width, and we are then clipping the scaled image by the cell
-    // width and height.
+    // Compute the area where our whole image would be mapped, to get the
+    // desired subregion onto our actual destRect:
+    nsRect wholeImageDest;
     CSSIntSize rawImageCSSIntSize;
-    image->GetWidth(&rawImageCSSIntSize.width);
-    image->GetHeight(&rawImageCSSIntSize.height);
-    nsSize rawImageSize(CSSPixel::ToAppUnits(rawImageCSSIntSize));
-    nsRect wholeImageDest =
-      nsLayoutUtils::GetWholeImageDestination(rawImageSize, sourceRect,
-          nsRect(destRect.TopLeft(), imageDestSize));
+    if (NS_SUCCEEDED(image->GetWidth(&rawImageCSSIntSize.width)) &&
+        NS_SUCCEEDED(image->GetHeight(&rawImageCSSIntSize.height))) {
+      // Get the image source rectangle - the rectangle containing the part of
+      // the image that we are going to display.  sourceRect will be passed as
+      // the aSrcRect argument in the DrawImage method.
+      nsRect sourceRect = GetImageSourceRect(imageContext, useImageRegion, image);
+
+      // Let's say that the image is 100 pixels tall and that the CSS has
+      // specified that the destination height should be 50 pixels tall. Let's
+      // say that the cell height is only 20 pixels. So, in those 20 visible
+      // pixels, we want to see the top 20/50ths of the image.  So, the
+      // sourceRect.height should be 100 * 20 / 50, which is 40 pixels.
+      // Essentially, we are scaling the image as dictated by the CSS
+      // destination height and width, and we are then clipping the scaled
+      // image by the cell width and height.
+      nsSize rawImageSize(CSSPixel::ToAppUnits(rawImageCSSIntSize));
+      wholeImageDest =
+        nsLayoutUtils::GetWholeImageDestination(rawImageSize, sourceRect,
+                                                nsRect(destRect.TopLeft(),
+                                                       imageDestSize));
+    } else {
+      // GetWidth/GetHeight failed, so we can't easily map a subregion of the
+      // source image onto the destination area.
+      // * If this happens with a RasterImage, it probably means the image is
+      // in an error state, and we shouldn't draw anything. Hence, we leave
+      // wholeImageDest as an empty rect (its initial state).
+      // * If this happens with a VectorImage, it probably means the image has
+      // no explicit width or height attribute -- but we can still proceed and
+      // just treat the destination area as our whole SVG image area. Hence, we
+      // set wholeImageDest to the full destRect.
+      if (image->GetType() == imgIContainer::TYPE_VECTOR) {
+        wholeImageDest = destRect;
+      }
+    }
 
     gfxContext* ctx = aRenderingContext.ThebesContext();
     if (opacity != 1.0f) {
@@ -3658,7 +3677,7 @@ nsTreeBodyFrame::PaintImage(int32_t              aRowIndex,
   return result;
 }
 
-void
+DrawResult
 nsTreeBodyFrame::PaintText(int32_t              aRowIndex,
                            nsTreeColumn*        aColumn,
                            const nsRect&        aTextRect,
@@ -3683,8 +3702,12 @@ nsTreeBodyFrame::PaintText(int32_t              aRowIndex,
   // necessary
   CheckTextForBidi(text);
 
-  if (text.Length() == 0)
-    return; // Don't paint an empty string. XXX What about background/borders? Still paint?
+  DrawResult result = DrawResult::SUCCESS;
+
+  if (text.Length() == 0) {
+    // Don't paint an empty string. XXX What about background/borders? Still paint?
+    return result;
+  }
 
   int32_t appUnitsPerDevPixel = PresContext()->AppUnitsPerDevPixel();
   DrawTarget* drawTarget = aRenderingContext.GetDrawTarget();
@@ -3729,7 +3752,8 @@ nsTreeBodyFrame::PaintText(int32_t              aRowIndex,
   if (!isRTL)
     aCurrX += textRect.width + textMargin.LeftRight();
 
-  PaintBackgroundLayer(textContext, aPresContext, aRenderingContext, textRect, aDirtyRect);
+  result &= PaintBackgroundLayer(textContext, aPresContext, aRenderingContext,
+                                 textRect, aDirtyRect);
 
   // Time to paint our text.
   textRect.Deflate(bp);
@@ -3783,6 +3807,7 @@ nsTreeBodyFrame::PaintText(int32_t              aRowIndex,
     ctx->PopGroupAndBlend();
   }
 
+  return result;
 }
 
 DrawResult
@@ -4016,8 +4041,8 @@ nsTreeBodyFrame::PaintDropFeedback(const nsRect&        aDropFeedbackRect,
       nsStyleContext* twistyContext = GetPseudoStyleContext(nsCSSAnonBoxes::moztreetwisty);
       nsRect imageSize;
       nsRect twistyRect;
-      GetTwistyRect(mSlots->mDropRow, primaryCol, imageSize, twistyRect, aPresContext,
-                    aRenderingContext, twistyContext);
+      GetTwistyRect(mSlots->mDropRow, primaryCol, imageSize, twistyRect,
+                    aPresContext, twistyContext);
       nsMargin twistyMargin;
       twistyContext->StyleMargin()->GetMargin(twistyMargin);
       twistyRect.Inflate(twistyMargin);
diff --git a/layout/xul/tree/nsTreeBodyFrame.h b/layout/xul/tree/nsTreeBodyFrame.h
index 0e344731a1..bf7a2fcba6 100644
--- a/layout/xul/tree/nsTreeBodyFrame.h
+++ b/layout/xul/tree/nsTreeBodyFrame.h
@@ -262,13 +262,13 @@ protected:
                         nscoord&             aCurrX);
 
   // This method paints the text string inside a particular cell of the tree.
-  void PaintText(int32_t              aRowIndex, 
-                 nsTreeColumn*        aColumn,
-                 const nsRect&        aTextRect,
-                 nsPresContext*      aPresContext,
-                 nsRenderingContext& aRenderingContext,
-                 const nsRect&        aDirtyRect,
-                 nscoord&             aCurrX);
+  DrawResult PaintText(int32_t             aRowIndex,
+                       nsTreeColumn*       aColumn,
+                       const nsRect&       aTextRect,
+                       nsPresContext*      aPresContext,
+                       nsRenderingContext& aRenderingContext,
+                       const nsRect&       aDirtyRect,
+                       nscoord&            aCurrX);
 
   // This method paints the checkbox inside a particular cell of the tree.
   DrawResult PaintCheckbox(int32_t              aRowIndex, 
@@ -332,7 +332,6 @@ protected:
                           nsRect& aImageRect,
                           nsRect& aTwistyRect,
                           nsPresContext* aPresContext,
-                          nsRenderingContext& aRenderingContext,
                           nsStyleContext* aTwistyContext);
 
   // Fetch an image from the image cache.
diff --git a/layout/xul/tree/nsTreeColumns.cpp b/layout/xul/tree/nsTreeColumns.cpp
index 0d344ee964..45e5a8adaf 100644
--- a/layout/xul/tree/nsTreeColumns.cpp
+++ b/layout/xul/tree/nsTreeColumns.cpp
@@ -395,8 +395,7 @@ nsTreeColumn::Invalidate(mozilla::ErrorResult& aRv)
 }
 
 nsTreeColumns::nsTreeColumns(nsTreeBodyFrame* aTree)
-  : mTree(aTree),
-    mFirstColumn(nullptr)
+  : mTree(aTree)
 {
 }
 
@@ -671,7 +670,7 @@ nsTreeColumns::InvalidateColumns()
        currCol = currCol->GetNext()) {
     currCol->SetColumns(nullptr);
   }
-  NS_IF_RELEASE(mFirstColumn);
+  mFirstColumn = nullptr;
   return NS_OK;
 }
 
@@ -761,7 +760,7 @@ nsTreeColumns::EnsureColumns()
           col->SetPrevious(currCol);
         }
         else {
-          NS_ADDREF(mFirstColumn = col);
+          mFirstColumn = col;
         }
         currCol = col;
       }
diff --git a/layout/xul/tree/nsTreeColumns.h b/layout/xul/tree/nsTreeColumns.h
index 00f77f7be5..54fed19663 100644
--- a/layout/xul/tree/nsTreeColumns.h
+++ b/layout/xul/tree/nsTreeColumns.h
@@ -211,7 +211,7 @@ private:
    * XXX this means that new nsTreeColumn objects are unnecessarily created
    *     for untouched columns.
    */
-  nsTreeColumn* mFirstColumn;
+  RefPtr<nsTreeColumn> mFirstColumn;
 };
 
 #endif // nsTreeColumns_h__
diff --git a/layout/xul/tree/nsTreeContentView.cpp b/layout/xul/tree/nsTreeContentView.cpp
index 3dfbb2c201..66cc0072ff 100644
--- a/layout/xul/tree/nsTreeContentView.cpp
+++ b/layout/xul/tree/nsTreeContentView.cpp
@@ -171,7 +171,7 @@ nsTreeContentView::GetRowProperties(int32_t aIndex, nsAString& aProps)
   if (aIndex < 0 || aIndex >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   nsIContent* realRow;
   if (row->IsSeparator())
     realRow = row->mContent;
@@ -194,7 +194,7 @@ nsTreeContentView::GetCellProperties(int32_t aRow, nsITreeColumn* aCol,
   if (aRow < 0 || aRow >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
   if (realRow) {
@@ -323,10 +323,10 @@ nsTreeContentView::HasNextSibling(int32_t aRowIndex, int32_t aAfterIndex, bool*
   if (parentIndex >= 0) {
     // Compute the last index in this subtree.
     int32_t lastIndex = parentIndex + (mRows[parentIndex])->mSubtreeSize;
-    Row* row = mRows[lastIndex];
+    Row* row = mRows[lastIndex].get();
     while (row->mParentIndex != parentIndex) {
       lastIndex = row->mParentIndex;
-      row = mRows[lastIndex];
+      row = mRows[lastIndex].get();
     }
 
     *_retval = aRowIndex < lastIndex;
@@ -346,10 +346,10 @@ nsTreeContentView::GetLevel(int32_t aIndex, int32_t* _retval)
     return NS_ERROR_INVALID_ARG;   
 
   int32_t level = 0;
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   while (row->mParentIndex >= 0) {
     level++;
-    row = mRows[row->mParentIndex];
+    row = mRows[row->mParentIndex].get();
   }
   *_retval = level;
 
@@ -365,7 +365,7 @@ nsTreeContentView::GetImageSrc(int32_t aRow, nsITreeColumn* aCol, nsAString& _re
   if (aRow < 0 || aRow >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -388,7 +388,7 @@ nsTreeContentView::GetProgressMode(int32_t aRow, nsITreeColumn* aCol, int32_t* _
 
   *_retval = nsITreeView::PROGRESS_NONE;
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -417,7 +417,7 @@ nsTreeContentView::GetCellValue(int32_t aRow, nsITreeColumn* aCol, nsAString& _r
   if (aRow < 0 || aRow >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -441,7 +441,7 @@ nsTreeContentView::GetCellText(int32_t aRow, nsITreeColumn* aCol, nsAString& _re
   if (aRow < 0 || aRow >= int32_t(mRows.Length()) || !aCol)
     return NS_ERROR_INVALID_ARG;
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   // Check for a "label" attribute - this is valid on an <treeitem>
   // with a single implied column.
@@ -512,7 +512,7 @@ nsTreeContentView::ToggleOpenState(int32_t aIndex)
 
   // We don't serialize content right here, since content might be generated
   // lazily.
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
 
   if (row->IsOpen())
     row->mContent->SetAttr(kNameSpaceID_None, nsGkAtoms::open, NS_LITERAL_STRING("false"), true);
@@ -587,7 +587,7 @@ nsTreeContentView::IsEditable(int32_t aRow, nsITreeColumn* aCol, bool* _retval)
 
   *_retval = true;
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -612,7 +612,7 @@ nsTreeContentView::IsSelectable(int32_t aRow, nsITreeColumn* aCol, bool* _retval
 
   *_retval = true;
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -635,7 +635,7 @@ nsTreeContentView::SetCellValue(int32_t aRow, nsITreeColumn* aCol, const nsAStri
   if (aRow < 0 || aRow >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -656,7 +656,7 @@ nsTreeContentView::SetCellText(int32_t aRow, nsITreeColumn* aCol, const nsAStrin
   if (aRow < 0 || aRow >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aRow];
+  Row* row = mRows[aRow].get();
 
   nsIContent* realRow =
     nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treerow);
@@ -695,7 +695,7 @@ nsTreeContentView::GetItemAtIndex(int32_t aIndex, nsIDOMElement** _retval)
   if (aIndex < 0 || aIndex >= int32_t(mRows.Length()))
     return NS_ERROR_INVALID_ARG;   
 
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   row->mContent->QueryInterface(NS_GET_IID(nsIDOMElement), (void**)_retval);
 
   return NS_OK;
@@ -796,7 +796,7 @@ nsTreeContentView::AttributeChanged(nsIDocument*  aDocument,
   else if (aElement->IsXULElement(nsGkAtoms::treeitem)) {
     int32_t index = FindContent(aElement);
     if (index >= 0) {
-      Row* row = mRows[index];
+      Row* row = mRows[index].get();
       if (aAttribute == nsGkAtoms::container) {
         bool isContainer =
           aElement->AttrValueIs(kNameSpaceID_None, nsGkAtoms::container,
@@ -917,7 +917,7 @@ nsTreeContentView::ContentInserted(nsIDocument *aDocument,
   if (aChild->IsXULElement(nsGkAtoms::treechildren)) {
     int32_t index = FindContent(aContainer);
     if (index >= 0) {
-      Row* row = mRows[index];
+      Row* row = mRows[index].get();
       row->SetEmpty(false);
       if (mBoxObject)
         mBoxObject->InvalidateRow(index);
@@ -987,7 +987,7 @@ nsTreeContentView::ContentRemoved(nsIDocument *aDocument,
   if (aChild->IsXULElement(nsGkAtoms::treechildren)) {
     int32_t index = FindContent(aContainer);
     if (index >= 0) {
-      Row* row = mRows[index];
+      Row* row = mRows[index].get();
       row->SetEmpty(true);
       int32_t count = RemoveSubtree(index);
       // Invalidate also the row to update twisty.
@@ -1033,7 +1033,7 @@ nsTreeContentView::NodeWillBeDestroyed(const nsINode* aNode)
 // Recursively serialize content, starting with aContent.
 void
 nsTreeContentView::Serialize(nsIContent* aContent, int32_t aParentIndex,
-                             int32_t* aIndex, nsTArray<nsAutoPtr<Row> >& aRows)
+                             int32_t* aIndex, nsTArray<UniquePtr<Row>>& aRows)
 {
   // Don't allow non-XUL nodes.
   if (!aContent->IsXULElement())
@@ -1055,14 +1055,14 @@ nsTreeContentView::Serialize(nsIContent* aContent, int32_t aParentIndex,
 
 void
 nsTreeContentView::SerializeItem(nsIContent* aContent, int32_t aParentIndex,
-                                 int32_t* aIndex, nsTArray<nsAutoPtr<Row> >& aRows)
+                                 int32_t* aIndex, nsTArray<UniquePtr<Row>>& aRows)
 {
   if (aContent->AttrValueIs(kNameSpaceID_None, nsGkAtoms::hidden,
                             nsGkAtoms::_true, eCaseMatters))
     return;
 
-  Row* row = new Row(aContent, aParentIndex);
-  aRows.AppendElement(row);
+  aRows.AppendElement(MakeUnique<Row>(aContent, aParentIndex));
+  Row* row = aRows.LastElement().get();
 
   if (aContent->AttrValueIs(kNameSpaceID_None, nsGkAtoms::container,
                             nsGkAtoms::_true, eCaseMatters)) {
@@ -1091,15 +1091,15 @@ nsTreeContentView::SerializeItem(nsIContent* aContent, int32_t aParentIndex,
 void
 nsTreeContentView::SerializeSeparator(nsIContent* aContent,
                                       int32_t aParentIndex, int32_t* aIndex,
-                                      nsTArray<nsAutoPtr<Row> >& aRows)
+                                      nsTArray<UniquePtr<Row>>& aRows)
 {
   if (aContent->AttrValueIs(kNameSpaceID_None, nsGkAtoms::hidden,
                             nsGkAtoms::_true, eCaseMatters))
     return;
 
-  Row* row = new Row(aContent, aParentIndex);
+  auto row = MakeUnique<Row>(aContent, aParentIndex);
   row->SetSeparator(true);
-  aRows.AppendElement(row);
+  aRows.AppendElement(Move(row));
 }
 
 void
@@ -1143,7 +1143,7 @@ nsTreeContentView::GetIndexInSubtree(nsIContent* aContainer,
 int32_t
 nsTreeContentView::EnsureSubtree(int32_t aIndex)
 {
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
 
   nsIContent* child;
   child = nsTreeUtils::GetImmediateChild(row->mContent, nsGkAtoms::treechildren);
@@ -1151,14 +1151,17 @@ nsTreeContentView::EnsureSubtree(int32_t aIndex)
     return 0;
   }
 
-  AutoTArray<nsAutoPtr<Row>, 8> rows;
+  AutoTArray<UniquePtr<Row>, 8> rows;
   int32_t index = 0;
   Serialize(child, aIndex, &index, rows);
-  // We can't use InsertElementsAt since the destination can't steal
-  // ownership from its const source argument.
+  // Insert |rows| into |mRows| at position |aIndex|, by first creating empty
+  // UniquePtr entries and then Move'ing |rows|'s entries into them. (Note
+  // that we can't simply use InsertElementsAt with an array argument, since
+  // the destination can't steal ownership from its const source argument.)
+  UniquePtr<Row>* newRows = mRows.InsertElementsAt(aIndex + 1,
+                                                   rows.Length());
   for (nsTArray<Row>::index_type i = 0; i < rows.Length(); i++) {
-    nsAutoPtr<Row>* newRow = mRows.InsertElementAt(aIndex + i + 1);
-    *newRow = rows[i];
+    newRows[i] = Move(rows[i]);
   }
   int32_t count = rows.Length();
 
@@ -1175,7 +1178,7 @@ nsTreeContentView::EnsureSubtree(int32_t aIndex)
 int32_t
 nsTreeContentView::RemoveSubtree(int32_t aIndex)
 {
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   int32_t count = row->mSubtreeSize;
 
   mRows.RemoveElementsAt(aIndex + 1, count);
@@ -1226,7 +1229,7 @@ nsTreeContentView::InsertRowFor(nsIContent* aParent, nsIContent* aChild)
 int32_t
 nsTreeContentView::InsertRow(int32_t aParentIndex, int32_t aIndex, nsIContent* aContent)
 {
-  AutoTArray<nsAutoPtr<Row>, 8> rows;
+  AutoTArray<UniquePtr<Row>, 8> rows;
   if (aContent->IsXULElement(nsGkAtoms::treeitem)) {
     SerializeItem(aContent, aParentIndex, &aIndex, rows);
   } else if (aContent->IsXULElement(nsGkAtoms::treeseparator)) {
@@ -1235,11 +1238,10 @@ nsTreeContentView::InsertRow(int32_t aParentIndex, int32_t aIndex, nsIContent* a
 
   // We can't use InsertElementsAt since the destination can't steal
   // ownership from its const source argument.
-  for (nsTArray<Row>::index_type i = 0; i < rows.Length(); i++) {
-    nsAutoPtr<Row>* newRow = mRows.InsertElementAt(aParentIndex + aIndex + i + 1);
-    *newRow = rows[i];
-  }
   int32_t count = rows.Length();
+  for (nsTArray<Row>::index_type i = 0; i < size_t(count); i++) {
+    mRows.InsertElementAt(aParentIndex + aIndex + i + 1, Move(rows[i]));
+  }
 
   UpdateSubtreeSizes(aParentIndex, count);
 
@@ -1253,7 +1255,7 @@ nsTreeContentView::InsertRow(int32_t aParentIndex, int32_t aIndex, nsIContent* a
 int32_t
 nsTreeContentView::RemoveRow(int32_t aIndex)
 {
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   int32_t count = row->mSubtreeSize + 1;
   int32_t parentIndex = row->mParentIndex;
 
@@ -1282,7 +1284,7 @@ nsTreeContentView::ClearRows()
 void
 nsTreeContentView::OpenContainer(int32_t aIndex)
 {
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   row->SetOpen(true);
 
   int32_t count = EnsureSubtree(aIndex);
@@ -1295,7 +1297,7 @@ nsTreeContentView::OpenContainer(int32_t aIndex)
 void
 nsTreeContentView::CloseContainer(int32_t aIndex)
 {
-  Row* row = mRows[aIndex];
+  Row* row = mRows[aIndex].get();
   row->SetOpen(false);
 
   int32_t count = RemoveSubtree(aIndex);
@@ -1321,7 +1323,7 @@ void
 nsTreeContentView::UpdateSubtreeSizes(int32_t aParentIndex, int32_t count)
 {
   while (aParentIndex >= 0) {
-    Row* row = mRows[aParentIndex];
+    Row* row = mRows[aParentIndex].get();
     row->mSubtreeSize += count;
     aParentIndex = row->mParentIndex;
   }
@@ -1332,7 +1334,7 @@ nsTreeContentView::UpdateParentIndexes(int32_t aIndex, int32_t aSkip, int32_t aC
 {
   int32_t count = mRows.Length();
   for (int32_t i = aIndex + aSkip; i < count; i++) {
-    Row* row = mRows[i];
+    Row* row = mRows[i].get();
     if (row->mParentIndex > aIndex) {
       row->mParentIndex += aCount;
     }
diff --git a/layout/xul/tree/nsTreeContentView.h b/layout/xul/tree/nsTreeContentView.h
index d0898c9f2e..8f85b65074 100644
--- a/layout/xul/tree/nsTreeContentView.h
+++ b/layout/xul/tree/nsTreeContentView.h
@@ -16,6 +16,7 @@
 #include "nsITreeContentView.h"
 #include "nsITreeSelection.h"
 #include "mozilla/Attributes.h"
+#include "mozilla/UniquePtr.h"
 
 class nsIDocument;
 class Row;
@@ -53,13 +54,13 @@ class nsTreeContentView final : public nsINativeTreeView,
 
     // Recursive methods which deal with serializing of nested content.
     void Serialize(nsIContent* aContent, int32_t aParentIndex, int32_t* aIndex,
-                   nsTArray<nsAutoPtr<Row> >& aRows);
+                   nsTArray<mozilla::UniquePtr<Row>>& aRows);
 
     void SerializeItem(nsIContent* aContent, int32_t aParentIndex,
-                       int32_t* aIndex, nsTArray<nsAutoPtr<Row> >& aRows);
+                       int32_t* aIndex, nsTArray<mozilla::UniquePtr<Row>>& aRows);
 
     void SerializeSeparator(nsIContent* aContent, int32_t aParentIndex,
-                            int32_t* aIndex, nsTArray<nsAutoPtr<Row> >& aRows);
+                            int32_t* aIndex, nsTArray<mozilla::UniquePtr<Row>>& aRows);
 
     void GetIndexInSubtree(nsIContent* aContainer, nsIContent* aContent, int32_t* aResult);
     
@@ -95,7 +96,7 @@ class nsTreeContentView final : public nsINativeTreeView,
     nsCOMPtr<nsIContent>                mRoot;
     nsCOMPtr<nsIContent>                mBody;
     nsIDocument*                        mDocument;      // WEAK
-    nsTArray<nsAutoPtr<Row> >           mRows;
+    nsTArray<mozilla::UniquePtr<Row>>   mRows;
 };
 
 #endif // nsTreeContentView_h__
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 2439b57b54..ba2c497dfc 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -549,9 +549,6 @@ pref("media.video-queue.send-to-compositor-size", 9999);
 // Whether to disable the video stats to prevent fingerprinting
 pref("media.video_stats.enabled", true);
 
-// Whether to enable the audio writing APIs on the audio element
-pref("media.audio_data.enabled", false);
-
 // Weather we allow AMD switchable graphics
 pref("layers.amd-switchable-gfx.enabled", true);
 
@@ -624,10 +621,10 @@ pref("apz.touch_start_tolerance", "0.2222222");  // 0.2222222 came from 1.0/4.5
 pref("apz.touch_move_tolerance", "0.0");
 pref("apz.velocity_bias", "1.0");
 pref("apz.velocity_relevance_time_ms", 150);
-pref("apz.x_stationary_size_multiplier", "3.0");
-pref("apz.y_stationary_size_multiplier", "3.5");
 pref("apz.x_skate_highmem_adjust", "0.0");
 pref("apz.y_skate_highmem_adjust", "0.0");
+pref("apz.x_stationary_size_multiplier", "3.0");
+pref("apz.y_stationary_size_multiplier", "3.5");
 pref("apz.zoom_animation_duration_ms", 250);
 
 #ifdef XP_MACOSX
@@ -652,8 +649,7 @@ pref("gfx.hidpi.enabled", 2);
 #endif
 
 #if !defined(MOZ_WIDGET_GONK) && !defined(MOZ_WIDGET_ANDROID)
-// Containerless scrolling for root frames does not yet pass tests on Android
-// or B2G.
+// Use containerless scrolling for now on desktop.
 pref("layout.scroll.root-frame-containers", false);
 #endif
 
@@ -897,6 +893,7 @@ sticky_pref("devtools.chrome.enabled", false);
 // Disable remote debugging protocol logging
 pref("devtools.debugger.log", false);
 pref("devtools.debugger.log.verbose", false);
+
 // Disable remote debugging connections
 #ifdef MOZ_DEV_EDITION
 sticky_pref("devtools.debugger.remote-enabled", true);
@@ -1244,6 +1241,9 @@ pref("nglayout.debug.paint_flashing_chrome", false);
 // BasicLayers (other layer managers always update the entire widget area)
 pref("nglayout.debug.widget_update_flashing", false);
 
+// Enable/disable display list invalidation logging --- useful for debugging.
+pref("nglayout.debug.invalidation", false);
+
 // Whether frame visibility tracking is enabled globally.
 pref("layout.framevisibility.enabled", true);
 
@@ -1319,7 +1319,7 @@ pref("print.print_edge_right", 0);
 pref("print.print_edge_bottom", 0);
 
 // Print via the parent process. This is only used when e10s is enabled.
-#if defined(XP_WIN)
+#if defined(XP_WIN) && defined(NIGHTLY_BUILD)
 pref("print.print_via_parent", true);
 #else
 pref("print.print_via_parent", false);
@@ -1330,9 +1330,6 @@ pref("print.print_via_parent", false);
 // in a document.
 pref("extensions.spellcheck.inline.max-misspellings", 500);
 
-// Predefined convenience pref for overriding the dictionary
-pref("spellchecker.dictionary.override", "");
-
 // Prefs used by libeditor. Prefs specific to seamonkey composer
 // belong in comm-central/editor/ui/composer.js
 
@@ -1396,6 +1393,10 @@ pref("dom.forms.autocomplete.experimental", false);
 // Enables requestAutocomplete DOM API on forms.
 pref("dom.forms.requestAutocomplete", false);
 
+#ifdef NIGHTLY_BUILD
+pref("dom.input.dirpicker", true);
+#endif
+
 // Enables system messages and activities
 pref("dom.sysmsg.enabled", false);
 
@@ -1492,15 +1493,15 @@ pref("javascript.options.mem.gc_max_empty_chunk_count", 30);
 
 pref("javascript.options.showInConsole", false);
 
-pref("javascript.options.throw_on_debuggee_would_run", false);
-pref("javascript.options.dump_stack_on_debuggee_would_run", false);
-
 #ifdef NIGHTLY_BUILD
 pref("javascript.options.shared_memory", true);
 #else
 pref("javascript.options.shared_memory", false);
 #endif
 
+pref("javascript.options.throw_on_debuggee_would_run", false);
+pref("javascript.options.dump_stack_on_debuggee_would_run", false);
+
 // advanced prefs
 pref("advanced.mailftp",                    false);
 pref("image.animation_mode",                "normal");
@@ -2187,7 +2188,6 @@ pref("network.cookie.cookieBehavior",       0); // Keep the old default of accep
 #endif
 pref("network.cookie.thirdparty.sessionOnly", false);
 pref("network.cookie.lifetimePolicy",       0); // 0-accept, 2-acceptForSession, 3-acceptForNDays
-pref("network.cookie.alwaysAcceptSessionCookies", false);
 pref("network.cookie.prefsMigrated",        false);
 pref("network.cookie.lifetime.days",        90);
 
@@ -2623,9 +2623,6 @@ pref("layout.css.isolation.enabled", true);
 // Is support for CSS Filters enabled?
 pref("layout.css.filters.enabled", true);
 
-// Is support for scroll-snap enabled?
-pref("layout.css.scroll-snap.enabled", false);
-
 // Set the threshold distance in CSS pixels below which scrolling will snap to
 // an edge, when scroll snapping is set to "proximity".
 pref("layout.css.scroll-snap.proximity-threshold", 200);
@@ -2790,6 +2787,9 @@ pref("layout.css.scroll-behavior.spring-constant", "250.0");
 // at the greatest speed without overshooting.
 pref("layout.css.scroll-behavior.damping-ratio", "1.0");
 
+// Is support for scroll-snap enabled?
+pref("layout.css.scroll-snap.enabled", true);
+
 // Is support for document.fonts enabled?
 //
 // Don't enable the pref for the CSS Font Loading API until bug 1072101 is
@@ -2878,7 +2878,6 @@ pref("editor.positioning.offset",            0);
 
 pref("dom.use_watchdog", true);
 pref("dom.max_chrome_script_run_time", 20);
-pref("dom.max_child_script_run_time", 10);
 pref("dom.max_script_run_time", 10);
 
 // Stop all scripts in a compartment when the "Stop script" button on the
@@ -3916,22 +3915,22 @@ pref("font.name.serif.zh-CN", "Times");
 pref("font.name.sans-serif.zh-CN", "Helvetica");
 pref("font.name.monospace.zh-CN", "Courier");
 pref("font.name-list.serif.zh-CN", "Times,STSong,Heiti SC");
-pref("font.name-list.sans-serif.zh-CN", "Helvetica,STHeiti,Heiti SC");
-pref("font.name-list.monospace.zh-CN", "Courier,STHeiti,Heiti SC");
+pref("font.name-list.sans-serif.zh-CN", "Helvetica,PingFang SC,STHeiti,Heiti SC");
+pref("font.name-list.monospace.zh-CN", "Courier,PingFang SC,STHeiti,Heiti SC");
 
 pref("font.name.serif.zh-TW", "Times");
 pref("font.name.sans-serif.zh-TW", "Helvetica");
 pref("font.name.monospace.zh-TW", "Courier");
 pref("font.name-list.serif.zh-TW", "Times,LiSong Pro,Heiti TC");
-pref("font.name-list.sans-serif.zh-TW", "Helvetica,Heiti TC,LiHei Pro");
-pref("font.name-list.monospace.zh-TW", "Courier,Heiti TC,LiHei Pro");
+pref("font.name-list.sans-serif.zh-TW", "Helvetica,PingFang TC,Heiti TC,LiHei Pro");
+pref("font.name-list.monospace.zh-TW", "Courier,PingFang TC,Heiti TC,LiHei Pro");
 
 pref("font.name.serif.zh-HK", "Times");
 pref("font.name.sans-serif.zh-HK", "Helvetica");
 pref("font.name.monospace.zh-HK", "Courier");
 pref("font.name-list.serif.zh-HK", "Times,LiSong Pro,Heiti TC");
-pref("font.name-list.sans-serif.zh-HK", "Helvetica,Heiti TC,LiHei Pro");
-pref("font.name-list.monospace.zh-HK", "Courier,Heiti TC,LiHei Pro");
+pref("font.name-list.sans-serif.zh-HK", "Helvetica,PingFang TC,Heiti TC,LiHei Pro");
+pref("font.name-list.monospace.zh-HK", "Courier,PingFang TC,Heiti TC,LiHei Pro");
 
 // XP_MACOSX changes to default font sizes
 pref("font.minimum-size.th", 10);
@@ -4050,12 +4049,16 @@ pref("print.print_paper_size", 0);
 // around the content of the page for Print Preview only
 pref("print.print_extra_margin", 0); // twips
 
-// CSSOM-View scroll-behavior smooth scrolling requires the C++ APZC
+// CSSOM-View scroll-behavior smooth scrolling and scroll snap requires the C++ APZC
+#ifdef MOZ_ANDROID_APZ
+pref("layout.css.scroll-behavior.enabled", true);
+pref("layout.css.scroll-behavior.property-enabled", true);
+pref("layout.css.scroll-snap.enabled", true);
+#else
 pref("layout.css.scroll-behavior.enabled", false);
 pref("layout.css.scroll-behavior.property-enabled", false);
-
-// CSS Scroll Snapping requires the C++ APZC
 pref("layout.css.scroll-snap.enabled", false);
+#endif
 
 /* PostScript print module prefs */
 // pref("print.postscript.enabled",      true);
@@ -4146,14 +4149,78 @@ pref("font.name.monospace.ko", "monospace");
 
 pref("font.name.serif.th", "serif");
 pref("font.name.sans-serif.th", "sans-serif");
-pref("font.minimum-size.th", 13);
 pref("font.name.monospace.th", "monospace");
+pref("font.minimum-size.th", 13);
+
+pref("font.name.serif.x-armn", "serif");
+pref("font.name.sans-serif.x-armn", "sans-serif");
+pref("font.name.monospace.x-armn", "monospace");
+
+pref("font.name.serif.x-beng", "serif");
+pref("font.name.sans-serif.x-beng", "sans-serif");
+pref("font.name.monospace.x-beng", "monospace");
+
+pref("font.name.serif.x-cans", "serif");
+pref("font.name.sans-serif.x-cans", "sans-serif");
+pref("font.name.monospace.x-cans", "monospace");
 
 pref("font.name.serif.x-cyrillic", "serif");
 pref("font.name.sans-serif.x-cyrillic", "sans-serif");
 pref("font.name.monospace.x-cyrillic", "monospace");
 pref("font.size.fixed.x-cyrillic", 12);
 
+pref("font.name.serif.x-devanagari", "serif");
+pref("font.name.sans-serif.x-devanagari", "sans-serif");
+pref("font.name.monospace.x-devanagari", "monospace");
+
+pref("font.name.serif.x-ethi", "serif");
+pref("font.name.sans-serif.x-ethi", "sans-serif");
+pref("font.name.monospace.x-ethi", "monospace");
+
+pref("font.name.serif.x-geor", "serif");
+pref("font.name.sans-serif.x-geor", "sans-serif");
+pref("font.name.monospace.x-geor", "monospace");
+
+pref("font.name.serif.x-gujr", "serif");
+pref("font.name.sans-serif.x-gujr", "sans-serif");
+pref("font.name.monospace.x-gujr", "monospace");
+
+pref("font.name.serif.x-guru", "serif");
+pref("font.name.sans-serif.x-guru", "sans-serif");
+pref("font.name.monospace.x-guru", "monospace");
+
+pref("font.name.serif.x-khmr", "serif");
+pref("font.name.sans-serif.x-khmr", "sans-serif");
+pref("font.name.monospace.x-khmr", "monospace");
+
+pref("font.name.serif.x-knda", "serif");
+pref("font.name.sans-serif.x-knda", "sans-serif");
+pref("font.name.monospace.x-knda", "monospace");
+
+pref("font.name.serif.x-mlym", "serif");
+pref("font.name.sans-serif.x-mlym", "sans-serif");
+pref("font.name.monospace.x-mlym", "monospace");
+
+pref("font.name.serif.x-orya", "serif");
+pref("font.name.sans-serif.x-orya", "sans-serif");
+pref("font.name.monospace.x-orya", "monospace");
+
+pref("font.name.serif.x-sinh", "serif");
+pref("font.name.sans-serif.x-sinh", "sans-serif");
+pref("font.name.monospace.x-sinh", "monospace");
+
+pref("font.name.serif.x-tamil", "serif");
+pref("font.name.sans-serif.x-tamil", "sans-serif");
+pref("font.name.monospace.x-tamil", "monospace");
+
+pref("font.name.serif.x-telu", "serif");
+pref("font.name.sans-serif.x-telu", "sans-serif");
+pref("font.name.monospace.x-telu", "monospace");
+
+pref("font.name.serif.x-tibt", "serif");
+pref("font.name.sans-serif.x-tibt", "sans-serif");
+pref("font.name.monospace.x-tibt", "monospace");
+
 pref("font.name.serif.x-unicode", "serif");
 pref("font.name.sans-serif.x-unicode", "sans-serif");
 pref("font.name.monospace.x-unicode", "monospace");
@@ -4168,8 +4235,6 @@ pref("font.name.serif.zh-CN", "serif");
 pref("font.name.sans-serif.zh-CN", "sans-serif");
 pref("font.name.monospace.zh-CN", "monospace");
 
-// ming_uni.ttf (HKSCS-2001)
-// http://www.info.gov.hk/digital21/eng/hkscs/download/uime.exe
 pref("font.name.serif.zh-HK", "serif");
 pref("font.name.sans-serif.zh-HK", "sans-serif");
 pref("font.name.monospace.zh-HK", "monospace");
@@ -4314,68 +4379,70 @@ pref("font.name.monospace.x-math", "Fira Mono");
 pref("font.name.serif.el", "Droid Serif"); // not Charis SIL Compact, only has a few Greek chars
 pref("font.name.sans-serif.el", "Clear Sans");
 pref("font.name.monospace.el", "Droid Sans Mono");
+pref("font.name-list.serif.el", "Noto Serif");
 pref("font.name-list.sans-serif.el", "Clear Sans, Roboto, Droid Sans");
 
 pref("font.name.serif.he", "Droid Serif");
 pref("font.name.sans-serif.he", "Clear Sans");
 pref("font.name.monospace.he", "Droid Sans Mono");
+pref("font.name-list.serif.he", "Noto Serif");
 pref("font.name-list.sans-serif.he", "Droid Sans Hebrew, Clear Sans, Droid Sans");
 
 pref("font.name.serif.ja", "Charis SIL Compact");
 pref("font.name.sans-serif.ja", "Clear Sans");
 pref("font.name.monospace.ja", "MotoyaLMaru");
-pref("font.name-list.serif.ja", "Droid Serif");
+pref("font.name-list.serif.ja", "Noto Serif, Droid Serif");
 pref("font.name-list.sans-serif.ja", "Clear Sans, Roboto, Droid Sans, MotoyaLMaru, MotoyaLCedar, Noto Sans JP, Droid Sans Japanese");
 pref("font.name-list.monospace.ja", "MotoyaLMaru, MotoyaLCedar, Droid Sans Mono");
 
 pref("font.name.serif.ko", "Charis SIL Compact");
 pref("font.name.sans-serif.ko", "Clear Sans");
 pref("font.name.monospace.ko", "Droid Sans Mono");
-pref("font.name-list.serif.ko", "Droid Serif, HYSerif");
+pref("font.name-list.serif.ko", "Noto Serif, Droid Serif, HYSerif");
 pref("font.name-list.sans-serif.ko", "SmartGothic, NanumGothic, Noto Sans KR, DroidSansFallback, Droid Sans Fallback");
 
 pref("font.name.serif.th", "Charis SIL Compact");
 pref("font.name.sans-serif.th", "Clear Sans");
 pref("font.name.monospace.th", "Droid Sans Mono");
-pref("font.name-list.serif.th", "Droid Serif");
+pref("font.name-list.serif.th", "Noto Serif, Droid Serif");
 pref("font.name-list.sans-serif.th", "Droid Sans Thai, Clear Sans, Droid Sans");
 
 pref("font.name.serif.x-cyrillic", "Charis SIL Compact");
 pref("font.name.sans-serif.x-cyrillic", "Clear Sans");
 pref("font.name.monospace.x-cyrillic", "Droid Sans Mono");
-pref("font.name-list.serif.x-cyrillic", "Droid Serif");
+pref("font.name-list.serif.x-cyrillic", "Noto Serif, Droid Serif");
 pref("font.name-list.sans-serif.x-cyrillic", "Clear Sans, Roboto, Droid Sans");
 
 pref("font.name.serif.x-unicode", "Charis SIL Compact");
 pref("font.name.sans-serif.x-unicode", "Clear Sans");
 pref("font.name.monospace.x-unicode", "Droid Sans Mono");
-pref("font.name-list.serif.x-unicode", "Droid Serif");
+pref("font.name-list.serif.x-unicode", "Noto Serif, Droid Serif");
 pref("font.name-list.sans-serif.x-unicode", "Clear Sans, Roboto, Droid Sans");
 
 pref("font.name.serif.x-western", "Charis SIL Compact");
 pref("font.name.sans-serif.x-western", "Clear Sans");
 pref("font.name.monospace.x-western", "Droid Sans Mono");
-pref("font.name-list.serif.x-western", "Droid Serif");
+pref("font.name-list.serif.x-western", "Noto Serif, Droid Serif");
 pref("font.name-list.sans-serif.x-western", "Clear Sans, Roboto, Droid Sans");
 
 pref("font.name.serif.zh-CN", "Charis SIL Compact");
 pref("font.name.sans-serif.zh-CN", "Clear Sans");
 pref("font.name.monospace.zh-CN", "Droid Sans Mono");
-pref("font.name-list.serif.zh-CN", "Droid Serif, Droid Sans Fallback");
+pref("font.name-list.serif.zh-CN", "Noto Serif, Droid Serif, Droid Sans Fallback");
 pref("font.name-list.sans-serif.zh-CN", "Roboto, Droid Sans, Noto Sans SC, Droid Sans Fallback");
 pref("font.name-list.monospace.zh-CN", "Droid Sans Fallback");
 
 pref("font.name.serif.zh-HK", "Charis SIL Compact");
 pref("font.name.sans-serif.zh-HK", "Clear Sans");
 pref("font.name.monospace.zh-HK", "Droid Sans Mono");
-pref("font.name-list.serif.zh-HK", "Droid Serif, Droid Sans Fallback");
+pref("font.name-list.serif.zh-HK", "Noto Serif, Droid Serif, Droid Sans Fallback");
 pref("font.name-list.sans-serif.zh-HK", "Roboto, Droid Sans, Noto Sans TC, Noto Sans SC, Droid Sans Fallback");
 pref("font.name-list.monospace.zh-HK", "Droid Sans Fallback");
 
 pref("font.name.serif.zh-TW", "Charis SIL Compact");
 pref("font.name.sans-serif.zh-TW", "Clear Sans");
 pref("font.name.monospace.zh-TW", "Droid Sans Mono");
-pref("font.name-list.serif.zh-TW", "Droid Serif, Droid Sans Fallback");
+pref("font.name-list.serif.zh-TW", "Noto Serif, Droid Serif, Droid Sans Fallback");
 pref("font.name-list.sans-serif.zh-TW", "Roboto, Droid Sans, Noto Sans TC, Noto Sans SC, Droid Sans Fallback");
 pref("font.name-list.monospace.zh-TW", "Droid Sans Fallback");
 
@@ -5271,16 +5338,21 @@ pref("layout.accessiblecaret.timeout_ms", 3000);
 // or long tap events does not fired by APZ.
 pref("layout.accessiblecaret.use_long_tap_injector", true);
 
-// Use AccessibleCaret default behaviours.
-pref("layout.accessiblecaret.extendedvisibility", false);
-
 // By default, carets become tilt only when they are overlapping.
 pref("layout.accessiblecaret.always_tilt", false);
 
+// By default, carets always show when scrolling (either panning for zooming)
+// the page.
+pref("layout.accessiblecaret.always_show_when_scrolling", true);
+
 // Selection change notifications generated by Javascript hide
 // AccessibleCarets and close UI interaction by default.
 pref("layout.accessiblecaret.allow_script_change_updates", false);
 
+// Allow one caret to be dragged across the other caret without any limitation.
+// This matches the built-in convention for all desktop platforms.
+pref("layout.accessiblecaret.allow_dragging_across_other_caret", true);
+
 // Optionally provide haptic feedback on longPress selection events.
 pref("layout.accessiblecaret.hapticfeedback", false);
 
@@ -5334,6 +5406,7 @@ pref("dom.presentation.tcp_server.debug", false);
 pref("dom.presentation.discovery.enabled", false);
 pref("dom.presentation.discovery.timeout_ms", 10000);
 pref("dom.presentation.discoverable", false);
+pref("dom.presentation.session_transport.data_channel.enable", false);
 
 #ifdef XP_MACOSX
 // Use raw ICU instead of CoreServices API in Unicode collation
@@ -5439,27 +5512,6 @@ pref("media.gmp-manager.certs.2.commonName", "aus5.mozilla.org");
 // If this pref is disabled, we will never show a reader mode icon in the toolbar.
 pref("reader.parse-on-load.enabled", true);
 
-// Force-enables reader mode parsing, even on low-memory platforms, where it
-// is disabled by default.
-pref("reader.parse-on-load.force-enabled", false);
-
-// The default relative font size in reader mode (1-5)
-pref("reader.font_size", 3);
-
-// The default color scheme in reader mode (light, dark, auto)
-// auto = color automatically adjusts according to ambient light level
-pref("reader.color_scheme", "auto");
-
-// The font type in reader (sans-serif, serif)
-pref("reader.font_type", "sans-serif");
-
-// Whether or not the user has interacted with the reader mode toolbar.
-// This is used to show a first-launch tip in reader mode.
-pref("reader.has_used_toolbar", false);
-// Whether or not to perform reader mode article parsing on page load.
-// If this pref is disabled, we will never show a reader mode icon in the toolbar.
-pref("reader.parse-on-load.enabled", true);
-
 // After what size document we don't bother running Readability on it
 // because it'd slow things down too much
 pref("reader.parse-node-limit", 3000);
diff --git a/netwerk/base/nsAutodialWin.cpp b/netwerk/base/nsAutodialWin.cpp
index b18ae50fd3..da7525c9ff 100644
--- a/netwerk/base/nsAutodialWin.cpp
+++ b/netwerk/base/nsAutodialWin.cpp
@@ -14,6 +14,7 @@
 #include "nsAutodialWin.h"
 #include "mozilla/Logging.h"
 #include "nsWindowsHelpers.h"
+#include "mozilla/Telemetry.h"
 
 #define AUTODIAL_DEFAULT AUTODIAL_NEVER
 
@@ -187,6 +188,9 @@ int nsAutodial::QueryAutodialBehavior()
     }
 }
 
+// only do telemetry once per session
+static bool reportedAutoDial = false;
+
 // If the RAS autodial service is running, use it. Otherwise, dial
 // the default RAS connection. There are two possible RAS dialogs:
 // one that dials a single entry, and one that lets the user choose which
@@ -267,6 +271,10 @@ nsresult nsAutodial::DialDefault(const char16_t* hostName)
                 return NS_ERROR_FAILURE;    // don't retry
             }
 
+            if (!reportedAutoDial) {
+                reportedAutoDial = true;
+                mozilla::Telemetry::Accumulate(mozilla::Telemetry::NETWORK_AUTODIAL, true);
+            }
             LOGD(("Autodial: RAS dialup connection successful."));
         }
 
@@ -298,6 +306,10 @@ nsresult nsAutodial::DialDefault(const char16_t* hostName)
                 return NS_ERROR_FAILURE;    // don't retry
             }
 
+            if (!reportedAutoDial) {
+                reportedAutoDial = true;
+                mozilla::Telemetry::Accumulate(mozilla::Telemetry::NETWORK_AUTODIAL, true);
+            }
             LOGD(("Autodial: RAS dialup connection successful."));
         }
     }
diff --git a/netwerk/base/nsChannelClassifier.cpp b/netwerk/base/nsChannelClassifier.cpp
index c1e97e72db..b6c0ba3100 100644
--- a/netwerk/base/nsChannelClassifier.cpp
+++ b/netwerk/base/nsChannelClassifier.cpp
@@ -7,6 +7,7 @@
 #include "nsChannelClassifier.h"
 
 #include "mozIThirdPartyUtil.h"
+#include "nsCharSeparatedTokenizer.h"
 #include "nsContentUtils.h"
 #include "nsICacheEntry.h"
 #include "nsICachingChannel.h"
@@ -313,6 +314,18 @@ nsChannelClassifier::StartInternal()
     NS_ENSURE_SUCCESS(rv, rv);
     if (hasFlags) return NS_ERROR_UNEXPECTED;
 
+    // Skip whitelisted hostnames.
+    nsAutoCString whitelisted;
+    Preferences::GetCString("urlclassifier.skipHostnames", &whitelisted);
+    if (!whitelisted.IsEmpty()) {
+      ToLowerCase(whitelisted);
+      LOG(("nsChannelClassifier[%p]:StartInternal whitelisted hostnames = %s",
+           this, whitelisted.get()));
+      if (IsHostnameWhitelisted(uri, whitelisted)) {
+        return NS_ERROR_UNEXPECTED;
+      }
+    }
+
     nsCOMPtr<nsIURIClassifier> uriClassifier =
         do_GetService(NS_URICLASSIFIERSERVICE_CONTRACTID, &rv);
     if (rv == NS_ERROR_FACTORY_NOT_REGISTERED ||
@@ -372,6 +385,30 @@ nsChannelClassifier::StartInternal()
     return NS_OK;
 }
 
+bool
+nsChannelClassifier::IsHostnameWhitelisted(nsIURI *aUri,
+                                           const nsACString &aWhitelisted)
+{
+  nsAutoCString host;
+  nsresult rv = aUri->GetHost(host);
+  if (NS_FAILED(rv) || host.IsEmpty()) {
+    return false;
+  }
+  ToLowerCase(host);
+
+  nsCCharSeparatedTokenizer tokenizer(aWhitelisted, ',');
+  while (tokenizer.hasMoreTokens()) {
+    const nsCSubstring& token = tokenizer.nextToken();
+    if (token.Equals(host)) {
+      LOG(("nsChannelClassifier[%p]:StartInternal skipping %s (whitelisted)",
+           this, host.get()));
+      return true;
+    }
+  }
+
+  return false;
+}
+
 // Note in the cache entry that this URL was classified, so that future
 // cached loads don't need to be checked.
 void
@@ -385,6 +422,17 @@ nsChannelClassifier::MarkEntryClassified(nsresult status)
         return;
     }
 
+    if (LOG_ENABLED()) {
+      nsAutoCString errorName;
+      mozilla::GetErrorName(status, errorName);
+      nsCOMPtr<nsIURI> uri;
+      mChannel->GetURI(getter_AddRefs(uri));
+      nsAutoCString spec;
+      uri->GetAsciiSpec(spec);
+      LOG(("nsChannelClassifier::MarkEntryClassified[%s] %s",
+           errorName.get(), spec.get()));
+    }
+
     nsCOMPtr<nsICachingChannel> cachingChannel = do_QueryInterface(mChannel);
     if (!cachingChannel) {
         return;
diff --git a/netwerk/base/nsChannelClassifier.h b/netwerk/base/nsChannelClassifier.h
index 8a047c2193..fef275bb1e 100644
--- a/netwerk/base/nsChannelClassifier.h
+++ b/netwerk/base/nsChannelClassifier.h
@@ -44,6 +44,8 @@ private:
     nsresult StartInternal();
     // Helper function to check a tracking URI against the whitelist
     nsresult IsTrackerWhitelisted();
+    // Helper function to check a URI against the hostname whitelist
+    bool IsHostnameWhitelisted(nsIURI *aUri, const nsACString &aWhitelisted);
     // Checks that the channel was loaded by the URI currently loaded in aDoc
     static bool SameLoadingURI(nsIDocument *aDoc, nsIChannel *aChannel);
 
diff --git a/netwerk/base/nsFileStreams.cpp b/netwerk/base/nsFileStreams.cpp
index cff38d324a..6684f766bb 100644
--- a/netwerk/base/nsFileStreams.cpp
+++ b/netwerk/base/nsFileStreams.cpp
@@ -323,6 +323,8 @@ nsFileStreamBase::MaybeOpen(nsIFile* aFile, int32_t aIoFlags,
 
     mOpenParams.localFile = aFile;
 
+    // Following call open() at main thread.
+    // Main thread might be blocked, while open a remote file.
     return DoOpen();
 }
 
@@ -432,19 +434,23 @@ nsFileInputStream::Open(nsIFile* aFile, int32_t aIOFlags, int32_t aPerm)
 
     rv = MaybeOpen(aFile, aIOFlags, aPerm,
                    mBehaviorFlags & nsIFileInputStream::DEFER_OPEN);
+
     if (NS_FAILED(rv)) return rv;
 
-    if (mBehaviorFlags & DELETE_ON_CLOSE) {
-        // POSIX compatible filesystems allow a file to be unlinked while a
-        // file descriptor is still referencing the file.  since we've already
-        // opened the file descriptor, we'll try to remove the file.  if that
-        // fails, then we'll just remember the nsIFile and remove it after we
-        // close the file descriptor.
-        rv = aFile->Remove(false);
-        if (NS_SUCCEEDED(rv)) {
-          // No need to remove it later. Clear the flag.
-          mBehaviorFlags &= ~DELETE_ON_CLOSE;
-        }
+    // if defer open is set, do not remove the file here.
+    // remove the file while Close() is called.
+    if ((mBehaviorFlags & DELETE_ON_CLOSE) &&
+        !(mBehaviorFlags & nsIFileInputStream::DEFER_OPEN)) {
+      // POSIX compatible filesystems allow a file to be unlinked while a
+      // file descriptor is still referencing the file.  since we've already
+      // opened the file descriptor, we'll try to remove the file.  if that
+      // fails, then we'll just remember the nsIFile and remove it after we
+      // close the file descriptor.
+      rv = aFile->Remove(false);
+      if (NS_SUCCEEDED(rv)) {
+        // No need to remove it later. Clear the flag.
+        mBehaviorFlags &= ~DELETE_ON_CLOSE;
+      }
     }
 
     return NS_OK;
@@ -514,9 +520,6 @@ nsFileInputStream::Read(char* aBuf, uint32_t aCount, uint32_t* _retval)
 NS_IMETHODIMP
 nsFileInputStream::ReadLine(nsACString& aLine, bool* aResult)
 {
-    nsresult rv = DoPendingOpen();
-    NS_ENSURE_SUCCESS(rv, rv);
-
     if (!mLineBuffer) {
       mLineBuffer = new nsLineBuffer<char>;
     }
@@ -525,11 +528,19 @@ nsFileInputStream::ReadLine(nsACString& aLine, bool* aResult)
 
 NS_IMETHODIMP
 nsFileInputStream::Seek(int32_t aWhence, int64_t aOffset)
+{
+  return SeekInternal(aWhence, aOffset);
+}
+
+nsresult
+nsFileInputStream::SeekInternal(int32_t aWhence, int64_t aOffset, bool aClearBuf)
 {
     nsresult rv = DoPendingOpen();
     NS_ENSURE_SUCCESS(rv, rv);
 
-    mLineBuffer = nullptr;
+    if (aClearBuf) {
+        mLineBuffer = nullptr;
+    }
     if (!mFD) {
         if (mBehaviorFlags & REOPEN_ON_REWIND) {
             rv = Open(mFile, mIOFlags, mPerm);
@@ -699,19 +710,28 @@ nsPartialFileInputStream::Init(nsIFile* aFile, uint64_t aStart,
 
     nsresult rv = nsFileInputStream::Init(aFile, aIOFlags, aPerm,
                                           aBehaviorFlags);
+
+    // aFile is a partial file, it must exist.
     NS_ENSURE_SUCCESS(rv, rv);
 
-    return nsFileInputStream::Seek(NS_SEEK_SET, mStart);
+    mDeferredSeek = true;
+
+    return rv;
 }
 
 NS_IMETHODIMP
 nsPartialFileInputStream::Tell(int64_t *aResult)
 {
     int64_t tell = 0;
-    nsresult rv = nsFileInputStream::Tell(&tell);
-    if (NS_SUCCEEDED(rv)) {
-        *aResult = tell - mStart;
-    }
+
+    nsresult rv = DoPendingSeek();
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = nsFileInputStream::Tell(&tell);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+
+    *aResult = tell - mStart;
     return rv;
 }
 
@@ -719,16 +739,23 @@ NS_IMETHODIMP
 nsPartialFileInputStream::Available(uint64_t* aResult)
 {
     uint64_t available = 0;
-    nsresult rv = nsFileInputStream::Available(&available);
-    if (NS_SUCCEEDED(rv)) {
-        *aResult = TruncateSize(available);
-    }
+
+    nsresult rv = DoPendingSeek();
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = nsFileInputStream::Available(&available);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    *aResult = TruncateSize(available);
     return rv;
 }
 
 NS_IMETHODIMP
 nsPartialFileInputStream::Read(char* aBuf, uint32_t aCount, uint32_t* aResult)
 {
+    nsresult rv = DoPendingSeek();
+    NS_ENSURE_SUCCESS(rv, rv);
+
     uint32_t readsize = (uint32_t) TruncateSize(aCount);
     if (readsize == 0 && mBehaviorFlags & CLOSE_ON_EOF) {
         Close();
@@ -736,16 +763,19 @@ nsPartialFileInputStream::Read(char* aBuf, uint32_t aCount, uint32_t* aResult)
         return NS_OK;
     }
 
-    nsresult rv = nsFileInputStream::Read(aBuf, readsize, aResult);
-    if (NS_SUCCEEDED(rv)) {
-        mPosition += readsize;
-    }
+    rv = nsFileInputStream::Read(aBuf, readsize, aResult);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    mPosition += readsize;
     return rv;
 }
 
 NS_IMETHODIMP
 nsPartialFileInputStream::Seek(int32_t aWhence, int64_t aOffset)
 {
+    nsresult rv = DoPendingSeek();
+    NS_ENSURE_SUCCESS(rv, rv);
+
     int64_t offset;
     switch (aWhence) {
         case NS_SEEK_SET:
@@ -765,10 +795,10 @@ nsPartialFileInputStream::Seek(int32_t aWhence, int64_t aOffset)
         return NS_ERROR_INVALID_ARG;
     }
 
-    nsresult rv = nsFileInputStream::Seek(NS_SEEK_SET, offset);
-    if (NS_SUCCEEDED(rv)) {
-        mPosition = offset - mStart;
-    }
+    rv = nsFileInputStream::Seek(NS_SEEK_SET, offset);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    mPosition = offset - mStart;
     return rv;
 }
 
@@ -828,6 +858,19 @@ nsPartialFileInputStream::Deserialize(
     return NS_SUCCEEDED(nsFileInputStream::Seek(NS_SEEK_SET, mStart));
 }
 
+nsresult
+nsPartialFileInputStream::DoPendingSeek()
+{
+    if (!mDeferredSeek) {
+       return NS_OK;
+    }
+
+    mDeferredSeek = false;
+
+    // This is the first time to open the file, don't clear mLinebuffer.
+    // mLineBuffer might be already initialized by ReadLine().
+    return nsFileInputStream::SeekInternal(NS_SEEK_SET, mStart, false);
+}
 ////////////////////////////////////////////////////////////////////////////////
 // nsFileOutputStream
 
diff --git a/netwerk/base/nsFileStreams.h b/netwerk/base/nsFileStreams.h
index ad2c3c3b6a..00a020012c 100644
--- a/netwerk/base/nsFileStreams.h
+++ b/netwerk/base/nsFileStreams.h
@@ -143,6 +143,8 @@ protected:
         Close();
     }
 
+    nsresult SeekInternal(int32_t aWhence, int64_t aOffset, bool aClearBuf=true);
+
     nsAutoPtr<nsLineBuffer<char> > mLineBuffer;
 
     /**
@@ -184,7 +186,7 @@ public:
     NS_DECL_NSIIPCSERIALIZABLEINPUTSTREAM
 
     nsPartialFileInputStream()
-      : mStart(0), mLength(0), mPosition(0)
+      : mStart(0), mLength(0), mPosition(0), mDeferredSeek(false)
     { }
 
     NS_IMETHOD Tell(int64_t *aResult) override;
@@ -199,6 +201,8 @@ protected:
     ~nsPartialFileInputStream()
     { }
 
+    inline nsresult DoPendingSeek();
+
 private:
     uint64_t TruncateSize(uint64_t aSize) {
           return std::min<uint64_t>(mLength - mPosition, aSize);
@@ -207,6 +211,7 @@ private:
     uint64_t mStart;
     uint64_t mLength;
     uint64_t mPosition;
+    bool mDeferredSeek;
 };
 
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/netwerk/base/nsIMIMEInputStream.idl b/netwerk/base/nsIMIMEInputStream.idl
index 73b1e5fb67..82992d939b 100644
--- a/netwerk/base/nsIMIMEInputStream.idl
+++ b/netwerk/base/nsIMIMEInputStream.idl
@@ -39,4 +39,9 @@ interface nsIMIMEInputStream : nsIInputStream
      * @param stream  stream containing the data for the stream
      */
     void setData(in nsIInputStream stream);
+
+    /**
+     * Get the wrapped data stream
+     */
+    readonly attribute nsIInputStream data;
 };
diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
index d5656caae5..bf735da66f 100644
--- a/netwerk/base/nsIOService.cpp
+++ b/netwerk/base/nsIOService.cpp
@@ -1057,9 +1057,6 @@ nsIOService::SetOffline(bool offline)
                                                  NS_IOSERVICE_GOING_OFFLINE_TOPIC,
                                                  offlineString.get());
 
-            if (mDNSService)
-                mDNSService->SetOffline(true);
-
             if (mSocketTransportService)
                 mSocketTransportService->SetOffline(true);
 
@@ -1071,7 +1068,6 @@ nsIOService::SetOffline(bool offline)
         else if (!offline && mOffline) {
             // go online
             if (mDNSService) {
-                mDNSService->SetOffline(false);
                 DebugOnly<nsresult> rv = mDNSService->Init();
                 NS_ASSERTION(NS_SUCCEEDED(rv), "DNS service init failed");
             }
diff --git a/netwerk/base/nsMIMEInputStream.cpp b/netwerk/base/nsMIMEInputStream.cpp
index 7a65ac8b1b..da7c8aa661 100644
--- a/netwerk/base/nsMIMEInputStream.cpp
+++ b/netwerk/base/nsMIMEInputStream.cpp
@@ -159,6 +159,15 @@ nsMIMEInputStream::SetData(nsIInputStream *aStream)
     return NS_OK;
 }
 
+NS_IMETHODIMP
+nsMIMEInputStream::GetData(nsIInputStream **aStream)
+{
+  NS_ENSURE_ARG_POINTER(aStream);
+  *aStream = mData;
+  NS_IF_ADDREF(*aStream);
+  return NS_OK;
+}
+
 // set up the internal streams
 void nsMIMEInputStream::InitStreams()
 {
diff --git a/netwerk/base/nsPACMan.cpp b/netwerk/base/nsPACMan.cpp
index 98b3deaaca..a524fca614 100644
--- a/netwerk/base/nsPACMan.cpp
+++ b/netwerk/base/nsPACMan.cpp
@@ -361,8 +361,11 @@ nsPACMan::AsyncGetProxyForURI(nsIURI *uri, uint32_t appId,
 
   // Maybe Reload PAC
   if (!mPACURISpec.IsEmpty() && !mScheduledReload.IsNull() &&
-      TimeStamp::Now() > mScheduledReload)
+      TimeStamp::Now() > mScheduledReload) {
+    LOG(("nsPACMan::AsyncGetProxyForURI reload as scheduled\n"));
+
     LoadPACFromURI(EmptyCString());
+  }
 
   RefPtr<PendingPACQuery> query =
     new PendingPACQuery(this, uri, appId, isInIsolatedMozBrowser, callback,
@@ -404,6 +407,7 @@ nsPACMan::LoadPACFromURI(const nsCString &spec)
       do_CreateInstance(NS_STREAMLOADER_CONTRACTID);
   NS_ENSURE_STATE(loader);
 
+  LOG(("nsPACMan::LoadPACFromURI %s\n", spec.get()));
   // Since we might get called from nsProtocolProxyService::Init, we need to
   // post an event back to the main thread before we try to use the IO service.
   //
@@ -506,6 +510,9 @@ nsPACMan::OnLoadFailure()
 
   mScheduledReload = TimeStamp::Now() + TimeDuration::FromSeconds(interval);
 
+  LOG(("OnLoadFailure: retry in %d seconds (%d fails)\n",
+       interval, mLoadFailureCount));
+
   // while we wait for the retry queued members should try direct
   // even if that means fast failure.
   PostCancelPendingQ(NS_ERROR_NOT_AVAILABLE);
@@ -603,6 +610,7 @@ nsPACMan::ProcessPending()
       !PACURI.IsEmpty() &&
       !PACURI.Equals(mPACURISpec)) {
     query->UseAlternatePACFile(PACURI);
+    LOG(("Use PAC from system settings: %s\n", PACURI.get()));
     completed = true;
   }
 
@@ -613,6 +621,7 @@ nsPACMan::ProcessPending()
                    GetProxyForURI(query->mSpec, query->mScheme,
                                   query->mHost, query->mPort,
                                   pacString))) {
+    LOG(("Use proxy from system settings: %s\n", pacString.get()));
     query->Complete(NS_OK, pacString);
     completed = true;
   }
@@ -623,6 +632,7 @@ nsPACMan::ProcessPending()
                                           query->mAppId, query->mAppOrigin,
                                           query->mIsInIsolatedMozBrowser,
                                           pacString);
+    LOG(("Use proxy from PAC: %s\n", pacString.get()));
     query->Complete(status, pacString);
   }
 
@@ -646,10 +656,13 @@ nsPACMan::OnStreamComplete(nsIStreamLoader *loader,
     // than once before the initial call completed.  In this case, status
     // should be NS_ERROR_ABORT, and if so, then we know that we can and
     // should delay any processing.
+    LOG(("OnStreamComplete: called more than once\n"));
     if (status == NS_ERROR_ABORT)
       return NS_OK;
   }
 
+  LOG(("OnStreamComplete: entry\n"));
+
   if (NS_SUCCEEDED(status) && HttpRequestSucceeded(loader)) {
     // Get the URI spec used to load this PAC script.
     nsAutoCString pacURI;
@@ -681,12 +694,15 @@ nsPACMan::OnStreamComplete(nsIStreamLoader *loader,
     if (mPACThread)
       mPACThread->Dispatch(pending, nsIEventTarget::DISPATCH_NORMAL);
 
+    LOG(("OnStreamComplete: process the PAC contents\n"));
+
     // Even if the PAC file could not be parsed, we did succeed in loading the
     // data for it.
     mLoadFailureCount = 0;
   } else {
     // We were unable to load the PAC file (presumably because of a network
     // failure).  Try again a little later.
+    LOG(("OnStreamComplete: unable to load PAC, retry later\n"));
     OnLoadFailure();
   }
 
diff --git a/netwerk/base/nsProtocolProxyService.cpp b/netwerk/base/nsProtocolProxyService.cpp
index 097130b2ab..19249361c4 100644
--- a/netwerk/base/nsProtocolProxyService.cpp
+++ b/netwerk/base/nsProtocolProxyService.cpp
@@ -216,12 +216,16 @@ private:
 
     void DoCallback()
     {
+        bool pacAvailable = true;
         if (mStatus == NS_ERROR_NOT_AVAILABLE && !mProxyInfo) {
             // If the PAC service is not avail (e.g. failed pac load
             // or shutdown) then we will be going direct. Make that
             // mapping now so that any filters are still applied.
             mPACString = NS_LITERAL_CSTRING("DIRECT;");
             mStatus = NS_OK;
+
+            LOG(("pac not available, use DIRECT\n"));
+            pacAvailable = false;
         }
 
         // Generate proxy info from the PAC string if appropriate
@@ -239,7 +243,10 @@ private:
             else
                 mProxyInfo = nullptr;
 
-            LOG(("pac thread callback %s\n", mPACString.get()));
+            if(pacAvailable) {
+                // if !pacAvailable, it was already logged above
+                LOG(("pac thread callback %s\n", mPACString.get()));
+            }
             if (NS_SUCCEEDED(mStatus))
                 mPPS->MaybeDisableDNSPrefetch(mProxyInfo);
             mCallback->OnProxyAvailable(this, mChannel, mProxyInfo, mStatus);
diff --git a/netwerk/base/nsSocketTransport2.cpp b/netwerk/base/nsSocketTransport2.cpp
index b1df84b615..71e89f6151 100644
--- a/netwerk/base/nsSocketTransport2.cpp
+++ b/netwerk/base/nsSocketTransport2.cpp
@@ -1420,6 +1420,20 @@ nsSocketTransport::InitiateSocket()
 
     NetAddrToPRNetAddr(&mNetAddr, &prAddr);
 
+#ifdef XP_WIN
+    // Find the real tcp socket and set non-blocking once again!
+    // Bug 1158189.
+    PRFileDesc *bottom = PR_GetIdentitiesLayer(fd, PR_NSPR_IO_LAYER);
+    if (bottom) {
+      PROsfd osfd = PR_FileDesc2NativeHandle(bottom);
+      u_long nonblocking = 1;
+      if (ioctlsocket(osfd, FIONBIO, &nonblocking) != 0) {
+        NS_WARNING("Socket could not be set non-blocking!");
+        return NS_ERROR_FAILURE;
+      }
+    }
+#endif
+
     // We use PRIntervalTime here because we need
     // nsIOService::LastOfflineStateChange time and
     // nsIOService::LastConectivityChange time to be atomic.
@@ -2972,10 +2986,10 @@ nsSocketTransport::PRFileDescAutoLock::SetKeepaliveVals(bool aEnabled,
 #if defined(XP_WIN)
     // Windows allows idle time and retry interval to be set; NOT ping count.
     struct tcp_keepalive keepalive_vals = {
-        (int)aEnabled,
+        (u_long)aEnabled,
         // Windows uses msec.
-        aIdleTime * 1000,
-        aRetryInterval * 1000
+        (u_long)(aIdleTime * 1000UL),
+        (u_long)(aRetryInterval * 1000UL)
     };
     DWORD bytes_returned;
     int err = WSAIoctl(sock, SIO_KEEPALIVE_VALS, &keepalive_vals,
diff --git a/netwerk/base/nsSocketTransportService2.cpp b/netwerk/base/nsSocketTransportService2.cpp
index 74232200c1..f7aaf2dc60 100644
--- a/netwerk/base/nsSocketTransportService2.cpp
+++ b/netwerk/base/nsSocketTransportService2.cpp
@@ -819,26 +819,29 @@ nsSocketTransportService::Run()
 
     gSocketThread = PR_GetCurrentThread();
 
-    mPollableEvent.reset(new PollableEvent());
-    //
-    // NOTE: per bug 190000, this failure could be caused by Zone-Alarm
-    // or similar software.
-    //
-    // NOTE: per bug 191739, this failure could also be caused by lack
-    // of a loopback device on Windows and OS/2 platforms (it creates
-    // a loopback socket pair on these platforms to implement a pollable
-    // event object).  if we can't create a pollable event, then we'll
-    // have to "busy wait" to implement the socket event queue :-(
-    //
-    if (!mPollableEvent->Valid()) {
-        mPollableEvent = nullptr;
-        NS_WARNING("running socket transport thread without a pollable event");
-        SOCKET_LOG(("running socket transport thread without a pollable event"));
-    }
+    {
+        DebugMutexAutoLock lock(mLock);
+        mPollableEvent.reset(new PollableEvent());
+        //
+        // NOTE: per bug 190000, this failure could be caused by Zone-Alarm
+        // or similar software.
+        //
+        // NOTE: per bug 191739, this failure could also be caused by lack
+        // of a loopback device on Windows and OS/2 platforms (it creates
+        // a loopback socket pair on these platforms to implement a pollable
+        // event object).  if we can't create a pollable event, then we'll
+        // have to "busy wait" to implement the socket event queue :-(
+        //
+        if (!mPollableEvent->Valid()) {
+            mPollableEvent = nullptr;
+            NS_WARNING("running socket transport thread without a pollable event");
+            SOCKET_LOG(("running socket transport thread without a pollable event"));
+        }
 
-    mPollList[0].fd = mPollableEvent ? mPollableEvent->PollableFD() : nullptr;
-    mPollList[0].in_flags = PR_POLL_READ | PR_POLL_EXCEPT;
-    mPollList[0].out_flags = 0;
+        mPollList[0].fd = mPollableEvent ? mPollableEvent->PollableFD() : nullptr;
+        mPollList[0].in_flags = PR_POLL_READ | PR_POLL_EXCEPT;
+        mPollList[0].out_flags = 0;
+    }
 
     mRawThread = NS_GetCurrentThread();
 
diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp
index fba326ca0d..c1216f2d57 100644
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -1261,6 +1261,29 @@ nsStandardURL::GetOriginCharset(nsACString &result)
     return NS_OK;
 }
 
+static bool
+IsSpecialProtocol(const nsACString &input)
+{
+    nsACString::const_iterator start, end;
+    input.BeginReading(start);
+    nsACString::const_iterator iterator(start);
+    input.EndReading(end);
+
+    while (iterator != end && *iterator != ':') {
+        iterator++;
+    }
+
+    nsAutoCString protocol(nsDependentCSubstring(start.get(), iterator.get()));
+
+    return protocol.LowerCaseEqualsLiteral("http") ||
+           protocol.LowerCaseEqualsLiteral("https") ||
+           protocol.LowerCaseEqualsLiteral("ftp") ||
+           protocol.LowerCaseEqualsLiteral("ws") ||
+           protocol.LowerCaseEqualsLiteral("wss") ||
+           protocol.LowerCaseEqualsLiteral("file") ||
+           protocol.LowerCaseEqualsLiteral("gopher");
+}
+
 NS_IMETHODIMP
 nsStandardURL::SetSpec(const nsACString &input)
 {
@@ -1291,12 +1314,35 @@ nsStandardURL::SetSpec(const nsACString &input)
     Clear();
 
     // filter out unexpected chars "\r\n\t" if necessary
-    nsAutoCString buf1;
-    if (net_FilterURIString(spec, buf1)) {
-        spec = buf1.get();
-        specLength = buf1.Length();
+    nsAutoCString filteredURI;
+    if (!net_FilterURIString(spec, filteredURI)) {
+        // Copy the content into filteredURI even if no whitespace was stripped.
+        // We need a non-const buffer to perform backslash replacement.
+        filteredURI = input;
     }
 
+    if (IsSpecialProtocol(filteredURI)) {
+        // Bug 652186: Replace all backslashes with slashes when parsing paths
+        // Stop when we reach the query or the hash.
+        nsAutoCString::iterator start;
+        nsAutoCString::iterator end;
+        filteredURI.BeginWriting(start);
+        filteredURI.EndWriting(end);
+        while (start != end) {
+            if (*start == '?' || *start == '#') {
+                break;
+            }
+            if (*start == '\\') {
+                *start = '/';
+            }
+            start++;
+        }
+    }
+
+    spec = filteredURI.get();
+    specLength = filteredURI.Length();
+
+
     // parse the given URL...
     nsresult rv = ParseURL(spec, specLength);
     if (NS_SUCCEEDED(rv)) {
@@ -2078,12 +2124,15 @@ nsStandardURL::Resolve(const nsACString &in, nsACString &out)
     // filter out unexpected chars "\r\n\t" if necessary
     nsAutoCString buf;
     int32_t relpathLen;
-    if (net_FilterURIString(relpath, buf)) {
-        relpath = buf.get();
-        relpathLen = buf.Length();
-    } else
-        relpathLen = flat.Length();
-    
+    if (!net_FilterURIString(relpath, buf)) {
+        // Copy the content into filteredURI even if no whitespace was stripped.
+        // We need a non-const buffer to perform backslash replacement.
+        buf = in;
+    }
+
+    relpath = buf.get();
+    relpathLen = buf.Length();
+
     char *result = nullptr;
 
     LOG(("nsStandardURL::Resolve [this=%p spec=%s relpath=%s]\n",
@@ -2120,6 +2169,30 @@ nsStandardURL::Resolve(const nsACString &in, nsACString &out)
     // reset the scheme and assume a relative url
     if (NS_FAILED(rv)) scheme.Reset(); 
 
+    nsAutoCString protocol(Segment(scheme));
+    nsAutoCString baseProtocol(Scheme());
+
+    // We need to do backslash replacement for the following cases:
+    // 1. The input is an absolute path with a http/https/ftp scheme
+    // 2. The input is a relative path, and the base URL has a http/https/ftp scheme
+    if ((protocol.IsEmpty() && IsSpecialProtocol(baseProtocol)) ||
+         IsSpecialProtocol(protocol)) {
+
+        nsAutoCString::iterator start;
+        nsAutoCString::iterator end;
+        buf.BeginWriting(start);
+        buf.EndWriting(end);
+        while (start != end) {
+            if (*start == '?' || *start == '#') {
+                break;
+            }
+            if (*start == '\\') {
+                *start = '/';
+            }
+            start++;
+        }
+    }
+
     if (scheme.mLen >= 0) {
         // add some flags to coalesceFlag if it is an ftp-url
         // need this later on when coalescing the resulting URL
diff --git a/netwerk/base/nsURLHelper.cpp b/netwerk/base/nsURLHelper.cpp
index e6c43842f3..e2fffeb28d 100644
--- a/netwerk/base/nsURLHelper.cpp
+++ b/netwerk/base/nsURLHelper.cpp
@@ -236,7 +236,7 @@ net_CoalesceDirs(netCoalesceFlags flags, char* path)
      */
     char *fwdPtr = path;
     char *urlPtr = path;
-    char *lastslash = path;
+    char *endPath = path;
     uint32_t traversal = 0;
     uint32_t special_ftp_len = 0;
 
@@ -253,34 +253,18 @@ net_CoalesceDirs(netCoalesceFlags flags, char* path)
             special_ftp_len = 2; 
     }
 
-    /* find the last slash before # or ? */
-    for(; (*fwdPtr != '\0') && 
-            (*fwdPtr != '?') && 
+    /* find the end of the path - places the cursor on \0, ? or # */
+    for(; (*fwdPtr != '\0') &&
+            (*fwdPtr != '?') &&
             (*fwdPtr != '#'); ++fwdPtr)
     {
     }
 
-    /* found nothing, but go back one only */
-    /* if there is something to go back to */
-    if (fwdPtr != path && *fwdPtr == '\0')
-    {
-        --fwdPtr;
-    }
-
-    /* search the slash */
-    for(; (fwdPtr != path) && 
-            (*fwdPtr != '/'); --fwdPtr)
-    {
-    }
-    lastslash = fwdPtr;
+    endPath = fwdPtr;
     fwdPtr = path;
 
     /* replace all %2E or %2e with . in the path */
-    /* but stop at lastchar if non null */
-    for(; (*fwdPtr != '\0') && 
-            (*fwdPtr != '?') && 
-            (*fwdPtr != '#') &&
-            (*lastslash == '\0' || fwdPtr != lastslash); ++fwdPtr)
+    for(; fwdPtr != endPath; ++fwdPtr)
     {
         if (*fwdPtr == '%' && *(fwdPtr+1) == '2' && 
             (*(fwdPtr+2) == 'E' || *(fwdPtr+2) == 'e'))
diff --git a/netwerk/base/nsURLParsers.cpp b/netwerk/base/nsURLParsers.cpp
index a024174f04..ac22ae7540 100644
--- a/netwerk/base/nsURLParsers.cpp
+++ b/netwerk/base/nsURLParsers.cpp
@@ -62,17 +62,21 @@ nsBaseURLParser::ParseURL(const char *spec, int32_t specLen,
     const char *stop = nullptr;
     const char *colon = nullptr;
     const char *slash = nullptr;
-    const char *p;
+    const char *p = spec;
     uint32_t offset = 0;
     int32_t len = specLen;
-    for (p = spec; len && *p && !colon && !slash; ++p, --len) {
-        // skip leading whitespace
-        if (*p == ' ' || *p == '\n' || *p == '\r' || *p == '\t') {
-            spec++;
-            specLen--;
-            offset++;
-            continue;
-        }
+
+    // skip leading whitespace
+    while (*p == ' ' || *p == '\n' || *p == '\r' || *p == '\t') {
+        spec++;
+        specLen--;
+        offset++;
+
+        p++;
+        len--;
+    }
+
+    for (; len && *p && !colon && !slash; ++p, --len) {
         switch (*p) {
             case ':':
                 if (!colon)
diff --git a/netwerk/cache/nsDiskCacheDeviceSQL.cpp b/netwerk/cache/nsDiskCacheDeviceSQL.cpp
index 512ef984bb..c649dc8aff 100644
--- a/netwerk/cache/nsDiskCacheDeviceSQL.cpp
+++ b/netwerk/cache/nsDiskCacheDeviceSQL.cpp
@@ -1,4 +1,4 @@
-/* -*- Mode: C++; indent-tab-mode: nil; c-basic-offset: 2 -*- */
+/* -*- Mode: C++; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim:set ts=2 sw=2 sts=2 et cin: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/netwerk/cache2/CacheEntry.cpp b/netwerk/cache2/CacheEntry.cpp
index 0b041db17e..92179e200d 100644
--- a/netwerk/cache2/CacheEntry.cpp
+++ b/netwerk/cache2/CacheEntry.cpp
@@ -908,56 +908,61 @@ void CacheEntry::OnHandleClosed(CacheEntryHandle const* aHandle)
 {
   LOG(("CacheEntry::OnHandleClosed [this=%p, state=%s, handle=%p]", this, StateString(mState), aHandle));
 
-  nsCOMPtr<nsIOutputStream> outputStream;
+  mozilla::MutexAutoLock lock(mLock);
 
-  {
-    mozilla::MutexAutoLock lock(mLock);
-
-    if (mWriter != aHandle) {
-      LOG(("  not the writer"));
-      return;
-    }
-
-    if (mOutputStream) {
-      // No one took our internal output stream, so there are no data
-      // and output stream has to be open symultaneously with input stream
-      // on this entry again.
-      mHasData = false;
-    }
-
-    outputStream.swap(mOutputStream);
-    mWriter = nullptr;
-
-    if (mState == WRITING) {
-      LOG(("  reverting to state EMPTY - write failed"));
-      mState = EMPTY;
-    }
-    else if (mState == REVALIDATING) {
-      LOG(("  reverting to state READY - reval failed"));
-      mState = READY;
-    }
-
-    if (mState == READY && !mHasData) {
-      // We may get to this state when following steps happen:
-      // 1. a new entry is given to a consumer
-      // 2. the consumer calls MetaDataReady(), we transit to READY
-      // 3. abandons the entry w/o opening the output stream, mHasData left false
-      //
-      // In this case any following consumer will get a ready entry (with metadata)
-      // but in state like the entry data write was still happening (was in progress)
-      // and will indefinitely wait for the entry data or even the entry itself when
-      // RECHECK_AFTER_WRITE is returned from onCacheEntryCheck.
-      LOG(("  we are in READY state, pretend we have data regardless it"
-            " has actully been never touched"));
-      mHasData = true;
-    }
-
-    InvokeCallbacks();
+  if (IsDoomed() && mHandlesCount == 0 && NS_SUCCEEDED(mFileStatus)) {
+    // This entry is no longer referenced from outside and is doomed.
+    // Tell the file to kill the handle, i.e. bypass any I/O operations
+    // on it except removing the file.
+    mFile->Kill();
   }
 
-  if (outputStream) {
+  if (mWriter != aHandle) {
+    LOG(("  not the writer"));
+    return;
+  }
+
+  if (mOutputStream) {
     LOG(("  abandoning phantom output stream"));
-    outputStream->Close();
+    // No one took our internal output stream, so there are no data
+    // and output stream has to be open symultaneously with input stream
+    // on this entry again.
+    mHasData = false;
+    // This asynchronously ends up invoking callbacks on this entry
+    // through OnOutputClosed() call.
+    mOutputStream->Close();
+    mOutputStream = nullptr;
+  } else {
+    // We must always redispatch, otherwise there is a risk of stack
+    // overflow.  This code can recurse deeply.  It won't execute sooner
+    // than we release mLock.
+    BackgroundOp(Ops::CALLBACKS, true);
+  }
+
+  mWriter = nullptr;
+
+  if (mState == WRITING) {
+    LOG(("  reverting to state EMPTY - write failed"));
+    mState = EMPTY;
+  }
+  else if (mState == REVALIDATING) {
+    LOG(("  reverting to state READY - reval failed"));
+    mState = READY;
+  }
+
+  if (mState == READY && !mHasData) {
+    // We may get to this state when following steps happen:
+    // 1. a new entry is given to a consumer
+    // 2. the consumer calls MetaDataReady(), we transit to READY
+    // 3. abandons the entry w/o opening the output stream, mHasData left false
+    //
+    // In this case any following consumer will get a ready entry (with metadata)
+    // but in state like the entry data write was still happening (was in progress)
+    // and will indefinitely wait for the entry data or even the entry itself when
+    // RECHECK_AFTER_WRITE is returned from onCacheEntryCheck.
+    LOG(("  we are in READY state, pretend we have data regardless it"
+          " has actully been never touched"));
+    mHasData = true;
   }
 }
 
@@ -1101,8 +1106,10 @@ NS_IMETHODIMP CacheEntry::OpenInputStream(int64_t offset, nsIInputStream * *_ret
 
   nsresult rv;
 
+  RefPtr<CacheEntryHandle> selfHandle = NewHandle();
+
   nsCOMPtr<nsIInputStream> stream;
-  rv = mFile->OpenInputStream(getter_AddRefs(stream));
+  rv = mFile->OpenInputStream(selfHandle, getter_AddRefs(stream));
   NS_ENSURE_SUCCESS(rv, rv);
 
   nsCOMPtr<nsISeekableStream> seekable =
diff --git a/netwerk/cache2/CacheFile.cpp b/netwerk/cache2/CacheFile.cpp
index c42b57f1f5..75eb1ab6e3 100644
--- a/netwerk/cache2/CacheFile.cpp
+++ b/netwerk/cache2/CacheFile.cpp
@@ -193,6 +193,7 @@ CacheFile::CacheFile()
   , mPreloadChunkCount(0)
   , mStatus(NS_OK)
   , mDataSize(-1)
+  , mKill(false)
   , mOutput(nullptr)
 {
   LOG(("CacheFile::CacheFile() [this=%p]", this));
@@ -203,7 +204,7 @@ CacheFile::~CacheFile()
   LOG(("CacheFile::~CacheFile() [this=%p]", this));
 
   MutexAutoLock lock(mLock);
-  if (!mMemoryOnly && mReady) {
+  if (!mMemoryOnly && mReady && !mKill) {
     // mReady flag indicates we have metadata plus in a valid state.
     WriteMetadataIfNeededLocked(true);
   }
@@ -702,8 +703,18 @@ CacheFile::OnFileRenamed(CacheFileHandle *aHandle, nsresult aResult)
   return NS_ERROR_UNEXPECTED;
 }
 
+bool CacheFile::IsKilled()
+{
+  bool killed = mKill;
+  if (killed) {
+    LOG(("CacheFile is killed, this=%p", this));
+  }
+
+  return killed;
+}
+
 nsresult
-CacheFile::OpenInputStream(nsIInputStream **_retval)
+CacheFile::OpenInputStream(nsICacheEntry *aEntryHandle, nsIInputStream **_retval)
 {
   CacheFileAutoLock lock(this);
 
@@ -734,7 +745,7 @@ CacheFile::OpenInputStream(nsIInputStream **_retval)
   // the last input stream is closed.
   mPreloadWithoutInputStreams = false;
 
-  CacheFileInputStream *input = new CacheFileInputStream(this);
+  CacheFileInputStream *input = new CacheFileInputStream(this, aEntryHandle);
 
   LOG(("CacheFile::OpenInputStream() - Creating new input stream %p [this=%p]",
        input, this));
@@ -906,6 +917,9 @@ nsresult
 CacheFile::SetElement(const char *aKey, const char *aValue)
 {
   CacheFileAutoLock lock(this);
+
+  LOG(("CacheFile::SetElement() this=%p", this));
+
   MOZ_ASSERT(mMetadata);
   NS_ENSURE_TRUE(mMetadata, NS_ERROR_UNEXPECTED);
 
@@ -940,6 +954,10 @@ nsresult
 CacheFile::SetExpirationTime(uint32_t aExpirationTime)
 {
   CacheFileAutoLock lock(this);
+
+  LOG(("CacheFile::SetExpirationTime() this=%p, expiration=%u",
+       this, aExpirationTime));
+
   MOZ_ASSERT(mMetadata);
   NS_ENSURE_TRUE(mMetadata, NS_ERROR_UNEXPECTED);
 
@@ -965,6 +983,10 @@ nsresult
 CacheFile::SetFrecency(uint32_t aFrecency)
 {
   CacheFileAutoLock lock(this);
+
+  LOG(("CacheFile::SetFrecency() this=%p, frecency=%u",
+       this, aFrecency));
+
   MOZ_ASSERT(mMetadata);
   NS_ENSURE_TRUE(mMetadata, NS_ERROR_UNEXPECTED);
 
@@ -1020,6 +1042,9 @@ nsresult
 CacheFile::OnFetched()
 {
   CacheFileAutoLock lock(this);
+
+  LOG(("CacheFile::OnFetched() this=%p", this));
+
   MOZ_ASSERT(mMetadata);
   NS_ENSURE_TRUE(mMetadata, NS_ERROR_UNEXPECTED);
 
diff --git a/netwerk/cache2/CacheFile.h b/netwerk/cache2/CacheFile.h
index d6de9401a0..54b61dd52f 100644
--- a/netwerk/cache2/CacheFile.h
+++ b/netwerk/cache2/CacheFile.h
@@ -74,15 +74,17 @@ public:
   NS_IMETHOD OnFileDoomed(CacheFileHandle *aHandle, nsresult aResult) override;
   NS_IMETHOD OnEOFSet(CacheFileHandle *aHandle, nsresult aResult) override;
   NS_IMETHOD OnFileRenamed(CacheFileHandle *aHandle, nsresult aResult) override;
+  virtual bool IsKilled() override;
 
   NS_IMETHOD OnMetadataRead(nsresult aResult) override;
   NS_IMETHOD OnMetadataWritten(nsresult aResult) override;
 
-  NS_IMETHOD OpenInputStream(nsIInputStream **_retval);
+  NS_IMETHOD OpenInputStream(nsICacheEntry *aCacheEntryHandle, nsIInputStream **_retval);
   NS_IMETHOD OpenOutputStream(CacheOutputCloseListener *aCloseListener, nsIOutputStream **_retval);
   NS_IMETHOD SetMemoryOnly();
   NS_IMETHOD Doom(CacheFileListener *aCallback);
 
+  void Kill() { mKill = true; }
   nsresult   ThrowMemoryCachedData();
 
   // metadata forwarders
@@ -198,6 +200,7 @@ private:
   RefPtr<CacheFileMetadata>    mMetadata;
   nsCOMPtr<CacheFileListener>  mListener;
   nsCOMPtr<CacheFileIOListener>   mDoomAfterOpenListener;
+  Atomic<bool, Relaxed>        mKill;
 
   nsRefPtrHashtable<nsUint32HashKey, CacheFileChunk> mChunks;
   nsClassHashtable<nsUint32HashKey, ChunkListeners> mChunkListeners;
diff --git a/netwerk/cache2/CacheFileChunk.cpp b/netwerk/cache2/CacheFileChunk.cpp
index bef03b153d..97987f645d 100644
--- a/netwerk/cache2/CacheFileChunk.cpp
+++ b/netwerk/cache2/CacheFileChunk.cpp
@@ -594,6 +594,12 @@ CacheFileChunk::OnFileRenamed(CacheFileHandle *aHandle, nsresult aResult)
   return NS_ERROR_UNEXPECTED;
 }
 
+bool
+CacheFileChunk::IsKilled()
+{
+  return mFile->IsKilled();
+}
+
 bool
 CacheFileChunk::IsReady() const
 {
diff --git a/netwerk/cache2/CacheFileChunk.h b/netwerk/cache2/CacheFileChunk.h
index 55ee9d3b55..b8ad92dad6 100644
--- a/netwerk/cache2/CacheFileChunk.h
+++ b/netwerk/cache2/CacheFileChunk.h
@@ -94,6 +94,7 @@ public:
   NS_IMETHOD OnFileDoomed(CacheFileHandle *aHandle, nsresult aResult) override;
   NS_IMETHOD OnEOFSet(CacheFileHandle *aHandle, nsresult aResult) override;
   NS_IMETHOD OnFileRenamed(CacheFileHandle *aHandle, nsresult aResult) override;
+  virtual bool IsKilled() override;
 
   bool   IsReady() const;
   bool   IsDirty() const;
diff --git a/netwerk/cache2/CacheFileIOManager.cpp b/netwerk/cache2/CacheFileIOManager.cpp
index dafa653ca5..60e5a60013 100644
--- a/netwerk/cache2/CacheFileIOManager.cpp
+++ b/netwerk/cache2/CacheFileIOManager.cpp
@@ -662,7 +662,7 @@ public:
   {
     nsresult rv;
 
-    if (mHandle->IsClosed()) {
+    if (mHandle->IsClosed() || (mCallback && mCallback->IsKilled())) {
       rv = NS_ERROR_NOT_INITIALIZED;
     } else {
       rv = CacheFileIOManager::gInstance->ReadInternal(
@@ -712,7 +712,7 @@ public:
   {
     nsresult rv;
 
-    if (mHandle->IsClosed()) {
+    if (mHandle->IsClosed() || (mCallback && mCallback->IsKilled())) {
       // We usually get here only after the internal shutdown
       // (i.e. mShuttingDown == true).  Pretend write has succeeded
       // to avoid any past-shutdown file dooming.
@@ -885,7 +885,7 @@ public:
   {
     nsresult rv;
 
-    if (mHandle->IsClosed()) {
+    if (mHandle->IsClosed() || (mCallback && mCallback->IsKilled())) {
       rv = NS_ERROR_NOT_INITIALIZED;
     } else {
       rv = CacheFileIOManager::gInstance->TruncateSeekSetEOFInternal(
@@ -1913,7 +1913,7 @@ CacheFileIOManager::Write(CacheFileHandle *aHandle, int64_t aOffset,
   nsresult rv;
   RefPtr<CacheFileIOManager> ioMan = gInstance;
 
-  if (aHandle->IsClosed() || !ioMan) {
+  if (aHandle->IsClosed() || (aCallback && aCallback->IsKilled()) || !ioMan) {
     if (!aCallback) {
       // When no callback is provided, CacheFileIOManager is responsible for
       // releasing the buffer. We must release it even in case of failure.
@@ -2317,7 +2317,7 @@ CacheFileIOManager::TruncateSeekSetEOF(CacheFileHandle *aHandle,
   nsresult rv;
   RefPtr<CacheFileIOManager> ioMan = gInstance;
 
-  if (aHandle->IsClosed() || !ioMan) {
+  if (aHandle->IsClosed() || (aCallback && aCallback->IsKilled()) || !ioMan) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
@@ -3750,6 +3750,8 @@ CacheFileIOManager::CreateCacheTree()
 nsresult
 CacheFileIOManager::OpenNSPRHandle(CacheFileHandle *aHandle, bool aCreate)
 {
+  LOG(("CacheFileIOManager::OpenNSPRHandle BEGIN, handle=%p", aHandle));
+
   MOZ_ASSERT(CacheFileIOManager::IsOnIOThreadOrCeased());
   MOZ_ASSERT(!aHandle->mFD);
   MOZ_ASSERT(mHandlesByLastUsed.IndexOf(aHandle) == mHandlesByLastUsed.NoIndex);
@@ -3807,6 +3809,9 @@ CacheFileIOManager::OpenNSPRHandle(CacheFileHandle *aHandle, bool aCreate)
   }
 
   mHandlesByLastUsed.AppendElement(aHandle);
+
+  LOG(("CacheFileIOManager::OpenNSPRHandle END, handle=%p", aHandle));
+
   return NS_OK;
 }
 
diff --git a/netwerk/cache2/CacheFileIOManager.h b/netwerk/cache2/CacheFileIOManager.h
index 8f0f6d34d5..7a2c9eca15 100644
--- a/netwerk/cache2/CacheFileIOManager.h
+++ b/netwerk/cache2/CacheFileIOManager.h
@@ -234,6 +234,8 @@ public:
   NS_IMETHOD OnFileDoomed(CacheFileHandle *aHandle, nsresult aResult) = 0;
   NS_IMETHOD OnEOFSet(CacheFileHandle *aHandle, nsresult aResult) = 0;
   NS_IMETHOD OnFileRenamed(CacheFileHandle *aHandle, nsresult aResult) = 0;
+
+  virtual bool IsKilled() { return false; }
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(CacheFileIOListener, CACHEFILEIOLISTENER_IID)
diff --git a/netwerk/cache2/CacheFileInputStream.cpp b/netwerk/cache2/CacheFileInputStream.cpp
index 108a681da6..5d6e976237 100644
--- a/netwerk/cache2/CacheFileInputStream.cpp
+++ b/netwerk/cache2/CacheFileInputStream.cpp
@@ -42,7 +42,7 @@ NS_INTERFACE_MAP_BEGIN(CacheFileInputStream)
   NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIInputStream)
 NS_INTERFACE_MAP_END_THREADSAFE
 
-CacheFileInputStream::CacheFileInputStream(CacheFile *aFile)
+CacheFileInputStream::CacheFileInputStream(CacheFile *aFile, nsISupports *aEntry)
   : mFile(aFile)
   , mPos(0)
   , mClosed(false)
@@ -50,6 +50,7 @@ CacheFileInputStream::CacheFileInputStream(CacheFile *aFile)
   , mWaitingForUpdate(false)
   , mListeningForChunk(-1)
   , mCallbackFlags(0)
+  , mCacheEntryHandle(aEntry)
 {
   LOG(("CacheFileInputStream::CacheFileInputStream() [this=%p]", this));
   MOZ_COUNT_CTOR(CacheFileInputStream);
@@ -240,6 +241,8 @@ CacheFileInputStream::CloseWithStatusLocked(nsresult aStatus)
 
   MaybeNotifyListener();
 
+  mFile->ReleaseOutsideLock(mCacheEntryHandle.forget());
+
   return NS_OK;
 }
 
diff --git a/netwerk/cache2/CacheFileInputStream.h b/netwerk/cache2/CacheFileInputStream.h
index 2b75420eed..f61ad8d189 100644
--- a/netwerk/cache2/CacheFileInputStream.h
+++ b/netwerk/cache2/CacheFileInputStream.h
@@ -11,7 +11,6 @@
 #include "nsAutoPtr.h"
 #include "CacheFileChunk.h"
 
-
 namespace mozilla {
 namespace net {
 
@@ -27,7 +26,7 @@ class CacheFileInputStream : public nsIAsyncInputStream
   NS_DECL_NSISEEKABLESTREAM
 
 public:
-  explicit CacheFileInputStream(CacheFile *aFile);
+  explicit CacheFileInputStream(CacheFile *aFile, nsISupports *aEntry);
 
   NS_IMETHOD OnChunkRead(nsresult aResult, CacheFileChunk *aChunk) override;
   NS_IMETHOD OnChunkWritten(nsresult aResult, CacheFileChunk *aChunk) override;
@@ -64,6 +63,8 @@ private:
   nsCOMPtr<nsIInputStreamCallback> mCallback;
   uint32_t                         mCallbackFlags;
   nsCOMPtr<nsIEventTarget>         mCallbackTarget;
+  // Held purely for referencing purposes
+  RefPtr<nsISupports>              mCacheEntryHandle;
 };
 
 
diff --git a/netwerk/cache2/CacheFileMetadata.h b/netwerk/cache2/CacheFileMetadata.h
index 8bfe5ca02f..0bc7f94820 100644
--- a/netwerk/cache2/CacheFileMetadata.h
+++ b/netwerk/cache2/CacheFileMetadata.h
@@ -116,6 +116,7 @@ public:
 
   NS_IMETHOD OnMetadataRead(nsresult aResult) = 0;
   NS_IMETHOD OnMetadataWritten(nsresult aResult) = 0;
+  virtual bool IsKilled() = 0;
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(CacheFileMetadataListener,
@@ -183,6 +184,7 @@ public:
   NS_IMETHOD OnFileDoomed(CacheFileHandle *aHandle, nsresult aResult) override;
   NS_IMETHOD OnEOFSet(CacheFileHandle *aHandle, nsresult aResult) override;
   NS_IMETHOD OnFileRenamed(CacheFileHandle *aHandle, nsresult aResult) override;
+  virtual bool IsKilled() override { return mListener && mListener->IsKilled(); }
 
   // Memory reporting
   size_t SizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const;
diff --git a/netwerk/dns/ChildDNSService.cpp b/netwerk/dns/ChildDNSService.cpp
index d202c68fce..a7b49679e3 100644
--- a/netwerk/dns/ChildDNSService.cpp
+++ b/netwerk/dns/ChildDNSService.cpp
@@ -4,11 +4,13 @@
 
 #include "mozilla/net/ChildDNSService.h"
 #include "nsIDNSListener.h"
+#include "nsIIOService.h"
 #include "nsIThread.h"
 #include "nsThreadUtils.h"
 #include "nsIXPConnect.h"
 #include "nsIPrefService.h"
 #include "nsIProtocolProxyService.h"
+#include "nsNetCID.h"
 #include "mozilla/net/NeckoChild.h"
 #include "mozilla/net/DNSListenerProxy.h"
 #include "nsServiceManagerUtils.h"
@@ -42,7 +44,6 @@ NS_IMPL_ISUPPORTS(ChildDNSService,
 
 ChildDNSService::ChildDNSService()
   : mFirstTime(true)
-  , mOffline(false)
   , mDisablePrefetch(false)
   , mPendingRequestsLock("DNSPendingRequestsLock")
 {
@@ -103,7 +104,7 @@ ChildDNSService::AsyncResolveExtended(const nsACString  &hostname,
 
   // Support apps being 'offline' even if parent is not: avoids DNS traffic by
   // apps that have been told they are offline.
-  if (mOffline) {
+  if (GetOffline()) {
     flags |= RESOLVE_OFFLINE;
   }
 
@@ -298,18 +299,15 @@ ChildDNSService::SetPrefetchEnabled(bool inVal)
   return NS_OK;
 }
 
-NS_IMETHODIMP
-ChildDNSService::GetOffline(bool* aResult)
+bool
+ChildDNSService::GetOffline() const
 {
-  *aResult = mOffline;
-  return NS_OK;
-}
-
-NS_IMETHODIMP
-ChildDNSService::SetOffline(bool value)
-{
-  mOffline = value;
-  return NS_OK;
+  bool offline = false;
+  nsCOMPtr<nsIIOService> io = do_GetService(NS_IOSERVICE_CONTRACTID);
+  if (io) {
+    io->GetOffline(&offline);
+  }
+  return offline;
 }
 
 //-----------------------------------------------------------------------------
diff --git a/netwerk/dns/ChildDNSService.h b/netwerk/dns/ChildDNSService.h
index b2c3a1dbcc..1662960bbe 100644
--- a/netwerk/dns/ChildDNSService.h
+++ b/netwerk/dns/ChildDNSService.h
@@ -35,6 +35,8 @@ public:
   static ChildDNSService* GetSingleton();
 
   void NotifyRequestDone(DNSRequestChild *aDnsRequest);
+
+  bool GetOffline() const;
 private:
   virtual ~ChildDNSService();
 
@@ -45,7 +47,6 @@ private:
                                              nsACString &aHashKey);
 
   bool mFirstTime;
-  bool mOffline;
   bool mDisablePrefetch;
 
   // We need to remember pending dns requests to be able to cancel them.
diff --git a/netwerk/dns/nsDNSService2.cpp b/netwerk/dns/nsDNSService2.cpp
index 0a393128eb..37f4b35676 100644
--- a/netwerk/dns/nsDNSService2.cpp
+++ b/netwerk/dns/nsDNSService2.cpp
@@ -481,7 +481,6 @@ nsDNSService::nsDNSService()
     , mDisableIPv6(false)
     , mDisablePrefetch(false)
     , mFirstTime(true)
-    , mOffline(false)
     , mNotifyResolution(false)
     , mOfflineLocalhost(false)
 {
@@ -669,18 +668,15 @@ nsDNSService::Shutdown()
     return NS_OK;
 }
 
-NS_IMETHODIMP
-nsDNSService::GetOffline(bool *offline)
+bool
+nsDNSService::GetOffline() const
 {
-    *offline = mOffline;
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsDNSService::SetOffline(bool offline)
-{
-    mOffline = offline;
-    return NS_OK;
+    bool offline = false;
+    nsCOMPtr<nsIIOService> io = do_GetService(NS_IOSERVICE_CONTRACTID);
+    if (io) {
+        io->GetOffline(&offline);
+    }
+    return offline;
 }
 
 NS_IMETHODIMP
@@ -776,7 +772,7 @@ nsDNSService::AsyncResolveExtended(const nsACString  &aHostname,
         return rv;
     }
 
-    if (mOffline &&
+    if (GetOffline() &&
         (!mOfflineLocalhost || !hostname.LowerCaseEqualsASCII("localhost"))) {
         flags |= RESOLVE_OFFLINE;
     }
@@ -891,7 +887,7 @@ nsDNSService::Resolve(const nsACString &aHostname,
         return rv;
     }
 
-    if (mOffline &&
+    if (GetOffline() &&
         (!mOfflineLocalhost || !hostname.LowerCaseEqualsASCII("localhost"))) {
         flags |= RESOLVE_OFFLINE;
     }
diff --git a/netwerk/dns/nsDNSService2.h b/netwerk/dns/nsDNSService2.h
index a33e2dd9b4..79454b901b 100644
--- a/netwerk/dns/nsDNSService2.h
+++ b/netwerk/dns/nsDNSService2.h
@@ -36,6 +36,8 @@ public:
 
     size_t SizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const;
 
+    bool GetOffline() const;
+
 private:
     ~nsDNSService();
 
@@ -62,7 +64,6 @@ private:
     bool                                      mDisablePrefetch;
     bool                                      mBlockDotOnion;
     bool                                      mFirstTime;
-    bool                                      mOffline;
     bool                                      mNotifyResolution;
     bool                                      mOfflineLocalhost;
     nsTHashtable<nsCStringHashKey>            mLocalDomains;
diff --git a/netwerk/dns/nsPIDNSService.idl b/netwerk/dns/nsPIDNSService.idl
index d89f1bdfb8..9bed0555c5 100644
--- a/netwerk/dns/nsPIDNSService.idl
+++ b/netwerk/dns/nsPIDNSService.idl
@@ -10,7 +10,7 @@
  * This is a private interface used by the internals of the networking library.
  * It will never be frozen.  Do not use it in external code.
  */
-[scriptable, uuid(6b16fb1f-5709-4c94-a89f-a22be873c54d)]
+[scriptable, uuid(24e598fd-7b1a-436c-9154-14d8b38df8a5)]
 interface nsPIDNSService : nsIDNSService
 {
     /**
@@ -31,9 +31,4 @@ interface nsPIDNSService : nsIDNSService
      * Whether or not DNS prefetching (aka RESOLVE_SPECULATE) is enabled
      */
     attribute boolean prefetchEnabled;
-
-    /**
-     * @return whether the DNS service is offline.
-     */
-    attribute boolean offline;
 };
diff --git a/netwerk/test/unit/test_standardurl.js b/netwerk/test/unit/test_standardurl.js
index 9d186efad5..92de451d63 100644
--- a/netwerk/test/unit/test_standardurl.js
+++ b/netwerk/test/unit/test_standardurl.js
@@ -301,8 +301,47 @@ add_test(function test_hugeStringThrows()
   run_next_test();
 });
 
+add_test(function test_pathPercentEncodedDot()
+{
+  var url = stringToURL("http://example.com/%2eX/X%2e/%2eX");
+  do_check_eq(url.spec, "http://example.com/.X/X./.X");
+
+  url = stringToURL("http://example.com/hello/%2e%2E/%2e");
+  do_check_eq(url.spec, "http://example.com/");
+
+  url = stringToURL("http://example.com/hello/%2e%2E/%");
+  do_check_eq(url.spec, "http://example.com/%");
+
+  url = stringToURL("http://example.com/hello/%2e%2E/%2");
+  do_check_eq(url.spec, "http://example.com/%2");
+
+  url = stringToURL("http://example.com/hello/%2e%2E/%#");
+  do_check_eq(url.spec, "http://example.com/%#");
+
+  url = stringToURL("http://example.com/hello/%2e%2E/%2?");
+  do_check_eq(url.spec, "http://example.com/%2?");
+
+  url = stringToURL("http://example.com/hello/%2e/");
+  do_check_eq(url.spec, "http://example.com/hello/");
+
+  run_next_test();
+});
+
 add_test(function test_filterWhitespace()
 {
   var url = stringToURL(" \r\n\th\nt\rt\tp://ex\r\n\tample.com/path\r\n\t/\r\n\tto the/fil\r\n\te.e\r\n\txt?que\r\n\try#ha\r\n\tsh \r\n\t ");
   do_check_eq(url.spec, "http://example.com/path/to%20the/file.ext?query#hash");
 });
+
+add_test(function test_backslashReplacement()
+{
+  var url = stringToURL("http:\\\\test.com\\path/to\\file?query\\backslash#hash\\");
+  do_check_eq(url.spec, "http://test.com/path/to/file?query\\backslash#hash\\");
+
+  url = stringToURL("http:\\\\test.com\\example.org/path\\to/file");
+  do_check_eq(url.spec, "http://test.com/example.org/path/to/file");
+  do_check_eq(url.host, "test.com");
+  do_check_eq(url.path, "/example.org/path/to/file");
+
+  run_next_test();
+});
diff --git a/testing/profiles/prefs_general.js b/testing/profiles/prefs_general.js
index 6a23d96ef4..140b6576ce 100644
--- a/testing/profiles/prefs_general.js
+++ b/testing/profiles/prefs_general.js
@@ -14,7 +14,6 @@ user_pref("dom.forms.color", true); // on for testing
 user_pref("dom.max_script_run_time", 0); // no slow script dialogs
 user_pref("hangmonitor.timeout", 0); // no hang monitor
 user_pref("dom.max_chrome_script_run_time", 0);
-user_pref("dom.max_child_script_run_time", 0);
 user_pref("dom.ipc.reportProcessHangs", false); // process hang monitor
 user_pref("dom.popup_maximum", -1);
 user_pref("dom.send_after_paint_to_content", true);
diff --git a/testing/web-platform/meta/MANIFEST.json b/testing/web-platform/meta/MANIFEST.json
index 1eff99df79..1f6d359b59 100644
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -18900,57 +18900,86 @@
         "path": "web-animations/animation-effect-timing/getComputedStyle.html",
         "url": "/web-animations/animation-effect-timing/getComputedStyle.html"
       },
-      {
-        "path": "web-animations/animation-effect-timing/iterations.html",
-        "url": "/web-animations/animation-effect-timing/iterations.html"
-      },
       {
         "path": "web-animations/animation-effect-timing/iterationStart.html",
         "url": "/web-animations/animation-effect-timing/iterationStart.html"
       },
       {
-        "path": "web-animations/animation-node/animation-node-after.html",
-        "url": "/web-animations/animation-node/animation-node-after.html"
+        "path": "web-animations/animation-effect-timing/iterations.html",
+        "url": "/web-animations/animation-effect-timing/iterations.html"
       },
       {
-        "path": "web-animations/animation-node/animation-node-before.html",
-        "url": "/web-animations/animation-node/animation-node-before.html"
+        "path": "web-animations/animation-model/animation-types/discrete-animation.html",
+        "url": "/web-animations/animation-model/animation-types/discrete-animation.html"
       },
       {
-        "path": "web-animations/animation-node/animation-node-next-sibling.html",
-        "url": "/web-animations/animation-node/animation-node-next-sibling.html"
+        "path": "web-animations/animation-model/animation-types/not-animatable.html",
+        "url": "/web-animations/animation-model/animation-types/not-animatable.html"
       },
       {
-        "path": "web-animations/animation-node/animation-node-parent.html",
-        "url": "/web-animations/animation-node/animation-node-parent.html"
+        "path": "web-animations/animation-model/keyframes/effect-value-context.html",
+        "url": "/web-animations/animation-model/keyframes/effect-value-context.html"
       },
       {
-        "path": "web-animations/animation-node/animation-node-previous-sibling.html",
-        "url": "/web-animations/animation-node/animation-node-previous-sibling.html"
-      },
-      {
-        "path": "web-animations/animation-node/animation-node-remove.html",
-        "url": "/web-animations/animation-node/animation-node-remove.html"
-      },
-      {
-        "path": "web-animations/animation-node/animation-node-replace.html",
-        "url": "/web-animations/animation-node/animation-node-replace.html"
-      },
-      {
-        "path": "web-animations/animation-node/idlharness.html",
-        "url": "/web-animations/animation-node/idlharness.html"
-      },
-      {
-        "url": "/web-animations/animation-timeline/animation-timeline.html"
+        "path": "web-animations/animation-timeline/document-timeline.html",
+        "url": "/web-animations/animation-timeline/document-timeline.html"
       },
       {
         "path": "web-animations/animation-timeline/idlharness.html",
         "url": "/web-animations/animation-timeline/idlharness.html"
       },
+      {
+        "path": "web-animations/animation/cancel.html",
+        "url": "/web-animations/animation/cancel.html"
+      },
       {
         "path": "web-animations/animation/constructor.html",
         "url": "/web-animations/animation/constructor.html"
       },
+      {
+        "path": "web-animations/animation/finish.html",
+        "url": "/web-animations/animation/finish.html"
+      },
+      {
+        "path": "web-animations/animation/finished.html",
+        "url": "/web-animations/animation/finished.html"
+      },
+      {
+        "path": "web-animations/animation/id.html",
+        "url": "/web-animations/animation/id.html"
+      },
+      {
+        "path": "web-animations/animation/oncancel.html",
+        "url": "/web-animations/animation/oncancel.html"
+      },
+      {
+        "path": "web-animations/animation/onfinish.html",
+        "url": "/web-animations/animation/onfinish.html"
+      },
+      {
+        "path": "web-animations/animation/pause.html",
+        "url": "/web-animations/animation/pause.html"
+      },
+      {
+        "path": "web-animations/animation/play.html",
+        "url": "/web-animations/animation/play.html"
+      },
+      {
+        "path": "web-animations/animation/playState.html",
+        "url": "/web-animations/animation/playState.html"
+      },
+      {
+        "path": "web-animations/animation/playbackRate.html",
+        "url": "/web-animations/animation/playbackRate.html"
+      },
+      {
+        "path": "web-animations/animation/ready.html",
+        "url": "/web-animations/animation/ready.html"
+      },
+      {
+        "path": "web-animations/animation/reverse.html",
+        "url": "/web-animations/animation/reverse.html"
+      },
       {
         "path": "web-animations/keyframe-effect/constructor.html",
         "url": "/web-animations/keyframe-effect/constructor.html"
diff --git a/testing/web-platform/meta/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html.ini b/testing/web-platform/meta/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html.ini
index 865150c6d8..57d9b9f411 100644
--- a/testing/web-platform/meta/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html.ini
+++ b/testing/web-platform/meta/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html.ini
@@ -168,18 +168,12 @@
   [<img srcset="/images/green-1x1.png?e109 50w, /images/green-16x16.png?e109 51w" sizes="not ((max-width:0) or (unknown &quot;general-enclosed&quot;)) 100vw, 1px"> ref sizes="1px" (standards mode)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f6 50w, /images/green-16x16.png?f6 51w" sizes="0.1%"> ref sizes="100vw" (standards mode)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f33 50w, /images/green-16x16.png?f33 51w" sizes="1px !important"> ref sizes="100vw" (standards mode)]
     expected: FAIL
 
   [<img srcset="/images/green-1x1.png?f42 50w, /images/green-16x16.png?f42 51w" sizes="(min-width:0) 1px foo bar"> ref sizes="100vw" (standards mode)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f43 50w, /images/green-16x16.png?f43 51w" sizes="(min-width:0) 0.1%"> ref sizes="100vw" (standards mode)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f48 50w, /images/green-16x16.png?f48 51w" sizes="calc(1px"> ref sizes="100vw" (standards mode)]
     expected: FAIL
 
@@ -354,18 +348,12 @@
   [<img srcset="/images/green-1x1.png?e109 50w, /images/green-16x16.png?e109 51w" sizes="not ((max-width:0) or (unknown &quot;general-enclosed&quot;)) 100vw, 1px"> ref sizes="1px" (quirks mode)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f6 50w, /images/green-16x16.png?f6 51w" sizes="0.1%"> ref sizes="100vw" (quirks mode)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f33 50w, /images/green-16x16.png?f33 51w" sizes="1px !important"> ref sizes="100vw" (quirks mode)]
     expected: FAIL
 
   [<img srcset="/images/green-1x1.png?f42 50w, /images/green-16x16.png?f42 51w" sizes="(min-width:0) 1px foo bar"> ref sizes="100vw" (quirks mode)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f43 50w, /images/green-16x16.png?f43 51w" sizes="(min-width:0) 0.1%"> ref sizes="100vw" (quirks mode)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f48 50w, /images/green-16x16.png?f48 51w" sizes="calc(1px"> ref sizes="100vw" (quirks mode)]
     expected: FAIL
 
@@ -540,18 +528,12 @@
   [<img srcset="/images/green-1x1.png?e109 50w, /images/green-16x16.png?e109 51w" sizes="not ((max-width:0) or (unknown &quot;general-enclosed&quot;)) 100vw, 1px"> ref sizes="1px" (display:none)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f6 50w, /images/green-16x16.png?f6 51w" sizes="0.1%"> ref sizes="100vw" (display:none)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f33 50w, /images/green-16x16.png?f33 51w" sizes="1px !important"> ref sizes="100vw" (display:none)]
     expected: FAIL
 
   [<img srcset="/images/green-1x1.png?f42 50w, /images/green-16x16.png?f42 51w" sizes="(min-width:0) 1px foo bar"> ref sizes="100vw" (display:none)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f43 50w, /images/green-16x16.png?f43 51w" sizes="(min-width:0) 0.1%"> ref sizes="100vw" (display:none)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f48 50w, /images/green-16x16.png?f48 51w" sizes="calc(1px"> ref sizes="100vw" (display:none)]
     expected: FAIL
 
@@ -726,18 +708,12 @@
   [<img srcset="/images/green-1x1.png?e109 50w, /images/green-16x16.png?e109 51w" sizes="not ((max-width:0) or (unknown &quot;general-enclosed&quot;)) 100vw, 1px"> ref sizes="1px" (width:1000px)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f6 50w, /images/green-16x16.png?f6 51w" sizes="0.1%"> ref sizes="100vw" (width:1000px)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f33 50w, /images/green-16x16.png?f33 51w" sizes="1px !important"> ref sizes="100vw" (width:1000px)]
     expected: FAIL
 
   [<img srcset="/images/green-1x1.png?f42 50w, /images/green-16x16.png?f42 51w" sizes="(min-width:0) 1px foo bar"> ref sizes="100vw" (width:1000px)]
     expected: FAIL
 
-  [<img srcset="/images/green-1x1.png?f43 50w, /images/green-16x16.png?f43 51w" sizes="(min-width:0) 0.1%"> ref sizes="100vw" (width:1000px)]
-    expected: FAIL
-
   [<img srcset="/images/green-1x1.png?f48 50w, /images/green-16x16.png?f48 51w" sizes="calc(1px"> ref sizes="100vw" (width:1000px)]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/url/a-element.html.ini b/testing/web-platform/meta/url/a-element.html.ini
index b707d5e069..287738526b 100644
--- a/testing/web-platform/meta/url/a-element.html.ini
+++ b/testing/web-platform/meta/url/a-element.html.ini
@@ -153,9 +153,6 @@
   [Parsing: <file://localhost/test> against <file:///tmp/mock/path>]
     expected: FAIL
 
-  [Parsing: <http://example.com/foo/%2e> against <about:blank>]
-    expected: FAIL
-
   [Parsing: <http://example.com\\\\foo\\\\bar> against <about:blank>]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/url/url-constructor.html.ini b/testing/web-platform/meta/url/url-constructor.html.ini
index 6aeee9a1fa..94547d7793 100644
--- a/testing/web-platform/meta/url/url-constructor.html.ini
+++ b/testing/web-platform/meta/url/url-constructor.html.ini
@@ -108,9 +108,6 @@
   [Parsing: <file://localhost/test> against <file:///tmp/mock/path>]
     expected: FAIL
 
-  [Parsing: <http://example.com/foo/%2e> against <about:blank>]
-    expected: FAIL
-
   [Parsing: <http://example.com\\\\foo\\\\bar> against <about:blank>]
     expected: FAIL
 
diff --git a/testing/web-platform/meta/web-animations/animation-model/animation-types/not-animatable.html.ini b/testing/web-platform/meta/web-animations/animation-model/animation-types/not-animatable.html.ini
new file mode 100644
index 0000000000..6e3530a1f3
--- /dev/null
+++ b/testing/web-platform/meta/web-animations/animation-model/animation-types/not-animatable.html.ini
@@ -0,0 +1,10 @@
+[not-animatable.html]
+  type: testharness
+  [CSS animations and CSS transitions properties cannot be animated using property-indexed notation]
+    expected: FAIL
+    bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1264822
+
+  [CSS animations and CSS transitions properties cannot be animated using a sequence of keyframes]
+    expected: FAIL
+    bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1264822
+
diff --git a/testing/web-platform/tests/web-animations/animation-model/animation-types/not-animatable.html b/testing/web-platform/tests/web-animations/animation-model/animation-types/not-animatable.html
new file mode 100644
index 0000000000..653c78036e
--- /dev/null
+++ b/testing/web-platform/tests/web-animations/animation-model/animation-types/not-animatable.html
@@ -0,0 +1,120 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Tests for not animatable properties</title>
+<link rel="help" href="https://w3c.github.io/web-animations/#not-animatable-section">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../../testcommon.js"></script>
+<body>
+<div id="log"></div>
+<script>
+'use strict';
+
+test(function(t) {
+  var div = createDiv(t);
+  var anim = div.animate({ display: [ 'inline', 'inline-block' ] }, 1000);
+
+  assert_equals(anim.effect.getFrames().length, 0,
+                'Animation specified using property-indexed notation but'
+                + ' consisting of only non-animatable properties should not'
+                + ' contain any keyframes');
+}, '\'display\' property cannot be animated using property-indexed notation');
+
+test(function(t) {
+  var div = createDiv(t);
+  var anim = div.animate([ { display: 'inline' }, { display: 'inline-block' } ],
+                         1000);
+
+  assert_equals(anim.effect.getFrames().length, 2,
+                'Animation specified using a keyframe sequence where each'
+                + ' keyframe contains only non-animatable properties should'
+                + ' return an equal number of (empty) keyframes');
+  assert_false(anim.effect.getFrames()[0].hasOwnProperty('display'),
+               'Initial keyframe should not have the \'display\' property');
+  assert_false(anim.effect.getFrames()[1].hasOwnProperty('display'),
+               'Final keyframe should not have the \'display\' property');
+}, '\'display\' property cannot be animated using a keyframe sequence');
+
+test(function(t) {
+  var properties = {
+    // CSS Animations properties
+    animation:                [ 'anim 1s', 'anim 2s' ],
+    animationName:            [ 'abc', 'xyz' ],
+    animationTimingFunction:  [ 'ease', 'steps(2)' ],
+    animationDelay:           [ '1s', '2s' ],
+    animationIterationCount:  [ 1, 2 ],
+    animationDirection:       [ 'normal', 'reverse' ],
+    animationFillMode:        [ 'forwards', 'backwards' ],
+    animationPlayState:       [ 'paused', 'running' ],
+
+    // CSS Transitions properties
+    transition:               [ 'all 1s', 'all 2s' ],
+    transitionDelay:          [ '1s', '2s' ],
+    transitionDuration:       [ '1s', '2s' ],
+    transitionProperty:       [ 'all', 'opacity' ],
+    transitionTimingFunction: [ 'ease', 'ease-out' ]
+  };
+
+  var div = createDiv(t);
+  var anim = div.animate(properties, 1000);
+
+  assert_equals(anim.effect.getFrames().length, 0,
+                'Animation specified using property-indexed notation but'
+                + ' consisting of only non-animatable properties should not'
+                + ' contain any keyframes');
+}, 'CSS animations and CSS transitions properties cannot be animated using'
+   + ' property-indexed notation');
+
+test(function(t) {
+  var frames = [
+    {
+      animation:                'anim 1s',
+      animationName:            'abc',
+      animationTimingFunction:  'ease',
+      animationDelay:           '1s',
+      animationIterationCount:  1,
+      animationDirection:       'normal',
+      animationFillMode:        'forwards',
+      animationPlayState:       'paused',
+      transition:               'all 1s',
+      transitionDelay:          '1s',
+      transitionDuration:       '1s',
+      transitionProperty:       'opacity',
+      transitionTimingFunction: 'ease'
+    },
+    {
+      animation:                'anim 2s',
+      animationName:            'xyz',
+      animationTimingFunction:  'steps(2)',
+      animationDelay:           '2s',
+      animationIterationCount:  2,
+      animationDirection:       'reverse',
+      animationFillMode:        'backwards',
+      animationPlayState:       'running',
+      transition:               'all 2s',
+      transitionDelay:          '2s',
+      transitionDuration:       '2s',
+      transitionProperty:       'all',
+      transitionTimingFunction: 'ease-out'
+    }
+  ];
+  var defaultKeyframeProperties = [ 'computedOffset', 'easing', 'offset' ];
+
+  var div = createDiv(t);
+  var anim = div.animate(frames, 1000);
+
+  assert_equals(anim.effect.getFrames().length, 2,
+                'Animation specified using a keyframe sequence where each'
+                + ' keyframe contains only non-animatable properties should'
+                + ' return an equal number of (empty) keyframes');
+  assert_array_equals(Object.keys(anim.effect.getFrames()[0]),
+                      defaultKeyframeProperties,
+                      'Initial keyframe should not contain any properties other'
+                      + ' than the default keyframe properties');
+  assert_array_equals(Object.keys(anim.effect.getFrames()[1]),
+                      defaultKeyframeProperties,
+                      'Final keyframe should not contain any properties other'
+                      + ' than the default keyframe properties');
+}, 'CSS animations and CSS transitions properties cannot be animated using'
+   + ' a sequence of keyframes');
+</script>
diff --git a/toolkit/components/formautofill/FormAutofill.jsm b/toolkit/components/formautofill/FormAutofill.jsm
index e87431b0c3..aae3a956ca 100644
--- a/toolkit/components/formautofill/FormAutofill.jsm
+++ b/toolkit/components/formautofill/FormAutofill.jsm
@@ -14,31 +14,13 @@ this.EXPORTED_SYMBOLS = [
 
 const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
 
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
-Cu.import("resource://gre/modules/Services.jsm");
-
-XPCOMUtils.defineLazyModuleGetter(this, "FormAutofillIntegration",
-                                  "resource://gre/modules/FormAutofillIntegration.jsm");
-XPCOMUtils.defineLazyModuleGetter(this, "Promise",
-                                  "resource://gre/modules/Promise.jsm");
-XPCOMUtils.defineLazyModuleGetter(this, "Task",
-                                  "resource://gre/modules/Task.jsm");
+Cu.import("resource://gre/modules/Integration.jsm");
+Cu.import("resource://gre/modules/Task.jsm");
 
 /**
  * Main module handling references to objects living in the main process.
  */
 this.FormAutofill = {
-  /**
-   * Dynamically generated object implementing the FormAutofillIntegration
-   * methods.  Platform-specific code and add-ons can override methods of this
-   * object using the registerIntegration method.
-   */
-  get integration() {
-    // This lazy getter is only called if registerIntegration was never called.
-    this._refreshIntegrations();
-    return this.integration;
-  },
-
   /**
    * Registers new overrides for the FormAutofillIntegration methods.  Example:
    *
@@ -57,9 +39,8 @@ this.FormAutofill = {
    *       integration functions changes.  Thus, it should not have any side
    *       effects or do any other initialization.
    */
-  registerIntegration: function (aIntegrationFn) {
-    this._integrationFns.add(aIntegrationFn);
-    this._refreshIntegrations();
+  registerIntegration(aIntegrationFn) {
+    Integration.formAutofill.register(aIntegrationFn);
   },
 
   /**
@@ -72,45 +53,8 @@ this.FormAutofill = {
    * @param aIntegrationFn
    *        This must be the same function object passed to registerIntegration.
    */
-  unregisterIntegration: function (aIntegrationFn) {
-    this._integrationFns.delete(aIntegrationFn);
-    this._refreshIntegrations();
-  },
-
-  /**
-   * Ordered list of registered functions defining integration overrides.
-   */
-  _integrationFns: new Set(),
-
-  /**
-   * Updates the "integration" getter with the object resulting from combining
-   * all the registered integration overrides with the default implementation.
-   */
-  _refreshIntegrations: function () {
-    delete this.integration;
-
-    let combined = FormAutofillIntegration;
-    for (let integrationFn of this._integrationFns) {
-      try {
-        // Obtain a new set of methods from the next integration function in the
-        // list, specifying the current combined object as the base argument.
-        let integration = integrationFn.call(null, combined);
-
-        // Retrieve a list of property descriptors from the returned object, and
-        // use them to build a new combined object whose prototype points to the
-        // previous combined object.
-        let descriptors = {};
-        for (let name of Object.getOwnPropertyNames(integration)) {
-          descriptors[name] = Object.getOwnPropertyDescriptor(integration, name);
-        }
-        combined = Object.create(combined, descriptors);
-      } catch (ex) {
-        // Any error will result in the current integration being skipped.
-        Cu.reportError(ex);
-      }
-    }
-
-    this.integration = combined;
+  unregisterIntegration(aIntegrationFn) {
+    Integration.formAutofill.unregister(aIntegrationFn);
   },
 
   /**
@@ -127,3 +71,15 @@ this.FormAutofill = {
     return yield ui.show();
   }),
 };
+
+/**
+ * Dynamically generated object implementing the FormAutofillIntegration
+ * methods.  Platform-specific code and add-ons can override methods of this
+ * object using the registerIntegration method.
+ */
+Integration.formAutofill.defineModuleGetter(
+  this.FormAutofill,
+  "integration",
+  "resource://gre/modules/FormAutofillIntegration.jsm",
+  "FormAutofillIntegration"
+);
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index fe88f5b01c..dad9693c82 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -2796,6 +2796,11 @@
     "kind": "boolean",
     "description": "The URL path contains !//"
   },
+  "NETWORK_AUTODIAL": {
+    "expires_in_version": "never",
+    "kind": "boolean",
+    "description": "session used autodialer"
+  },
   "NETWORK_SESSION_AT_256FD": {
     "expires_in_version": "49",
     "kind": "boolean",
@@ -3369,6 +3374,29 @@
     "kind": "boolean",
     "description": "Did UrlClassifier fail to construct the PrefixSet?"
   },
+  "URLCLASSIFIER_UPDATE_REMOTE_STATUS": {
+    "alert_emails": ["gcp@mozilla.com", "francois@mozilla.com"],
+    "expires_in_version": "never",
+    "kind": "enumerated",
+    "n_values": 16,
+    "bug_numbers": [1150921],
+    "description": "Server HTTP status code from SafeBrowsing database updates. (0=1xx, 1=200, 2=2xx, 3=204, 4=3xx, 5=400, 6=4xx, 7=403, 8=404, 9=408, 10=413, 11=5xx, 12=502|504|511, 13=503, 14=505, 15=Other)"
+  },
+  "URLCLASSIFIER_COMPLETE_REMOTE_STATUS": {
+    "alert_emails": ["gcp@mozilla.com", "francois@mozilla.com"],
+    "expires_in_version": "never",
+    "kind": "enumerated",
+    "n_values": 16,
+    "bug_numbers": [1150921],
+    "description": "Server HTTP status code from remote SafeBrowsing gethash lookups. (0=1xx, 1=200, 2=2xx, 3=204, 4=3xx, 5=400, 6=4xx, 7=403, 8=404, 9=408, 10=413, 11=5xx, 12=502|504|511, 13=503, 14=505, 15=Other)"
+  },
+  "URLCLASSIFIER_COMPLETE_TIMEOUT": {
+    "alert_emails": ["gcp@mozilla.com", "francois@mozilla.com"],
+    "expires_in_version": "52",
+    "kind": "boolean",
+    "bug_numbers": [1172688],
+    "description": "This metric is recorded every time a gethash lookup is performed, `true` is recorded if the lookup times out."
+  },
   "CSP_DOCUMENTS_COUNT": {
     "alert_emails": ["seceng@mozilla.com"],
     "bug_numbers": [1252829],
diff --git a/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp b/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
index 0220005e07..e3112eb37d 100644
--- a/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
@@ -863,6 +863,8 @@ nsUrlClassifierLookupCallback::LookupComplete(nsTArray<LookupResult>* results)
     }
   }
 
+  LOG(("nsUrlClassifierLookupCallback::LookupComplete [%p] "
+       "%u pending completions", this, mPendingCompletions));
   if (mPendingCompletions == 0) {
     // All results were complete, we're ready!
     HandleResults();
@@ -933,8 +935,14 @@ nsUrlClassifierLookupCallback::HandleResults()
 {
   if (!mResults) {
     // No results, this URI is clean.
+    LOG(("nsUrlClassifierLookupCallback::HandleResults [%p, no results]", this));
     return mCallback->HandleEvent(NS_LITERAL_CSTRING(""));
   }
+  MOZ_ASSERT(mPendingCompletions == 0, "HandleResults() should never be "
+             "called while there are pending completions");
+
+  LOG(("nsUrlClassifierLookupCallback::HandleResults [%p, %u results]",
+       this, mResults->Length()));
 
   nsTArray<nsCString> tables;
   // Build a stringified list of result tables.
@@ -952,7 +960,8 @@ nsUrlClassifierLookupCallback::HandleResults()
       continue;
     }
 
-    LOG(("Confirmed result from table %s", result.mTableName.get()));
+    LOG(("Confirmed result %X from table %s",
+         result.hash.prefix.ToUint32(), result.mTableName.get()));
 
     if (tables.IndexOf(result.mTableName) == nsTArray<nsCString>::NoIndex) {
       tables.AppendElement(result.mTableName);
diff --git a/toolkit/components/url-classifier/nsUrlClassifierHashCompleter.js b/toolkit/components/url-classifier/nsUrlClassifierHashCompleter.js
index a7900b84cf..03c9c6b83d 100644
--- a/toolkit/components/url-classifier/nsUrlClassifierHashCompleter.js
+++ b/toolkit/components/url-classifier/nsUrlClassifierHashCompleter.js
@@ -47,6 +47,115 @@ function log(...stuff) {
   dump(msg + "\n");
 }
 
+// Map the HTTP response code to a Telemetry bucket
+// https://developers.google.com/safe-browsing/developers_guide_v2?hl=en
+function httpStatusToBucket(httpStatus) {
+  var statusBucket;
+  switch (httpStatus) {
+  case 100:
+  case 101:
+    // Unexpected 1xx return code
+    statusBucket = 0;
+    break;
+  case 200:
+    // OK - Data is available in the HTTP response body.
+    statusBucket = 1;
+    break;
+  case 201:
+  case 202:
+  case 203:
+  case 205:
+  case 206:
+    // Unexpected 2xx return code
+    statusBucket = 2;
+    break;
+  case 204:
+    // No Content - There are no full-length hashes with the requested prefix.
+    statusBucket = 3;
+    break;
+  case 300:
+  case 301:
+  case 302:
+  case 303:
+  case 304:
+  case 305:
+  case 307:
+  case 308:
+    // Unexpected 3xx return code
+    statusBucket = 4;
+    break;
+  case 400:
+    // Bad Request - The HTTP request was not correctly formed.
+    // The client did not provide all required CGI parameters.
+    statusBucket = 5;
+    break;
+  case 401:
+  case 402:
+  case 405:
+  case 406:
+  case 407:
+  case 409:
+  case 410:
+  case 411:
+  case 412:
+  case 414:
+  case 415:
+  case 416:
+  case 417:
+  case 421:
+  case 426:
+  case 428:
+  case 429:
+  case 431:
+  case 451:
+    // Unexpected 4xx return code
+    statusBucket = 6;
+    break;
+  case 403:
+    // Forbidden - The client id is invalid.
+    statusBucket = 7;
+    break;
+  case 404:
+    // Not Found
+    statusBucket = 8;
+    break;
+  case 408:
+    // Request Timeout
+    statusBucket = 9;
+    break;
+  case 413:
+    // Request Entity Too Large - Bug 1150334
+    statusBucket = 10;
+    break;
+  case 500:
+  case 501:
+  case 510:
+    // Unexpected 5xx return code
+    statusBucket = 11;
+    break;
+  case 502:
+  case 504:
+  case 511:
+    // Local network errors, we'll ignore these.
+    statusBucket = 12;
+    break;
+  case 503:
+    // Service Unavailable - The server cannot handle the request.
+    // Clients MUST follow the backoff behavior specified in the
+    // Request Frequency section.
+    statusBucket = 13;
+    break;
+  case 505:
+    // HTTP Version Not Supported - The server CANNOT handle the requested
+    // protocol major version.
+    statusBucket = 14;
+    break;
+  default:
+    statusBucket = 15;
+  };
+  return statusBucket;
+}
+
 function HashCompleter() {
   // The current HashCompleterRequest in flight. Once it is started, it is set
   // to null. It may be used by multiple calls to |complete| in succession to
@@ -229,6 +338,7 @@ HashCompleterRequest.prototype = {
     // channel.
     if (this._channel && this._channel.isPending()) {
       dump("hashcompleter: cancelling request to " + this.gethashUrl + "\n");
+      Services.telemetry.getHistogramById("URLCLASSIFIER_COMPLETE_TIMEOUT").add(1);
       this._channel.cancel(Cr.NS_BINDING_ABORTED);
     }
   },
@@ -433,9 +543,14 @@ HashCompleterRequest.prototype = {
         aStatusCode = Cr.NS_ERROR_ABORT;
       }
     }
-    log('Received a ' + httpStatus + ' status code from the gethash server.');
-
     let success = Components.isSuccessCode(aStatusCode);
+    log('Received a ' + httpStatus + ' status code from the gethash server (success=' + success + ').');
+
+    let histogram =
+      Services.telemetry.getHistogramById("URLCLASSIFIER_COMPLETE_REMOTE_STATUS");
+    histogram.add(httpStatusToBucket(httpStatus));
+    Services.telemetry.getHistogramById("URLCLASSIFIER_COMPLETE_TIMEOUT").add(0);
+
     // Notify the RequestBackoff once a response is received.
     this._completer.finishRequest(this.gethashUrl, httpStatus);
 
diff --git a/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp b/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
index a8ad3a3445..431c2a3513 100644
--- a/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
@@ -20,6 +20,7 @@
 #include "mozilla/Logging.h"
 #include "nsIInterfaceRequestor.h"
 #include "mozilla/LoadContext.h"
+#include "mozilla/Telemetry.h"
 #include "nsContentUtils.h"
 
 static const char* gQuitApplicationMessage = "quit-application";
@@ -444,6 +445,114 @@ nsUrlClassifierStreamUpdater::AddRequestBody(const nsACString &aRequestBody)
   return NS_OK;
 }
 
+// Map the HTTP response code to a Telemetry bucket
+static uint32_t HTTPStatusToBucket(uint32_t status)
+{
+  uint32_t statusBucket;
+  switch (status) {
+  case 100:
+  case 101:
+    // Unexpected 1xx return code
+    statusBucket = 0;
+    break;
+  case 200:
+    // OK - Data is available in the HTTP response body.
+    statusBucket = 1;
+    break;
+  case 201:
+  case 202:
+  case 203:
+  case 205:
+  case 206:
+    // Unexpected 2xx return code
+    statusBucket = 2;
+    break;
+  case 204:
+    // No Content
+    statusBucket = 3;
+    break;
+  case 300:
+  case 301:
+  case 302:
+  case 303:
+  case 304:
+  case 305:
+  case 307:
+  case 308:
+    // Unexpected 3xx return code
+    statusBucket = 4;
+    break;
+  case 400:
+    // Bad Request - The HTTP request was not correctly formed.
+    // The client did not provide all required CGI parameters.
+    statusBucket = 5;
+    break;
+  case 401:
+  case 402:
+  case 405:
+  case 406:
+  case 407:
+  case 409:
+  case 410:
+  case 411:
+  case 412:
+  case 414:
+  case 415:
+  case 416:
+  case 417:
+  case 421:
+  case 426:
+  case 428:
+  case 429:
+  case 431:
+  case 451:
+    // Unexpected 4xx return code
+    statusBucket = 6;
+    break;
+  case 403:
+    // Forbidden - The client id is invalid.
+    statusBucket = 7;
+    break;
+  case 404:
+    // Not Found
+    statusBucket = 8;
+    break;
+  case 408:
+    // Request Timeout
+    statusBucket = 9;
+    break;
+  case 413:
+    // Request Entity Too Large - Bug 1150334
+    statusBucket = 10;
+    break;
+  case 500:
+  case 501:
+  case 510:
+    // Unexpected 5xx return code
+    statusBucket = 11;
+    break;
+  case 502:
+  case 504:
+  case 511:
+    // Local network errors, we'll ignore these.
+    statusBucket = 12;
+    break;
+  case 503:
+    // Service Unavailable - The server cannot handle the request.
+    // Clients MUST follow the backoff behavior specified in the
+    // Request Frequency section.
+    statusBucket = 13;
+    break;
+  case 505:
+    // HTTP Version Not Supported - The server CANNOT handle the requested
+    // protocol major version.
+    statusBucket = 14;
+    break;
+  default:
+    statusBucket = 15;
+  };
+  return statusBucket;
+}
 
 ///////////////////////////////////////////////////////////////////////////////
 // nsIStreamListenerObserver implementation
@@ -479,6 +588,9 @@ nsUrlClassifierStreamUpdater::OnStartRequest(nsIRequest *request,
     if (NS_FAILED(status)) {
       // Assume we're overloading the server and trigger backoff.
       downloadError = true;
+      mozilla::Telemetry::Accumulate(mozilla::Telemetry::URLCLASSIFIER_UPDATE_REMOTE_STATUS,
+                                     15 /* unknown response code */);
+
     } else {
       bool succeeded = false;
       rv = httpChannel->GetRequestSucceeded(&succeeded);
@@ -487,6 +599,8 @@ nsUrlClassifierStreamUpdater::OnStartRequest(nsIRequest *request,
       uint32_t requestStatus;
       rv = httpChannel->GetResponseStatus(&requestStatus);
       NS_ENSURE_SUCCESS(rv, rv);
+      mozilla::Telemetry::Accumulate(mozilla::Telemetry::URLCLASSIFIER_UPDATE_REMOTE_STATUS,
+                                     HTTPStatusToBucket(requestStatus));
       LOG(("nsUrlClassifierStreamUpdater::OnStartRequest %s (%d)", succeeded ?
            "succeeded" : "failed", requestStatus));
       if (!succeeded) {
diff --git a/toolkit/modules/Integration.jsm b/toolkit/modules/Integration.jsm
new file mode 100644
index 0000000000..d648d80ea1
--- /dev/null
+++ b/toolkit/modules/Integration.jsm
@@ -0,0 +1,283 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Implements low-overhead integration between components of the application.
+ * This may have different uses depending on the component, including:
+ *
+ * - Providing product-specific implementations registered at startup.
+ * - Using alternative implementations during unit tests.
+ * - Allowing add-ons to change specific behaviors.
+ *
+ * Components may define one or more integration points, each defined by a
+ * root integration object whose properties and methods are the public interface
+ * and default implementation of the integration point. For example:
+ *
+ *   const DownloadIntegration = {
+ *     getTemporaryDirectory() {
+ *       return "/tmp/";
+ *     },
+ *
+ *     getTemporaryFile(name) {
+ *       return this.getTemporaryDirectory() + name;
+ *     },
+ *   };
+ *
+ * Other parts of the application may register overrides for some or all of the
+ * defined properties and methods. The component defining the integration point
+ * does not have to be loaded at this stage, because the name of the integration
+ * point is the only information required. For example, if the integration point
+ * is called "downloads":
+ *
+ *   Integration.downloads.register(base => ({
+ *     getTemporaryDirectory() {
+ *       return base.getTemporaryDirectory.call(this) + "subdir/";
+ *     },
+ *   }));
+ *
+ * When the component defining the integration point needs to call a method on
+ * the integration object, instead of using it directly the component would use
+ * the "getCombined" method to retrieve an object that includes all overrides.
+ * For example:
+ *
+ *   let combined = Integration.downloads.getCombined(DownloadIntegration);
+ *   Assert.is(combined.getTemporaryFile("file"), "/tmp/subdir/file");
+ *
+ * Overrides can be registered at startup or at any later time, so each call to
+ * "getCombined" may return a different object. The simplest way to create a
+ * reference to the combined object that stays updated to the latest version is
+ * to define the root object in a JSM and use the "defineModuleGetter" method.
+ *
+ * *** Registration ***
+ *
+ * Since the interface is not declared formally, the registrations can happen
+ * at startup without loading the component, so they do not affect performance.
+ *
+ * Hovever, this module does not provide a startup registry, this means that the
+ * code that registers and implements the override must be loaded at startup.
+ *
+ * If performance for the override code is a concern, you can take advantage of
+ * the fact that the function used to create the override is called lazily, and
+ * include only a stub loader for the final code in an existing startup module.
+ *
+ * The registration of overrides should be repeated for each process where the
+ * relevant integration methods will be called.
+ *
+ * *** Accessing base methods and properties ***
+ *
+ * Overrides are included in the prototype chain of the combined object in the
+ * same order they were registered, where the first is closest to the root.
+ *
+ * When defining overrides, you do not need to set the "__proto__" property of
+ * the objects you create, because their properties and methods are moved to a
+ * new object with the correct prototype. If you do, however, you can call base
+ * properties and methods using the "super" keyword. For example:
+ *
+ *   Integration.downloads.register(base => ({
+ *     __proto__: base,
+ *     getTemporaryDirectory() {
+ *       return super.getTemporaryDirectory() + "subdir/";
+ *     },
+ *   }));
+ *
+ * *** State handling ***
+ *
+ * Storing state directly on the combined integration object using the "this"
+ * reference is not recommended. When a new integration is registered, own
+ * properties stored on the old combined object are copied to the new combined
+ * object using a shallow copy, but the "this" reference for new invocations
+ * of the methods will be different.
+ *
+ * If the root object defines a property that always points to the same object,
+ * for example a "state" property, you can safely use it across registrations.
+ *
+ * Integration overrides provided by restartless add-ons should not use the
+ * "this" reference to store state, to avoid conflicts with other add-ons.
+ *
+ * *** Interaction with XPCOM ***
+ *
+ * Providing the combined object as an argument to any XPCOM method will
+ * generate a console error message, and will throw an exception where possible.
+ * For example, you cannot register observers directly on the combined object.
+ * This helps preventing mistakes due to the fact that the combined object
+ * reference changes when new integration overrides are registered.
+ */
+
+"use strict";
+
+this.EXPORTED_SYMBOLS = [
+  "Integration",
+];
+
+const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+
+/**
+ * Maps integration point names to IntegrationPoint objects.
+ */
+const gIntegrationPoints = new Map();
+
+/**
+ * This Proxy object creates IntegrationPoint objects using their name as key.
+ * The objects will be the same for the duration of the process. For example:
+ *
+ *   Integration.downloads.register(...);
+ *   Integration["addon-provided-integration"].register(...);
+ */
+this.Integration = new Proxy({}, {
+  get(target, name) {
+    let integrationPoint = gIntegrationPoints.get(name);
+    if (!integrationPoint) {
+      integrationPoint = new IntegrationPoint();
+      gIntegrationPoints.set(name, integrationPoint);
+    }
+    return integrationPoint;
+  },
+});
+
+/**
+ * Individual integration point for which overrides can be registered.
+ */
+this.IntegrationPoint = function () {
+  this._overrideFns = new Set();
+  this._combined = {
+    QueryInterface: function() {
+      let ex = new Components.Exception(
+                   "Integration objects should not be used with XPCOM because" +
+                   " they change when new overrides are registered.",
+                   Cr.NS_ERROR_NO_INTERFACE);
+      Cu.reportError(ex);
+      throw ex;
+    },
+  };
+}
+
+this.IntegrationPoint.prototype = {
+  /**
+   * Ordered set of registered functions defining integration overrides.
+   */
+  _overrideFns: null,
+
+  /**
+   * Combined integration object. When this reference changes, properties
+   * defined directly on this object are copied to the new object.
+   *
+   * Initially, the only property of this object is a "QueryInterface" method
+   * that throws an exception, to prevent misuse as a permanent XPCOM listener.
+   */
+  _combined: null,
+
+  /**
+   * Indicates whether the integration object is current based on the list of
+   * registered integration overrides.
+   */
+  _combinedIsCurrent: false,
+
+  /**
+   * Registers new overrides for the integration methods. For example:
+   *
+   *   Integration.nameOfIntegrationPoint.register(base => ({
+   *     asyncMethod: Task.async(function* () {
+   *       return yield base.asyncMethod.apply(this, arguments);
+   *     }),
+   *   }));
+   *
+   * @param overrideFn
+   *        Function returning an object defining the methods that should be
+   *        overridden. Its only parameter is an object that contains the base
+   *        implementation of all the available methods.
+   *
+   * @note The override function is called every time the list of registered
+   *       override functions changes. Thus, it should not have any side
+   *       effects or do any other initialization.
+   */
+  register(overrideFn) {
+    this._overrideFns.add(overrideFn);
+    this._combinedIsCurrent = false;
+  },
+
+  /**
+   * Removes a previously registered integration override.
+   *
+   * Overrides don't usually need to be unregistered, unless they are added by a
+   * restartless add-on, in which case they should be unregistered when the
+   * add-on is disabled or uninstalled.
+   *
+   * @param overrideFn
+   *        This must be the same function object passed to "register".
+   */
+  unregister(overrideFn) {
+    this._overrideFns.delete(overrideFn);
+    this._combinedIsCurrent = false;
+  },
+
+  /**
+   * Retrieves the dynamically generated object implementing the integration
+   * methods. Platform-specific code and add-ons can override methods of this
+   * object using the "register" method.
+   */
+  getCombined(root) {
+    if (this._combinedIsCurrent) {
+      return this._combined;
+    }
+
+    // In addition to enumerating all the registered integration overrides in
+    // order, we want to keep any state that was previously stored in the
+    // combined object using the "this" reference in integration methods.
+    let overrideFnArray = [...this._overrideFns, () => this._combined];
+
+    let combined = root;
+    for (let overrideFn of overrideFnArray) {
+      try {
+        // Obtain a new set of methods from the next override function in the
+        // list, specifying the current combined object as the base argument.
+        let override = overrideFn.call(null, combined);
+
+        // Retrieve a list of property descriptors from the returned object, and
+        // use them to build a new combined object whose prototype points to the
+        // previous combined object.
+        let descriptors = {};
+        for (let name of Object.getOwnPropertyNames(override)) {
+          descriptors[name] = Object.getOwnPropertyDescriptor(override, name);
+        }
+        combined = Object.create(combined, descriptors);
+      } catch (ex) {
+        // Any error will result in the current override being skipped.
+        Cu.reportError(ex);
+      }
+    }
+
+    this._combinedIsCurrent = true;
+    return this._combined = combined;
+  },
+
+  /**
+   * Defines a getter to retrieve the dynamically generated object implementing
+   * the integration methods, loading the root implementation lazily from the
+   * specified JSM module. For example:
+   *
+   *   Integration.test.defineModuleGetter(this, "TestIntegration",
+   *                    "resource://testing-common/TestIntegration.jsm");
+   *
+   * @param targetObject
+   *        The object on which the lazy getter will be defined.
+   * @param name
+   *        The name of the getter to define.
+   * @param moduleUrl
+   *        The URL used to obtain the module.
+   * @param symbol [optional]
+   *        The name of the symbol exported by the module. This can be omitted
+   *        if the name of the exported symbol is equal to the getter name.
+   */
+  defineModuleGetter(targetObject, name, moduleUrl, symbol) {
+    let moduleHolder = {};
+    XPCOMUtils.defineLazyModuleGetter(moduleHolder, name, moduleUrl, symbol);
+    Object.defineProperty(targetObject, name, {
+      get: () => this.getCombined(moduleHolder[name]),
+      configurable: true,
+      enumerable: true,
+    });
+  },
+};
diff --git a/toolkit/modules/PageMetadata.jsm b/toolkit/modules/PageMetadata.jsm
index 44e0eade2e..820ec38eab 100644
--- a/toolkit/modules/PageMetadata.jsm
+++ b/toolkit/modules/PageMetadata.jsm
@@ -10,6 +10,7 @@ const {classes: Cc, interfaces: Ci, utils: Cu, results: Cr} = Components;
 
 Cu.import("resource://gre/modules/Services.jsm");
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/microformat-shiv.js");
 
 XPCOMUtils.defineLazyServiceGetter(this, "UnescapeService",
                                    "@mozilla.org/feed-unescapehtml;1",
@@ -25,7 +26,7 @@ const DISCOVER_IMAGES_MAX  = 5;
 
 
 /**
- * Extract metadata and microdata from a HTML document.
+ * Extract metadata and microformats from a HTML document.
  * @type {Object}
  */
 this.PageMetadata = {
@@ -36,14 +37,14 @@ this.PageMetadata = {
    * - Metadata specified in <meta> tags, including OpenGraph data
    * - Links specified in <link> tags (short, canonical, preview images, alternative)
    * - Content that can be found in the page content that we consider useful metadata
-   * - Microdata, as defined by the spec:
-   *   http://www.whatwg.org/specs/web-apps/current-work/multipage/microdata-2.html
+   * - Microformats
    *
    * @param {Document} document - Document to extract data from.
+   * @param {Element} [target] - Optional element to restrict microformats lookup to.
    * @returns {Object} Object containing the various metadata, normalized to
    *                   merge some common alternative names for metadata.
    */
-  getData(document) {
+  getData(document, target = null) {
     let result = {
       url: this._validateURL(document, document.documentURI),
       title: document.title,
@@ -68,84 +69,16 @@ this.PageMetadata = {
     this._getMetaData(document, result);
     this._getLinkData(document, result);
     this._getPageData(document, result);
-    result.microdata = this.getMicrodata(document);
+    result.microformats = this.getMicroformats(document, target);
 
     return result;
   },
 
-  /**
-   * Get all microdata from an HTML document, or from only a given element.
-   *
-   * Returns an object in the format:
-   *   {
-   *     "items": [
-   *       {
-   *         "type": [ "<TYPE>" ],
-   *         "properties": {
-   *            "<PROPERTY-NAME>": [ "<PROPERTY-VALUE>", ... ],
-   *            ...,
-   *         }
-   *       },
-   *       ...,
-   *     ]
-   *   }
-   *
-   * @note This is based on wg algorythm to convert microdata to json
-   *      http://www.whatwg.org/specs/web-apps/current-work/multipage/microdata-2.html#json
-   *
-   * @param {Document} document - Document to extract data from.
-   * @param {Element} [target] - Optional element to restrict microdata lookup to.
-   * @return {Object} Object describing the found microdata.
-   */
-  getMicrodata(document, target = null) {
-    function getObject(item) {
-      let result = {};
-
-      if (item.itemType.length) {
-        result.types = [...item.itemType];
-      }
-
-      if (item.itemId) {
-        result.itemId = item.itemId;
-      }
-
-      if (item.properties.length) {
-        result.properties = {};
-      }
-
-      for (let elem of item.properties) {
-        let value;
-        if (elem.itemScope) {
-          value = getObject(elem);
-        } else if (elem.itemValue) {
-          value = elem.itemValue;
-        } else if (elem.hasAttribute("content")) {
-          // Handle mis-formatted microdata.
-          value = elem.getAttribute("content");
-        }
-
-        for (let prop of elem.itemProp) {
-          if (!result.properties[prop]) {
-            result.properties[prop] = [];
-          }
-
-          result.properties[prop].push(value);
-        }
-      }
-
-      return result;
+  getMicroformats(document, target = null) {
+    if (target) {
+      return Microformats.getParent(target, {node: document});
     }
-
-    let result = { items: [] };
-    let elements = target ? [target] : document.getItems();
-
-    for (let element of elements) {
-      if (element.itemScope) {
-        result.items.push(getObject(element));
-      }
-    }
-
-    return result;
+    return Microformats.get({node: document});
   },
 
   /**
diff --git a/toolkit/modules/PromiseMessage.jsm b/toolkit/modules/PromiseMessage.jsm
index 8419ccb22f..f232d074b3 100644
--- a/toolkit/modules/PromiseMessage.jsm
+++ b/toolkit/modules/PromiseMessage.jsm
@@ -10,14 +10,11 @@ var msgId = 0;
 
 var PromiseMessage = {
   send(messageManager, name, data = {}) {
-    let id = msgId++;
+    const id = `${name}_${msgId++}`;
 
-    // Make a copy of data so that the caller doesn't see us setting 'id'.
-    let dataCopy = {};
-    for (let prop in data) {
-      dataCopy[prop] = data[prop];
-    }
-    dataCopy.id = id;
+    // Make a copy of data so that the caller doesn't see us setting 'id':
+    // To a new object, assign data's props, and then override the id.
+    const dataCopy = Object.assign({}, data, {id});
 
     // Send the message.
     messageManager.sendAsyncMessage(name, dataCopy);
diff --git a/toolkit/modules/moz.build b/toolkit/modules/moz.build
index dc7d5855c8..ada0f07738 100644
--- a/toolkit/modules/moz.build
+++ b/toolkit/modules/moz.build
@@ -11,6 +11,7 @@ MOCHITEST_CHROME_MANIFESTS += ['tests/chrome/chrome.ini']
 
 TESTING_JS_MODULES += [
     'tests/PromiseTestUtils.jsm',
+    'tests/xpcshell/TestIntegration.jsm',
 ]
 
 SPHINX_TREES['toolkit_modules'] = 'docs'
@@ -41,6 +42,7 @@ EXTRA_JS_MODULES += [
     'Http.jsm',
     'InlineSpellChecker.jsm',
     'InlineSpellCheckerContent.jsm',
+    'Integration.jsm',
     'LoadContextInfo.jsm',
     'Locale.jsm',
     'Log.jsm',
diff --git a/toolkit/modules/tests/browser/browser.ini b/toolkit/modules/tests/browser/browser.ini
index 63c8997a21..f10d688507 100644
--- a/toolkit/modules/tests/browser/browser.ini
+++ b/toolkit/modules/tests/browser/browser.ini
@@ -18,5 +18,6 @@ skip-if = e10s # Bug ?????? - test already uses content scripts, but still fails
 [browser_WebRequest_cookies.js]
 [browser_WebRequest_filtering.js]
 [browser_PageMetadata.js]
+[browser_PromiseMessage.js]
 [browser_RemotePageManager.js]
 [browser_Troubleshoot.js]
diff --git a/toolkit/modules/tests/browser/browser_PromiseMessage.js b/toolkit/modules/tests/browser/browser_PromiseMessage.js
new file mode 100644
index 0000000000..89d437c66a
--- /dev/null
+++ b/toolkit/modules/tests/browser/browser_PromiseMessage.js
@@ -0,0 +1,38 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*global Cu, BrowserTestUtils, is, ok, add_task, gBrowser */
+"use strict";
+Cu.import("resource://gre/modules/PromiseMessage.jsm", this);
+
+
+const url = "http://example.org/tests/dom/manifest/test/resource.sjs";
+
+/**
+ * Test basic API error conditions
+ */
+add_task(function* () {
+  yield BrowserTestUtils.withNewTab({gBrowser, url}, testPromiseMessageAPI)
+});
+
+function* testPromiseMessageAPI(aBrowser){
+  // Reusing an existing message.
+  const msgKey = "DOM:WebManifest:hasManifestLink";
+  const mm = aBrowser.messageManager;
+  const id = "this should not change";
+  const foo = "neitherShouldThis";
+  const data = {id, foo};
+
+  // This just returns false, and it doesn't matter for this test.
+  yield PromiseMessage.send(mm, msgKey, data);
+
+  // Check that no new props were added
+  const props = Object.getOwnPropertyNames(data);
+  ok(props.length === 2, "There should only be 2 props");
+  ok(props.includes("id"), "Has the id property");
+  ok(props.includes("foo"), "Has the foo property");
+
+  // Check that the props didn't change.
+  is(data.id, id, "The id prop must not change.");
+  is(data.foo, foo, "The foo prop must not change.");
+}
diff --git a/toolkit/modules/tests/xpcshell/TestIntegration.jsm b/toolkit/modules/tests/xpcshell/TestIntegration.jsm
new file mode 100644
index 0000000000..78a0b72671
--- /dev/null
+++ b/toolkit/modules/tests/xpcshell/TestIntegration.jsm
@@ -0,0 +1,42 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/*
+ * Internal module used to test the generation of Integration.jsm getters.
+ */
+
+"use strict";
+
+this.EXPORTED_SYMBOLS = [
+  "TestIntegration",
+];
+
+const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
+
+Cu.import("resource://gre/modules/Task.jsm");
+
+this.TestIntegration = {
+  value: "value",
+
+  get valueFromThis() {
+    return this.value;
+  },
+
+  get property() {
+    return this._property;
+  },
+
+  set property(value) {
+    this._property = value;
+  },
+
+  method(argument) {
+    this.methodArgument = argument;
+    return "method" + argument;
+  },
+
+  asyncMethod: Task.async(function* (argument) {
+    this.asyncMethodArgument = argument;
+    return "asyncMethod" + argument;
+  }),
+};
diff --git a/toolkit/modules/tests/xpcshell/test_Integration.js b/toolkit/modules/tests/xpcshell/test_Integration.js
new file mode 100644
index 0000000000..808e2d34fb
--- /dev/null
+++ b/toolkit/modules/tests/xpcshell/test_Integration.js
@@ -0,0 +1,238 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/*
+ * Tests the Integration.jsm module.
+ */
+
+"use strict";
+
+const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
+
+Cu.import("resource://gre/modules/Integration.jsm", this);
+Cu.import("resource://gre/modules/Services.jsm", this);
+Cu.import("resource://gre/modules/Task.jsm", this);
+
+const TestIntegration = {
+  value: "value",
+
+  get valueFromThis() {
+    return this.value;
+  },
+
+  get property() {
+    return this._property;
+  },
+
+  set property(value) {
+    this._property = value;
+  },
+
+  method(argument) {
+    this.methodArgument = argument;
+    return "method" + argument;
+  },
+
+  asyncMethod: Task.async(function* (argument) {
+    this.asyncMethodArgument = argument;
+    return "asyncMethod" + argument;
+  }),
+};
+
+let overrideFn = base => ({
+  value: "overridden-value",
+
+  get property() {
+    return "overridden-" + base.__lookupGetter__("property").call(this);
+  },
+
+  set property(value) {
+    base.__lookupSetter__("property").call(this, "overridden-" + value);
+  },
+
+  method() {
+    return "overridden-" + base.method.apply(this, arguments);
+  },
+
+  asyncMethod: Task.async(function* () {
+    return "overridden-" + (yield base.asyncMethod.apply(this, arguments));
+  }),
+});
+
+let superOverrideFn = base => ({
+  __proto__: base,
+
+  value: "overridden-value",
+
+  get property() {
+    return "overridden-" + super.property;
+  },
+
+  set property(value) {
+    super.property = "overridden-" + value;
+  },
+
+  method() {
+    return "overridden-" + super.method(...arguments);
+  },
+
+  asyncMethod: Task.async(function* () {
+    // We cannot use the "super" keyword in methods defined using "Task.async".
+    return "overridden-" + (yield base.asyncMethod.apply(this, arguments));
+  }),
+});
+
+/**
+ * Fails the test if the results of method invocations on the combined object
+ * don't match the expected results based on how many overrides are registered.
+ *
+ * @param combined
+ *        The combined object based on the TestIntegration root.
+ * @param overridesCount
+ *        Zero if the root object is not overridden, or a higher value to test
+ *        the presence of one or more integration overrides.
+ */
+function* assertCombinedResults(combined, overridesCount) {
+  let expectedValue = overridesCount > 0 ? "overridden-value" : "value";
+  let prefix = "overridden-".repeat(overridesCount);
+
+  Assert.equal(combined.value, expectedValue);
+  Assert.equal(combined.valueFromThis, expectedValue);
+
+  combined.property = "property";
+  Assert.equal(combined.property, prefix.repeat(2) + "property");
+
+  combined.methodArgument = "";
+  Assert.equal(combined.method("-argument"), prefix + "method-argument");
+  Assert.equal(combined.methodArgument, "-argument");
+
+  combined.asyncMethodArgument = "";
+  Assert.equal(yield combined.asyncMethod("-argument"),
+               prefix + "asyncMethod-argument");
+  Assert.equal(combined.asyncMethodArgument, "-argument");
+}
+
+/**
+ * Fails the test if the results of method invocations on the combined object
+ * for the "testModule" integration point don't match the expected results based
+ * on how many overrides are registered.
+ *
+ * @param overridesCount
+ *        Zero if the root object is not overridden, or a higher value to test
+ *        the presence of one or more integration overrides.
+ */
+function* assertCurrentCombinedResults(overridesCount) {
+  let combined = Integration.testModule.getCombined(TestIntegration);
+  yield assertCombinedResults(combined, overridesCount);
+}
+
+/**
+ * Checks the initial state with no integration override functions registered.
+ */
+add_task(function* test_base() {
+  yield assertCurrentCombinedResults(0);
+});
+
+/**
+ * Registers and unregisters an integration override function.
+ */
+add_task(function* test_override() {
+  Integration.testModule.register(overrideFn);
+  yield assertCurrentCombinedResults(1);
+
+  // Registering the same function more than once has no effect.
+  Integration.testModule.register(overrideFn);
+  yield assertCurrentCombinedResults(1);
+
+  Integration.testModule.unregister(overrideFn);
+  yield assertCurrentCombinedResults(0);
+});
+
+/**
+ * Registers and unregisters more than one integration override function, of
+ * which one uses the prototype and the "super" keyword to access the base.
+ */
+add_task(function* test_override_super_multiple() {
+  Integration.testModule.register(overrideFn);
+  Integration.testModule.register(superOverrideFn);
+  yield assertCurrentCombinedResults(2);
+
+  Integration.testModule.unregister(overrideFn);
+  yield assertCurrentCombinedResults(1);
+
+  Integration.testModule.unregister(superOverrideFn);
+  yield assertCurrentCombinedResults(0);
+});
+
+/**
+ * Registers an integration override function that throws an exception, and
+ * ensures that this does not block other functions from being registered.
+ */
+add_task(function* test_override_error() {
+  let errorOverrideFn = base => { throw "Expected error." };
+
+  Integration.testModule.register(errorOverrideFn);
+  Integration.testModule.register(overrideFn);
+  yield assertCurrentCombinedResults(1);
+
+  Integration.testModule.unregister(errorOverrideFn);
+  Integration.testModule.unregister(overrideFn);
+  yield assertCurrentCombinedResults(0);
+});
+
+/**
+ * Checks that state saved using the "this" reference is preserved as a shallow
+ * copy when registering new integration override functions.
+ */
+add_task(function* test_state_preserved() {
+  let valueObject = { toString: () => "toString" };
+
+  let combined = Integration.testModule.getCombined(TestIntegration);
+  combined.property = valueObject;
+  Assert.ok(combined.property === valueObject);
+
+  Integration.testModule.register(overrideFn);
+  combined = Integration.testModule.getCombined(TestIntegration);
+  Assert.equal(combined.property, "overridden-toString");
+
+  Integration.testModule.unregister(overrideFn);
+  combined = Integration.testModule.getCombined(TestIntegration);
+  Assert.ok(combined.property === valueObject);
+});
+
+/**
+ * Checks that the combined integration objects cannot be used with XPCOM.
+ *
+ * This is limited by the fact that interfaces with the "[function]" annotation,
+ * for example nsIObserver, do not call the QueryInterface implementation.
+ */
+add_task(function* test_xpcom_throws() {
+  let combined = Integration.testModule.getCombined(TestIntegration);
+
+  // This calls QueryInterface because it looks for nsISupportsWeakReference.
+  Assert.throws(() => Services.obs.addObserver(combined, "test-topic", true),
+                "NS_NOINTERFACE");
+});
+
+/**
+ * Checks that getters defined by defineModuleGetter are able to retrieve the
+ * latest version of the combined integration object.
+ */
+add_task(function* test_defineModuleGetter() {
+  let objectForGetters = {};
+
+  // Test with and without the optional "symbol" parameter.
+  Integration.testModule.defineModuleGetter(objectForGetters,
+    "TestIntegration", "resource://testing-common/TestIntegration.jsm");
+  Integration.testModule.defineModuleGetter(objectForGetters,
+    "integration", "resource://testing-common/TestIntegration.jsm",
+    "TestIntegration");
+
+  Integration.testModule.register(overrideFn);
+  yield assertCombinedResults(objectForGetters.integration, 1);
+  yield assertCombinedResults(objectForGetters.TestIntegration, 1);
+
+  Integration.testModule.unregister(overrideFn);
+  yield assertCombinedResults(objectForGetters.integration, 0);
+  yield assertCombinedResults(objectForGetters.TestIntegration, 0);
+});
diff --git a/toolkit/modules/tests/xpcshell/xpcshell.ini b/toolkit/modules/tests/xpcshell/xpcshell.ini
index dcc945935b..f083bd9c06 100644
--- a/toolkit/modules/tests/xpcshell/xpcshell.ini
+++ b/toolkit/modules/tests/xpcshell/xpcshell.ini
@@ -20,6 +20,7 @@ skip-if = toolkit == 'android'
 [test_GMPInstallManager.js]
 skip-if = toolkit == 'android'
 [test_Http.js]
+[test_Integration.js]
 skip-if = toolkit == 'android'
 [test_Log.js]
 skip-if = toolkit == 'android'