10 files changed, 54 insertions, 23 deletions
diff --git a/application/basilisk/app/profile/basilisk.js b/application/basilisk/app/profile/basilisk.js
index eeec29eb90..cff5f599f2 100644
--- a/application/basilisk/app/profile/basilisk.js
+++ b/application/basilisk/app/profile/basilisk.js
@@ -580,6 +580,10 @@ pref("network.captive-portal-service.enabled", true);
 // If true, network link events will change the value of navigator.onLine
 pref("network.manage-offline-status", true);
 
+// Enable opportunistic encryption by default
+pref("network.http.altsvc.oe", true);
+pref("network.http.upgrade-insecure-requests", true);
+
 // We want to make sure mail URLs are handled externally...
 pref("network.protocol-handler.external.mailto", true); // for mail
 pref("network.protocol-handler.external.news", true);   // for news
diff --git a/application/palemoon/components/places/content/editBookmarkOverlay.js b/application/palemoon/components/places/content/editBookmarkOverlay.js
index 69d7d32eb5..e3d4537c7b 100644
--- a/application/palemoon/components/places/content/editBookmarkOverlay.js
+++ b/application/palemoon/components/places/content/editBookmarkOverlay.js
@@ -222,6 +222,11 @@ var gEditItemOverlay = {
     }
 
     let focusElement = () => {
+      let elt = document.querySelector("textbox:not([collapsed=true])");
+      if (elt) {
+        elt.focus();
+        elt.select();
+      }
       this._initialized = true;
     };
 
diff --git a/application/palemoon/components/preferences/security.xul b/application/palemoon/components/preferences/security.xul
index d3d321b16c..b12946f2a5 100644
--- a/application/palemoon/components/preferences/security.xul
+++ b/application/palemoon/components/preferences/security.xul
@@ -50,6 +50,15 @@
                   name="security.cert_pinning.enforcement_level"
                   type="int"/>
       
+      <!-- Opportunistic Encryption -->
+                  
+      <preference id="network.http.upgrade-insecure-requests"
+                  name="network.http.upgrade-insecure-requests"
+                  type="bool"/>
+      <preference id="network.http.altsvc.oe"
+                  name="network.http.altsvc.oe"
+                  type="bool"/>
+      
       <!-- XSS Filter -->
       <!--
       <preference id="security.xssfilter.enable" name="security.xssfilter.enable" type="bool"/>
@@ -144,6 +153,16 @@
                   oncommand="gSecurityPane.updateHPKPPref();"/>
       </vbox>
     </groupbox>
+    
+    <groupbox id="OpportunisticEncryption">
+      <caption label="&OpEnc.label;"/>
+      <checkbox id="enableUIROpEnc"
+                label="&enableUIROpEnc.label;"
+                preference="network.http.upgrade-insecure-requests" />
+      <checkbox id="enableAltSvcOpEnc"
+                label="&enableAltSvcOpEnc.label;"
+                preference="network.http.altsvc.oe" />
+    </groupbox>    
 
     <!-- XSS Filter -->
     <!--
diff --git a/application/palemoon/locales/en-US/chrome/browser/preferences/security.dtd b/application/palemoon/locales/en-US/chrome/browser/preferences/security.dtd
index 2bd3b3aecf..930736d56c 100644
--- a/application/palemoon/locales/en-US/chrome/browser/preferences/security.dtd
+++ b/application/palemoon/locales/en-US/chrome/browser/preferences/security.dtd
@@ -40,6 +40,10 @@
 <!ENTITY  enableHPKP.label           "Enable Certificate Key Pinning (HPKP)">
 <!ENTITY  enableHPKP.accesskey       "C">
 
+<!ENTITY  OpEnc.label                "Opportunistic Encryption (OE)">
+<!ENTITY  enableUIROpEnc.label       "Enable Upgrade Insecure Requests">
+<!ENTITY  enableAltSvcOpEnc.label    "Enable HTTP Alternative Services for OE">
+
 <!ENTITY  XSSFilt.label              "XSS Filter">
 <!ENTITY  enableXSSFilt.label        "Enable XSS filter">
 <!ENTITY  enableXSSFilt.accesskey    "f">
diff --git a/media/libvpx/vpx_config_x86-win32-vs12.h b/media/libvpx/vpx_config_x86-win32-vs12.h
index 42525a303c..9ec6a90bee 100644
--- a/media/libvpx/vpx_config_x86-win32-vs12.h
+++ b/media/libvpx/vpx_config_x86-win32-vs12.h
@@ -31,6 +31,9 @@
 #define HAVE_AVX 1
 #define HAVE_AVX2 1
 #define HAVE_VPX_PORTS 1
+#ifdef HAVE_STDINT_H
+#undef HAVE_STDINT_H
+#endif
 #define HAVE_STDINT_H 0
 #define HAVE_PTHREAD_H 0
 #define HAVE_SYS_MMAN_H 0
diff --git a/media/libvpx/vpx_config_x86_64-win64-vs12.h b/media/libvpx/vpx_config_x86_64-win64-vs12.h
index 65e45f5ba3..afbaf2e43a 100644
--- a/media/libvpx/vpx_config_x86_64-win64-vs12.h
+++ b/media/libvpx/vpx_config_x86_64-win64-vs12.h
@@ -31,6 +31,9 @@
 #define HAVE_AVX 1
 #define HAVE_AVX2 1
 #define HAVE_VPX_PORTS 1
+#ifdef HAVE_STDINT_H
+#undef HAVE_STDINT_H
+#endif
 #define HAVE_STDINT_H 0
 #define HAVE_PTHREAD_H 0
 #define HAVE_SYS_MMAN_H 0
diff --git a/modules/libjar/nsJARChannel.cpp b/modules/libjar/nsJARChannel.cpp
index 2f721fa3f5..ee60602dae 100644
--- a/modules/libjar/nsJARChannel.cpp
+++ b/modules/libjar/nsJARChannel.cpp
@@ -995,25 +995,6 @@ nsJARChannel::OnStartRequest(nsIRequest *req, nsISupports *ctx)
     mRequest = req;
     nsresult rv = mListener->OnStartRequest(this, mListenerContext);
     mRequest = nullptr;
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // Restrict loadable content types.
-    nsAutoCString contentType;
-    GetContentType(contentType);
-    auto contentPolicyType = mLoadInfo->GetExternalContentPolicyType();
-    if (contentType.Equals(APPLICATION_HTTP_INDEX_FORMAT) &&
-        contentPolicyType != nsIContentPolicy::TYPE_DOCUMENT &&
-        contentPolicyType != nsIContentPolicy::TYPE_FETCH) {
-      return NS_ERROR_CORRUPTED_CONTENT;
-    }
-    if (contentPolicyType == nsIContentPolicy::TYPE_STYLESHEET &&
-        !contentType.EqualsLiteral(TEXT_CSS)) {
-      return NS_ERROR_CORRUPTED_CONTENT;
-    }
-    if (contentPolicyType == nsIContentPolicy::TYPE_SCRIPT &&
-        !nsContentUtils::IsJavascriptMIMEType(NS_ConvertUTF8toUTF16(contentType))) {
-      return NS_ERROR_CORRUPTED_CONTENT;
-    }
 
     return rv;
 }
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 957affa795..378745ea4c 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1593,7 +1593,10 @@ pref("network.http.spdy.default-hpack-buffer", 65536); // 64k
 // alt-svc allows separation of transport routing from
 // the origin host without using a proxy.
 pref("network.http.altsvc.enabled", true);
-pref("network.http.altsvc.oe", true);
+// Opportunistic encryption use of alt-svc
+pref("network.http.altsvc.oe", false);
+// Send upgrade-insecure-requests HTTP header?
+pref("network.http.upgrade-insecure-requests", false);
 
 pref("network.http.diagnostics", false);
 
@@ -4977,7 +4980,7 @@ pref("network.captive-portal-service.maxInterval", 1500000); // 25 minutes
 pref("network.captive-portal-service.backoffFactor", "5.0");
 pref("network.captive-portal-service.enabled", false);
 
-pref("captivedetect.canonicalURL", "http://detectportal.firefox.com/success.txt");
+pref("captivedetect.canonicalURL", "http://detectportal.palemoon.org/success.txt");
 pref("captivedetect.canonicalContent", "success\n");
 pref("captivedetect.maxWaitingTime", 5000);
 pref("captivedetect.pollingTime", 3000);
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index bb0b3ca774..be5539a02f 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -313,11 +313,15 @@ nsHttpChannel::nsHttpChannel()
     , mPushedStream(nullptr)
     , mLocalBlocklist(false)
     , mWarningReporter(nullptr)
+    , mSendUpgradeRequest(false)
     , mDidReval(false)
 {
     LOG(("Creating nsHttpChannel [this=%p]\n", this));
     mChannelCreationTime = PR_Now();
     mChannelCreationTimestamp = TimeStamp::Now();
+    
+    mSendUpgradeRequest = 
+      Preferences::GetBool("network.http.upgrade-insecure-requests", false);
 }
 
 nsHttpChannel::~nsHttpChannel()
@@ -377,8 +381,9 @@ nsHttpChannel::Connect()
                                mLoadInfo->GetExternalContentPolicyType() :
                                nsIContentPolicy::TYPE_OTHER;
 
-    if (type == nsIContentPolicy::TYPE_DOCUMENT ||
-        type == nsIContentPolicy::TYPE_SUBDOCUMENT) {
+    if (mSendUpgradeRequest &&
+        (type == nsIContentPolicy::TYPE_DOCUMENT ||
+         type == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
         rv = SetRequestHeader(NS_LITERAL_CSTRING("Upgrade-Insecure-Requests"),
                               NS_LITERAL_CSTRING("1"), false);
         NS_ENSURE_SUCCESS(rv, rv);
diff --git a/netwerk/protocol/http/nsHttpChannel.h b/netwerk/protocol/http/nsHttpChannel.h
index 2e24d6e81c..152cf1503d 100644
--- a/netwerk/protocol/http/nsHttpChannel.h
+++ b/netwerk/protocol/http/nsHttpChannel.h
@@ -597,6 +597,10 @@ private:
     HttpChannelSecurityWarningReporter* mWarningReporter;
 
     RefPtr<ADivertableParentChannel> mParentChannel;
+    
+    // Whether we send opportunistic encryption requests.
+    bool mSendUpgradeRequest;
+
 protected:
     virtual void DoNotifyListenerCleanup() override;