diff --git a/dom/base/nsPerformance.cpp b/dom/base/nsPerformance.cpp
index 50fb63ec5..962a96899 100644
--- a/dom/base/nsPerformance.cpp
+++ b/dom/base/nsPerformance.cpp
@@ -918,10 +918,10 @@ PerformanceBase::ClearResourceTimings()
 DOMHighResTimeStamp
 PerformanceBase::RoundTime(double aTime) const
 {
-  // Round down to the nearest 5us, because if the timer is too accurate people
-  // can do nasty timing attacks with it.  See similar code in the worker
-  // Performance implementation.
-  const double maxResolutionMs = 0.005;
+  // Round down to the nearest 20us, because if the timer is too accurate people
+  // can do nasty timing attacks with it. See TenFourFox issue 459 and
+  // bug 1427870.
+  const double maxResolutionMs = 0.020;
   return floor(aTime / maxResolutionMs) * maxResolutionMs;
 }
 
diff --git a/dom/events/EventStateManager.cpp b/dom/events/EventStateManager.cpp
index f4f8e139b..8c5bf1932 100644
--- a/dom/events/EventStateManager.cpp
+++ b/dom/events/EventStateManager.cpp
@@ -3900,12 +3900,15 @@ EventStateManager::DispatchMouseOrPointerEvent(WidgetMouseEvent* aMouseEvent,
     return nullptr;
   }
 
+  nsCOMPtr<nsIContent> targetContent = aTargetContent;
+  nsCOMPtr<nsIContent> relatedContent = aRelatedContent;
+
   nsAutoPtr<WidgetMouseEvent> dispatchEvent;
   CreateMouseOrPointerWidgetEvent(aMouseEvent, aMessage,
-                                  aRelatedContent, dispatchEvent);
+                                  relatedContent, dispatchEvent);
 
   nsWeakFrame previousTarget = mCurrentTarget;
-  mCurrentTargetContent = aTargetContent;
+  mCurrentTargetContent = targetContent;
 
   nsIFrame* targetFrame = nullptr;
 
@@ -3915,23 +3918,23 @@ EventStateManager::DispatchMouseOrPointerEvent(WidgetMouseEvent* aMouseEvent,
   }
 
   nsEventStatus status = nsEventStatus_eIgnore;
-  ESMEventCB callback(aTargetContent);
-  EventDispatcher::Dispatch(aTargetContent, mPresContext, dispatchEvent, nullptr,
+  ESMEventCB callback(targetContent);
+  EventDispatcher::Dispatch(targetContent, mPresContext, dispatchEvent, nullptr,
                             &status, &callback);
 
   if (mPresContext) {
     // Although the primary frame was checked in event callback, it may not be
     // the same object after event dispatch and handling, so refetch it.
-    targetFrame = mPresContext->GetPrimaryFrameFor(aTargetContent);
+    targetFrame = mPresContext->GetPrimaryFrameFor(targetContent);
 
     // If we are entering/leaving remote content, dispatch a mouse enter/exit
     // event to the remote frame.
-    if (IsRemoteTarget(aTargetContent)) {
+    if (IsRemoteTarget(targetContent)) {
       if (aMessage == eMouseOut) {
         // For remote content, send a "top-level" widget mouse exit event.
         nsAutoPtr<WidgetMouseEvent> remoteEvent;
         CreateMouseOrPointerWidgetEvent(aMouseEvent, eMouseExitFromWidget,
-                                        aRelatedContent, remoteEvent);
+                                        relatedContent, remoteEvent);
         remoteEvent->exit = WidgetMouseEvent::eTopLevel;
 
         // mCurrentTarget is set to the new target, so we must reset it to the
@@ -3943,7 +3946,7 @@ EventStateManager::DispatchMouseOrPointerEvent(WidgetMouseEvent* aMouseEvent,
       } else if (aMessage == eMouseOver) {
         nsAutoPtr<WidgetMouseEvent> remoteEvent;
         CreateMouseOrPointerWidgetEvent(aMouseEvent, eMouseEnterIntoWidget,
-                                        aRelatedContent, remoteEvent);
+                                        relatedContent, remoteEvent);
         HandleCrossProcessEvent(remoteEvent, &status);
       }
     }
diff --git a/dom/media/webrtc/MediaEngineDefault.cpp b/dom/media/webrtc/MediaEngineDefault.cpp
index 9f7d272b8..6e129fcc3 100644
--- a/dom/media/webrtc/MediaEngineDefault.cpp
+++ b/dom/media/webrtc/MediaEngineDefault.cpp
@@ -96,6 +96,8 @@ MediaEngineDefaultVideoSource::Allocate(const dom::MediaTrackConstraints &aConst
   mOpts = aPrefs;
   mOpts.mWidth = mOpts.mWidth ? mOpts.mWidth : MediaEngine::DEFAULT_43_VIDEO_WIDTH;
   mOpts.mHeight = mOpts.mHeight ? mOpts.mHeight : MediaEngine::DEFAULT_43_VIDEO_HEIGHT;
+  mOpts.mWidth = std::max(160, std::min(mOpts.mWidth, 4096));
+  mOpts.mHeight = std::max(90, std::min(mOpts.mHeight, 2160));
   mState = kAllocated;
   return NS_OK;
 }
diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
index 7a157de39..32a8f6382 100644
--- a/dom/workers/XMLHttpRequest.cpp
+++ b/dom/workers/XMLHttpRequest.cpp
@@ -1929,7 +1929,7 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
 
   ++mProxy->mOpenCount;
   if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
-    if (!--mProxy->mOpenCount) {
+    if (mProxy && !--mProxy->mOpenCount) {
       ReleaseProxy();
     }
 
diff --git a/layout/forms/nsNumberControlFrame.cpp b/layout/forms/nsNumberControlFrame.cpp
index 349afba3a..21c05ba50 100644
--- a/layout/forms/nsNumberControlFrame.cpp
+++ b/layout/forms/nsNumberControlFrame.cpp
@@ -677,14 +677,16 @@ nsNumberControlFrame::HandleFocusEvent(WidgetEvent* aEvent)
 {
   if (aEvent->originalTarget != mTextField) {
     // Move focus to our text field
-    HTMLInputElement::FromContent(mTextField)->Focus();
+    RefPtr<HTMLInputElement> textField = HTMLInputElement::FromContent(mTextField);
+    textField->Focus();
   }
 }
 
 nsresult
 nsNumberControlFrame::HandleSelectCall()
 {
-  return HTMLInputElement::FromContent(mTextField)->Select();
+  RefPtr<HTMLInputElement> textField = HTMLInputElement::FromContent(mTextField);
+  return textField->Select();
 }
 
 #define STYLES_DISABLING_NATIVE_THEMING \
diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
index 43742bffb..5584b5e67 100644
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
@@ -2997,12 +2997,11 @@ PeerConnectionImpl::IceGatheringStateChange(
     return;
   }
   WrappableJSErrorResult rv;
-  RUN_ON_THREAD(mThread,
-                WrapRunnable(pco,
-                             &PeerConnectionObserver::OnStateChange,
-                             PCObserverStateType::IceGatheringState,
-                             rv, static_cast<JSCompartment*>(nullptr)),
-                NS_DISPATCH_NORMAL);
+  mThread->Dispatch(WrapRunnable(pco,
+                                 &PeerConnectionObserver::OnStateChange,
+                                 PCObserverStateType::IceGatheringState,
+                                 rv, static_cast<JSCompartment*>(nullptr)),
+                    NS_DISPATCH_NORMAL);
 
   if (mIceGatheringState == PCImplIceGatheringState::Complete) {
     SendLocalIceCandidateToContent(0, "", "");
diff --git a/netwerk/cookie/nsCookieService.cpp b/netwerk/cookie/nsCookieService.cpp
index 6c2a4991c..5fa3d152b 100644
--- a/netwerk/cookie/nsCookieService.cpp
+++ b/netwerk/cookie/nsCookieService.cpp
@@ -4061,8 +4061,9 @@ nsCookieService::PurgeCookies(int64_t aCurrentTimeInUsec)
   for (auto iter = mDBState->hostTable.Iter(); !iter.Done(); iter.Next()) {
     nsCookieEntry* entry = iter.Get();
 
-    const nsCookieEntry::ArrayType &cookies = entry->GetCookies();
-    for (nsCookieEntry::IndexType i = 0; i < cookies.Length(); ) {
+    const nsCookieEntry::ArrayType& cookies = entry->GetCookies();
+    auto length = cookies.Length();
+    for (nsCookieEntry::IndexType i = 0; i < length; ) {
       nsListIter iter(entry, i);
       nsCookie* cookie = cookies[i];
 
@@ -4071,9 +4072,12 @@ nsCookieService::PurgeCookies(int64_t aCurrentTimeInUsec)
         removedList->AppendElement(cookie, false);
         COOKIE_LOGEVICTED(cookie, "Cookie expired");
 
-        // remove from list; do not increment our iterator
+        // remove from list; do not increment our iterator unless we're the last
+        // in the list already.
         gCookieService->RemoveCookieFromList(iter, paramsArray);
-
+        if (i == --length) {
+          break;
+        }
       } else {
         // check if the cookie is over the age limit
         if (cookie->LastAccessed() <= purgeTime) {
@@ -4086,6 +4090,7 @@ nsCookieService::PurgeCookies(int64_t aCurrentTimeInUsec)
 
         ++i;
       }
+      MOZ_ASSERT(length == cookies.Length());
     }
   }
 
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index 183684b68..75b4fbef5 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -3069,6 +3069,14 @@ HttpBaseChannel::GetPerformance()
     return nullptr;
   }
 
+  // We only add to the document's performance object if it has the same
+  // principal as the one triggering the load. This is to prevent navigations
+  // triggered _by_ the iframe from showing up in the parent document's
+  // performance entries if they have different origins.
+  if (!mLoadInfo->TriggeringPrincipal()->Equals(loadingDocument->NodePrincipal())) {
+    return nullptr;
+  }
+
   nsCOMPtr<nsPIDOMWindow> innerWindow = loadingDocument->GetInnerWindow();
   if (!innerWindow) {
     return nullptr;
diff --git a/toolkit/components/places/History.cpp b/toolkit/components/places/History.cpp
index 8178b0535..6287d52ee 100644
--- a/toolkit/components/places/History.cpp
+++ b/toolkit/components/places/History.cpp
@@ -2574,7 +2574,16 @@ History::RegisterVisitedCallback(nsIURI* aURI,
     // assumes that aLink is non-nullptr, we will need to return now.
     if (NS_FAILED(rv) || !aLink) {
       // Remove our array from the hashtable so we don't keep it around.
-      mObservers.RemoveEntry(aURI);
+      // In some case calling RemoveEntry on the key obtained by PutEntry
+      // crashes for currently unknown reasons.  Our suspect is that something
+      // between PutEntry and this call causes a nested loop that either removes
+      // the entry or reallocs the hash.
+      // TODO (Bug 1412647): we must figure the root cause for these issues and
+      // remove this stop-gap crash fix.
+      key = mObservers.GetEntry(aURI);
+      if (key) {
+        mObservers.RemoveEntry(key);
+      }
       return rv;
     }
   }
diff --git a/toolkit/components/satchel/nsFormFillController.cpp b/toolkit/components/satchel/nsFormFillController.cpp
index d69ecb1bc..da126bf86 100644
--- a/toolkit/components/satchel/nsFormFillController.cpp
+++ b/toolkit/components/satchel/nsFormFillController.cpp
@@ -501,7 +501,8 @@ NS_IMETHODIMP
 nsFormFillController::GetTextValue(nsAString & aTextValue)
 {
   if (mFocusedInput) {
-    mFocusedInput->GetValue(aTextValue);
+    nsCOMPtr<nsIDOMHTMLInputElement> input = mFocusedInput;
+    input->GetValue(aTextValue);
   } else {
     aTextValue.Truncate();
   }
@@ -523,24 +524,30 @@ nsFormFillController::SetTextValue(const nsAString & aTextValue)
 NS_IMETHODIMP
 nsFormFillController::GetSelectionStart(int32_t *aSelectionStart)
 {
-  if (mFocusedInput)
-    mFocusedInput->GetSelectionStart(aSelectionStart);
+  if (mFocusedInput) {
+    nsCOMPtr<nsIDOMHTMLInputElement> input = mFocusedInput;
+    input->GetSelectionStart(aSelectionStart);
+  }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsFormFillController::GetSelectionEnd(int32_t *aSelectionEnd)
 {
-  if (mFocusedInput)
-    mFocusedInput->GetSelectionEnd(aSelectionEnd);
+  if (mFocusedInput) {
+    nsCOMPtr<nsIDOMHTMLInputElement> input = mFocusedInput;
+    input->GetSelectionEnd(aSelectionEnd);
+  }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsFormFillController::SelectTextRange(int32_t aStartIndex, int32_t aEndIndex)
 {
- if (mFocusedInput)
-    mFocusedInput->SetSelectionRange(aStartIndex, aEndIndex, EmptyString());
+  if (mFocusedInput) {
+    nsCOMPtr<nsIDOMHTMLInputElement> input = mFocusedInput;
+    input->SetSelectionRange(aStartIndex, aEndIndex, EmptyString());
+  }
   return NS_OK;
 }