Backport 1467970 and 1590526

Mozilla landed a defense-in-depth security improvement, but they aren't planning on backporting it for esr68.

1467970 is the original patch and 1590526 corrects some regressions.

1467970: https://hg.mozilla.org/mozilla-central/rev/c8a2c27a1128

1590526 (uplift on 71 beta): https://hg.mozilla.org/releases/mozilla-beta/rev/1542e80327c2

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information