Backport 1467970 and 1590526
Mozilla landed a defense-in-depth security improvement, but they aren't planning on backporting it for esr68.
1467970 is the original patch and 1590526 corrects some regressions.
1467970: https://hg.mozilla.org/mozilla-central/rev/c8a2c27a1128
1590526 (uplift on 71 beta): https://hg.mozilla.org/releases/mozilla-beta/rev/1542e80327c2