This reverts part of commit dbb476e6.

This removes the mechanize dependency.

* Add a hint to the next step.
* Add a hint how to create content for the default page.
* There will be no 2.x version after 2.7.

As described in the definition document by the ietf:
https://tools.ietf.org/html/draft-west-first-party-cookies-07

"The 'SameSite' attribute allows servers to assert that a cookie
ought not to be sent along with cross-site requests. This assertion
allows user agents to mitigate the risk of cross-origin information
leakage, and provides some protection against cross-site request
forgery attacks."

Remove unused klass_args argument and avoid aborting transactions if
none is active. The publisher should always commit or abort the
transaction, so the Cleanup instance in `REQUEST._hold` shouldn't need
to abort anything. This gets rids of debug log messages, where each
request opens and aborts a secondary transaction.

Split a common base class out of them and move ZServer specific logic
onto HTTPResponse without impacting WSGIResponse.

Also change the error generating methods on WSGIResponse to raise
exceptions rather than returning responses. It's the publishers job
to turn them into responses and now they get treated in the same way
as when they get raised directly.

Quote variable in manage_tabs to avoid XSS [master]

From Products.PloneHotfix20160830.

This avoids the `repoze.retry` dependency for WSGIPublisher.