Bug-1864284 Allow localhost access for temporary MV3 add-ons #42410
Preview URLs (comment last updated: 2026-01-02 17:45:20)
files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md
| - Directives that reference code – {{CSP("script-src")}}, {{CSP("script-src-elem")}}, {{CSP("worker-src")}}, and {{CSP("default-src")}} (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as {{CSP("img-src")}}. | ||
|
|
||
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. | ||
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as `localhost` or `127.0.0.1`. |
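Review bot: The added sentence in the last row does not say what happens to a `localhost` or `127.0.0.1` source once the extension is no longer unpacked or temporarily loaded. A reader who leaves the source in a release build needs to know whether it is ignored or whether the manifest is rejected. The sentence also follows "The only permitted values are ..." with "However", so the paragraph states a closed list and then an exception to it; wording the list as the rule for installed extensions would avoid the contradiction.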
Could you shorten the new addition and link to the new section in the other article? We only need to mention the option, the other section can be used to explain how to do so, along with details on the constraints.
@Rob--W while I would usually err on the side of avoiding "documenting everything everywhere", forcing someone to follow a link for more information when the relevant information can be stated in one sentence and the linked content doesn't say much more seems unnecessary. I've added a "for more information" link here and for the comment around line 168. GitHub wouldn't let me apply your second suggestion as, for some reason, it considers the line to be deleted.
| ``` | ||
|
|
||
| - Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. | ||
| - Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. However, the localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147: |
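Review bot: The added bullet ends with a colon ("... from Firefox 147:"), but nothing that it could introduce is visible in this hunk, and the preceding context line closes a code fence. If an example follows the bullet, indent it under the list item so it renders as part of it; if not, end the sentence with a period. The bullet also says localhost "can be accessed", while the first half of the same bullet is about `script-src` of `extension_pages`, so naming the directive in the second half would keep the two halves consistent.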
Shorten and link to the article for details.
| - Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. However, the localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147: | |
| - Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. An exception exists for localhost during debugging, see [Scripts from localhost at Content Security Policy](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost). |
Co-authored-by: Rob Wu <[email protected]>
| - Directives that reference code – {{CSP("script-src")}}, {{CSP("script-src-elem")}}, {{CSP("worker-src")}}, and {{CSP("default-src")}} (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as {{CSP("img-src")}}. | ||
|
|
||
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. | ||
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as `localhost` or `127.0.0.1`. See [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. |
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as `localhost` or `127.0.0.1`. See [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. | |
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden in CSP directives covering script content. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. An exception exists for scripts from localhost during development; see [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. |
Edit:
- change the overly broad "are forbidden" to "are forbidden in CSP directives covering script content". This issue existed before, I'm improving it since I'm looking at it anyway.
- "access" is broad too, it is not about access (which can also include sending a network request to that target), we are really specific about script execution in extension contexts.
- Cut most of the text and point to the single article. We don't want to encourage allowing localhost; we just want to mention the possibility and refer to the single place for more information. Also, "localhost" and "127.0.0.1" are technically not origins, but domains at best.
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as `localhost` or `127.0.0.1`. See [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. | |
| In Manifest V3, all CSP sources that refer to external or non-static content are forbidden in CSP directives covering script content. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. There is an exception for scripts from localhost during development; see [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. |
| } | ||
| ``` | ||
|
|
||
| However, localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147. See [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. |
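Review bot: The version statement "unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147" in this added paragraph is now repeated in prose in three places in this change. The description points to a browser-compat-data change for the same feature, so the versions are better kept in the compatibility data and in the "Scripts from localhost" section only, with this paragraph reduced to the pointer. The paragraph also opens with "However," directly after a closing code fence, so it is unclear which statement it qualifies; restate the rule it is an exception to.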
| However, localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147. See [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. | |
| However, scripts from localhost can be allowlisted during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147. See [Scripts from localhost](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#scripts_from_localhost) in Content Security Policy for more information. |
Description
Addresses the dev-docs-needed requirements of Bug 1864284 "Allow localhost in MV3 CSP to allow connecting to local dev servers" with the addition of:
Related issues and pull requests
See related BCD changes in mdn/browser-compat-data#28683
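
As an added example (not part of this pull request or of MDN's own code), a release-time lint for the rule discussed in the review: in a Manifest V3 `extension_pages` policy, directives covering script content may carry only the static keywords, and a localhost source is a development-only exception that should not reach a packaged build. The localhost forms accepted by `LOCALHOST_RE`, the function names and the sample manifests are assumptions made for this example.

```javascript
// Directives that cover script content, as listed in the text under review.
const SCRIPT_DIRECTIVES = ["script-src", "script-src-elem", "worker-src"];
const STATIC_SOURCES = new Set(["'none'", "'self'", "'wasm-unsafe-eval'"]);
// Assumption: localhost sources look like [scheme://]localhost|127.0.0.1[:port].
const LOCALHOST_RE = /^(https?:\/\/)?(localhost|127\.0\.0\.1)(:(\d+|\*))?\/?$/i;

// Parse a CSP string into a Map of directive name -> list of sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return one finding per non-static source in a script-covering directive.
function lintExtensionPagesCsp(manifest) {
  const policy = manifest.content_security_policy?.extension_pages;
  if (manifest.manifest_version !== 3 || typeof policy !== "string") return [];
  const directives = parseCsp(policy);
  const toCheck = SCRIPT_DIRECTIVES.filter((d) => directives.has(d));
  // default-src only governs scripts when script-src is absent (fallback).
  if (!directives.has("script-src") && directives.has("default-src")) {
    toCheck.push("default-src");
  }
  const findings = [];
  for (const directive of toCheck) {
    for (const source of directives.get(directive)) {
      if (STATIC_SOURCES.has(source.toLowerCase())) continue;
      const verdict = LOCALHOST_RE.test(source) ? "dev-only" : "forbidden";
      findings.push({ directive, source, verdict });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from the pull request).
const devManifest = { manifest_version: 3, content_security_policy: {
  extension_pages: "script-src 'self' http://localhost:8080; img-src https://example.com" } };
const remoteManifest = { manifest_version: 3, content_security_policy: {
  extension_pages: "default-src 'self' https://cdn.example.com" } };

console.log(lintExtensionPagesCsp(devManifest));
console.log(lintExtensionPagesCsp(remoteManifest));
```

A packaging step can fail the build when the returned list is non-empty, so a `dev-only` source used while debugging does not ship.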