From 55392d29d65f04529c18b6cd688da0ee1dfe8ed3 Mon Sep 17 00:00:00 2001 From: Richard Bloor Date: Tue, 16 Dec 2025 06:37:11 +1300 Subject: [PATCH] Bug-1864284 Allow localhost access for temporary MV3 add-ons --- .../content_security_policy/index.md | 17 ++++++++++++++++- .../content_security_policy/index.md | 11 +++++++++-- .../en-us/mozilla/firefox/releases/147/index.md | 2 ++ 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md index 2fa19e7412e876b..70b969ecc389c6e 100644 --- a/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/content_security_policy/index.md 
@@ -74,11 +74,26 @@ For example, consider a line like this in an extension's document: This doesn't load the requested resource: it fails silently, and any object that you expect to be present from the resource is not found. There are two main solutions to this: - download the resource, package it in your extension, and refer to this version of the resource. -- allow the remote origin you need using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key or, in Manifest V3, the `content_scripts` property. +- allow the remote origin you need using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key. > [!NOTE] > If your modified CSP allows remote script injection, your extension will get rejected from addons.mozilla.org (AMO) during the review. For more information, see details about [security best practices](https://extensionworkshop.com/documentation/develop/build-a-secure-extension/). +#### Development access to localhosts + +Where you need access to the localhost during development, you can do this for unpacked Manifest V3 extensions from Chrome 110 and temporarily loaded Manifest V3 extensions from Firefox 147, by setting the origin as `localhost` or `127.0.0.1` in the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key. For example: + +```json +{ + "manifest_version": 3, + "name": "example", + "version": "1.0.0", + "content_security_policy": { + "extension_pages": "script-src 'self' http://localhost:3000" + } +} +``` + ### eval() and friends Under the default CSP, extensions cannot evaluate strings as JavaScript. This means that the following are not permitted: 
diff --git a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md index 4ee0b99eb429c61..4b60eba97119e5f 100644 --- a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md @@ -56,7 +56,8 @@ There are restrictions on the policy you can specify with this manifest key: - The {{CSP("object-src")}} keyword may be required, see [object-src directive](#object-src_directive) for details. - Directives that reference code – {{CSP("script-src")}}, {{CSP("script-src-elem")}}, {{CSP("worker-src")}}, and {{CSP("default-src")}} (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as {{CSP("img-src")}}. -In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. +In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as `localhost` or `127.0.0.1`. + In Manifest V2, a source for a script directive is considered secure if it meets these criteria: - Wildcard hosts are not permitted, such as `"script-src 'self' *"`. 
@@ -164,7 +165,13 @@ Allow remote scripts from any subdomain of "jquery.com": "content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'" ``` -- Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. +- Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. However, the localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147: + + ```json + "content_security_policy": { + "extension_pages": "script-src 'self' http://localhost:3000" + } + ``` Allow [`eval()` and friends](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#eval_and_friends): diff --git a/files/en-us/mozilla/firefox/releases/147/index.md b/files/en-us/mozilla/firefox/releases/147/index.md index 2079627d6c53b71..040ee9f3482f37b 100644 --- a/files/en-us/mozilla/firefox/releases/147/index.md +++ b/files/en-us/mozilla/firefox/releases/147/index.md @@ -86,6 +86,8 @@ Firefox 147 is the current [Beta version of Firefox](https://www.firefox.com/en- ## Changes for add-on developers +- You can gain access to the local host in temporarily loaded Manifest V3 extensions by setting the origin as `localhost` or `127.0.0.1` in the manifest.json [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key. ([Firefox bug 1864284](https://bugzil.la/1864284)) +
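Review bot: In the new "Development access to localhosts" section of `content_security_policy/index.md`, the prose says to set the origin as `localhost` or `127.0.0.1` but the example uses `http://localhost:3000`, so a reader cannot tell whether the scheme and port are required, optional, or arbitrary, nor whether `http://127.0.0.1:3000` is accepted in the same way; spell out the accepted forms next to the example. The section also only says the exception applies to unpacked (Chrome 110+) and temporarily loaded (Firefox 147+) extensions, without saying what happens if `http://localhost:3000` is left in the manifest of a packaged extension; one sentence telling developers to remove the source before packaging would close that gap. Minor: the heading reads better as "Development access to localhost" and "access to the localhost" as "access to localhost".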
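Review bot: In the `manifest.json/content_security_policy/index.md` hunk at `@@ -56,7`, the sentence "The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`" still reads as absolute before the "However" that follows it; reword it so the development exception is part of the rule, for example "The only permitted values are ..., apart from the development exception for localhost described next", and link to the `http://localhost:3000` example further down the page so the reader sees the form the source must take. Also "access the localhost" should read "access localhost".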
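Review bot: In the `@@ -164,7` hunk of `manifest.json/content_security_policy/index.md`, the list item now says `localhost` or `127.0.0.1` is allowed but the fenced example shows only `http://localhost:3000`; either add the `127.0.0.1` form to the example or state that the two hostnames are interchangeable, so the example matches the sentence above it. The item also only scopes the exception to unpacked and temporarily loaded extensions; stating explicitly that the source is still not allowed in a packaged Manifest V3 extension keeps it consistent with the opening "Manifest V3 does not allow remote URLs". Minor: "the localhost can be accessed" should read "localhost can be accessed".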
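Review bot: In the Firefox 147 release-notes hunk, "the local host" should be `localhost` (two words reads as a generic host rather than the loopback name the manifest accepts), and the note should say this is a development-time exception, matching the wording of the other two pages, and show the form with a port, for example `http://localhost:3000`, so that the release note alone is enough to use the feature.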