Expand Up @@ -74,11 +74,26 @@ For example, consider a line like this in an extension's document:
This doesn't load the requested resource: it fails silently, and any object that you expect to be present from the resource is not found. There are two main solutions to this:

- download the resource, package it in your extension, and refer to this version of the resource.
- allow the remote origin you need using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key or, in Manifest V3, the `content_scripts` property.
- allow the remote origin you need using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key.

> [!NOTE]
> If your modified CSP allows remote script injection, your extension will get rejected from addons.mozilla.org (AMO) during the review. For more information, see details about [security best practices](https://extensionworkshop.com/documentation/develop/build-a-secure-extension/).

#### Development access to localhosts

Where you need access to the localhost during development, you can do this for unpacked Manifest V3 extensions from Chrome 110 and temporarily loaded Manifest V3 extensions from Firefox 147, by setting the origin as `localhost` or `127.0.0.1` in the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key. For example:

```json
{
"manifest_version": 3,
"name": "example",
"version": "1.0.0",
"content_security_policy": {
"extension_pages": "script-src 'self' http://localhost:3000"
}
}
```

### eval() and friends

Under the default CSP, extensions cannot evaluate strings as JavaScript. This means that the following are not permitted:
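Review bot: the new heading "#### Development access to localhosts" should be singular ("localhost"), and "access to the localhost" in the paragraph under it should drop the article ("access to localhost"), matching the `localhost` / `127.0.0.1` wording later in the same sentence. The example lists `http://localhost:3000` with a scheme and port, while the prose only says "setting the origin as `localhost` or `127.0.0.1`"; say whether the port is part of what must be specified so the example and the prose agree. Next to the AMO note it is also worth stating explicitly that this source is a development-time allowance for unpacked (Chrome 110 and later) and temporarily loaded (Firefox 147 and later) extensions only and should not remain in a packaged build.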
Expand Up @@ -56,7 +56,8 @@ There are restrictions on the policy you can specify with this manifest key:
- The {{CSP("object-src")}} keyword may be required, see [object-src directive](#object-src_directive) for details.
- Directives that reference code – {{CSP("script-src")}}, {{CSP("script-src-elem")}}, {{CSP("worker-src")}}, and {{CSP("default-src")}} (if used as a fallback) – share the same secure source requirement. There are no restrictions on CSP directives that cover non-script content, such as {{CSP("img-src")}}.

In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`.
In Manifest V3, all CSP sources that refer to external or non-static content are forbidden. The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`. However, during development, you can access the localhost for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147 by setting the origin as `localhost` or `127.0.0.1`.

In Manifest V2, a source for a script directive is considered secure if it meets these criteria:

- Wildcard hosts are not permitted, such as `"script-src 'self' *"`.
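Review bot: the sentence added after "The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`." contradicts the rule it follows, since "However ... you can access the localhost" introduces a fourth kind of value. State the rule and the exception together, e.g. "The only permitted values are `'none'`, `'self'`, and `'wasm-unsafe-eval'`, with one development-time exception: unpacked extensions (Chrome 110 and later) and temporarily loaded extensions (Firefox 147 and later) may also list `localhost` or `127.0.0.1` as an origin." Also "the localhost" should be "localhost" without the article, as in the other hunks of this change.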
Expand Down Expand Up @@ -164,7 +165,13 @@ Allow remote scripts from any subdomain of "jquery.com":
"content_security_policy": "script-src 'self' https://*.jquery.com; object-src 'self'"
```

- Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`.
- Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`. However, the localhost can be accessed during development for unpacked extensions from Chrome 110 and temporarily loaded extensions from Firefox 147:

```json
"content_security_policy": {
"extension_pages": "script-src 'self' http://localhost:3000"
}
```

Allow [`eval()` and friends](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy#eval_and_friends):

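Review bot: the new example under "- Manifest V3 does not allow remote URLs in `script-src` of `extension_pages`" uses `http://localhost:3000`, but the bullet text only mentions "the localhost"; spell out the source form (scheme, host and, if required, port) so readers do not copy a bare `localhost` into the key. The bullet's wording "the localhost can be accessed during development" also differs from the hunk above ("you can access the localhost"); use the same article-free phrasing in both places. Since the fenced block follows a list item without being indented under it, confirm on the rendered page that it is meant as a sibling of the bullet rather than part of it.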
2 changes: 2 additions & 0 deletions files/en-us/mozilla/firefox/releases/147/index.md
Expand Up @@ -86,6 +86,8 @@ Firefox 147 is the current [Beta version of Firefox](https://www.firefox.com/en-

## Changes for add-on developers

- You can gain access to the local host in temporarily loaded Manifest V3 extensions by setting the origin as `localhost` or `127.0.0.1` in the manifest.json [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) key. ([Firefox bug 1864284](https://bugzil.la/1864284))

<!-- ### Removals -->

<!-- ### Other -->
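Review bot: "the local host" in the new release note should be "localhost" (one word), as it is written in the other hunks of this change. Since the note already scopes the feature to temporarily loaded Manifest V3 extensions, consider linking it to the new "Development access to localhost" section of the Content Security Policy page so readers reach the example manifest directly.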