See bug 1588956 for a conversation about this. "We apparently prevent relative urls in xhr/fetch in content scripts. I'm not certain how much effort it would be to catch all the potential locations we'd need to handle that, so I'd lean first to enforcing the addon csp regardless, then if we think it's a good idea to prevent relative urls, knock those off in another bug. I don't have a strong inclination either way."
Bug 1589171 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
See bug 1588956 for a conversation about this. "We apparently prevent relative urls in xhr/fetch in content scripts. I'm not certain how much effort it would be to catch all the potential locations we'd need to handle that, so I'd lean first to enforcing the addon csp regardless, then if we think it's a good idea to prevent relative urls, knock those off in another bug. I don't have a strong inclination either way." Btw, this is about stuff like setting img.src to a relative url