Relax the CSP restrictions for localhost
Categories: WebExtensions :: General, enhancement, P5
Reporter: rehandalal+mozilla (Unassigned)
There is currently a restriction on CSPs for Web Extensions that forces remote sources to use https schemes.
However, during development there is a benefit to being able to load resources from servers on your local machine.
E.g. I am building an extension which uses React for the UI, and in order to connect to React Developer Tools I need to include `<script src="http://localhost:8097"></script>` in my file; however, there is no way to whitelist this in the CSP.
I believe we should relax the https restriction for localhost (and maybe 127.0.0.1) similar to how Chrome does.
Comment 1•5 years ago
If anything, we're likely to do the opposite and forbid any remote script sources. AMO already doesn't allow them.
Comment 2•5 years ago
We discussed whether to close the bug as WONTFIX or to accept external patches, and decided in favor of the latter, because localhost/127.0.0.1/::1 are considered potentially trustworthy by the web platform (Secure Contexts specification), and it's not too big of a maintenance burden to have it.
As Kris said, long term we are planning to move to non-remote resources only (currently being prototyped in bug 1594234).
To fix this, the content_security_policy validator (used by the schema validator) should first accept localhost. Relevant logic is at https://searchfox.org/mozilla-central/rev/9120151ddb35f2d4c37bfe613a54a4f10a9a3dc5/toolkit/mozapps/extensions/AddonContentPolicy.cpp#161-179,201
And then the base policy should be updated to allow localhost, i.e. the (default) value of the extensions.webextensions.base-content-security-policy pref.
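The rule described in this comment (remote script sources must use https, with loopback hosts as the one exception), as an added JavaScript example that is not Mozilla's validator and not code from this bug: `validateExtensionCsp`, `parseCsp`, `splitHostSource` and `LOOPBACK_HOSTS` are names chosen here, and the model's scope (only `script-src` is checked, host sources need an explicit scheme, only `'self'` and `'none'` keywords are accepted) is an assumption, not the real validator's full rule set.

```javascript
// Added example, not Mozilla's code: a model of "https only, except loopback"
// for remote script sources in an extension CSP. Assumptions: only script-src
// is checked, host sources must carry a scheme, only 'self'/'none' keywords
// are accepted. The exception is an exact host match, so "localhost.example"
// or "127.0.0.1.example" never qualify.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Extract { scheme, host } from "scheme://host:port/path"; null if malformed.
function splitHostSource(source) {
  const idx = source.indexOf("://");
  const scheme = idx === -1 ? null : source.slice(0, idx).toLowerCase();
  const hostPort = (idx === -1 ? source : source.slice(idx + 3)).split("/")[0];
  let host = hostPort;
  if (hostPort.startsWith("[")) {            // bracketed IPv6 literal
    const end = hostPort.indexOf("]");
    if (end === -1) return null;
    host = hostPort.slice(0, end + 1);
  } else if (hostPort.includes(":")) {       // strip a port
    host = hostPort.slice(0, hostPort.indexOf(":"));
  }
  return host ? { scheme, host: host.toLowerCase() } : null;
}

// Return null when a script-src source expression is acceptable, else a reason.
function checkScriptSource(source) {
  const s = source.toLowerCase();
  if (s === "'self'" || s === "'none'") return null;
  if (s.startsWith("'")) return `${source}: keyword not accepted by this model`;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {      // scheme-only source such as https:
    return s === "https:" ? null : `${source}: only https: is allowed as a scheme source`;
  }
  const parsed = splitHostSource(source);
  if (!parsed || !parsed.scheme) return `${source}: host source needs an explicit scheme`;
  if (parsed.scheme === "https") return null;
  if (parsed.scheme === "http" && LOOPBACK_HOSTS.has(parsed.host)) return null;
  return `${source}: remote sources must use https (loopback hosts may use http)`;
}

function validateExtensionCsp(policy) {
  const scriptSrc = parseCsp(policy).get("script-src");
  if (!scriptSrc) return { ok: false, errors: ["script-src directive is missing"] };
  const errors = scriptSrc.map(checkScriptSource).filter(Boolean);
  return { ok: errors.length === 0, errors };
}
```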
Comment 3•4 years ago
This is being worked on as part of bug 1594234.