Closed Bug 1628177 Opened 4 years ago Closed 3 years ago

Relax the CSP restrictions for localhost


(WebExtensions :: General, enhancement, P5)



(Not tracked)



(Reporter: rehandalal+mozilla, Unassigned)


There is currently a restriction on CSPs for Web Extensions that forces remote sources to use https schemes.

However during development there is a benefit to being able to load resources from servers on your local machine.

E.g.: I am building an extension which uses React for the UI and in order to connect to React Developer Tools I need to include <script src="http://localhost:8097"></script> in my file, however there is no way to whitelist this in the CSP.

I believe we should relax the https restriction for localhost (and maybe similar to how Chrome does.

If anything, we're likely to do the opposite and forbid any remote script sources. AMO already doesn't allow them.

We were discussing to either close the bug as WONTFIX or to accept external patches, and decided in favor of the latter, because localhost/ are considered potentially trustworthy by the web platform (Secure Contexts specification), and it's not too big of a maintenance burden to have it.

As Kris said, long term we are planning to move to non-remote resources only (currently being prototyped in bug 1594234).

To fix this, the content_security_policy validator (used by the schema validator) should first accept localhost. Relevant logic is at,201

And then the base policy should be updated to allow localhost, i.e. the (default) value of the extensions.webextensions.base-content-security-policy pref.

Priority: -- → P5

This is being worked on as part of bug 1594234

Closed: 3 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.