Closed Bug 1864284 Opened 2 years ago Closed 3 months ago

Allow localhost in MV3 CSP to allow connecting to local dev servers

Categories

(WebExtensions :: General, enhancement, P2)

Firefox 120
enhancement

Tracking

(firefox147 verified)

VERIFIED FIXED
147 Branch
Tracking Status
firefox147 --- verified

People

(Reporter: aaronklinker1, Assigned: yellow.desk1472, Mentored)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, good-first-bug, Whiteboard: [addons-jira][wecg])

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0

Steps to reproduce:

Create a manifest.json with the following content:

{
  "manifest_version": 3,
  "name": "example",
  "version": "1.0.0",
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval' http://localhost:3000; object-src 'self';"
  }
}

Then load the extension into Firefox.

Actual results:

After loading the extension, a warning showed up:

"Reading manifest: Error processing content_security_policy.extension_pages: ‘script-src’ directive contains a forbidden http: protocol source"

Expected results:

Firefox should allow adding localhost and 127.0.0.1 to CSPs for temporary extensions.

For security reasons, MV3 originally blocked all sources not included in your extension. However, Chrome added support for allowing localhost and 127.0.0.1 for unpacked extensions in v110 so dev servers like Vite and Webpack can host JS files during development, enabling features like HMR.

Firefox should allow the same for temporary extensions. It seems to have been explicitly removed from firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1789751

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Component: DOM: Security → Untriaged
Product: Core → WebExtensions

Hello,

I reproduced the issue on the latest Nightly (121.0a1/20231115214519), Beta (120.0/20231113165053) and Release (119.0.1/20231106151204) under Windows 10 x64 and Ubuntu 22.04 LTS.

Since it seems this feature has been explicitly and intentionally removed, I’ll mark this report as an Enhancement and not a defect.

Type: defect → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true

Given the amount of feedback (this bug, bug 1789751, bug 1790236, and other places), I'm leaning towards supporting the request here, by allowing localhost and 127.0.0.1 for temporarily loaded add-ons only. That would be consistent with Chrome, where I provided input that led to their current implementation (https://github.com/w3c/webextensions/issues/98#issuecomment-1298964372).

I originally wanted to any remote URL, to allow blocking of http(s) loads in the extension process (bug 1767798). I think that it would still be acceptable to have the check, with an exception for localhost only (when there are any temporarily loaded add-ons).

Blocks: 1767798
Severity: -- → N/A
Priority: -- → P2
Whiteboard: [addons-jira][wecg]

Any news on this?

It's practically impossible to develop extensions on firefox due to this issue. I have to use Chromium browser to develop. And manually building and loading is a pain.

Even Chrome is supporting this officially. Can this be fixed asap?

This is a good-first-bug for people with JavaScript skills and a little C++.

The task here is to partially restore the functionality from bug 1789751, restricted to temporarily added add-ons.

The relevant C++ code to touch is here:

Mentor: rob
Component: Untriaged → General
Keywords: good-first-bug
Assignee: nobody → yellow.desk1472
Status: NEW → ASSIGNED
Attachment #9520943 - Attachment is obsolete: true

Hello,

I have created a patch to allow localhost scripts in MV3 extensions when they are temporarily installed. I believe that I have covered the test cases correctly, but as this is my first attempt at a contribution to Firefox, I may be missing the mark on some of the conventions used.

I'm also not sure who to set as the reviewer, I used the whole extension-reviewers group, but I'm not sure if that's a good idea or not. Please take a look when you're free and let me know what I should change.

Thanks for your patch! I'm assigned as the mentor to this bug, so I'll take a look soon. I am traveling this week, so it might take until next week before you get a full review.

Have you managed to build with the changes and run the tests locally?

Thanks!

I have built Firefox and updated the tests you listed. They all pass locally. I have also manually tested with a minimal reproducible example, similar to the reporter's, and verified that it does allow localhost scripts when installed temporarily, and that the current release of Firefox does not.

I would say that the part I'm most unsure about is the tests. They all pass, and I think that they cover the new cases correctly, but testing is quite project dependent, so I'm not sure if I've exposed too much, or if there's better ways of utilizing some of the test infrastructure.

Anyway, let me know once you get around to reviewing it

(In reply to Rob Wu [:robwu] from comment #10)

> Thanks for your patch! I'm assigned as the mentor to this bug, so I'll take a look soon. I am traveling this week, so it might take until next week before you get a full review.
>
> Have you managed to build with the changes and run the tests locally?

Hey Rob, did you get a chance to look at this, any updates?

I posted a review at https://phabricator.services.mozilla.com/D269149#9371144

FYI: I have more travel coming up after next week. I can get back to you rather quickly this week, but my availability and responsiveness is reduced after that.

Thanks, I've had a quick skim of the changes requested. Unfortunately I am travelling this week, so I won't have much time to address anything. I should be back again next week.

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch

Verified as Fixed. Tested on the latest Nightly (147.0a1/20251124094751) under Windows 11 and Ubuntu 24.10.

Using the STR from Comment 0, temporarily loading the manifest.json file will show a warning stating - Reading manifest: Warning processing content_security_policy.extension_pages: Warning processing content_security_policy.extension_pages: Using localhost in the Content Security Policy is invalid, and is only permitted during development with temporarily loaded add-ons

as opposed to an error, as before - Reading manifest: Error processing content_security_policy.extension_pages: ‘script-src’ directive contains a forbidden http: protocol source.

Status: RESOLVED → VERIFIED
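The rule described in the expected results and confirmed by the verification above (localhost and 127.0.0.1 tolerated with a warning for temporarily loaded add-ons, rejected with an error otherwise, every other remote source rejected regardless) is easy to get subtly wrong, e.g. by matching on a "localhost" substring. The following is an added illustrative model of that check in JavaScript; it is not Firefox's C++ implementation nor code from this bug's patch. The set of checked directives (script-src, object-src, worker-src), the accepted keywords, and the exact wording of the messages for non-localhost sources are assumptions for the example; the two messages quoted on this page are reproduced as given.

```javascript
// Added example, not Firefox's own code: a model of the MV3
// "content_security_policy.extension_pages" check described in this bug.

// Keywords accepted in an MV3 extension_pages policy (assumed list).
const ALLOWED_KEYWORDS = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
// Hosts the page says are permitted only for temporarily loaded add-ons.
const LOCALHOST_HOSTS = new Set(["localhost", "127.0.0.1"]);
// Fetch directives the model validates (assumption).
const CHECKED_DIRECTIVES = ["script-src", "object-src", "worker-src"];

// Split a serialized CSP into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Parse the source as a URL so that "http://localhost.evil.example"
// is NOT mistaken for localhost; returns null for keywords and host-less
// scheme sources such as "http:".
function parseSourceUrl(source) {
  try {
    return new URL(source);
  } catch {
    return null;
  }
}

function isLocalhostSource(source) {
  const url = parseSourceUrl(source);
  return url !== null && url.protocol === "http:" && LOCALHOST_HOSTS.has(url.hostname);
}

// Returns { ok, errors, warnings }. ok === false means the manifest would be
// rejected; warnings are reported but the add-on still loads.
function checkExtensionPagesCsp(policy, { temporarilyInstalled = false } = {}) {
  const errors = [];
  const warnings = [];
  const directives = parseCsp(policy);

  for (const directive of CHECKED_DIRECTIVES) {
    const sources = directives.get(directive);
    if (!sources) continue;
    for (const source of sources) {
      if (ALLOWED_KEYWORDS.has(source) || source.startsWith("moz-extension:")) continue;

      if (isLocalhostSource(source)) {
        if (temporarilyInstalled) {
          // Message quoted from the verification comment on this bug.
          warnings.push("Using localhost in the Content Security Policy is invalid, " +
            "and is only permitted during development with temporarily loaded add-ons");
        } else {
          // Message quoted from the original report.
          errors.push(`'${directive}' directive contains a forbidden http: protocol source`);
        }
        continue;
      }

      // Any other remote or scheme source is forbidden in MV3 regardless of
      // how the add-on was installed (message wording is an assumption).
      const url = parseSourceUrl(source);
      const scheme = url ? url.protocol : "unknown:";
      errors.push(`'${directive}' directive contains a forbidden ${scheme} protocol source`);
    }
  }
  return { ok: errors.length === 0, errors, warnings };
}

// Usage: the policy from comment 0, checked both ways.
const DEV_POLICY = "script-src 'self' 'wasm-unsafe-eval' http://localhost:3000; object-src 'self';";
console.log(checkExtensionPagesCsp(DEV_POLICY, { temporarilyInstalled: true }));
console.log(checkExtensionPagesCsp(DEV_POLICY, { temporarilyInstalled: false }));
```

The point of parsing each source with `URL` rather than string matching is the spoofing case: `http://localhost.evil.example` and `http://localhost@evil.example` both contain the string "localhost" but have a different hostname, so the model rejects them even for a temporary install.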

Is this something we should call out in the Fx147 relnotes?

Flags: needinfo?(rob)

Not in the regular release notes, but we should document it on MDN. Here is more context for our tech writer (Richard):

Flags: needinfo?(rob)
Keywords: dev-doc-needed