Open Bug 1864284 Opened 1 year ago Updated 1 month ago

Allow localhost in MV3 CSP to allow connecting to local dev servers

Categories

(WebExtensions :: Untriaged, enhancement, P2)

Product:
WebExtensions
Component:
Untriaged
Version:
Firefox 120
Type:
enhancement

Tracking

(Not tracked)

People

(Reporter: aaronklinker1, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [addons-jira][wecg])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0

Steps to reproduce:

Create a manifest.json with the following content:

{
  "manifest_version": 3,
  "name": "example",
  "version": "1.0.0",
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval' http://localhost:3000; object-src 'self';"
  }
}

Then load the extension into Firefox.

Actual results:

After loading the the extension, a warning showed up:

"Reading manifest: Error processing content_security_policy.extension_pages: ‘script-src’ directive contains a forbidden http: protocol source"

Expected results:

Firefox should allow adding localhost and 127.0.0.1 to CSPs for temporary extensions.

For security reasons, MV3 is originally blocked all sources not included in your extension. However, Chrome added support for allowing localhost and 127.0.0.1 for unpacked extensions in v110 so dev servers like Vite and Webpack can host JS files during development, enabling features like HMR.

Firefox should allow the same for temporary extensions. It seems to have been explicitly removed from firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1789751

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Component: DOM: Security → Untriaged
Product: Core → WebExtensions

Hello,

I reproduced the issue on the latest Nightly (121.0a1/20231115214519), Beta (120.0/20231113165053) and Release (119.0.1/20231106151204) under Windows 10 x64 and Ubuntu 22.04 LTS.

Since it seems this feature has been explicitly and intentionally removed, I’ll mark this report as an Enhancement and not a defect.

Type: defect → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true

Given the amount of feedback (this bug, bug 1789751, bug 1790236, and other places), I'm leaning towards supporting the request here., by allowing localhost and 127.0.0.1 for temporarily loaded add-ons only. That would be consistent with Chrome, where I provided input that lead to their current implementation (https://github.com/w3c/webextensions/issues/98#issuecomment-1298964372).

I originally wanted to any remote URL, to allow blocking of http(s) loads in the extension process (bug 1767798). I think that it would still be acceptable to have the check, with an exception for localhost only (when there are any temporarily loaded add-ons).

Blocks: 1767798
Severity: -- → N/A
Priority: -- → P2
See Also: → 1789751, 1790236, https://github.com/w3c/webextensions/issues/98
Whiteboard: [addons-jira][wecg]

Any news on this?

It's practically impossible to develop extensions on firefox due to this issue. I have to use Chromium browser to develop. And manually building and loading is a pain.

Even Chrome is supporting this officially. Can this be fixed asap?

You need to log in before you can comment on or make changes to this bug.