Exact restrictions for WebExtensions

Add-ons Development
#1

Hi, i tried the intro to WebExtensions at https://developer.mozilla.org and everything worked.

I then changed the match URL to an exact (no wildcards) local IP address (10.***.***.***) which also has a https certificate (which is currently not configured properly). The WebExtension stopped working.

My question: Are WebExtensions not allowed on local IPs? If so, how to allow them?

And another question: Are WebExtensions not allowed on untrusted https sites (where you had to confirm the exception in order to see the page)? If so, how to grant the WebExtension access?

#2

I think webrequest only works on http, https sites. Iā€™m pretty sure.

#3

This does not answer my question, but thank you for the reply anyways.

In the meantime i found out some things by myself:

  • local IPs should work
  • the behaviour for which URLs are allowed and which not is defined by the Content Security Policy
  • by default the CSP only allows https, except for Firefox-internal URLs, inline scripts and eval.
  • the CSP can be changed to some extend by the script (or the surrounding website??) itself (i think it can only be made more restrictive but not less restrictive).
  • the default CSP can be changed in about:config. There are 2 keys, which I am still reverse engineering.
  • My issue is probably because my https certificate is not configured properly. I think when Firefox encounters a badly configured certificate (and you add an exception for this site), Firefox distrusts it anyways and treats it like a normal http site. So no scripts/WebExtensions get executed.
1 Like