How to prevent Upgrading insecure request to use ‘wss’

I am working on updating an old Manifest V2 browser extension that was developed by my employer to Manifest V3. The browser extension is meant to extend the functionality of one of our products.

The product is written in C#. It has two components that are used to communicate with the browser extension.

  • A WebServerForExtension object that receives messages from the browser extension. This object makes use of the SimpleHttpServer class.
  • A BrowserSystemWebSocket object that is used to send replies back to the browser extension.

The background scripts of the browser extension connect to the WebServerForExtension object using the fetch() global function and the BrowserSystemWebSocket object using a WebSocket object.

The C# application does not currently support HTTPS, it only supports HTTP.

The problem I am having is that the browser extension cannot connect to the BrowserSystemWebSocket object using a WebSocket object.

The following lines of code demonstrate how I am attempting to connect to the BrowserSystemWebSocket object.

static #InitializeWebSocket() {
  try {
    const url = `ws://`;
    Background.#socket = new WebSocket(url, 'pipes');
    Background.#socket.onclose = Background.#WebSocketOnClose;
    Background.#socket.onerror = Background.#WebSocketOnError;
    Background.#socket.onmessage = Background.#WebSocketOnMessage;
    Background.#socket.onopen = Background.#WebSocketOnOpen;
    /* Code that is called when the connection succeeds. */
  catch (error) {
    /* Code that is called when the connection fails. */

The #InitializeWebSocket method is failing with the following error.

Content-Security-Policy: Upgrading insecure request ‘ws://’ to use ‘wss’
Firefox can’t establish a connection to the server at wss://

Is there a way to tell Firefox not to try to upgrade the request to use ‘wss’?

Are you saying it works in MV2?
In any case, it looks like the CSP header is forcing the upgrade, maybe you can remove it? I have to say, this is not my area of expertise…

It does work correctly in MV2.

The HTTP server does not use the Content-Security-Policy header at all so that cannot be it.

Does you addon have host permissions? Those are not granted on install time in MV3. Open “about:addons” page, click your addon / Permissions tab to verify that you have them.

Also, staying on MV2 for Firefox may be a good approach too since there is no deadline and MV3 has still some issues.

I have discovered the cause of this issue on the Content Security Policy page. The following quotes from that page explain why this issue is occurring.

Extensions developed with WebExtension APIs have a Content Security Policy (CSP) applied to them by default. This restricts the sources from which they can load code such as and disallows potentially unsafe practices such as using eval().

Extensions should use https: and wss: when communicating with external servers. To encourage this as the standard behavior, the default Manifest V3 CSP includes the upgrade-insecure-requests directive. This directive automatically upgrades network requests to http: to use https:.

Fortunately, I should be able to use the content_security_policy key of manifest.json to resolve this issue.

1 Like

Did you end up being able to solve it with content_security_policy? I tried to set connect-src ws://localhost or connect-src ws:// but it doesn’t seem to have any impact

@mathieudutour, I believe you’ll also need to include the port for local connections.