I have extensions that call web API provided by the applications in LAN. This API is only available through the http: scheme. MV3 extensions now have upgrade-insecure-requests enabled by default in their CSP, and MV3 ports of the extensions do not work, because requests are upgraded to https:. I haven’t found any description of how to disable this behavior. I tried to add the following CSP to the extension manifest, “content_security_policy”: “default-src ‘self’”, but this does not help, requests are still upgraded (Firefox v109). Is it by design?
As a sidenote, the HTTPS-Only Mode also forcefully upgrades requests, and when it is enabled, even MV2 extensions that rely only on http: do not work. Is there any workaround?