MV3, default CSP, override upgrade-insecure-requests

I have extensions that call web API provided by the applications in LAN. This API is only available through the http: scheme. MV3 extensions now have upgrade-insecure-requests enabled by default in their CSP, and MV3 ports of the extensions do not work, because requests are upgraded to https:. I haven’t found any description of how to disable this behavior. I tried to add the following CSP to the extension manifest, “content_security_policy”: “default-src ‘self’”, but this does not help, requests are still upgraded (Firefox v109). Is it by design?

As a sidenote, the HTTPS-Only Mode also forcefully upgrades requests, and when it is enabled, even MV2 extensions that rely only on http: do not work. Is there any workaround?

I use this value in my extension:

    "content_security_policy": {
        "extension_pages": "script-src 'self'; object-src 'self'"

script-src 'self' is to Firefox. And object-src 'self' is to Chromium (‘content_security_policy.extension_pages’: CSP directive ‘object-src’ must be specified (either explicitly, or implicitly via ‘default-src’) and must allowlist only secure resources).