Apply suggestions from review

Co-authored-by: Rob Wu <[email protected]>
mdn · rebloor · Jan 4, 2023 · Dec 21, 2022 · Dec 26, 2022 · Dec 26, 2022
commit dfbb13b38cdfbbfa9777b5a95abb5ca38acf1cb2
@@ -52,7 +52,7 @@ The default content security policy for extensions using Manifest V2 is:
 While for extensions using Manifest V3, the default content security policy is:
 
 ```
-"script-src 'self'; object-src 'self'; upgrade-insecure-requests;"
+"script-src 'self'; upgrade-insecure-requests;"
 ```
 
 These policies are applied to any extension that has not explicitly set its own content security policy using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key. It has the following consequences:
@@ -61,7 +61,7 @@ These policies are applied to any extension that has not explicitly set its own
 - [The extension is not allowed to evaluate strings as JavaScript.](#eval_and_friends)
 - [Inline JavaScript is not executed.](#inline_javascript)
 - [WebAssembly cannot be used by default.](#webassembly)
-- in Manifest V3 extensions, user data requests to `http:` are automatically upgraded to use `https:`. Extensions that need to make `http:` requests can opt-out of this behavior by overriding the default CSP using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key.
+- Due to presence of {{CSP("upgrade-insecure-requests")}} in the default CSP of Manifest V3 extensions, network requests to `http:` are automatically upgraded to use `https:`. Extensions that need to make `http:` or `ws:` requests can opt-out of this behavior by overriding the default CSP using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key with a policy that excludes the `upgrade-insecure-requests` directive.
 
 ### Location of script and object resources
 

@@ -56,7 +56,7 @@ This article provides information about the changes in Firefox 109 that will aff
 
 ## Changes for add-on developers
 
-- The default [Content Security Policy (CSP)](/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy) for Manifest V3 extensions has been updated to include `upgrade-insecure-requests`. This means that, by default, all user data requests are upgraded to use `https:`. Extensions that need to use `http:` can do so by overriding the default CSP using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key ({{bug(1797086)}}).
+- The default [Content Security Policy (CSP)](/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy) for Manifest V3 extensions has been updated to include `upgrade-insecure-requests`. This means that, by default, all network requests are upgraded to use `https:`. Extensions that need to use `http:` can do so by overriding the default CSP using the [`content_security_policy`](/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy) manifest.json key ({{bug(1797086)}}).
 
 ### Removals