fix: allow non-local RPC hosts and improve HTTPS-Only guidance

- Add wildcard host permissions for RPC calls
- Surface HTTPS-Only hint in Options test flow
- Update Troubleshooting docs for HTTPS-Only and host perms

README.md

@@ -104,6 +104,8 @@ For development, make changes and click “Reload” in `about:debugging` to pic
 
 - No links found: ensure you are on a `/download/*` page (not the item overview). Try reloading after the page finishes loading.
 - RPC errors: verify `aria2c` is running with `--enable-rpc` and that the secret/token matches. Check endpoint URL and port.
+- HTTPS-Only Mode: if your aria2 endpoint is `http://` on a non-local host, Firefox may upgrade it to `https://` and the request will fail. Use HTTPS on the aria2 RPC (preferred), add a site exception for the host, or disable HTTPS-Only Mode while testing.
+- Host permissions: the extension needs host permission to reach non-local RPC endpoints. The manifest includes wildcard host permissions; if you self-package, ensure your manifest allows your RPC host(s).
 - CORS/Network: Extensions can call cross-origin endpoints with host permission. If using HTTPS with a self-signed cert, allow it in Firefox or use a valid cert.
 - Clipboard blocked: confirm the browser allowed clipboard write; try clicking the button again or check site focus.
 
@@ -128,4 +130,3 @@ Issues and PRs are welcome. If proposing new filters or aria2 options, please in
 ## Disclaimer
 
 This project is not affiliated with archive.org or aria2. Use responsibly and respect site terms of service.
-

manifest.json

@@ -18,7 +18,9 @@
     "contextMenus",
     "https://archive.org/*",
     "http://localhost:6800/*",
-    "https://localhost:6800/*"
+    "https://localhost:6800/*",
+    "http://*/*",
+    "https://*/*"
   ],
   "background": {
     "scripts": [

src/options/index.js

@@ -29,13 +29,38 @@ async function reset() {
 }
 
 async function testConnection() {
-  els.status.textContent = 'Testing…';
+  const endpoint = els.endpoint.value.trim();
+  const secret = els.secret.value.trim();
+
+  // Heads-up for Firefox HTTPS-Only Mode when using non-local HTTP
   try {
-    const res = await getVersion({ endpoint: els.endpoint.value.trim(), secret: els.secret.value.trim() });
+    const u = new URL(endpoint);
+    const isHttp = u.protocol === 'http:';
+    const isLoopback = ['localhost', '127.0.0.1', '[::1]'].includes(u.hostname);
+    if (isHttp && !isLoopback) {
+      els.status.textContent = 'Testing… (note: Firefox HTTPS-Only may upgrade this)';
+    } else {
+      els.status.textContent = 'Testing…';
+    }
+  } catch {
+    els.status.textContent = 'Testing…';
+  }
+  try {
+    const res = await getVersion({ endpoint, secret });
     const version = res?.result?.version || JSON.stringify(res?.result || res);
     els.status.textContent = `OK: aria2 version ${version}`;
   } catch (e) {
-    els.status.textContent = `Error: ${e?.message || e}`;
+    // Provide a more actionable hint when HTTPS-Only likely interferes
+    let hint = '';
+    try {
+      const u = new URL(endpoint);
+      const isHttp = u.protocol === 'http:';
+      const isLoopback = ['localhost', '127.0.0.1', '[::1]'].includes(u.hostname);
+      if (isHttp && !isLoopback) {
+        hint = ' — if Firefox HTTPS-Only Mode is on, use https, add a site exception, or disable HTTPS-Only temporarily.';
+      }
+    } catch {}
+    els.status.textContent = `Error: ${e?.message || e}${hint}`;
   }
 }
 
@@ -49,4 +74,3 @@ document.addEventListener('DOMContentLoaded', async () => {
   wire();
   await restore();
 });
-