Closed Bug 1634246 Opened 5 years ago Closed 3 years ago

Add option to disallow connections to localhost while in offline mode

Categories

(Core :: Networking, enhancement, P3)

Tracking

RESOLVED FIXED
94 Branch
Tracking Status
firefox94 --- fixed

People

(Reporter: whimboo, Assigned: nhnt11)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

For the Remote Agent (partial implementation of CDP - the Chrome DevTools Protocol) we would need the option to also disallow localhost connections while the browser is in offline mode. See bug 1553849. According to Honza, this is not possible at the moment:

No API, no pref:
https://searchfox.org/mozilla-central/rev/7fd1c1c34923ece7ad8c822bee062dd0491d64dc/netwerk/base/nsSocketTransport2.cpp#1291

What would be the preferred way in getting this implemented?

(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #0)

> What would be the preferred way in getting this implemented?

Honza, can you answer this?

Flags: needinfo?(honzab.moz)
Priority: -- → P2
Whiteboard: [necko-triaged]

Add a new static bool pref, perhaps network.disable-localhost-when-offline. At the code referred to in comment 0, check that pref and, if true, ignore the !isLocal bit - always disallow.

Flags: needinfo?(honzab.moz)

I think we may also need to tear down existing localhost connections here, again - ignore result of IsLocal when the pref is on:
https://searchfox.org/mozilla-central/rev/7fd1c1c34923ece7ad8c822bee062dd0491d64dc/netwerk/base/nsSocketTransportService2.cpp#1187

(In reply to Honza Bambas (:mayhemer) from comment #2)

> Add a new static bool pref, perhaps network.disable-localhost-when-offline. At the code referred to in comment 0, check that pref and, if true, ignore the !isLocal bit - always disallow.

Honza, where (in the source code) would one go about and add such a static-bool pref?

Henrik pointed me to browser/app/profile/firefox.js, but made the remark that it's possibly not what we want here. What did you have in mind, specifically?

Flags: needinfo?(honzab.moz)

I think I got it. I assume it would be in https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js. firefox.js only holds the defaults for Firefox. But let's wait for the feedback from Honza.

(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #5)

> I think I got it. I assume it would be in https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js. firefox.js only holds the defaults for Firefox. But let's wait for the feedback from Honza.

No. The right place is here:
https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml

Flags: needinfo?(honzab.moz)

Do we still need this?

Flags: needinfo?(hskupin)

Yes, it would still be good to have to match the behavior of CDP which also disables localhost connections in offline mode. I assume that the current remote connection (websocket, tcp) to control the browser will not be affected.

Flags: needinfo?(hskupin)
Assignee: nobody → nhnt11
Status: NEW → ASSIGNED
Priority: P2 → P3
Pushed by nhnt11@gmail.com: https://hg.mozilla.org/integration/autoland/rev/37996bf2e978 Add option to disallow connections to localhost while in offline mode. r=necko-reviewers,valentin
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch
Blocks: 1730481

What about loopback and 127.0.0.2–127.255.255.254?

It seems that while this pref correctly prevents traffic from the localhost host name and the 127.0.0.1 IP address, it does not prevent traffic from the rest of the loopback 127.x.x.x IP address range and the loopback host name.

At least on my (Windows 10) machine I'm getting my local server's responses from http://127.0.0.2/ through http://127.255.255.254/ and http://loopback/ even with "Work Offline" and network.disable-localhost-when-offline turned on.

Is this intended and/or necessary behaviour?


https://superuser.com/questions/393700/what-is-the-127-0-0-2-ip-address-for

Ah, NVM, sorry, my tests were confused by the fact that even the force reload (Ctrl+Shift+R) in the Offline mode tends to serve from the cache anyway (if they were loaded from regular "Online" mode).
Cannot understand why, though, but it is probably a completely different issue; if all cached responses still work in the offline+disable-localhost scenario, I guess this also could wreak havoc on the service worker testing process(?).

So OK, testing with "cache busting" timestamps in URL queries reveals that network.disable-localhost-when-offline indeed works as advertised, so in Offline mode yet-unvisited addresses like http://127.0.0.2/?2022-10-11T18:40:36 are correctly unavailable the same way as http://localhost/?2022-10-11T18:40:36 is. Sorry for the confusion.

(On the contrary, http://loopback/?2022-10-11T18:40:36 in Offline mode is being blocked even while network.disable-localhost-when-offline is OFF; probably not considering loopback being localhost. Other "exotic" localhost variants like http://127.0.0.20/?2022-10-11T2018:28:31 are not blocked in this case.)
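
The gate proposed in comment 2 and the address cases tested in the last comments, as an added C++ model (not Firefox source and not part of the landed patch). `IsLocalTarget`, `NetState` and `MayConnect` are hypothetical names; treating all of 127.0.0.0/8 and only the name `localhost` as local follows the observations reported in this thread, and the IPv6 cases are an assumption.

```cpp
// Added illustration: a stand-alone model of the offline gate, not Firefox source.
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical helper. Assumption taken from the thread's observations: the
// name "localhost" and every literal in 127.0.0.0/8 count as local, while
// other names (for example "loopback") do not. ::1 and ::ffff:127.x.x.x are
// included as a further assumption.
bool IsLocalTarget(const std::string& host) {
  if (host == "localhost") return true;
  in_addr v4{};
  if (inet_pton(AF_INET, host.c_str(), &v4) == 1) {
    return (ntohl(v4.s_addr) >> 24) == 127;  // whole 127/8 range, not just .0.0.1
  }
  in6_addr v6{};
  if (inet_pton(AF_INET6, host.c_str(), &v6) == 1) {
    static const uint8_t kLoopback[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
    static const uint8_t kMapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (std::memcmp(v6.s6_addr, kLoopback, 16) == 0) return true;
    return std::memcmp(v6.s6_addr, kMapped, 12) == 0 && v6.s6_addr[12] == 127;
  }
  return false;
}

struct NetState {
  bool offline;                      // "Work Offline" is on
  bool disableLocalhostWhenOffline;  // models network.disable-localhost-when-offline
};

// Returns true when a new connection to `host` may be attempted.
bool MayConnect(const NetState& s, const std::string& host) {
  if (!s.offline) return true;
  if (s.disableLocalhostWhenOffline) return false;  // pref on: no local exemption
  return IsLocalTarget(host);                       // pref off: only local targets pass
}

int main() {
  const NetState prefOff{true, false}, prefOn{true, true};
  for (const char* h : {"localhost", "127.0.0.2", "127.0.0.20", "loopback"})
    std::printf("%-11s offline, pref off: %d  pref on: %d\n", h,
                MayConnect(prefOff, h), MayConnect(prefOn, h));
}
```

The model covers only the decision for new connections; tearing down already-open localhost connections, raised in the third comment, is not represented.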
