Content Security Policy blocking localhost in Firefox

OS etc: Developing on Lubuntu 20.04 inside Virtualbox 5.2.42 on host Ubuntu 18.04.6 LTS

I’m serving a site on localhost using the php development server:

php -S 0.0.0.0:8080 -t /home/alan/DEV/

index.html is

<!DOCTYPE HTML>
<html>
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
  <div id="main"></div>
  <script src="/main.js"></script>
  <script src="/script.js"></script>
</body>
</html>

Chromium has no problem viewing the page at localhost:8080. Until recently, neither did Firefox.

However, I just tried to connect on Firefox 122.0.1. Nothing of the page is displayed, and I get these errors in the browser console:

Content-Security-Policy: The page's settings blocked the loading of a resource at data: ("media-src"). localhost:8080
Content-Security-Policy: The page's settings blocked the loading of a resource at http://localhost:8080/main.js ("script-src-elem"). localhost:8080
Content-Security-Policy: The page's settings blocked the loading of a resource at http://localhost:8080/script.js ("script-src-elem"). localhost:8080

Looking at about:config in Firefox, and searching on content-security, I see the following:

extensions.webextensions.base-content-security-policy:

script-src 'self' https://* http://localhost:* http://127.0.0.1:* moz-extension: blob: filesystem: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';

extensions.webextensions.base-content-security-policy.v3:

script-src 'self' 'wasm-unsafe-eval';

extensions.webextensions.default-content-security-policy:

script-src 'self' 'wasm-unsafe-eval';

extensions.webextensions.default-content-security-policy.v3:

script-src 'self'; upgrade-insecure-requests;

I tried adding <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> to the head of my index.html file, but it made no difference (except it partially screwed up the page layout on Chromium).
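
Added example, not part of the original post: a simplified CSP matcher showing that every policy attached to a page is enforced together, so adding a `<meta>` policy such as `default-src 'self'` can only tighten the result and cannot re-allow a load that another policy already blocks. `BLOCKING` is a constructed stand-in (the post does not show which policy produced the errors), and all function names are hypothetical.

```javascript
// Added example: simplified subset of CSP source matching ('self', 'none',
// scheme sources, scheme://host:port). Nonces, hashes and paths are ignored.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'media-src': ['media-src', 'default-src'],
};
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources); // first duplicate wins
  }
  return policy;
}

function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr; // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false; // keywords such as 'unsafe-inline' never match a URL
  const [, scheme, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : new URL(pageOrigin).protocol;
  if (url.protocol !== wantScheme) return false;
  const hostOk = host === '*' || host === url.hostname ||
    (host.startsWith('*.') && url.hostname.endsWith(host.slice(1)));
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  return hostOk && (port === '*' || (port || DEFAULT_PORT[wantScheme]) === urlPort);
}

function policyAllows(policyText, directive, resourceUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  const governing = FALLBACK[directive].find((d) => policy.has(d));
  if (!governing) return true; // policy says nothing about this resource type
  const url = new URL(resourceUrl);
  return policy.get(governing).some((s) => sourceMatches(s, url, pageOrigin));
}

// Every policy delivered for a page is enforced: a load must pass all of them.
function loadAllowed(policies, directive, resourceUrl, pageOrigin) {
  return policies.every((p) => policyAllows(p, directive, resourceUrl, pageOrigin));
}

const PAGE = 'http://localhost:8080';
const META = "default-src 'self'"; // the meta policy tried in the post
const BLOCKING = "script-src 'none'; media-src 'none'"; // constructed stand-in
```

With only `META` in force the two scripts pass but a `data:` media source is refused, because `'self'` does not cover `data:`; with `BLOCKING` also in force the scripts stay blocked regardless of `META`.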