diff --git a/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption.js b/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption.js
index fd67da9e5c43a..3e3014e8d2470 100644
--- a/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption.js
+++ b/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption.js
@@ -3,6 +3,10 @@
 "use strict";
 
 add_task(async function test_cross_docGroup_adoption() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["extensions.content_web_accessible.enabled", true]],
+  });
+
   let tab = await BrowserTestUtils.openNewForegroundTab(
     gBrowser,
     "http://example.com/"
@@ -16,6 +20,7 @@ add_task(async function test_cross_docGroup_adoption() {
           js: ["content-script.js"],
         },
       ],
+      web_accessible_resources: ["current.html"],
     },
 
     files: {
diff --git a/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption_xhr.js b/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption_xhr.js
index dd0f6c4f870fb..a1b7fcee2c837 100644
--- a/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption_xhr.js
+++ b/browser/components/extensions/test/browser/browser_ext_contentscript_cross_docGroup_adoption_xhr.js
@@ -3,6 +3,10 @@
 "use strict";
 
 add_task(async function test_cross_docGroup_adoption() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["extensions.content_web_accessible.enabled", true]],
+  });
+
   let tab = await BrowserTestUtils.openNewForegroundTab(
     gBrowser,
     "http://example.com/"
@@ -16,6 +20,7 @@ add_task(async function test_cross_docGroup_adoption() {
           js: ["content-script.js"],
         },
       ],
+      web_accessible_resources: ["blank.html"],
     },
 
     files: {
diff --git a/browser/components/extensions/test/browser/browser_ext_nontab_process_switch.js b/browser/components/extensions/test/browser/browser_ext_nontab_process_switch.js
index 0c05408b17523..b81c3756aa36e 100644
--- a/browser/components/extensions/test/browser/browser_ext_nontab_process_switch.js
+++ b/browser/components/extensions/test/browser/browser_ext_nontab_process_switch.js
@@ -1,6 +1,10 @@
 "use strict";
 
 add_task(async function process_switch_in_sidebars_popups() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["extensions.content_web_accessible.enabled", true]],
+  });
+
   let extension = ExtensionTestUtils.loadExtension({
     useAddonManager: "temporary", // To automatically show sidebar on load.
     manifest: {
@@ -17,6 +21,7 @@ add_task(async function process_switch_in_sidebars_popups() {
       browser_action: {
         default_popup: "page.html?popup",
       },
+      web_accessible_resources: ["page.html"],
     },
     files: {
       "page.html": `<!DOCTYPE html><meta charset=utf-8><script src=page.js></script>`,
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index b00edbd6adc96..070122b07587b 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -693,11 +693,26 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
   basePrin->GetURI(getter_AddRefs(sourceURI));
   if (!sourceURI) {
     if (basePrin->Is<ExpandedPrincipal>()) {
+      // If the target addon is MV3 or the pref is on we require extension
+      // resources loaded from content to be listed in web_accessible_resources.
+      auto* targetPolicy =
+          ExtensionPolicyService::GetSingleton().GetByURL(aTargetURI);
+      bool contentAccessRequired =
+          targetPolicy &&
+          (targetPolicy->ManifestVersion() > 2 ||
+           StaticPrefs::extensions_content_web_accessible_enabled());
       auto expanded = basePrin->As<ExpandedPrincipal>();
       const auto& allowList = expanded->AllowList();
       // Only report errors when all principals fail.
+      // With expanded principals, which are used by extension content scripts,
+      // we check only against non-extension principals for access to extension
+      // resource to enforce making those resources explicitly web accessible.
       uint32_t flags = aFlags | nsIScriptSecurityManager::DONT_REPORT_ERRORS;
       for (size_t i = 0; i < allowList.Length() - 1; i++) {
+        if (contentAccessRequired &&
+            BasePrincipal::Cast(allowList[i])->AddonPolicy()) {
+          continue;
+        }
         nsresult rv = CheckLoadURIWithPrincipal(allowList[i], aTargetURI, flags,
                                                 aInnerWindowID);
         if (NS_SUCCEEDED(rv)) {
@@ -706,6 +721,19 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
         }
       }
 
+      if (contentAccessRequired &&
+          BasePrincipal::Cast(allowList.LastElement())->AddonPolicy()) {
+        bool reportErrors =
+            !(aFlags & nsIScriptSecurityManager::DONT_REPORT_ERRORS);
+        if (reportErrors) {
+          ReportError("CheckLoadURI", sourceURI, aTargetURI,
+                      allowList.LastElement()
+                              ->OriginAttributesRef()
+                              .mPrivateBrowsingId > 0,
+                      aInnerWindowID);
+        }
+        return NS_ERROR_DOM_BAD_URI;
+      }
       // Report errors (if requested) for the last principal.
       return CheckLoadURIWithPrincipal(allowList.LastElement(), aTargetURI,
                                        aFlags, aInnerWindowID);
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
index 5b19ffbd25fc7..09e92c56cde09 100644
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -4670,6 +4670,13 @@
 # Prefs starting with "extensions."
 #---------------------------------------------------------------------------
 
+# Pref that enforces the use of web_accessible_resources for content loads.
+# This behavior is default for MV3.  The pref controls this for MV2.
+- name: extensions.content_web_accessible.enabled
+  type: bool
+  value: false
+  mirror: always
+
 # Whether the InstallTrigger implementation should be enabled (or hidden and
 # none of its methods available).
 - name: extensions.InstallTriggerImpl.enabled
diff --git a/toolkit/components/extensions/test/mochitest/test_ext_extension_iframe_messaging.html b/toolkit/components/extensions/test/mochitest/test_ext_extension_iframe_messaging.html
index 170457dd6c98d..403782ab7d5c5 100644
--- a/toolkit/components/extensions/test/mochitest/test_ext_extension_iframe_messaging.html
+++ b/toolkit/components/extensions/test/mochitest/test_ext_extension_iframe_messaging.html
@@ -13,13 +13,20 @@
 "use strict";
 
 add_task(async function test_moz_extension_iframe_messaging() {
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      ["extensions.content_web_accessible.enabled", true],
+    ],
+  });
+
   let extension = ExtensionTestUtils.loadExtension({
     manifest: {
-      "content_scripts": [{
-        "js": ["cs.js"],
-        "matches": ["http://mochi.test/*/file_sample.html"],
+      content_scripts: [{
+        js: ["cs.js"],
+        matches: ["http://mochi.test/*/file_sample.html"],
       }],
-      "permissions": ["tabs"],
+      web_accessible_resources: ["iframe.html"],
+      permissions: ["tabs"],
     },
     files: {
       "cs.js"() {
diff --git a/toolkit/components/extensions/test/mochitest/test_ext_web_accessible_resources.html b/toolkit/components/extensions/test/mochitest/test_ext_web_accessible_resources.html
index 13bd18602e98d..0158a3bd194ca 100644
--- a/toolkit/components/extensions/test/mochitest/test_ext_web_accessible_resources.html
+++ b/toolkit/components/extensions/test/mochitest/test_ext_web_accessible_resources.html
@@ -12,11 +12,10 @@
 <script type="text/javascript">
 "use strict";
 
-/* eslint-disable mozilla/balanced-listeners */
-
-SimpleTest.registerCleanupFunction(() => {
-  SpecialPowers.clearUserPref("security.mixed_content.block_display_content");
-});
+// add_setup not available in mochitest
+add_task(async function setup() {
+  await SpecialPowers.pushPrefEnv({set: [["extensions.manifestV3.enabled", true]]});
+})
 
 let image = atob(
   "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAA" +
@@ -64,8 +63,12 @@
   });
 }
 
-add_task(async function test_web_accessible_resources() {
-  function background() {
+async function _test_web_accessible_resources({
+  manifest,
+  expectShouldLoadByDefault = true,
+  usePagePrincipal = false,
+}) {
+  function background(shouldLoad, usePagePrincipal) {
     let gotURL;
     let tabId;
     let expectBrowserAPI;
@@ -74,7 +77,7 @@
       return new Promise(resolve => {
         browser.tabs.sendMessage(
           tabId,
-          ["load-iframe", url, sandbox, srcdoc],
+          ["load-iframe", url, sandbox, srcdoc, usePagePrincipal],
           reply => {
             resolve(reply);
           }
@@ -82,33 +85,34 @@
       });
     }
 
+    // shouldLoad will be true unless we expect all attempts to fail.
     let urls = [
       // { url, shouldLoad, sandbox, srcdoc }
       {
         url: browser.runtime.getURL("accessible.html"),
-        shouldLoad: true,
+        shouldLoad,
       },
       {
         url: browser.runtime.getURL("accessible.html") + "?foo=bar",
-        shouldLoad: true,
+        shouldLoad,
       },
       {
         url: browser.runtime.getURL("accessible.html") + "#!foo=bar",
-        shouldLoad: true,
+        shouldLoad,
       },
       {
         url: browser.runtime.getURL("accessible.html"),
-        shouldLoad: true,
+        shouldLoad,
         sandbox: "allow-scripts",
       },
       {
         url: browser.runtime.getURL("accessible.html"),
-        shouldLoad: true,
+        shouldLoad,
         sandbox: "allow-same-origin allow-scripts",
       },
       {
         url: browser.runtime.getURL("accessible.html"),
-        shouldLoad: true,
+        shouldLoad,
         sandbox: "allow-scripts",
         srcdoc: true,
       },
@@ -129,7 +133,7 @@
       },
       {
         url: browser.runtime.getURL("wild1.html"),
-        shouldLoad: true,
+        shouldLoad,
       },
       {
         url: browser.runtime.getURL("wild2.htm"),
@@ -189,14 +193,14 @@
     });
 
     browser.runtime.onMessage.addListener(
-      ([msg, url, sandboxed, srcdoc], sender, respond) => {
+      ([msg, url, sandboxed, srcdoc, usePagePrincipal], sender, respond) => {
         if (msg == "load-iframe") {
           // construct the frame using srcdoc if requested.
           if (srcdoc) {
             sandboxed = sandboxed !== null ? `sandbox="${sandboxed}"` : "";
             let frameSrc = `<iframe ${sandboxed} src="${url}" onload="parent.postMessage(true, '*')" onerror="parent.postMessage(false, '*')">`;
             let frame = document.createElement("iframe");
-            frame.wrappedJSObject.setAttribute("srcdoc", frameSrc);
+            frame.setAttribute("srcdoc", frameSrc);
             window.addEventListener("message", function listener(event) {
               if (event.source === frame.contentWindow) {
                 window.removeEventListener("message", listener);
@@ -209,11 +213,16 @@
 
           let iframe = document.createElement("iframe");
           if (sandboxed !== null) {
-            iframe.wrappedJSObject.setAttribute("sandbox", sandboxed);
+            iframe.setAttribute("sandbox", sandboxed);
+          }
+
+          if (usePagePrincipal) {
+            // Test using the page principal
+            iframe.wrappedJSObject.src = url;
+          } else {
+            // Test using the expanded principal
+            iframe.src = url;
           }
-          // Set the src via wrappedJSObject so the load is triggered with the
-          // content page's principal rather than ours.
-          iframe.wrappedJSObject.setAttribute("src", url);
           iframe.addEventListener("load", () => {
             respond(true);
           });
@@ -229,6 +238,7 @@
   }
 
   let extension = ExtensionTestUtils.loadExtension({
+    useAddonManager: "temporary",
     manifest: {
       content_scripts: [
         {
@@ -237,11 +247,10 @@
           run_at: "document_idle",
         },
       ],
-
-      web_accessible_resources: ["/accessible.html", "wild*.html"],
+      ...manifest,
     },
 
-    background,
+    background: `(${background})(${expectShouldLoadByDefault}, ${usePagePrincipal})`,
 
     files: {
       "content_script.js": contentScript,
@@ -283,6 +292,89 @@
   win.close();
 
   await extension.unload();
+};
+
+add_task(async function test_web_accessible_resources_v2() {
+  await SpecialPowers.pushPrefEnv({set: [["extensions.content_web_accessible.enabled", true]]});
+  consoleMonitor.start([
+    {message: /Content at https:\/\/example.com\/ may not load or link to.*inaccessible.html/},
+  ]);
+  await _test_web_accessible_resources({
+    manifest: {
+      manifest_version: 2,
+      web_accessible_resources: ["/accessible.html", "wild*.html"],
+    }
+  });
+  await consoleMonitor.finished();
+  await SpecialPowers.popPrefEnv();
+});
+
+// Same test as above, but using only the content principal
+add_task(async function test_web_accessible_resources_v2_content() {
+  await SpecialPowers.pushPrefEnv({set: [["extensions.content_web_accessible.enabled", true]]});
+  consoleMonitor.start([
+    {message: /Content at https:\/\/example.com\/ may not load or link to.*inaccessible.html/},
+  ]);
+  await _test_web_accessible_resources({
+    manifest: {
+      manifest_version: 2,
+      web_accessible_resources: ["/accessible.html", "wild*.html"],
+    },
+    usePagePrincipal: true,
+  });
+  await consoleMonitor.finished();
+  await SpecialPowers.popPrefEnv();
+});
+
+add_task(async function test_web_accessible_resources_v3() {
+  // MV3 always requires this, pref off to ensure it works.
+  await SpecialPowers.pushPrefEnv({set: [["extensions.content_web_accessible.enabled", false]]});
+  consoleMonitor.start([
+    {message: /Content at https:\/\/example.com\/ may not load or link to.*inaccessible.html/},
+  ]);
+  await _test_web_accessible_resources({
+    manifest: {
+      manifest_version: 3,
+      web_accessible_resources: [
+        {
+          resources: ["/accessible.html", "wild*.html"],
+          matches: ["*://example.com/*"]
+        },
+      ],
+      host_permissions: ["*://example.com/*"],
+      granted_host_permissions: true,
+    }
+  });
+  await consoleMonitor.finished();
+  await SpecialPowers.popPrefEnv();
+});
+
+add_task(async function test_web_accessible_resources_v3_by_id() {
+  consoleMonitor.start([
+    {message: /Content at https:\/\/example.com\/ may not load or link to.*accessible.html/},
+    {message: /Content at https:\/\/example.com\/ may not load or link to.*inaccessible.html/},
+  ]);
+  await _test_web_accessible_resources({
+    manifest: {
+      manifest_version: 3,
+      applications: {
+        gecko: {
+          id: "extension_wac@mochitest",
+        },
+      },
+      web_accessible_resources: [
+        {
+          resources: ["/accessible.html", "wild*.html"],
+          extension_ids: ["extension_wac@mochitest"]
+        },
+      ],
+      host_permissions: ["*://example.com/*"],
+      // Work-around for bug 1766752 to allow content_scripts to run:
+      granted_host_permissions: true,
+    },
+    expectShouldLoadByDefault: false,
+  });
+  await consoleMonitor.finished();
 });
 
 add_task(async function test_web_accessible_resources_mixed_content() {
@@ -347,14 +439,10 @@
     },
   });
 
-  SpecialPowers.setBoolPref(
-    "security.mixed_content.upgrade_display_content",
-    false
-  );
-  SpecialPowers.setBoolPref(
-    "security.mixed_content.block_display_content",
-    true
-  );
+  await SpecialPowers.pushPrefEnv({set: [
+    ["security.mixed_content.upgrade_display_content", false],
+    ["security.mixed_content.block_display_content", true],
+  ]});
 
   await Promise.all([
     extension.startup(),
@@ -374,6 +462,7 @@
   win.close();
 
   await extension.unload();
+  await SpecialPowers.popPrefEnv();
 });
 
 // test that MV2 extensions continue to open other MV2 extension pages
diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_module_import.js b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_module_import.js
index a10715e89198e..3c23eb4dc3ad7 100644
--- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_module_import.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_module_import.js
@@ -70,6 +70,8 @@ add_task(async function test_disallowed_import() {
 });
 
 add_task(async function test_normal_import() {
+  Services.prefs.setBoolPref("extensions.content_web_accessible.enabled", true);
+
   let extension = ExtensionTestUtils.loadExtension({
     manifest: {
       content_scripts: [
@@ -84,11 +86,12 @@ add_task(async function test_normal_import() {
       "main.js": async function() {
         /* global exportFunction */
         const url = browser.runtime.getURL("module1.js");
-        let mod = await import(url);
-        browser.test.assertEq(mod.bar, 2);
 
-        browser.test.assertEq(mod.counter(), 0);
-        browser.test.assertEq(mod.counter(), 1);
+        await browser.test.assertRejects(
+          import(url),
+          /error loading dynamically imported module/,
+          "Cannot import script that is not web-accessible from page context"
+        );
 
         await browser.test.assertRejects(
           window.eval(`import("${url}")`),
diff --git a/toolkit/components/extensions/test/xpcshell/test_ext_webSocket.js b/toolkit/components/extensions/test/xpcshell/test_ext_webSocket.js
index ac7560fa8a5e3..c88fe26601497 100644
--- a/toolkit/components/extensions/test/xpcshell/test_ext_webSocket.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_webSocket.js
@@ -25,12 +25,18 @@ async function testWebSocketInFrameUpgraded() {
 // testIframe = true: open WebSocket from iframe (original test case).
 // testIframe = false: open WebSocket from content script.
 async function test_webSocket({ manifest_version, useIframe }) {
+  let web_accessible_resources =
+    manifest_version == 2
+      ? ["frame.html"]
+      : [{ resources: ["frame.html"], matches: ["*://example.com/*"] }];
+
   let extension = ExtensionTestUtils.loadExtension({
     manifest: {
       manifest_version,
       permissions: ["webRequest", "webRequestBlocking"],
       host_permissions: ["<all_urls>"],
       granted_host_permissions: true,
+      web_accessible_resources,
       content_scripts: [
         {
           matches: ["http://*/plain.html"],