diff --git a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
index 60a7cef8fa1d2..8741d312f3e88 100644
--- a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php
@@ -74,6 +74,17 @@ public function afterController($controller, $methodName, Response $response): R
 $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
 }

+ // Loosen security presets in debug mode to enable development
+ // tools functionality
+ $debugging = \OC::$server->getConfig()->getSystemValue('debug', false);
+ if ($debugging) {
+ // Allow vue dev tool to work on Firefox.
+ $defaultPolicy->allowEvalScript(true);
+ // Unblock HMR requests.
+ $defaultPolicy->addAllowedConnectDomain('*');
+ $defaultPolicy->addAllowedScriptDomain('*');
+ }
+
 $response->setContentSecurityPolicy($defaultPolicy);

 return $response;
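Review bot: The debug branch adds `'*'` to both script-src and connect-src and turns on eval for every response that passes through `afterController`, so an instance left with `debug` set to true loses most of the XSS and exfiltration containment this middleware exists to provide. The two wildcard calls should be limited to the development server's origin, e.g. `$defaultPolicy->addAllowedConnectDomain($devServerOrigin);` and `$defaultPolicy->addAllowedScriptDomain($devServerOrigin);`, where `$devServerOrigin` is a placeholder for a value read from configuration. The comment above the branch should also state that the relaxed policy must never be active on a production instance. The flag is read through `\OC::$server->getConfig()` rather than a constructor-injected config object, which makes the branch awkward to unit-test; the constructor is outside this hunk, so whether such a dependency is already available cannot be seen here. The body of afterController starts before the hunk.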