Disable firefox same origin policy
I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests).
More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain.
I'm aware previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access.
If it cannot be done easily, I would also appreciate any insights that point me to specific part of FF src code that I can modify to disable SOP, so that I can recompile FF.
There's a Firefox extension that adds the CORS headers to any HTTP response working on the latest Firefox (build 36.0.1) released March 5, 2015. I tested it and it's working on both Windows 7 and Mavericks. I'll guide you throught the steps to get it working.
1) Getting the extension
You can either download the xpi from here (author builds) or from here (mirror, may not be updated).
Or download the files from GitHub. Now it's also on Firefox Marketplace: Download here. In this case, the addon is installed after you click install and you can skip to step 4.
If you downloaded the xpi you can jump to step 3. If you downloaded the zip from GitHub, go to step 2.
2) Building the xpi
You need to extract the zip, get inside the "cors-everywhere-firefox-addon-master" folder, select all the items and zip them. Then, rename the created zip as *.xpi
Note: If you are using the OS X gui, it may create some hidden files, so you 'd be better using the command line.
3) Installing the xpi
You can just drag and drop the xpi to firefox, or go to: "about:addons", click on the cog on the top right corner and select "install add on from file", then select you .xpi file. Now, restart firefox.
4) Getting it to work
Now, the extension won't be working by default. You need to drag the extension icon to the extension bar, but don't worry. There are pictures!
Click on the Firefox Menu
Click on Customise
https://i.stack.imgur.com/VSspG.png
Drag CorsE to the bar
Now, click on the icon, when it's green the CORS headers will be added to any HTTP response
https://i.stack.imgur.com/ead0z.png
5) Testing if it's working
jQuery
$.get( "http://example.com/", function( data ) {
console.log (data);
});
JavaScript
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
console.log(xmlhttp.responseText);
}
}
xmlhttp.open("GET","http://example.com/");
xmlhttp.send();
6) Final considerations
Note that https to http is not allowed.
There may be a way around it, but it's behind the scope of the question.
about:config -> security.fileuri.strict_origin_policy -> false
file:// protocol. Computer scientists ought to put more weight into the word "anything" -- unless you have tested everything (which you haven't), try to be more conservative with your remarks. Same goes for use of word "useless".
I realized my older answer is downvoted because I didn't specify how to disable FF's same origin policy specifically. Here I will give a more detailed answer:
Warning: This requires a re-compilation of FF, and the newly compiled version of Firefox will not be able to enable SOP again.
Check out Mozilla's Firefox's source code, find nsScriptSecurityManager.cpp in the src directory. I will use the one listed here as example: http://mxr.mozilla.org/aviarybranch/source/caps/src/nsScriptSecurityManager.cpp
Go to the function implementation nsScriptSecurityManager::CheckSameOriginURI, which is line 568 as of date 03/02/2016.
Make that function always return NS_OK.
This will disable SOP for good.
The browser addon answer by @Giacomo should be useful for most people and I have accepted that answer, however, for my personal research needs (TL;won't explain here) it is not enough and I figure other researchers may need to do what I did here to fully kill SOP.
I wrote an add-on to overcome this issue in Firefox (Chrome, Opera version will have soon). It works with the latest Firefox version, with beautiful UI and support JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors
https://i.stack.imgur.com/fU2fa.png
As of September 2016 this addon is the best to disable CORS: https://github.com/fredericlb/Force-CORS/releases
In the options panel you can configure which header to inject and specific website to have it enabled automatically.
https://i.stack.imgur.com/kLFrb.png
The cors-everywhere addon works for me until Firefox 68, after 68 I need to adjust 'privacy.file_unique_origin' -> false (by open 'about:config') to solve 'CORS request not HTTP' for new CORS same-origin rule introduced.
NOTE: 12/2021 updated. Since firefox 95 the 'CORS request not HTTP' can't be disabled by adjusting 'privacy.file_unique_origin'. See above 'CORS request not HTTP' link, it already updated by official rencently. The only way for me is '....Developers who need to perform local testing should now set up a local server.'
For me worked by setting content.cors.disable to false
In about:config add content.cors.disable (empty string).
true, but says nothing about false or other values. "In Firefox, the preference that disables CORS is content.cors.disable. Setting this to true disables CORS, so whenever that's the case, CORS requests will always fail with this error." developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/…
content.cors.disable exists, but its boolean, remove/edit is not possible
Follow WeChat
Success story sharing
Want to stay one step ahead of the latest teleworks?
Subscribe Now相似问题
- How to manually send HTTP POST requests from Firefox or Chrome browser
- Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
- SecurityError: Blocked a frame with origin from accessing a cross-origin frame
- same-origin policy and CORS - what's the point?
security.mixed_content.block_active_contentto false andsecurity.mixed_content.block_display_contentto true. Keep in mind you are disabling some security and this should be a temporary solution.