Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Disable cross domain web security in Firefox

Tags:

security

cors

firefox

cross-domain

Almost everywhere you look, people refer to the about:config and the security.fileuri.strict_origin_policy. Sometimes also the network.http.refere.XOriginPolicy.

For me, none of these seem to have any effect.

This comment implies there is no built-in way in Firefox to do this (as of 2/8/14).


From this answer I've known a CORS Everywhere Firefox extension and it works for me. It creates MITM proxy intercepting headers to disable CORS. You can find the extension at addons.mozilla.org or here.


Check out my addon that works with the latest Firefox version, with beautiful UI and support JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors

Update: I just add Chrome extension for this https://chrome.google.com/webstore/detail/cross-domain-cors/mjhpgnbimicffchbodmgfnemoghjakai

enter image description here


The Chrome setting you refer to is to disable the same origin policy.

This was covered in this thread also: Disable firefox same origin policy

about:config -> security.fileuri.strict_origin_policy -> false


Best Firefox Addon to disable CORS as of September 2016: https://github.com/fredericlb/Force-CORS/releases

You can even configure it by Referrers (Website).


I have not been able to find a Firefox option equivalent of --disable-web-security or an addon that does that for me. I really needed it for some testing scenarios where modifying the web server was not possible. What did help was to use Fiddler to auto-modify web responses so that they have the correct headers and CORS is no longer an issue.

The steps are:

  1. Open fiddler.

  2. If on https go to menu Tools -> Options -> Https and tick the Capture & Decrypt https options

  3. Go to menu Rules -> Customize rules. Modify the OnBeforeResponseFunction so that it looks like the following, then save:

     static function OnBeforeResponse(oSession: Session) {
    //....
    oSession.oResponse.headers.Remove("Access-Control-Allow-Origin");
    oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
    //...
 }

    This will make every web response to have the Access-Control-Allow-Origin: * header.

  4. This still won't work as the OPTIONS preflight will pass through and cause the request to block before our above rule gets the chance to modify the headers. So to fix this, in the fiddler main window, on the right hand side there's an AutoResponder tab. Add a new rule and response: METHOD:OPTIONS https://yoursite.com/ with auto response: *CORSPreflightAllow and tick the boxes: "Enable Rules" and "Unmatched requests passthrough".

See picture below for reference:

enter image description here

Related questions

How to properly add cross-site request forgery (CSRF) token using PHP
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
Google Authenticator implementation in Python
How to encrypt/decrypt data in php?
Best practices for server-side handling of JWT tokens [closed]
How to read a HttpOnly cookie using JavaScript
How to do stateless (session-less) & cookie-less authentication?
What 'sensitive information' could be disclosed when setting JsonRequestBehavior to AllowGet
Disable firefox same origin policy
How to securely save username/password (local)?
PHP Session Security
Keystore type: which one to use?
Should I hash the password before sending it to the server side?
CSRF protection with CORS Origin header vs. CSRF token
Why not use HTTPS for everything?
How to send password securely over HTTP?
What is the best way to prevent session hijacking?
Android SharedPreference security
Should JWT be stored in localStorage or cookie? [duplicate]
How can pass the value of a variable to the standard input of a command?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!