Disable cross domain web security in Firefox


Solution 1

Almost everywhere you look, people refer to about:config and the security.fileuri.strict_origin_policy setting. Sometimes also network.http.referer.XOriginPolicy.

For me, none of these seem to have any effect.

This comment implies there is no built-in way in Firefox to do this (as of 2/8/14).

Solution 2

From this answer I learned of the CORS Everywhere Firefox extension, and it works for me. It creates a MITM proxy intercepting headers to disable CORS. You can find the extension at addons.mozilla.org or here.

Solution 3

Check out my addon that works with the latest Firefox version, with a beautiful UI and support for JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors

Update: I just added a Chrome extension for this: https://chrome.google.com/webstore/detail/cross-domain-cors/mjhpgnbimicffchbodmgfnemoghjakai

Solution 4

The Chrome setting you refer to is to disable the same origin policy.

This was covered in this thread also: Disable firefox same origin policy

about:config -> security.fileuri.strict_origin_policy -> false

Solution 5

I have not been able to find a Firefox option equivalent of --disable-web-security or an addon that does that for me. I really needed it for some testing scenarios where modifying the web server was not possible. What did help was to use Fiddler to auto-modify web responses so that they have the correct headers and CORS is no longer an issue.

The steps are:

  1. Open Fiddler.

  2. If on HTTPS, go to menu Tools -> Options -> Https and tick the Capture & Decrypt https options.

  3. Go to menu Rules -> Customize rules. Modify the OnBeforeResponse function so that it looks like the following, then save:

     static function OnBeforeResponse(oSession: Session) {
         //....
         // Drop whatever CORS origin header the server sent, then allow any origin.
         oSession.oResponse.headers.Remove("Access-Control-Allow-Origin");
         oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
         //...
     }

     This will make every web response have the Access-Control-Allow-Origin: * header.

  4. This still won't work, as the OPTIONS preflight will pass through and cause the request to block before our above rule gets the chance to modify the headers. So to fix this, in the Fiddler main window, on the right-hand side there's an AutoResponder tab. Add a new rule and response: METHOD:OPTIONS https://yoursite.com/ with auto response: *CORSPreflightAllow and tick the boxes: "Enable Rules" and "Unmatched requests passthrough".

See picture below for reference:

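The two Fiddler rules from Solution 5 (rewrite the response header, answer the OPTIONS preflight locally) can also be expressed as a small Node.js development proxy. This is an added example, not code from any of the answers. It narrows the `*` wildcard to a single allowed origin and binds to loopback only; `ALLOWED_ORIGIN`, the `CORS_PROXY_UPSTREAM` environment variable, the plain-HTTP upstream and port 8787 are assumptions.

```javascript
// Added example: local dev proxy mirroring the Fiddler recipe above.
// ALLOWED_ORIGIN, CORS_PROXY_UPSTREAM and port 8787 are assumed names/values.
const ALLOWED_ORIGIN = 'http://localhost:3000';

// Build the CORS headers for one request. Returns null for any origin other
// than the allowed one, so the browser keeps blocking those.
function corsHeaders(origin, requestedHeaders) {
  if (origin !== ALLOWED_ORIGIN) return null;
  return {
    'access-control-allow-origin': origin,
    'vary': 'Origin',
    'access-control-allow-methods': 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
    'access-control-allow-headers': requestedHeaders || 'content-type',
  };
}

// A preflight is an OPTIONS request carrying Access-Control-Request-Method.
function isPreflight(method, headers) {
  return method === 'OPTIONS' && 'access-control-request-method' in headers;
}

async function startProxy(upstream, port) {
  const http = await import('node:http');
  const target = new URL(upstream); // plain-HTTP upstream only, for brevity
  const server = http.createServer((req, res) => {
    const cors = corsHeaders(req.headers.origin,
                             req.headers['access-control-request-headers']);
    if (isPreflight(req.method, req.headers)) {
      // Step 4 of the recipe: answer the preflight here, never forward it.
      res.writeHead(cors ? 204 : 403, cors || {});
      return res.end();
    }
    const fwd = http.request({
      host: target.hostname, port: target.port || 80,
      path: req.url, method: req.method,
      headers: { ...req.headers, host: target.host },
    }, (up) => {
      // Step 3 of the recipe: replace the upstream CORS header with ours.
      const headers = { ...up.headers };
      delete headers['access-control-allow-origin'];
      res.writeHead(up.statusCode, { ...headers, ...(cors || {}) });
      up.pipe(res);
    });
    fwd.on('error', () => { res.writeHead(502); res.end(); });
    req.pipe(fwd);
  });
  server.listen(port, '127.0.0.1'); // loopback only
  return server;
}

if (process.env.CORS_PROXY_UPSTREAM) startProxy(process.env.CORS_PROXY_UPSTREAM, 8787);
```

Echoing one known origin instead of `*` limits the relaxed policy to the page under test.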

Author: Oscar Godson

Fork me on Github: http://github.com/oscargodson Read my stuff: http://oscargodson.com

Updated on October 28, 2020

Comments

  • Oscar Godson over 3 years

    In Firefox, how do I do the equivalent of --disable-web-security in Chrome? This has been posted a lot, but never a true answer. Most are links to add-ons (some of which don't work in the latest Firefox or don't work at all) and "you just need to enable support on the server".

    1. This is temporary to test. I know the security implications.
    2. I can't turn on CORS on the server and I especially would never be able to allow localhost or similar.
    3. A flag, or setting, or something would be a lot better than a plugin. I also tried: http://www-jo.se/f.pfleger/forcecors, but something must be wrong since my requests come back as completely empty, but same requests in Chrome come back fine.

    Again, this is only for testing before pushing to prod which, then, would be on an allowable domain.

  • Anton Soradoi about 10 years
    Setting this setting to false did not have any effect; the requests are still stuck on OPTIONS.
  • vknyvz almost 10 years
    Yes, this has no effect on CORS, doesn't do anything.
  • Ed Orsi over 9 years
    This does nothing on Firefox latest.
  • Nick over 9 years
    This just changes file:// URI policy, not the one needed.
  • Daniel Nalbach almost 9 years
    This answer fixed the font-awesome download failed issue I was having on my local dev environment from a cross-origin restriction.
  • YakovL about 8 years
    security.fileuri.strict_origin_policy helps when one needs to get the content of one local file through AJAX into another and the first one is not in the same folder (or in a subfolder of that folder) as the second one.
  • Jonathan Benn about 7 years
    Does not work for me when loading a local file that fetches URLs :(
  • beta over 6 years
    It doesn't seem to work with Firefox 55.0.3. Nice UI, though.
  • nachtigall about 6 years
    FWIW, there's also the CORS-Everywhere Extension doing something similar.
  • Tan Mai Van about 6 years
    Just fixed the bug and the add-on is working again now.
  • 16851556 about 4 years
    I think that setting "network.http.referer.XOriginPolicy" to 1 worked for me (Firefox beta). I am unsure how bad (insecure) it is to leave it like this.
  • Arthur Khazbs almost 4 years
    Works for me! I allowed CORS for localhost and now I can test my web apps and APIs locally without setting up complicated servers. Thank you!
  • Patrick Michaelsen over 3 years
    Firefox didn't allow an option for engineers to disable CORS for development, but life, uh, finds a way.
  • bob over 2 years
    Very handy, I wish you could add support for subdomains. Thank you 🌹.
  • Klimaat over 2 years
    Still working for me in 2021, FF96.
  • Kordi about 2 years
    Doesn't work for me either. I just installed the extension and still got a CORS error.
  • Jamie Hutber about 2 years
    Sadly I am still getting CORS Failed, with localhost:3009 on my sites. Also, if it helps, the UI is confusing with the "disable" CORS button. I am not sure if it's running or not :O?