Disable cross domain web security in Firefox
Solution 1
Almost everywhere you look, people refer to the about:config and the security.fileuri.strict_origin_policy. Sometimes also the network.http.referer.XOriginPolicy.
For me, none of these seem to have any effect.
This comment implies there is no built-in way in Firefox to do this (as of 2/8/14).
Solution 2
From this answer I learned about the CORS Everywhere Firefox extension, and it works for me. It creates a MITM proxy intercepting headers to disable CORS. You can find the extension at addons.mozilla.org or here.
Solution 3
Check out my addon that works with the latest Firefox version, with a beautiful UI and support for JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors
Update: I just added a Chrome extension for this: https://chrome.google.com/webstore/detail/cross-domain-cors/mjhpgnbimicffchbodmgfnemoghjakai
Solution 4
The Chrome setting you refer to is to disable the same origin policy.
This was covered in this thread also: Disable firefox same origin policy
about:config -> security.fileuri.strict_origin_policy -> false
Solution 5
I have not been able to find a Firefox option equivalent of --disable-web-security or an addon that does that for me. I really needed it for some testing scenarios where modifying the web server was not possible. What did help was to use Fiddler to auto-modify web responses so that they have the correct headers and CORS is no longer an issue.
The steps are:
- Open Fiddler.
- If on https go to menu Tools -> Options -> Https and tick the Capture & Decrypt https options.
- Go to menu Rules -> Customize rules. Modify the OnBeforeResponse function so that it looks like the following, then save:

      static function OnBeforeResponse(oSession: Session) {
          //....
          // Replace any existing CORS header so that exactly one is sent.
          oSession.oResponse.headers.Remove("Access-Control-Allow-Origin");
          oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
          //...
      }

  This will make every web response have the Access-Control-Allow-Origin: * header.
- This still won't work as the OPTIONS preflight will pass through and cause the request to block before our above rule gets the chance to modify the headers. So to fix this, in the Fiddler main window, on the right hand side there's an AutoResponder tab. Add a new rule and response: METHOD:OPTIONS https://yoursite.com/ with auto response: *CORSPreflightAllow and tick the boxes: "Enable Rules" and "Unmatched requests passthrough".
See picture below for reference:
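Added example, not part of the original answer: the same two rules (answer the OPTIONS preflight, rewrite the response header) expressed as the header logic of a local test proxy, scoped to one allowlisted test origin instead of `*`. The function names and the origin `http://localhost:3000` are assumptions made for illustration.

```javascript
// Added example, not from the original answer. Function names and the
// origins below are hypothetical; sample requests are constructed.
const DEV_ORIGINS = new Set(["http://localhost:3000"]); // assumption: the test page

// CORS headers for an allowlisted origin, or null to leave traffic untouched.
// Header names are lower-case, as Node's http module delivers them.
function corsHeaders(reqHeaders) {
  const origin = reqHeaders["origin"];
  if (!origin || !DEV_ORIGINS.has(origin)) return null;
  // Echo the exact origin: browsers reject "*" on credentialed requests.
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
  };
}

// Counterpart of the AutoResponder rule: answer the OPTIONS preflight locally.
function preflightResponse(method, reqHeaders) {
  const wanted = reqHeaders["access-control-request-method"];
  const cors = corsHeaders(reqHeaders);
  if (method !== "OPTIONS" || !wanted || !cors) return null; // pass through
  const headers = { ...cors, "access-control-allow-methods": wanted, vary: "Origin" };
  const reqHdrs = reqHeaders["access-control-request-headers"];
  if (reqHdrs) headers["access-control-allow-headers"] = reqHdrs;
  return { status: 204, headers };
}

// Counterpart of OnBeforeResponse: replace the upstream CORS header.
function rewriteResponseHeaders(reqHeaders, upstream) {
  const cors = corsHeaders(reqHeaders);
  if (!cors) return { ...upstream };
  const vary = upstream["vary"] ? upstream["vary"] + ", Origin" : "Origin";
  return { ...upstream, ...cors, vary };
}

// Constructed sample: preflight for a PUT with a JSON body.
console.log(preflightResponse("OPTIONS", {
  origin: "http://localhost:3000",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "content-type",
}));
```

Requests from any origin outside the allowlist pass through unchanged, so the relaxed policy applies only to the page under test.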
Oscar Godson
Updated on October 28, 2020
Comments
-
Oscar Godson over 3 years
In Firefox, how do I do the equivalent of --disable-web-security in Chrome? This has been posted a lot, but never a true answer. Most are links to add-ons (some of which don't work in the latest Firefox or don't work at all) and "you just need to enable support on the server".
- This is temporary to test. I know the security implications.
- I can't turn on CORS on the server and I especially would never be able to allow localhost or similar.
- A flag, or setting, or something would be a lot better than a plugin. I also tried: http://www-jo.se/f.pfleger/forcecors, but something must be wrong since my requests come back as completely empty, but same requests in Chrome come back fine.
Again, this is only for testing before pushing to prod which, then, would be on an allowable domain.
-
Anton Soradoi about 10 years
setting this setting to false did not have any effect; the requests are still stuck on OPTIONS
-
vknyvz almost 10 years
yes this has no effect on cors, doesn't do anything
-
Ed Orsi over 9 years
This does nothing on Firefox latest
-
Nick over 9 years
This just changes file:// URI policy, not the one needed
-
Daniel Nalbach almost 9 years
This answer fixed the font-awesome download failed issue I was having on my local dev environment from a cross-origin restriction.
-
YakovL about 8 years
security.fileuri.strict_origin_policy helps when one needs to get the content of one local file through AJAX into another and the first one is not in the same folder (or in a subfolder of that folder) as the second one.
-
Jonathan Benn about 7 years
Does not work for me when loading a local file that fetches URLs :(
-
beta over 6 years
It doesn't seem to work with Firefox 55.0.3. Nice UI, though.
-
nachtigall about 6 years
FWIW, there's also the CORS-Everywhere Extension doing something similar.
-
Tan Mai Van about 6 years
Just fixed the bug and the add-on is working again now.
-
16851556 about 4 years
I think that setting "network.http.referer.XOriginPolicy" to 1 worked for me (Firefox beta). I am unsure how bad (insecure) it is to leave it like this.
-
Arthur Khazbs almost 4 years
Works for me! I allowed CORS for localhost and now I can test my web apps and APIs locally without setting up complicated servers. Thank you!
-
Patrick Michaelsen over 3 years
Firefox didn't allow an option for engineers to disable CORS for development, but life, uh, finds a way
-
bob over 2 years
Very handy, I wish you could add support for subdomains. Thank you 🌹.
-
Klimaat over 2 years
still working for me in 2021, FF96.
-
Kordi about 2 years
Doesn't work for me either. I just installed the extension and still got CORS error.
-
Jamie Hutber about 2 years
Sadly I am still getting Cors Failed, with localhost:3009 on my sites. Also if it helps, the UI is confusing with "disable" cors button. I am not sure if it's running or not :O?