Disable firefox same origin policy
Solution 1
There's a Firefox extension that adds the CORS headers to any HTTP response working on the latest Firefox (build 36.0.1) released March 5, 2015. I tested it and it's working on both Windows 7 and Mavericks. I'll guide you throught the steps to get it working.
1) Getting the extension
You can either download the xpi from here (author builds) or from here (mirror, may not be updated).
Or download the files from GitHub. Now it's also on Firefox Marketplace: Download here. In this case, the addon is installed after you click install and you can skip to step 4.
If you downloaded the xpi you can jump to step 3. If you downloaded the zip from GitHub, go to step 2.
2) Building the xpi
You need to extract the zip, get inside the "cors-everywhere-firefox-addon-master" folder, select all the items and zip them. Then, rename the created zip as *.xpi
Note: If you are using the OS X gui, it may create some hidden files, so you 'd be better using the command line.
3) Installing the xpi
You can just drag and drop the xpi to firefox, or go to: "about:addons", click on the cog on the top right corner and select "install add on from file", then select you .xpi file. Now, restart firefox.
4) Getting it to work
Now, the extension won't be working by default. You need to drag the extension icon to the extension bar, but don't worry. There are pictures!
- Click on the Firefox Menu
- Click on Customise
- Drag CorsE to the bar
- Now, click on the icon, when it's green the CORS headers will be added to any HTTP response
5) Testing if it's working
jQuery
$.get( "http://example.com/", function( data ) {
console.log (data);
});
JavaScript
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
console.log(xmlhttp.responseText);
}
}
xmlhttp.open("GET","http://example.com/");
xmlhttp.send();
6) Final considerations
Note that https to http is not allowed.
There may be a way around it, but it's behind the scope of the question.
Solution 2
about:config -> security.fileuri.strict_origin_policy -> false
Solution 3
I realized my older answer is downvoted because I didn't specify how to disable FF's same origin policy specifically. Here I will give a more detailed answer:
Warning: This requires a re-compilation of FF, and the newly compiled version of Firefox will not be able to enable SOP again.
Check out Mozilla's Firefox's source code, find nsScriptSecurityManager.cpp in the src directory. I will use the one listed here as example: http://mxr.mozilla.org/aviarybranch/source/caps/src/nsScriptSecurityManager.cpp
Go to the function implementation nsScriptSecurityManager::CheckSameOriginURI, which is line 568 as of date 03/02/2016.
Make that function always return NS_OK.
This will disable SOP for good.
The browser addon answer by @Giacomo should be useful for most people and I have accepted that answer, however, for my personal research needs (TL;won't explain here) it is not enough and I figure other researchers may need to do what I did here to fully kill SOP.
Solution 4
I wrote an add-on to overcome this issue in Firefox (Chrome, Opera version will have soon). It works with the latest Firefox version, with beautiful UI and support JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors
Solution 5
As of September 2016 this addon is the best to disable CORS: https://github.com/fredericlb/Force-CORS/releases
In the options panel you can configure which header to inject and specific website to have it enabled automatically.
Yuchen Zhou
Updated on January 03, 2022Comments
-
Yuchen Zhou over 2 years
I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests).
More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain.
I'm aware previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access.
If it cannot be done easily, I would also appreciate any insights that point me to specific part of FF src code that I can modify to disable SOP, so that I can recompile FF.
-
Yuchen Zhou over 10 yearsThanks @Niklas, however, i think this only disables fileuri same origin policy checks - probably used for local web dev testing. It still stops me when I'm trying to access DOM nodes in an iframe with domain B from a JavaScript in domain A.
-
vknyvz almost 10 yearsthis doesn't do anything
-
eversor about 9 yearsAs vknyvz says, it is useless
-
bufh almost 9 yearsYou can disable HTTP/HTTPS mixed content protection by setting
security.mixed_content.block_active_content
to false andsecurity.mixed_content.block_display_content
to true. Keep in mind you are disabling some security and this should be a temporary solution. -
bufh almost 9 yearsConfirmed it does work in my firefox (developer) version: 40. Thank you for the tip @Niklas.
-
bufh almost 9 yearsJust found about
XOriginPolicy
,sendRefererHeader
,spoofSource
which may be useful for testing purposes bypassing CORS and all (sources: ghacks.net, b.agilob.net). -
spenibus almost 9 yearsAs the author of this addon, I'm not actually convinced it would solve this particular question. It's nice to get a mention though.
-
Peter Ajtai over 8 years@spenibus - you should get your add on signed - I can't install it :( - support.mozilla.org/en-US/kb/…
-
spenibus over 8 years@PeterAjtai Mozilla keeps on trying hard to annoy me I see. Awaiting review: addons.mozilla.org/en-US/firefox/addon/cors-everywhere Should hopefully get auto signed.
-
Jon Egerton over 8 yearsThis is a setting specifically for debugging, and controls a local files access to other local files (set to true a local file can only access local files in the same folder or sub folders, set to false a local file can access all local files). Source
-
Alex about 8 yearsdoesnt work for me. CorsE icon is green, but XmlHttpRequest returns just empty String for example.com or google.com. It works for a file on localhost - so the example script should be ok.
-
user2345998 about 8 yearsin about:config set xpinstall.signatures.required to false to install the addon. It worked for me.
-
Pete Alvin almost 8 yearsUse Chrome because it's so much easier to disable CORS for developing.
-
Type-Style over 7 yearsaddons.mozilla.org/de/firefox/addon/cors-everywhere This is the addon mentioned above. It works great.
-
FelixM about 7 yearsFrom wiki.mozilla.org/Add-ons/Extension_Signing: Firefox 48: Release and Beta versions of Firefox for Desktop will not allow unsigned extensions to be installed, with no override. I could not find a signed version of this addon.
-
Khado Mikhal about 7 years@FelixM Here's how to do it: ghacks.net/2016/08/14/…
-
Tan Mai Van almost 7 yearsMy addon also work with the latest version of Firefox too. With better UI and support JS regex. Check it out here: addons.mozilla.org/en-US/firefox/addon/cross-domain-cors
-
alxndr over 6 years@FelixM Firefox Developer Edition has an option "xpinstall.signatures.required" boolean in the "about:config" flags. However, version 0.1.1 of this extension is not compatible with Firefox Developer Edition 58.0 (Quantum).
-
wizzwizz4 over 6 years@spenibus This is a really useful tool. Any plans for making it work on the new FF version?
-
spenibus over 6 years@wizzwizz4 I switched to the WebExtensions API around 6 months ago, it should work unless Mozilla already broke compatibility, which I wouldn't know since I've stopped updating Firefox and nobody opened an issue on the tracker. Perhaps you missed the marketplace link ? addons.mozilla.org/firefox/addon/cors-everywhere
-
wizzwizz4 over 6 years@spenibus It disappeared from my Firefox when I got Quantum. I installed it through that. (Review link: addons.mozilla.org/en-GB/firefox/addon/cors-everywhere/reviews/…)
-
wizzwizz4 over 6 yearsWhat. I just reinstalled it... and it works. And now it's gone from the Legacy Extensions list. I blame cosmic rays.
-
nachtigall about 6 yearsThanks you. Additionally, there's also CORS-Everywhere Extension which is similar.
-
sphakka about 5 yearsEasiest workaround for CSS rules referencing local files, such as
@font-face { url(local/path); ... }
-
Armen Michaeli about 5 yearsIt does do something, in my case it allows me to access local resources from a document served over
file://
protocol. Computer scientists ought to put more weight into the word "anything" -- unless you have tested everything (which you haven't), try to be more conservative with your remarks. Same goes for use of word "useless". -
stealththeninja almost 4 yearsHas this been tested? From what I'm reading, this pref was designed to make all CORS requests fail when set to
true
, but says nothing aboutfalse
or other values. "In Firefox, the preference that disables CORS is content.cors.disable. Setting this to true disables CORS, so whenever that's the case, CORS requests will always fail with this error." developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/… -
Gunnar Bernstein almost 4 yearsAs of Firefox 68.7 this setting is not even available.
-
kamranicus almost 4 yearsLine 499 as of today, Git mirror: github.com/mozilla/gecko-dev/blob/…
-
Tim Daubenschütz over 3 yearsAs someone trying to solve the problem of blocked
fetch
requests in Firefox Developer Edition when debugging locally, this didn't work for me. -
Tim Daubenschütz over 3 yearsFound this setting in FF 84 but it didn't help me overcome my issue of FF wanting valid CORS policy to foreign server.
-
a55 over 3 yearsin FF85
content.cors.disable
exists, but its boolean, remove/edit is not possible -
Panu Logic about 3 yearsIt crashed my Firefox when after making the change I tried to reload the local file that was the problem.
-
Donald Duck about 3 yearsIt's not working. I tried enabling it and I still get an error saying "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource".