Disable cross-domain web security in Firefox

In Firefox, how do I do the equivalent of --disable-web-security in Chrome? It has been posted a lot, but there has never been a true answer. Most of them are links to add-ons (some of which do not work in the latest Firefox or do not work at all) and "you just need to enable support on the server."

  • This is a temporary test. I know the security implications.
  • I cannot enable CORS on the server, and I especially will never be able to resolve localhost or the like.
  • A flag or setting or something will be much better than a plugin. I also tried: http://www-jo.se/f.pfleger/forcecors, but something must be wrong, since my requests are returned as completely empty, but the same requests are returned in Chrome.

Again, this is only for testing, before clicking on prod, which will then be in a valid domain.

+85
security firefox cors cross-domain
Jul 17 '13 at 23:19
6 answers

Almost everywhere you look, people refer to about:config and security.fileuri.strict_origin_policy. Sometimes also network.http.referer.XOriginPolicy.

For me, none of this has any effect.

This comment implies that there is no built-in method in Firefox (starting from 2/8/14).

+19
Oct 08

The Chrome flag you refer to disables the same-origin policy.

This topic also covered it: Disable Firefox same origin policy.

about:config → security.fileuri.strict_origin_policy → false

+8
Oct 16 '13 at 14:18

Check out my addon, which works with the latest version of Firefox, with a nice interface and JS regex support: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors

+5
May 21 '17 at 4:27 a.m.

From this answer, I learned about the CORS Everywhere Firefox extension, and it works for me. It creates a MITM proxy that intercepts the headers to disable CORS. You can find the extension at addons.mozilla.org or here.

+3
May 7 '15 at 14:05
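The header interception described in the answer above, as an added example that is not part of the original answers and is not the code of CORS Everywhere or any other extension. It goes beyond an unconditional rewrite by limiting it to an allowlisted test origin; the function names, the `http://localhost:8080` origin and the request/response object shapes (lowercase request header keys, as in Node's http module) are assumptions.

```javascript
// Added example; every name below is hypothetical, not an extension's real API.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]); // constructed dev origin

// Build the CORS headers for one request, or null if its Origin is not allowlisted
// (in which case the browser's same-origin policy blocks the read as usual).
function corsHeadersFor(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  if (!origin || !allowed.has(origin)) return null;
  const cors = { "access-control-allow-origin": origin }; // exact origin, never "*"
  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantedMethod) {
    // Preflight: approve only the method and headers the browser asked about.
    cors["access-control-allow-methods"] = wantedMethod;
    const wantedHeaders = req.headers["access-control-request-headers"];
    if (wantedHeaders) cors["access-control-allow-headers"] = wantedHeaders;
  }
  return cors;
}

// Rewrite an upstream response: replace the server's access-control-* headers
// and add Vary: Origin so caches keep per-origin copies apart.
function rewriteResponse(req, upstream, allowed = ALLOWED_ORIGINS) {
  const cors = corsHeadersFor(req, allowed);
  if (!cors) return upstream; // not allowlisted: pass through untouched
  const headers = {};
  for (const [name, value] of Object.entries(upstream.headers)) {
    const key = name.toLowerCase();
    if (!key.startsWith("access-control-")) headers[key] = value;
  }
  headers["vary"] = headers["vary"] ? `${headers["vary"]}, Origin` : "Origin";
  const isPreflight = "access-control-allow-methods" in cors;
  return { status: isPreflight ? 204 : upstream.status, headers: { ...headers, ...cors } };
}

// Constructed sample exchange.
const sampleReq = { method: "GET", headers: { origin: "http://localhost:8080" } };
const sampleRes = { status: 200, headers: { "Content-Type": "application/json" } };
console.log(rewriteResponse(sampleReq, sampleRes));
```

Because the rewrite is keyed on the request's Origin, pages from any other origin still get the server's original headers and stay subject to the same-origin policy.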

Best Firefox Addon to disable CORS from September 2016: https://github.com/fredericlb/Force-CORS/releases

You can even configure it using Referrers (Website).

0
Sep 09 '16 at 20:49

While Chrome and Firefox are mentioned in the question, there is other software without cross-domain security. I mention this for people who ignore that such software exists.

For example, PhantomJS is a browser automation mechanism that supports cross-domain security deactivation.

 phantomjs.exe --web-security=no script.js 

Look at another comment of mine: "Custom" to bypass a policy of the same origin for accessing nested iframes

0
Oct. 06 '17 at 18:33