Disable firefox same origin policy

security firefox same-origin-policy
Yuchen Zhou picture Yuchen Zhou · Jun 13, 2013 · Viewed 193.8k times · Source

I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests).

More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain.

I'm aware previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access.

If it cannot be done easily, I would also appreciate any insights that point me to specific part of FF src code that I can modify to disable SOP, so that I can recompile FF.

Answer

Giacomo Tecya Pigani picture Giacomo Tecya Pigani · Mar 17, 2015

There's a Firefox extension that adds the CORS headers to any HTTP response working on the latest Firefox (build 36.0.1) released March 5, 2015. I tested it and it's working on both Windows 7 and Mavericks. I'll guide you throught the steps to get it working.

1) Getting the extension

You can either download the xpi from here (author builds) or from here (mirror, may not be updated).

Or download the files from GitHub. Now it's also on Firefox Marketplace: Download here. In this case, the addon is installed after you click install and you can skip to step 4.

If you downloaded the xpi you can jump to step 3. If you downloaded the zip from GitHub, go to step 2.

2) Building the xpi

You need to extract the zip, get inside the "cors-everywhere-firefox-addon-master" folder, select all the items and zip them. Then, rename the created zip as *.xpi

Note: If you are using the OS X gui, it may create some hidden files, so you 'd be better using the command line.

3) Installing the xpi

You can just drag and drop the xpi to firefox, or go to: "about:addons", click on the cog on the top right corner and select "install add on from file", then select you .xpi file. Now, restart firefox.

4) Getting it to work

Now, the extension won't be working by default. You need to drag the extension icon to the extension bar, but don't worry. There are pictures!

  • Click on the Firefox Menu
  • Click on Customise

p1

  • Drag CorsE to the bar
  • Now, click on the icon, when it's green the CORS headers will be added to any HTTP response

p2

5) Testing if it's working

jQuery

$.get( "http://example.com/", function( data ) {
  console.log (data);
});

JavaScript

xmlhttp=new XMLHttpRequest();

xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {
        console.log(xmlhttp.responseText);
    }
}

xmlhttp.open("GET","http://example.com/");
xmlhttp.send();

6) Final considerations

Note that https to http is not allowed.

There may be a way around it, but it's behind the scope of the question.

Related questions

Why am I suddenly getting a "Blocked loading mixed active content" issue in Firefox?

This morning, upon upgrading my Firefox browser to the latest version (from 22 to 23), some of the key aspects of my back office (website) stopped working. Looking at the Firebug log, the following errors were being reported: Blocked loading mixed active …

Read More
Disable cross domain web security in Firefox

In Firefox, how do I do the equivalent of --disable-web-security in Chrome. This has been posted a lot, but never a true answer. Most are links to add-ons (some of which don't work in the latest Firefox or don't work …

Read More
CSP: How to allow unsafe-eval for a given URI prefix (Firefox)

I'm trying to use MathJax as part of our web application which uses pretty strict Content Security Policy (CSP). The problem is that MathJax is coded to use eval() [to be exact, in form of Function()] which is not considered …

Read More