Disable cross domain web security in Firefox

Question

In Firefox  how do I do the equivalent of --disable-web-security in Chrome  This has been posted a lot  but never a true answer  Most are links to add-ons  some of which don t work in the latest Firefox or don t work at all  and  you just need to enable support on the server     This is temporary to test  I know the security implications  I can t turn on CORS on the server and I especially would never be able to allow localhost or similar  A flag  or setting  or something would be a lot better than a plugin  I also tried  http   www-jo se f pfleger forcecors  but something must be wrong since my requests come back as completely empty  but same requests in Chrome come back fine    Again  this is only for testing before pushing to prod which  then  would be on an allowable domain

User · Answer

While the question mentions Chrome and Firefox, there are other software without cross domain security. I mention it for people who ignore that such software exists.

For example, PhantomJS is an engine for browser automation, it supports cross domain security deactivation.

phantomjs.exe --web-security=no script.js

See this other comment of mine: Userscript to bypass same-origin policy for accessing nested iframes

User · Answer

Check out my addon that works with the latest Firefox version  with beautiful UI and support JS regex  https   addons mozilla org en-US firefox addon cross-domain-cors Update  I just add Chrome extension for this https   chrome google com webstore detail cross-domain-cors mjhpgnbimicffchbodmgfnemoghjakai

User · Answer

I have not been able to find a Firefox option equivalent of --disable-web-security or an addon that does that for me  I really needed it for some testing scenarios where modifying the web server was not possible  What did help was to use Fiddler to auto-modify web responses so that they have the correct headers and CORS is no longer an issue  The steps are   Open fiddler   If on https go to menu Tools - gt  Options - gt  Https and tick the Capture  amp  Decrypt https options  Go to menu Rules - gt  Customize rules  Modify the OnBeforeResponseFunction so that it looks like the following  then save   static function OnBeforeResponse oSession  Session                   oSession oResponse headers Remove  quot Access-Control-Allow-Origin quot        oSession oResponse headers Add  quot Access-Control-Allow-Origin quot    quot   quot                  This will make every web response to have the Access-Control-Allow-Origin    header   This still won t work as the OPTIONS preflight will pass through and cause the request to block before our above rule gets the chance to modify the headers  So to fix this  in the fiddler main window  on the right hand side there s an AutoResponder tab  Add a new rule and response  METHOD OPTIONS https   yoursite com   with auto response   CORSPreflightAllow and tick the boxes   quot Enable Rules quot  and  quot Unmatched requests passthrough quot     See picture below for reference

User · Answer

From this answer I ve known a CORS Everywhere Firefox extension and it works for me  It creates MITM proxy intercepting headers to disable CORS  You can find the extension at addons mozilla org or here

User · Answer

Best Firefox Addon to disable CORS as of September 2016  https   github com fredericlb Force-CORS releases  You can even configure it by Referrers  Website

User · Answer

The Chrome setting you refer to is to disable the same origin policy   This was covered in this thread also  Disable firefox same origin policy  about config -  security fileuri strict origin policy -  false

User · Answer

For anyone finding this question while using Nightwatch js  1 3 4   there s an  acceptInsecureCerts  true setting in the config file    x000D   x000D  firefox    x000D        desiredCapabilities    x000D          browserName   firefox   x000D          alwaysMatch    x000D               Enable this if you encounter unexpected SSL certificate errors in Firefox x000D            acceptInsecureCerts  true  x000D             moz firefoxOptions     x000D              args    x000D                    -headless   x000D                    -verbose  x000D                 x000D              x000D            x000D          x000D         x000D   x000D   x000D

User · Answer

Almost everywhere you look  people refer to the about config and the security fileuri strict origin policy  Sometimes also the network http refere XOriginPolicy   For me  none of these seem to have any effect   This comment implies there is no built-in way in Firefox to do this  as of 2 8 14

[security] Disable cross domain web security in Firefox

Examples related to security

Examples related to firefox

Examples related to cross-domain

Examples related to cors