[security] Disable firefox same origin policy

I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests).

More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain.

I'm aware of previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access.

If it cannot be done easily, I would also appreciate any insights that point me to the specific part of the FF source code that I can modify to disable SOP, so that I can recompile FF.

This question is related to security firefox same-origin-policy

The answer is


In about:config add content.cors.disable (empty string).


The cors-everywhere addon works for me until Firefox 68; after 68 I need to set 'privacy.file_unique_origin' to false (by opening 'about:config') to solve 'CORS request not HTTP', caused by the new CORS same-origin rule that was introduced.


I wrote an add-on to overcome this issue in Firefox (Chrome and Opera versions will come soon). It works with the latest Firefox version, has a beautiful UI and supports JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors


I realized my older answer is downvoted because I didn't specify how to disable FF's same origin policy specifically. Here I will give a more detailed answer:

Warning: This requires a re-compilation of FF, and the newly compiled version of Firefox will not be able to enable SOP again.

Check out Mozilla Firefox's source code and find nsScriptSecurityManager.cpp in the src directory. I will use the one listed here as an example: http://mxr.mozilla.org/aviarybranch/source/caps/src/nsScriptSecurityManager.cpp

Go to the function implementation nsScriptSecurityManager::CheckSameOriginURI, which is line 568 as of date 03/02/2016.

Make that function always return NS_OK.

This will disable SOP for good.

The browser addon answer by @Giacomo should be useful for most people and I have accepted that answer, however, for my personal research needs (TL;won't explain here) it is not enough and I figure other researchers may need to do what I did here to fully kill SOP.


about:config -> security.fileuri.strict_origin_policy -> false

As of September 2016 this addon is the best to disable CORS: https://github.com/fredericlb/Force-CORS/releases

In the options panel you can configure which header to inject and specific website to have it enabled automatically.
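
For reference, a simplified model of the origin comparison that decides script access to a frame, added here as an illustration and not taken from Firefox or from any answer on this page. It shows that the two `file:` prefs named in the answers only change how local files are compared, while cross-domain http(s) frames stay blocked; the function names, the sample URLs and the precedence between the two prefs are assumptions of the model.

```javascript
// Added illustration: a simplified model, not Firefox source code.
// Keys mirror the two about:config prefs named in the answers; values are the defaults.
const DEFAULT_PREFS = {
  "privacy.file_unique_origin": true,
  "security.fileuri.strict_origin_policy": true,
};

// Directory part of a URL path, e.g. "/home/u/tool/index.html" -> "/home/u/tool/".
function dirOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf("/") + 1);
}

// May a script running in hostUrl reach into the DOM of a frame loaded from frameUrl?
function sameOrigin(hostUrl, frameUrl, prefs = {}) {
  const p = { ...DEFAULT_PREFS, ...prefs };
  const a = new URL(hostUrl);
  const b = new URL(frameUrl);
  if (a.protocol !== b.protocol) return false;
  if (a.protocol === "file:") {
    // Assumed precedence: relaxed policy first, then unique origins, then directory scoping.
    if (!p["security.fileuri.strict_origin_policy"]) return true;
    if (p["privacy.file_unique_origin"]) return a.pathname === b.pathname;
    return b.pathname.startsWith(dirOf(a.pathname));
  }
  // http(s): scheme, host and port must all match; URL already drops default ports.
  return a.hostname === b.hostname && a.port === b.port;
}

// Constructed sample frames for a hypothetical research page (not from the original post).
const SAMPLE_FRAMES = [
  "https://tool.example:443/panel.html", // same origin, default port written out
  "https://cdn.example/widget.html",     // different host
  "https://tool.example:8443/admin",     // different port
  "http://tool.example/panel.html",      // different scheme
];

// One row per frame: would host-page script be allowed to read its DOM?
function frameAccessReport(hostUrl, frames, prefs = {}) {
  return frames.map((url) => ({ url, allowed: sameOrigin(hostUrl, url, prefs) }));
}

console.log(frameAccessReport("https://tool.example/index.html", SAMPLE_FRAMES));
```
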
