173

In Firefox, how do I do the equivalent of --disable-web-security in Chrome? This has been posted a lot, but never a true answer. Most are links to add-ons (some of which don't work in the latest Firefox or don't work at all) and "you just need to enable support on the server".

  1. This is temporary to test. I know the security implications.
  2. I can't turn on CORS on the server and I especially would never be able to allow localhost or similar.
  3. A flag, or setting, or something would be a lot better than a plugin. I also tried: http://www-jo.se/f.pfleger/forcecors, but something must be wrong since my requests come back as completely empty, but same requests in Chrome come back fine.

Again, this is only for testing before pushing to prod which, then, would be on an allowable domain.

Oscar Godson
  • 3
    possible duplicate of [Disable firefox same origin policy](http://stackoverflow.com/questions/17088609/disable-firefox-same-origin-policy) – askewchan May 15 '14 at 15:56
  • 1
    I believe it's not possible right now, here is related bug report in Firefox Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1039678 – rutsky Oct 09 '14 at 16:22
  • You can try out my Firefox add on here to disable or enable CORS: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors/ – Tan Mai Van May 23 '16 at 14:38
  • 2
    @TanMaiVan Your addon did not work for me on Firefox. – Khado Mikhal Sep 09 '16 at 20:51
  • @KhadoMikhal Thanks for the report. I will check and fix it soon. – Tan Mai Van Sep 10 '16 at 02:41
  • @TanMaiVan **Here's more information:** The addon works fine for the first URL right after the sandbox is killed: `function unloadSandbox(sandbox) { if ("nukeSandbox" in Cu) Cu.nukeSandbox(sandbox); }` Screenshot of errors in console: http://i.imgur.com/2PBy8VW.png **Do you have a GitHub account where I can report the issue?** – Khado Mikhal Sep 10 '16 at 06:32
  • @TanMaiVan Look here: http://stackoverflow.com/questions/30549732/firefox-extension-works-through-sdk-but-not-when-installed-in-browser-compatib I'm pretty sure the addon works for you because you have tested it only from the SDK and not standalone. The problem seems to be in the bootstrap.js. – Khado Mikhal Sep 10 '16 at 06:49
  • @KhadoMikhal Thanks, I will check the issue you mention, but actually I run and test it in Firefox. About GitHub, I do not have a public project on GitHub. – Tan Mai Van Sep 12 '16 at 13:26
  • @KhadoMikhal Just updated the add on to work with the latest Firefox version. Could you check if it works on your side? – Tan Mai Van May 06 '18 at 11:13
  • @TanMaiVan Thanks, but I don't use Firefox anymore, I use Chromium. Could you do a version for Chrome, since it is a webext? Regards. – Khado Mikhal May 06 '18 at 15:12
  • @KhadoMikhal I am going to port the add on to Chrome, almost done. Will inform you when done. – Tan Mai Van May 06 '18 at 15:46

9 Answers

51

Almost everywhere you look, people refer to the about:config and the security.fileuri.strict_origin_policy. Sometimes also the network.http.referer.XOriginPolicy.

For me, none of these seem to have any effect.

This comment implies there is no built-in way in Firefox to do this (as of 2/8/14).

Peter
  • 17
    `security.fileuri.strict_origin_policy` helps when one needs to get the content of one local file through AJAX into another and the first one is not in the same folder (or in subfolder of that folder) as the second one. – YakovL Apr 15 '16 at 07:55
  • I think that setting "network.http.referer.XOriginPolicy" to 1 worked for me (Firefox beta). I am unsure how bad (insecure) it is to leave it like this. – 16851556 Apr 21 '20 at 15:24
21

From this answer I learned about the CORS Everywhere Firefox extension and it works for me. It creates a MITM proxy intercepting headers to disable CORS. You can find the extension at addons.mozilla.org or here.

andrej
fireb86
16

Check out my addon that works with the latest Firefox version, with a beautiful UI and support for JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors

Update: I just added a Chrome extension for this: https://chrome.google.com/webstore/detail/cross-domain-cors/mjhpgnbimicffchbodmgfnemoghjakai


Tan Mai Van
  • 5
    It doesn't seem to work with Firefox 55.0.3. Nice UI, though. – beta Sep 19 '17 at 14:44
  • 4
    FWIW, there's also the [CORS-Everywhere Extension](https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/) doing something similar. – nachtigall Feb 23 '18 at 10:44
  • 1
    Just fixed the bug and the add on is working again now. – Tan Mai Van May 06 '18 at 11:02
  • 1
    Works for me! I allowed CORS for localhost and now I can test my web apps and APIs locally without setting up complicated servers. Thank you! – Arthur Khazbs Jun 08 '20 at 14:46
  • Very handy, I wish you could add support for subdomains. Thank you. – bob Oct 16 '21 at 00:10
  • 1
    Sadly I am still getting "CORS failed" with localhost:3009 on my sites. Also, if it helps, the UI is confusing with the "disable" CORS button. I am not sure if it's running or not :O? – Jamie Hutber Apr 21 '22 at 23:19
9

The Chrome setting you refer to is to disable the same origin policy.

This was covered in this thread also: Disable firefox same origin policy

about:config -> security.fileuri.strict_origin_policy -> false

Community
mightilybix
3

I have not been able to find a Firefox option equivalent of --disable-web-security or an addon that does that for me. I really needed it for some testing scenarios where modifying the web server was not possible. What did help was to use Fiddler to auto-modify web responses so that they have the correct headers and CORS is no longer an issue.

The steps are:

  1. Open fiddler.

  2. If on https go to menu Tools -> Options -> Https and tick the Capture & Decrypt https options

  3. Go to menu Rules -> Customize rules. Modify the OnBeforeResponse function so that it looks like the following, then save:

     static function OnBeforeResponse(oSession: Session) {
        //....
        oSession.oResponse.headers.Remove("Access-Control-Allow-Origin");
        oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
        //...
     }
    

    This will make every web response have the Access-Control-Allow-Origin: * header.

  4. This still won't work as the OPTIONS preflight will pass through and cause the request to block before our above rule gets the chance to modify the headers. So to fix this, in the fiddler main window, on the right hand side there's an AutoResponder tab. Add a new rule and response: METHOD:OPTIONS https://yoursite.com/ with auto response: *CORSPreflightAllow and tick the boxes: "Enable Rules" and "Unmatched requests passthrough".

See picture below for reference:


Liviu Trifoi
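Why the preflight in step 4 of the answer above has to be handled separately, as an added example that is not part of the original answer: a simplified JavaScript model of the checks a browser applies to the preflight and the actual response. The function names, the reduced header safelist and the sample request and responses are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser-side CORS checks (Fetch spec).
// Origins, headers and responses are constructed sample values.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];

// Lower-cased request header names that force a preflight (simplified safelist).
function unsafeHeaders(req) {
  return Object.entries(req.headers || {}).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n !== 'content-type') return !SAFE_HEADERS.includes(n);
    return !SAFE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase());
}

// Origin check applied to both the preflight response and the actual response.
function originCheck(req, res) {
  const acao = res.headers['access-control-allow-origin'];
  if (!acao) return 'missing Access-Control-Allow-Origin';
  if (req.credentials && acao === '*') return 'wildcard origin with credentials';
  if (acao !== '*' && acao !== req.origin) return 'origin mismatch';
  if (req.credentials && res.headers['access-control-allow-credentials'] !== 'true')
    return 'missing Access-Control-Allow-Credentials: true';
  return null;
}

const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
// Returns null when script may read the response, otherwise why the browser blocks it.
function corsBlockReason(req, preflightRes, actualRes) {
  const extra = unsafeHeaders(req);
  if (!SAFE_METHODS.includes(req.method) || extra.length) {
    if (preflightRes.status < 200 || preflightRes.status > 299) return 'preflight: non-2xx status';
    const why = originCheck(req, preflightRes);
    if (why) return 'preflight: ' + why;
    const methods = list(preflightRes.headers['access-control-allow-methods']);
    const headers = list(preflightRes.headers['access-control-allow-headers']);
    const wild = l => !req.credentials && l.includes('*'); // "*" is literal with credentials
    if (!SAFE_METHODS.includes(req.method) && !wild(methods) && !methods.includes(req.method.toLowerCase()))
      return 'preflight: method not allowed';
    const denied = extra.filter(h => !wild(headers) && !headers.includes(h));
    if (denied.length) return 'preflight: header not allowed: ' + denied.join(', ');
  }
  return originCheck(req, actualRes);
}

// Constructed scenario: JSON PUT where only Access-Control-Allow-Origin: * was injected.
const star = { status: 200, headers: { 'access-control-allow-origin': '*' } };
const put = { origin: 'http://localhost:8080', method: 'PUT', headers: { 'Content-Type': 'application/json' } };
console.log(corsBlockReason(put, star, star)); // blocked at the preflight stage
```

The same model shows that an injected `Access-Control-Allow-Origin: *` is rejected for requests sent with credentials, so a header rewrite of this kind only covers requests made without cookies or HTTP authentication.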
1

Best Firefox Addon to disable CORS as of September 2016: https://github.com/fredericlb/Force-CORS/releases

You can even configure it by Referrers (Website).

Khado Mikhal
1

As of June 2022, Mozilla Firefox does allow you to natively change the CORS configuration. No extra addons are required. As per Mozilla docs you can change the CORS setting by changing the value of the key content.cors.disable.

To do so, first go to your browser and type about:config in your address bar as shown in the screenshot.

Click on accept risk and continue; since you are on this Stack Overflow page we assume you are aware of the risks you are undertaking.

You will see a page with your user variables. On this page just search for the key content.cors.disable as shown below.

You do not have to type in true or false values, just hit the toggle button at the far right of the screen and it will change values.

Soham
  • 28
    Unfortunately, this appears to do the opposite of what this thread is all about. It blocks all requests that would require CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled – Murphy Randle Sep 09 '22 at 16:33
-1

While the question mentions Chrome and Firefox, there is other software without cross domain security. I mention it for people who ignore that such software exists.

For example, PhantomJS is an engine for browser automation, it supports cross domain security deactivation.

    phantomjs.exe --web-security=no script.js

See this other comment of mine: Userscript to bypass same-origin policy for accessing nested iframes

Mar Cnu
-1

For anyone finding this question while using Nightwatch.js (1.3.4), there's an acceptInsecureCerts: true setting in the config file:

    firefox: {
      desiredCapabilities: {
        browserName: 'firefox',
        alwaysMatch: {
          // Enable this if you encounter unexpected SSL certificate errors in Firefox
          acceptInsecureCerts: true,
          'moz:firefoxOptions': {
            args: [
              // '-headless',
              // '-verbose'
            ],
          }
        }
      }
    },
jeti