44

How can I allow CORS on Firefox?

I easily managed it on Chrome and Internet Explorer, but I am totally failing at it with Firefox. I edited the following about:config entry

security.fileuri.strict_origin_policy = false

This attempt has been posted several times here and is told on other sites too, but it doesn't have any effect. I read the Mozilla guide to same-origin policies:

Cross-Origin Resource Sharing (CORS)

but it just explains CORS and the related topics. A workaround to enable it on Firefox is not listed.

Is there a definitive solution?

PS: FORCECORS does not work either somehow...

Peter Mortensen
Ahab
  • There is no simple answer when it comes to CORS. This website has all the information you need on both Server and Client side http://enable-cors.org/ – percebus Nov 13 '14 at 20:21

5 Answers

31

Do nothing to the browser. CORS is supported by default on all modern browsers (and since Firefox 3.5).

The server being accessed by JavaScript has to give the site hosting the HTML document in which the JS is running permission via CORS HTTP response headers.


security.fileuri.strict_origin_policy is used to give JS in local HTML documents access to your entire hard disk. Don't set it to false as it makes you vulnerable to attacks from downloaded HTML documents (including email attachments).

Quentin
  • Thanks, I am trying this approach now, but I still can not access the web service on my tomcat. I tried the advanced example cited on the following link: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter/Initialisation_parameters Can you tell me what I still have to manage? – Ahab Aug 26 '14 at 14:17
  • 6
    Since you haven't provided any code that you are using to try to access the web server, nor have you quoted the error messages you get in the JavaScript console and nor have you quoted the HTTP requests and responses that JavaScript is making and receiving (and which are visible in the Net tab of your browser's developer tools) — no. – Quentin Aug 26 '14 at 14:38
  • 1
    The request is aborted so no response headers at all. The problem is only in Firefox, not in Chrome. – Ahamed Jul 30 '15 at 00:03
10

It's only possible when the server sends this header: Access-Control-Allow-Origin: *

If this is your code then you can set it up like this (PHP):

header('Access-Control-Allow-Origin: *');
Peter Mortensen
Abbas
  • Thanks man, CORS problems have been messing with my testing for a long time. – kiwicomb123 Feb 12 '18 at 02:52
  • 4
    just a warning note, adding `Access-Control-Allow-Origin: *` everywhere enables CORS for anyone and everyone. While you should have security measures in place whatever the case, if the API is only used by specific resources then you should limit which domains are allowed via a comma-separated-list instead of supplying `*` – Jay Edwards Apr 11 '18 at 11:01
  • 1
    This is insecure. Do not do this unless you are sure it is what you want. – span Dec 07 '20 at 10:33
  • I've done this with a simple Python server but my browser still blocks it. – HyperChromatica Jul 14 '22 at 20:35
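
The answers above say the server grants access through CORS response headers, and the comments warn against sending `*` everywhere. A sketch of that server-side decision with an explicit allow-list, as an added example that is not part of any answer; the origins, the allowed methods and headers, and the function name `corsResponse` are assumptions:

```javascript
// Added example: decide CORS response headers from an explicit origin allow-list.
// The origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:8080',
  'https://app.example.com',
]);
const ALLOWED_METHODS = 'GET, POST';
const ALLOWED_HEADERS = 'Content-Type';

// Takes the request method and its headers (lower-cased names, as Node's
// http module exposes them) and returns the status and headers to send.
function corsResponse(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  // Vary: Origin stops a shared cache replaying one origin's answer to another.
  const headers = { 'Vary': 'Origin' };
  const allowed = typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);

  if (allowed) {
    // The header carries exactly one origin: the caller's, echoed only after
    // an exact match against the allow-list (no substring or regex matching).
    headers['Access-Control-Allow-Origin'] = origin;
  }

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const isPreflight = method === 'OPTIONS' &&
    'access-control-request-method' in reqHeaders;
  if (isPreflight) {
    if (allowed) {
      headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
      headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
    }
    return { status: 204, headers };
  }
  // Actual request: the resource is served either way; without the
  // Allow-Origin header the browser refuses to hand the body to the script.
  return { status: 200, headers };
}

// Constructed requests: an allowed origin, a look-alike origin, a preflight.
console.log(corsResponse('GET', { origin: 'https://app.example.com' }));
console.log(corsResponse('GET', { origin: 'https://app.example.com.other.test' }));
console.log(corsResponse('OPTIONS', {
  origin: 'http://localhost:8080',
  'access-control-request-method': 'POST',
}));
```

To use it, pass the incoming request's method and headers and copy the returned headers onto the response before writing the body.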
4

This Firefox add-on may work for you:

https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/

It can toggle CORS on and off for development purposes.

saudes
2

I was stuck with this problem for a long time (CORS does not work in FF, but works in Chrome and others). No advice could help. Finally, I found that my local dev subdomain (like sub.example.dev) was not explicitly mentioned in /etc/hosts, thus FF just is not able to find it and shows a confusing error message 'Aborted...' in the dev tools panel.

Putting the exact subdomain into my local /etc/hosts fixed the problem. /etc/hosts is just a plain-text file in Unix systems, so you can open it under the root user and put your subdomain in front of the '127.0.0.1' IP address.

Vasily
  • 2
    Probably describing *how* one "puts" a subdomain into /etc/hosts would be helpful. Best regards – YakovL Nov 16 '16 at 20:47
0

Very often you have no option to set up the sending server, so I changed the XMLHttpRequest.open call in my JavaScript code to a local get-file.php file where I have the following code in it:

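<?php
  // Relay a remote file to the same-origin page. Only http(s) URLs are
  // accepted, so local paths and other stream wrappers are refused.
  $url = isset($_GET['url']) ? $_GET['url'] : '';
  if (!preg_match('#^https?://#i', $url)) { http_response_code(400); exit; }
  $file = file($url);
  echo $file === false ? '' : implode('', $file);
?>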

The JavaScript code is doing this:

var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    // File content is now in the this.responseText
  }
};
xhttp.open("GET", "get-file.php?url=http://site/file", true);
xhttp.send();

In my case this solved the restriction/situation just perfectly. There isn't any need to hack Firefox or servers. Just load your JavaScript/HTML file with that small PHP file into the server and you're done.

Peter Mortensen
Tickseeker
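
The relay in the last answer hands a caller-supplied URL to a server-side fetch, so the script, not the browser's same-origin policy, decides what the server will request. The check below pins the target to known hosts before anything is fetched; it is an added example, not the answer author's code, written in JavaScript to show the logic, and the host names and the function name `checkProxyTarget` are assumptions:

```javascript
// Added example: validate the `url` parameter of a fetch-and-relay script
// before anything is requested. Host names are constructed sample values.
const ALLOWED_HOSTS = new Set(['site.example', 'cdn.site.example']);

// Returns the normalised URL string to fetch, or null when the target
// must be refused.
function checkProxyTarget(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  let u;
  try {
    u = new URL(raw); // absolute URLs only; relative paths throw
  } catch (e) {
    return null;
  }
  // Web schemes only: refuses file:, ftp:, data: and similar.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  // No embedded credentials (http://user:pass@host/), which also
  // defeats "allowed-name@other-host" look-alikes.
  if (u.username || u.password) return null;
  // Default ports only, so the relay reaches the web server and nothing else.
  if (u.port !== '') return null;
  // Exact host match; the URL parser has already lower-cased the host name.
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// Constructed inputs: the first is relayed, the rest are refused.
for (const raw of ['http://site.example/file', 'file:///srv/app/config.php',
                   '../config.php', 'http://site.example:8080/x']) {
  console.log(raw, '->', checkProxyTarget(raw));
}
```

In PHP the same checks can be made with parse_url() before calling file(). The relay should also not follow redirects, since a redirect can lead to a host outside the allow-list.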