30

Is there a way to disable the same origin policy on the Mozilla Firefox browser by toggling a flag in the browser?

This is strictly for development, for not production use.

Please note:

A similar question asked 3+ years ago yielded an accepted answer that recommends users to install a plugin. I consider this less secure and more cumbersome than toggling a flag (e.g. in the about:config, or passing a parameter when starting the browser like in Chrome).

  • 10
    I see this got downvoted. Could I receive some feedback as to what the problem is with this question? Thanks. –  Feb 20 '18 at 13:46

4 Answers4

13

After having tried to find a Firefox setting for various hours, and after having opened a bounty, I think the right answer to this question is:

At the moment of writing (March 2018), it is not possible to disable the same policy origin in Firefox by simply setting a flag.

I would personally recommend people to use Chrome instead for this kind of work, because disabling this setting is very easy, quick and doesn't involve installing third-party software.

  • Useful information. Does you have some documentation about it? – Sergio A. Nov 19 '19 at 08:31
  • Bug report can be seen here: https://bugzilla.mozilla.org/show_bug.cgi?id=1039678 Was opened 6 years ago and the general consensus is that it is wanted and needed in Firefox but needs to be presented in a clear and usable way, there is resistance to make it a command line flag as the developers appear to feel this is not clear enough. – Otis Wright Jan 15 '20 at 01:25
  • You may be able to by compiling your own version, see https://stackoverflow.com/a/35760327/109458 though I haven't yet verified this as of today, I might try to do this for some experimentation – kamranicus Jul 28 '20 at 04:09
7

There is a boolean in Mozilla Firefox that should allow toggling of the same origin policy called security.fileuri.strict_origin_policy.

Go to about:config in your browser and accept the risk:

enter image description here

Then search for security.fileuri.strict_origin_policy and double click it to toggle it to false like so:

enter image description here

I have not tested this but in my experience, this is the flag controlling the same origin policy.

Cole
  • 1,530
  • 10
  • 21
  • 6
    Unfortunately this does not solve the issue. From the manual, if this flag is set to true, then: `Local documents have access to other local documents in the same directory and in subdirectories, but not directory listings`. See: http://kb.mozillazine.org/Security.fileuri.strict_origin_policy –  Feb 26 '18 at 05:43
5

Rather than directly answer your question, this alternative might be viable if you also have ownership of the server

Get your server to add the following response header. (+ Apply a DevOps process or piece of code to ensure only apply this code during development)

Access-Control-Allow-Origin

.. With the value of your origin domain, e.g. http://example.com or alternatively * for all domains.

Niccaman
  • 364
  • 1
  • 4
  • Thanks, but I don't want to be modifying the server, I'm looking for a solution similar to what Chrome offers, thanks. –  Mar 02 '18 at 07:49
  • doesn't work. My browser isn't even sending requests to the desired server because it throws a `TypeError: Failed to fetch` before the request is even sent, so changing the server won't help. – AjaxLeung Nov 19 '18 at 06:10
  • Thanks, but I dont hace access to server resources. That's why most of us are looking for a way to disable CORS policy. – Sergio A. Nov 19 '19 at 08:30
-1

So I wasn't able to do this using Firefox. I was able to do this inside of chrome using the following. My purpose was for testing endpoint access to a server without CORS being setup.

google-chrome disable-web-security -allow-file-access-from-files — allow-file-access

Your google chrome executable can vary to whatever you have linked it to.

Source: https://medium.com/@siddhartha.ng/disable-cross-origin-on-chrome-for-localhost-c644b131db19

James O
  • 72
  • 5