What is the risk in overriding this?

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus » Tue May 05, 2009 7:55 pm

Hi Giorgio Maone,

Firefox doesn't allow cross-domain XMLHttpRequests for security reasons. While good security is a plus, this restriction can make development and testing a real chore. For those of us willing to risk the security vulnerability, here is how to bypass the cross-domain restriction once and for all:

1. Close Firefox

2. Edit the file prefs.js in your Firefox user profile folder (while the browser is not running)

3. Add the following line anywhere in the file

user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");

4. Save the file and re-open Firefox. You can now risk your life and limb by doing XHRs to whatever domains you want.

Just imagine you did this, or did it the easier way, enabling cross-domain access without editing config files by hand:

1. Type "about:config" in your URL bar.

2. Right-click on the list of preferences and select the "New->String" contextual menu.

3. Add capability.policy.default.XMLHttpRequest.open as the key name and allAccess as the value.

Just imagine a user did this, what is the risk, and is he or she or it still protected by NoScript overruling this?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090505 Shiretoko/3.5b5pre

Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: What is the risk in overriding this?

Post by Giorgio Maone » Tue May 05, 2009 8:17 pm

NoScript has been overruling that since it has been possible, a very long time ago:
NoScript 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
0 - Allow any XHR
1 - Allow cross-site XHR across trusted sites only (default)
2 - Allow same-site XHR only (like Firefox 2)
3 - Forbid all XHR
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
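The two layers discussed in this thread, modelled as an added example (this is not NoScript's or Firefox's own code): the browser's same-origin check, which the prefs.js override in the question turns off, and NoScript's noscript.forbidXHR levels 0-3 from the changelog above. The trusted-site list, the URLs and the scheme+host notion of "site" are constructed assumptions.

```javascript
// Levels of the noscript.forbidXHR preference as quoted in the changelog.
const FORBID_XHR = { ALLOW_ANY: 0, TRUSTED_ONLY: 1, SAME_SITE_ONLY: 2, FORBID_ALL: 3 };

// Constructed stand-in for NoScript's trusted-sites whitelist.
const trustedSites = new Set(["https://example.com", "https://api.example.org"]);

// Approximation of a "site": scheme + host (NoScript's real matching is richer).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Browser layer: Firefox's same-origin check for XHR. The prefs.js line
// capability.policy.default.XMLHttpRequest.open = allAccess disables it.
function browserAllows(allAccess, pageUrl, targetUrl) {
  return allAccess || siteOf(pageUrl) === siteOf(targetUrl);
}

// NoScript layer: is an XHR from pageUrl to targetUrl permitted under `level`?
function xhrAllowed(level, pageUrl, targetUrl, trusted = trustedSites) {
  const origin = siteOf(pageUrl);
  const target = siteOf(targetUrl);
  const sameSite = origin === target;
  switch (level) {
    case FORBID_XHR.ALLOW_ANY:       // 0: NoScript imposes nothing
      return true;
    case FORBID_XHR.TRUSTED_ONLY:    // 1 (default): cross-site only between trusted sites
      return sameSite || (trusted.has(origin) && trusted.has(target));
    case FORBID_XHR.SAME_SITE_ONLY:  // 2: Firefox 2 behaviour
      return sameSite;
    case FORBID_XHR.FORBID_ALL:      // 3: no XHR at all
      return false;
    default:
      throw new RangeError(`unknown noscript.forbidXHR level: ${level}`);
  }
}

// Both layers must agree. NoScript's check does not consult the browser
// override, so allAccess alone never gets a request past levels 1-3.
function requestPermitted({ allAccess, level }, pageUrl, targetUrl) {
  return browserAllows(allAccess, pageUrl, targetUrl) && xhrAllowed(level, pageUrl, targetUrl);
}
```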
