What is the risk in overriding this?

[luntrus]

Hi Giorgio Maone,

Firefox doesn't allow cross-domain XMLHttpRequests for security reasons. While good security is a plus, this restriction can make development and testing a real chore. For those of us willing to risk the security vulnerability, here is how to bypass the cross-domain restriction once and for all:

1. Close Firefox

2. Edit the file prefs.js in your Firefox user profile folder (while the browser is not running)

3. Add the following line anywhere in the file

user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");

4. Save the file and re-open Firefox. You can now risk your life and limb by doing XHR's to whatever domains you want

Just imagine you did this or in an easier way to enable cross domain without editing config files by hand.

type "about:config" in your URL bar
right click on the list of preferences and select the "New->String" contextual menu.

add capability.policy.default.XMLHttpRequest.open as key name and allAccess as value/

Just imagine a user did this, what is the risk, and is he or she or it still protected by NoScript overruling this?

luntrus

[Giorgio Maone]

NoScript have been overruling that since it has been possible, very long time ago:
NoScript 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
0 - Allow any XHR
1 - Allow cross-site XHR across trusted sites only (default)
2 - Allow same-site XHR only (like Firefox 2)
3 - Forbid all XHR