What is the risk in overriding this?
Posted: Tue May 05, 2009 7:55 pm
Hi Giorgio Maone,
Firefox doesn't allow cross-domain XMLHttpRequests for security reasons. While good security is a plus, this restriction can make development and testing a real chore. For those of us willing to risk the security vulnerability, here is how to bypass the cross-domain restriction once and for all:
1. Close Firefox
2. Edit the file prefs.js in your Firefox user profile folder (while the browser is not running)
3. Add the following line anywhere in the file
user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");
4. Save the file and re-open Firefox. You can now risk your life and limb by doing XHRs to whatever domains you want.
Just imagine you did this, or did it in an easier way to enable cross-domain without editing config files by hand:
Type "about:config" in your URL bar.
Right-click on the list of preferences and select the "New->String" contextual menu.
Add capability.policy.default.XMLHttpRequest.open as key name and allAccess as value.
Just imagine a user did this, what is the risk, and is he or she or it still protected by NoScript overruling this?
luntrus
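A defender-side check for the override described in the post above, as an added example that is not part of the original post: it scans the text of a prefs.js file for capability.policy.* preferences set to allAccess. The function names and both sample files are constructed for illustration; only the preference name and value come from the post.

```python
import re

# One prefs.js entry has the form: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref entry
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        prefs[name] = value
    return prefs

def find_policy_overrides(text):
    """List (name, value) for capability.policy.* prefs that grant allAccess."""
    return sorted(
        (name, value)
        for name, value in parse_prefs(text).items()
        if name.startswith("capability.policy.") and value == "allAccess"
    )

# Constructed sample: a profile where the override from the post is active.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");
user_pref("javascript.enabled", true);
'''

# Constructed sample: the same line commented out, so it must not be reported.
CLEAN_PREFS = '''\
user_pref("browser.startup.homepage", "about:blank");
// user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");
'''

if __name__ == "__main__":
    for name, value in find_policy_overrides(SAMPLE_PREFS):
        print(f"override found: {name} = {value}")
```

To audit a real profile, pass the contents of its prefs.js (read while the browser is closed) to find_policy_overrides.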