Disable firefox same origin policy

SecurityFirefoxSame Origin-Policy

Security Problem Overview

I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests).

More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain.

I'm aware previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access.

If it cannot be done easily, I would also appreciate any insights that point me to specific part of FF src code that I can modify to disable SOP, so that I can recompile FF.

Security Solutions

Solution 1 - Security

There's a Firefox extension that adds the CORS headers to any HTTP response working on the latest Firefox (build 36.0.1) released March 5, 2015. I tested it and it's working on both Windows 7 and Mavericks. I'll guide you throught the steps to get it working.

1) Getting the extension

You can either download the xpi from here (author builds) or from here (mirror, may not be updated).

Or download the files from GitHub. Now it's also on Firefox Marketplace: Download here. In this case, the addon is installed after you click install and you can skip to step 4.

If you downloaded the xpi you can jump to step 3. If you downloaded the zip from GitHub, go to step 2.

2) Building the xpi

You need to extract the zip, get inside the "cors-everywhere-firefox-addon-master" folder, select all the items and zip them. Then, rename the created zip as *.xpi

Note: If you are using the OS X gui, it may create some hidden files, so you 'd be better using the command line.

3) Installing the xpi

You can just drag and drop the xpi to firefox, or go to: "about:addons", click on the cog on the top right corner and select "install add on from file", then select you .xpi file. Now, restart firefox.

4) Getting it to work

Now, the extension won't be working by default. You need to drag the extension icon to the extension bar, but don't worry. There are pictures!

  • Click on the Firefox Menu
  • Click on Customise


  • Drag CorsE to the bar
  • Now, click on the icon, when it's green the CORS headers will be added to any HTTP response


5) Testing if it's working


$.get( "http://example.com/", function( data ) {
  console.log (data);


xmlhttp=new XMLHttpRequest();

xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4) {


6) Final considerations

Note that https to http is not allowed.

There may be a way around it, but it's behind the scope of the question.

Solution 2 - Security

about:config -> security.fileuri.strict_origin_policy -> false

Solution 3 - Security

I realized my older answer is downvoted because I didn't specify how to disable FF's same origin policy specifically. Here I will give a more detailed answer:

Warning: This requires a re-compilation of FF, and the newly compiled version of Firefox will not be able to enable SOP again.

Check out Mozilla's Firefox's source code, find nsScriptSecurityManager.cpp in the src directory. I will use the one listed here as example: http://mxr.mozilla.org/aviarybranch/source/caps/src/nsScriptSecurityManager.cpp

Go to the function implementation nsScriptSecurityManager::CheckSameOriginURI, which is line 568 as of date 03/02/2016.

Make that function always return NS_OK.

This will disable SOP for good.

The browser addon answer by @Giacomo should be useful for most people and I have accepted that answer, however, for my personal research needs (TL;won't explain here) it is not enough and I figure other researchers may need to do what I did here to fully kill SOP.

Solution 4 - Security

I wrote an add-on to overcome this issue in Firefox (Chrome, Opera version will have soon). It works with the latest Firefox version, with beautiful UI and support JS regex: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors

enter image description here

Solution 5 - Security

As of September 2016 this addon is the best to disable CORS: https://github.com/fredericlb/Force-CORS/releases

In the options panel you can configure which header to inject and specific website to have it enabled automatically.

enter image description here

Solution 6 - Security

The cors-everywhere addon works for me until Firefox 68, after 68 I need to adjust 'privacy.file_unique_origin' -> false (by open 'about:config') to solve 'CORS request not HTTP' for new CORS same-origin rule introduced.

NOTE: 12/2021 updated. Since firefox 95 the 'CORS request not HTTP' can't be disabled by adjusting 'privacy.file_unique_origin'. See above 'CORS request not HTTP' link, it already updated by official rencently. The only way for me is '....Developers who need to perform local testing should now set up a local server.'

Solution 7 - Security

For me worked by setting content.cors.disable to false

Solution 8 - Security

In about:config add content.cors.disable (empty string).


All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionYuchen ZhouView Question on Stackoverflow
Solution 1 - SecurityGiacomo Tecya PiganiView Answer on Stackoverflow
Solution 2 - SecurityNiklasView Answer on Stackoverflow
Solution 3 - SecurityYuchen ZhouView Answer on Stackoverflow
Solution 4 - SecurityTan Mai VanView Answer on Stackoverflow
Solution 5 - SecurityKhado MikhalView Answer on Stackoverflow
Solution 6 - Securityob.yannView Answer on Stackoverflow
Solution 7 - SecurityAmar TView Answer on Stackoverflow
Solution 8 - SecurityghstView Answer on Stackoverflow