Login/Register
Firefox setting to enable cross domain Ajax request
Asked Answered
Solved javascripthttpxmlhttprequest
Y

11

47

I need to temporally allow cross domain XMLHttpRequest. Changing firefox security setting seems to be the way to go. But I've tried with this and this but they didnt work. Has anyone been able to configure this before? Thanks.

Yashmak answered 20/3, 2009 at 19:4 Comment(3)
If you can require changing the Firefox security settings couldn't you use a GreaseMonkey script?Tag
Try it on Chrome: #3103319Latarsha
Try out my Firefox add on to enable cross domain with ajax here: addons.mozilla.org/en-US/firefox/addon/cross-domain-corsKeslie
C
22

For modern browsers, you may try the following approach:

https://developer.mozilla.org/en/HTTP_access_control

In short, you need to add the following into the SERVER response header (the following allows access from foo.example):

Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER
Access-Control-Max-Age: 1728000

Note that the X-PINGOTHER is the custom header that is inserted by JavaScript, and should differ from site to site.

If you want any site access your server in Ajax, use * instead.

Edit:

When I first answered the question by 2009, I actually hit the same problem, and I worked around it using the server side config.

There was no plugin on FF or Chrome by then.

However, now we do have alternatives using the browser side plugin, please check the answer of tsds

Carpophagous answered 5/11, 2009 at 7:8 Comment(3)
if I understand correctly, this does not solve the original problem if you can not change the serverCulbreth
Note that Access-Control-Allow-Origin: * will not work if you would also like to use XHR's withCredentials option to send cookie headers along. You do need to specify a specific domain in that case.Vitovitoria
-1 It doesnt answer the question. The OP ask for browser side configTarpeia
A
27

If you just don't want to waste your time on cross-domain issues during development and testing of your app you can use addon Force CORS for FF.

UPDATE: It seems that this addon no longer exists. But there is another option - this Chrome extension

Alterant answered 30/3, 2012 at 13:11 Comment(4)
Forcecors is great. Worth mentioning that after installing you have to click view => toolbars => add-on bar. Then the cors button will show in the right bottom click on that to enable it. I unzipped the xpi and see there is a toggle function when a button was pushed but never see the button.Titi
"Worth mentioning that after installing you have to click view => toolbars => add-on bar." You, sir, are a saintUpsurge
It seems FF has removed it.Scarab
Also Google will start phasing out third-party cookies from Q1 2024 : techcircle.in/2023/05/19/…Rowley
C
22

For modern browsers, you may try the following approach:

https://developer.mozilla.org/en/HTTP_access_control

In short, you need to add the following into the SERVER response header (the following allows access from foo.example):

Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER
Access-Control-Max-Age: 1728000

Note that the X-PINGOTHER is the custom header that is inserted by JavaScript, and should differ from site to site.

If you want any site access your server in Ajax, use * instead.

Edit:

When I first answered the question by 2009, I actually hit the same problem, and I worked around it using the server side config.

There was no plugin on FF or Chrome by then.

However, now we do have alternatives using the browser side plugin, please check the answer of tsds

Carpophagous answered 5/11, 2009 at 7:8 Comment(3)
if I understand correctly, this does not solve the original problem if you can not change the serverCulbreth
Note that Access-Control-Allow-Origin: * will not work if you would also like to use XHR's withCredentials option to send cookie headers along. You do need to specify a specific domain in that case.Vitovitoria
-1 It doesnt answer the question. The OP ask for browser side configTarpeia
T
9

Have you tried using jQuery's ajax request? As of version 1.3 jQuery supports certain types of cross domain ajax requests.

Quoting from the reference above:

Note: All remote (not on the same domain) requests should be specified as GET when 'script' or 'jsonp' is the dataType (because it loads script using a DOM script tag). Ajax options that require an XMLHttpRequest object are not available for these requests. The complete and success functions are called on completion, but do not receive an XHR object; the beforeSend and dataFilter functions are not called.

As of jQuery 1.2, you can load JSON data located on another domain if you specify a JSONP callback, which can be done like so: "myurl?callback=?". jQuery automatically replaces the ? with the correct method name to call, calling your specified callback. Or, if you set the dataType to "jsonp" a callback will be automatically added to your Ajax request.

Tithe answered 20/3, 2009 at 19:10 Comment(2)
we are using this to retrieve json data, but this is html that gets incorporated in the page and it's only temporal, so changing firefox config should be the simplest thing to doYashmak
Why the downvote? Using a framework's cross domain capabilities is a reasonable response to this question. The fact that HTML was required wasn't mentioned in the question, just in the comment to my response.Tithe
T
7

Here is the thing, there is no way to "temporarily" disable cross-domain XMLHttpRequest, if you can disable it temporarily then it can be disabled permanently. This is a rather common problem in the modern-day of AJAX programming and is most often solved using the technique known as cross-domain scripting.

The idea here being is that if you call out to a cross-domain script it returns JavaScript (JSON) results that are then passed on to a function on your end.

Here is some sample code to illustrate how it may look from a JavaScript code perspective:

  function request_some_data() {
    var s = "http://my.document.url.com/my_data?p1=v1&p2=v2&callback=myfunc";

      try {
        try{
          document.write("<scr"+"ipt type='text/javascript' src='"+s+"'></scr"+"ipt>");
        } 
        catch(e){
          var x = document.createElement("script");
          x.src = s;
          document.getElementsByTagName("head")[0].appendChild(x);
        }
      }
      catch (e) {
        alert(e.message);
      }
   }

You will then define a function in your code that receives the data and in the server you "handle" the callback case, here is the client-side JavaScript:

function myfunc(data) {
  alert(data);
}

And on the server side, here i'm giving a PHP example but this can be done just as easily in Java or what-ever your server-side technology is:

<?php
   if($_GET["callback"]) {
     print($_GET["callback"] . "(");
   }
   /* place your JSON object code/logic here */
   if($_GET["callback"]) {
     print(");");
   }
 ?>

Note that what you are generating on the server side winds up being some JavaScript that gets executed on the client side.

Tetrad answered 26/3, 2009 at 3:28 Comment(3)
"<scr"+"ipt" this looks so maliciousSolutrean
Of course you can disable it temporarily. For example, start Chrome with --disable-web-security.Ryswick
@JosephLust please note this was asked / answered a bit before Chrom had widespread use.Tetrad
M
2

I've tried using that 'UniversalBrowswerRead' thing too and it didn't work. You might be able to add an 'allow' header, but I haven't actually tried doing it yet. It's pretty new.

You can find more information here

Mooney answered 20/3, 2009 at 19:12 Comment(0)
S
2

I'm facing this from file://. I'd like to send queries to two servers from a local HTML file (a testbed).

This particular case should not be any safety concern, but only Safari allows this.

Here is the best discussion I've found of the issue.

Stereograph answered 15/12, 2009 at 10:32 Comment(1)
Thanks ! I guess I wont be testing in Chrome no more.Bartell
Q
1

What about using something like mod_proxy? Then it looks to your browser like the requests are going to the same server, but they're really being forwarded to another server.

Quaternity answered 22/3, 2009 at 22:44 Comment(0)
F
1

I used Fiddler as a proxy. Fiddler redirects localhost calls to a external server.

I configured Firefox to use manual proxy (127.0.0.1 port 8888). Fiddler capture the calls and redirect them to another server, by using URL filters.

Foamflower answered 5/8, 2011 at 7:19 Comment(0)
L
1

To allow cross domain:

  1. enter about:config
  2. accept to be careful
  3. enter security.fileuri.strict_origin_policy in the search bar
  4. change to false

You can now close the tab. Normally you can now make cross domain request with this config.

See here for more details.

Lindholm answered 15/7, 2016 at 20:5 Comment(0)
K
0

You can check out my add on for firefox. It allows to cross domain in the lastest firefox version: https://addons.mozilla.org/en-US/firefox/addon/cross-domain-cors/

Keslie answered 6/5, 2018 at 11:11 Comment(0)
P
-1

Manually editing firefox's settings is the way to go, but it's inconvenient when you need to do it often.

Instead, you can install an add-on that will do it for you in one click.

I use CORS everywhere, which works great for me.

Here is a link to the installer

Phippen answered 29/3, 2016 at 12:33 Comment(1)
Answers that just links to other resources are generally considered bad, as they can change in time. Please add the most relevant part in the answer itself.Latonia

© 2022 - 2024 — McMap. All rights reserved.