Tuesday 24 August 2010

Bypassing Same-Origin policy on Firefox.

Same-origin policy is an essential feature implemented in most modern browsers to shield against the execution of malicious scripts. It simply blocks scripts belonging to domains other than the one currently being executed.

However, for development and testing of mash-ups, web apps or widgets, it's sometimes necessary to disable this, so that a local JavaScript in my widget can reach the Twitter or Foursquare web server to pull data via AJAX.

Firefox, as a leading desktop browser, simply blocks such attempts, denying cross-origin AJAX requests.

Fortunately, Firefox's settings are configurable, and it allows us to disable this restriction so that a script can bypass the same-origin policy.

Here is a brief summary of what I discovered to achieve this. Special thanks to Raghava for helping me get there.

Step-1

  • Launch Firefox browser, navigate to "about:config".
  • Set the property "security.fileuri.strict_origin_policy" to "false".

Step-2

  • Update the JavaScript by adding this line before creating any XHR request:

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");

Example :

// Enable Universal Browser Read; enablePrivilege throws if the request is denied
try {
    netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
} catch (e) {
    alert(e);
}

// create XMLHttpRequest object
var xmlhttp = new XMLHttpRequest();

That's it! You are now all set to access any cross-origin resource from a local web app running in Firefox.

Please remember to revert this setting afterwards so that your browser is back in safe mode :)
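To confirm the Step-1 setting has actually been reverted, here is an added shell check (not part of the original post) that scans Firefox profile preference files for the weakened pref. It assumes the Linux profile location ~/.mozilla/firefox and the prefs.js/user.js line format Firefox uses to persist about:config changes.

```shell
#!/bin/sh
# Added example: detect a Firefox profile whose same-origin policy for
# file:// URIs is still relaxed. Firefox writes about:config changes to
# prefs.js (and reads user.js) as lines like:
#   user_pref("security.fileuri.strict_origin_policy", false);
# The default (true) is usually not written out at all, so only an explicit
# "false" indicates the weakened state.

# check_prefs_file FILE -> exit 0 if FILE sets the pref to false, 1 otherwise
check_prefs_file() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*user_pref\("security\.fileuri\.strict_origin_policy",[[:space:]]*false\);' "$1"
}

# check_profiles [DIR] -> scan every profile under DIR (assumed default:
# ~/.mozilla/firefox); exit 0 and report each weakened profile, 1 if none
check_profiles() {
    dir="${1:-$HOME/.mozilla/firefox}"
    found=1
    for f in "$dir"/*/prefs.js "$dir"/*/user.js; do
        [ -e "$f" ] || continue
        if check_prefs_file "$f"; then
            echo "WEAK: $f disables security.fileuri.strict_origin_policy"
            found=0
        fi
    done
    return $found
}
```

Run `check_profiles` after finishing development; a silent run with exit status 1 means no profile still carries the bypass.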

3 comments:

Anonymous said...

It didn't work for me!

Error: A script from "http://localhost" was denied UniversalBrowserRead privileges.

/Ramu

Anonymous said...

It didn't work for me either.

Anonymous said...

PrivilegeManager is gone from Firefox