Disable Firefox same origin policy


Problem description


I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests).

More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain.

I'm aware of previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access.

If it cannot be done easily, I would also appreciate any insights that point me to the specific part of the FF src code that I can modify to disable SOP, so that I can recompile FF.

Solution

There's a Firefox extension that adds the CORS headers to any HTTP response working on the latest Firefox (build 36.0.1) released March 5, 2015. I tested it and it's working on both Windows 7 and Mavericks. I'll guide you through the steps to get it working.

1) Getting the extension

You can either download the xpi from here (author builds) or from here (mirror, may not be updated).

Or download the files from GitHub. Now it's also on Firefox Marketplace: Download here. In this case, the addon is installed after you click install and you can skip to step 4.

If you downloaded the xpi you can jump to step 3. If you downloaded the zip from GitHub, go to step 2.

2) Building the xpi

You need to extract the zip, get inside the "cors-everywhere-firefox-addon-master" folder, select all the items and zip them. Then, rename the created zip as *.xpi.

Note: If you are using the OS X GUI, it may create some hidden files, so you'd be better off using the command line.

3) Installing the xpi

You can just drag and drop the xpi to Firefox, or go to: "about:addons", click on the cog on the top right corner and select "install add on from file", then select your .xpi file. Now, restart Firefox.

4) Getting it to work

Now, the extension won't be working by default. You need to drag the extension icon to the extension bar, but don't worry. There are pictures!

  • Click on the Firefox Menu
  • Click on Customise

  • Drag CorsE to the bar
  • Now, click on the icon, when it's green the CORS headers will be added to any HTTP response

5) Testing if it's working

jQuery

// Cross-origin GET; the body is logged only if the browser lets the page read it
$.get("http://example.com/", function (data) {
  console.log(data);
});

JavaScript

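// Declare the request object locally instead of creating an implicit global
var xmlhttp = new XMLHttpRequest();

xmlhttp.onreadystatechange = function () {
    // readyState 4 = request finished (DONE)
    if (xmlhttp.readyState === 4) {
        // Empty if the browser blocked the cross-origin read
        console.log(xmlhttp.responseText);
    }
};

xmlhttp.open("GET", "http://example.com/");
xmlhttp.send();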

6) Final considerations

Note that https to http is not allowed.

There may be a way around it, but it's beyond the scope of the question.
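
Added example, not part of the original question or answer: a simplified model of the three separate browser checks this thread touches on, showing why injecting CORS headers changes whether an XHR response is readable but not whether a script may reach into a cross-origin iframe, and why an https page requesting http is stopped earlier. The function names, the sample page URL, and the assumption that the extension sets `Access-Control-Allow-Origin: *` are illustrative, not taken from the extension's code.

```javascript
// Simplified model of browser checks (requests without credentials only).
// All function names and the localhost URL are constructed for illustration.

// Origin = scheme + host + port; URL.origin normalizes default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// DOM access into an iframe (e.g. frame.contentDocument) is decided by
// origin comparison only. Response headers such as CORS are not consulted.
function canScriptFrame(pageUrl, frameUrl, frameResponseHeaders) {
  void frameResponseHeaders; // deliberately ignored
  return sameOrigin(pageUrl, frameUrl);
}

// Reading an XHR response: same-origin is always readable; otherwise
// Access-Control-Allow-Origin must be "*" or equal the page's origin.
function canReadResponse(pageUrl, targetUrl, responseHeaders) {
  if (sameOrigin(pageUrl, targetUrl)) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === new URL(pageUrl).origin;
}

// Mixed content: an https page requesting an http URL is blocked before
// any CORS check happens.
function mixedContentBlocked(pageUrl, targetUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(targetUrl).protocol === "http:";
}

// Assumed effect of a header-injecting extension, modelled on a plain object.
function addCorsHeader(headers) {
  return { ...headers, "access-control-allow-origin": "*" };
}

function evaluate(pageUrl, targetUrl, headers) {
  return {
    xhrReadable: !mixedContentBlocked(pageUrl, targetUrl) &&
                 canReadResponse(pageUrl, targetUrl, headers),
    frameScriptable: canScriptFrame(pageUrl, targetUrl, headers),
  };
}

const page = "http://localhost:8000/tool.html"; // constructed sample page
const other = "http://example.com/";            // URL used in the answer's test
console.log(evaluate(page, other, {}));                // without CORS header
console.log(evaluate(page, other, addCorsHeader({}))); // header injected
```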
