Add the equivalent of Google Chrome --disable-web-security to Firefox developer options to globally disable CORS security features.
Categories
(DevTools :: General, enhancement, P2)
Tracking
(Not tracked)
People
(Reporter: jujjyl, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [gaming-tools])
Attachments
(1 obsolete file)
Comment 1•10 years ago
|
||
Reporter | ||
Comment 2•10 years ago
|
||
Comment 3•10 years ago
|
||
Comment 4•10 years ago
|
||
Comment 5•10 years ago
|
||
Reporter | ||
Comment 6•10 years ago
|
||
Comment 7•10 years ago
|
||
Comment 8•10 years ago
|
||
Comment 9•10 years ago
|
||
Comment 10•10 years ago
|
||
Reporter | ||
Comment 11•10 years ago
|
||
Reporter | ||
Updated•10 years ago
|
Comment 12•10 years ago
|
||
Reporter | ||
Comment 13•10 years ago
|
||
Comment 14•10 years ago
|
||
Comment 15•10 years ago
|
||
Comment 16•10 years ago
|
||
Comment hidden (metoo) |
Updated•10 years ago
|
Comment hidden (metoo) |
Comment hidden (metoo) |
Comment hidden (metoo) |
Comment hidden (metoo) |
Comment 23•9 years ago
|
||
Comment 24•9 years ago
|
||
Comment 25•9 years ago
|
||
Comment 26•9 years ago
|
||
Comment 27•9 years ago
|
||
Comment 28•9 years ago
|
||
Comment 29•9 years ago
|
||
Comment 30•9 years ago
|
||
Comment 31•9 years ago
|
||
Comment 32•9 years ago
|
||
Comment 33•9 years ago
|
||
Comment 34•9 years ago
|
||
Comment 35•9 years ago
|
||
Comment 36•9 years ago
|
||
Comment 37•9 years ago
|
||
Comment 39•9 years ago
|
||
Comment 41•9 years ago
|
||
Updated•9 years ago
|
Comment 42•9 years ago
|
||
Comment 43•9 years ago
|
||
Comment 44•9 years ago
|
||
Comment 45•9 years ago
|
||
Reporter | ||
Comment 46•9 years ago
|
||
Comment 47•9 years ago
|
||
Comment 49•9 years ago
|
||
Comment 50•9 years ago
|
||
Updated•9 years ago
|
Updated•9 years ago
|
Comment 51•9 years ago
|
||
Comment 52•9 years ago
|
||
Comment 54•9 years ago
|
||
Comment 55•9 years ago
|
||
Reporter | ||
Comment 56•9 years ago
|
||
Comment 57•9 years ago
|
||
Comment 58•9 years ago
|
||
Comment 59•9 years ago
|
||
Comment 60•9 years ago
|
||
Comment 62•7 years ago
|
||
Comment 63•7 years ago
|
||
Updated•7 years ago
|
Comment 64•7 years ago
|
||
Updated•7 years ago
|
Comment 65•7 years ago
|
||
Comment 66•7 years ago
|
||
Updated•6 years ago
|
Comment 67•6 years ago
|
||
Comment hidden (obsolete) |
Comment hidden (obsolete) |
Comment hidden (obsolete) |
Updated•5 years ago
|
Comment 71•5 years ago
|
||
Just to mention there will be changes in Chrome regarding to this: https://bugs.chromium.org/p/chromium/issues/detail?id=327804 Actually we already had changes a year ago, because I can no longer access error pages when trying to load a site with disabled web security, which is an issue for me, because I cannot parse the error page and write something about what kind of error happened. Another thing I had to do is using the --disable-site-isolation-trials flag, because without that I was no longer able to reach js engines of windows with different origins. Normally that is not encouraged and postMessage is used, but I do e2e testing with karma and pure javascript code instead of selenium, and this is the only way I know of without changing the code of the tested page or using a browser plugin.
Comment 72•5 years ago
|
||
I would love to see this.
My use case is developing locally on Microsoft Windows with an ASP.NET core web api backend and an angular frontend using Windows/NTLM auth.
I use Visual Studio Code and vscode-firefox-debug https://github.com/firefox-devtools/vscode-firefox-debug
I'd be happy to see this land in nightly and Firefox Developer edition.
I don't think we should worry about Chrome team switching away from
--disable-web-security flag to a more specific --disable-web-security-for-domain flag
In my case, it doesn't matter. I just use localhost.
However, I think we don't need to restrict this to localhost or a specific domain if we implement it just in aurora/nightly.
Thoughts?
Comment 73•5 years ago
|
||
Ethan, Arthur, assuming this falls into your team's purview, who would be a good counterpart on your team to get the platform side scoped and maybe prioritized within your roadmap? This is blocking some web compat work but also many enterprise use cases that want to call APIs from their development environment.
Comment 74•5 years ago
|
||
(In reply to :Harald Kirschner :digitarald from comment #73)
Ethan, Arthur, assuming this falls into your team's purview, who would be a good counterpart on your team to get the platform side scoped and maybe prioritized within your roadmap? This is blocking some web compat work but also many enterprise use cases that want to call APIs from their development environment.
Harald, thanks for reaching out.
Christoph (ckerschb) might be a good candidate to help scope and prioritize this requirement. Let me discuss this with him and/or the team first. I'll get back to you soon (leave my needinfo as a reminder).
Comment 75•5 years ago
|
||
(In reply to :Harald Kirschner :digitarald from comment #73)
Harald and Christoph discussed this bug offline.
- There is a pref to disable CORS:
content.cors.disable
. - The pref is global to Firefox. Please use it cautiously.
- We're considering to combine the pref with Containers to limit its effect within development tools.
Comment 76•5 years ago
|
||
I found some docs for that. If I'm reading them right, it's the opposite of what's desired here: that pref makes every CORS request fail; the desire here is to let every CORS request succeed without any checking.
Comment 77•5 years ago
|
||
(In reply to Matt McHenry from comment #76)
I found some docs for that. If I'm reading them right, it's the opposite of what's desired here: that pref makes every CORS request fail; the desire here is to let every CORS request succeed without any checking.
Christoph, could you help clarify it? Will the pref be helpful here?
Comment 78•5 years ago
|
||
(In reply to Ethan Tseng [:ethan] from comment #77)
(In reply to Matt McHenry from comment #76)
I found some docs for that. If I'm reading them right, it's the opposite of what's desired here: that pref makes every CORS request fail; the desire here is to let every CORS request succeed without any checking.
Christoph, could you help clarify it? Will the pref be helpful here?
It is not just about CORS. For example I open google.com in a new window, reach the javascript engine of that window directly, type the keywords and send the form. I use this for end to end testing without selenium, but it can be used to write bots too.
Comment 79•5 years ago
|
||
(In reply to Matt McHenry from comment #76)
I found some docs for that. If I'm reading them right, it's the opposite of what's desired here: that pref makes every CORS request fail; the desire here is to let every CORS request succeed without any checking.
Ah indeed, it's the opposite, it will fail all CORS checks; Anyway, I guess it would be good if you could assemble a list of security checks you want to disable and then we can take it from there. As discussed, disabling security checks browser wide obviously bears risks, so ideally we could bound them somehow. E.g. by adding a new Developer-Container or something like that. Again, while technically it's not hard to add prefs to disable whatever security checks, it might be tricky to bundle that information in some meaningful way so the Developers are actually aware of the risks too.
Comment 80•5 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #79)
Ah indeed, it's the opposite, it will fail all CORS checks; Anyway, I guess it would be good if you could assemble a list of security checks you want to disable.
- CORS
1.1 <canvas> Access Denied
1.2 <img> Access denied
1.3 <iframe> Access denied
1.3.1 (includes access to parent page)
1.4 window.opener Access denied
etc... - file:// Access denied
2.1. allow xhr/fetch for file://
2.2. treat <script>, <link> (stylesheets), canvas, etc... using file:// as belonging to all possible URLs.
1.X use cases:
- Developing main a website locally but the servers are external but inside the network (E.g. 10.0.0.0/8)
** Or with a seemingly public IP although routed through VPN (developing locally against staging servers, for example).
2.X. Use cases:
- Developing a website locally and simulating a server returning static data without the need of the server itself. Much faster (less CPU usage over conditionals), less RAM usage, no need to makeshift some random server, mistaken commits won't open unwanted vulnerabilities (E.g. special code in server due to this limitation accidentally kept on) and easier to develop the website before there's any server at all.
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #79)
and then we can take it from there. As discussed, disabling security checks browser wide obviously bears risks, so ideally we could bound them somehow. E.g. by adding a new Developer-Container or something like that. Again, while technically it's not hard to add prefs to disable whatever security checks, it might be tricky to bundle that information in some meaningful way so the Developers are actually aware of the risks too.
I'm perfectly fine with restricting this feature to container configurations and/or limit the feature to nightly+dev_edition but I do feel a heavy need for it.
If you want not to restrict to certain browsers, that's better, though.
These restricting options can even live behind about:config and I'm fine with that.
Again, I just want it.
Comment 81•5 years ago
|
||
First, Bruno's two broad categories of use case might be best treated as two separate tickets. I think the first use case (disabling CORS protections) is appropriate for this ticket, but I'm pretty sure supporting fetch against file:// URLs is already its own ticket. (No time to dig it up ATM, sorry.)
Second, I am not perfectly fine with restricting this to a dedicated nightly and/or dev edition. The kinds of tests that require this feature aren't limited to developer machines -- sometimes I'm working with a customer on their machine and need to test out how a feature will behave, after I've finished the 2 months of paperwork required to get the server owner to put us on their CORS whitelist.
Moreover, sometimes I'm in an environment where Firefox ESR is on the "approved software" list but special dev builds are not. I'm in no position to get the dev/nightly builds approved, so if it's not in the official release channel -- behind a battalion of command line switches, dire warnings, "yes I'm really sure" buttons, etc -- then I might as well not have it at all.
Comment 82•5 years ago
|
||
See also: bug 1266960
Comment 83•4 years ago
|
||
I just wanted to chime in and add that the number one use case in my world for this is e2e testing a deployed application that uses APIs that become restricted in cross-origin scenarios. I am working on a course regarding testing Progressive Web Apps and many features are only enabled under HTTPS with valid certs. To make e2e testing easier, I test against a deployed URL (Netlify) which means I don't have to step the student through trying to generate self-signed trusted certs for CI / local testing, etc. we can just rely on the trusted certs in the deployed environment (plus, it's much more production-like to test against than a localhost
URL).
Using Cypress, I can test in Chrome/Chromium browsers with disableWebSecurity
configuration (which uses --disable-web-security
) but this is unsupported for Firefox due to this issue. This means there are various APIs/scenarios I have to exclude from the FF e2e test run (window.Notification API, window.caches, service workers) since they will fail with cross-origin iframe access errors. In my course, I'll just have to explain that you can't test certain features in Firefox due to web security issues but of course it would be fantastic to have complete parity between FF, Edge, and Chrome test runs.
For more info regarding Cypress and disabling web security, see https://docs.cypress.io/guides/guides/web-security.html#Disabling-Web-Security
Comment 84•4 years ago
|
||
This is still a pain point with FF. My use-case is also related to test automation. We do allow localhost development without HTTPS as it is easier to setup, but with Playwright where I have not found a way to modify CORS settings I cannot run the tests against firefox in localhost. There is additional hitch in enabling the HTTPS for my local use as I would need to overwrite the HTTPS also to Azure AD B2C account to have HTTPS redirect address for localhost instead of http. If I change that to HTTPS, others in our dev team are also forced to setup HTTPS for the authentication to work.
Sure I could then go out of my way to hack the code to disable authentication from both the React App, backend rest API and the test cases, but then I am not anymore running the same test case.
Comment 85•4 years ago
|
||
(In reply to Antti Viita from comment #84)
This is still a pain point with FF. My use-case is also related to test automation. We do allow localhost development without HTTPS as it is easier to setup, but with Playwright where I have not found a way to modify CORS settings I cannot run the tests against firefox in localhost. There is additional hitch in enabling the HTTPS for my local use as I would need to overwrite the HTTPS also to Azure AD B2C account to have HTTPS redirect address for localhost instead of http. If I change that to HTTPS, others in our dev team are also forced to setup HTTPS for the authentication to work.
Sure I could then go out of my way to hack the code to disable authentication from both the React App, backend rest API and the test cases, but then I am not anymore running the same test case.
Same here, I need this for e2e testing mostly. For now I just run the tests in Chrome, but it would be nice to be able to run them on a different browser too.
Comment 86•4 years ago
|
||
There are several large companies I have noticed (ours included) Fortune 500 that are starting to use Cypress as their main testing platform, the power to run e2e tests against all supported browsers is a major appeal. Right now, we currently support the latest version of all major browsers. Firefox, Chrome, Safari, Edge, and to some extent IE11. IE11 is being phased out by the end of this year.
If we can't ensure success in Firefox, then we might have to consider stopping support for Firefox as well.
Comment 87•4 years ago
|
||
It might make sense to expose this as a WebDriver session capability, similar to acceptInseureCerts
. That would allow standardising the behaviour to be the same in all browsers, rather than relying on the exisiting solutions that depend on unstable browser-specific flags. It would also make it difficult/impossible to accidentially run this with a normal user profile since you'd need to both enable automation and create a WebDriver session. For Cypress in particular I don't think they are currently using WebDriver, but I think they do use CDP for some functionality, so it seems plausible they would be able to use WebDriver-BiDi in place of CDP.
I've filed https://github.com/w3c/webdriver/issues/1583 for this issue; please comment there if the description doesn't accurately reflec your use cases here.
I also note that setups which depend on disabling security features are inherently fragile in that accidentially breaking sites by incorrect CORS-confguration is common, and a testing setup relying on disabling CORS is going to be unable to detect such bugs.
Comment 88•3 years ago
|
||
I'd like to see a way to disable CORS for requests (say via fetch
) performed from the Developer Console interactive interpreter.
Updated•2 years ago
|
Comment hidden (advocacy) |
Comment 90•1 year ago
|
||
+1 to this feature
Currently blocks or development and test at work with Firefox.extensions found in addons.mozilla.org doesn't work and compile a version of Firefox to remove that layer of security is not an option due to the time/effort required.
Please I hope this bug/feature will take more relevance to help us (developers) to adopt Firefox easily.
Thanks
Description
•