How can I turn off cross-site scripting protection in my own browser?

I want to load a page from a domain inside an iframe on another page of the domain and then access its content using JS. Of course it would be XSS, so I would get a "Permission denied to get property HTMLDocument ..." error. The thing is, I want to do this in my own browser and not on a public site (i.e. I don't need to protect it from me), so I would gladly disable this protection temporarily. I am using Firefox 3.5 and would like to know if this can be done with this or other browsers.

+2




3 answers


Update Nov. 2016: An easier way to disable the same-origin policy in Chrome is to run it with the following flags:

google-chrome --disable-web-security --user-data-dir


Update: Be aware of the scope in which you are requesting elevated privileges. Method one works as expected; the catch is that you should ask for elevated privileges in the same scope where you will use them (in the same function, in the global scope, ...); it will not work in any other scope.
I've updated the example with working code.

It's in the documentation:
Privileges are only granted as part of the requesting function. This scope includes any functions called by the requesting function. When the script function leaves the requesting function, the privileges are no longer applied. http://www.mozilla.org/projects/security/components/signed-scripts.html


I am trying to do the same for my intranet sites (we have 47 different domains based on server location, and it would be easy to disable the "same origin policy" for those sites in Firefox only).

According to the documentation on the Mozilla site, these methods should work... I found from googling that this was true for Firefox 2; I tested in FF3 and FF4 and it doesn't seem to work. You should try it, maybe it will work for you. I am still looking for a solution.

Method 1.

  • Modify about:config and set signed.applets.codebase_principal_support to true (this will allow unsigned scripts to prompt for elevated privileges).

  • In the parent script, request elevated privileges:

<html>
<head>
<script type="text/javascript">
  function xss() {
    try {
      // Ask for the privilege in the same function that uses it (see the update above)
      netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    } catch (e) {
      alert(e); // console.log(e) if you have Firebug
    }
    // With the privilege granted this shows "[object HTMLDocument]" instead of throwing
    alert(document.getElementById('frame').contentWindow.document); // console.log()
  }
</script>
</head>
<body onload="xss();">
  <iframe id="frame" src="http://example_1.com"></iframe>
</body>
</html>

  • Now when you load the page, FF will ask for your permission to grant script privileges: [image: Firefox confirm box]

Allow this and you should receive an alert with the text: [object HTMLDocument]



Before making any changes, if I try to access ....contentWindow.document, I get this error:

Error: A script from "http://example.com" was denied UniversalBrowserRead privileges.


Afterwards I got this:

Permission denied for <http://example.com> to get property Window.document from <http://example_1.com>.


If you like working on the command line, you can skip steps 1 and 3 and edit the prefs.js file (on Linux: /home/$yourUser/.mozilla/firefox/$yourProfile/prefs.js) and add these 4 lines:

user_pref("signed.applets.codebase_principal_support", true);
user_pref("capability.principal.codebase.p0.granted", "UniversalBrowserRead");
user_pref("capability.principal.codebase.p0.id", "http://example.com");
user_pref("capability.principal.codebase.p0.subjectName", "");


Method 2.

Try adding a policy that allows sites to bypass SOP. For this, edit prefs.js and add these lines:

user_pref("capability.policy.policynames", "example");
user_pref("capability.policy.example.HTMLDocument", "allAccess");
user_pref("capability.policy.example.sites", "http://example.com http://example_1.com");


Unfortunately, even Method 2 doesn't do the job.

I am still looking for a solution. If I find anything new, I will update the answer.

+3
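The "Permission denied for <http://example.com> to get property Window.document from <http://example_1.com>" message quoted above is the same-origin check failing: the browser compares the (scheme, host, port) tuple of the accessing document against that of the frame. The following is an added illustration, not code from the question or any of the answers, of that comparison and of a small allowlist modelled on the capability.policy.*.sites preference from Method 2; the origins are the page's example hosts, the policy semantics (access allowed only when both sides are listed) are an assumption for the model, and it uses the WHATWG URL class available in browsers and Node.

```javascript
// Added example: same-origin comparison plus a site allowlist in the style of
// capability.policy.<name>.sites. Sample origins are constructed from the
// example hosts used on this page (example.com, example_1.com).

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// The tuple the browser compares, with the scheme's default port filled in so
// that "http://example.com" and "http://example.com:80/x" are the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Model (assumption) of Method 2's site list: a space-separated list of sites.
// Access is allowed only when both the accessing document and the target
// document belong to the listed set; anything else keeps the default denial.
function allowedByPolicy(accessor, target, sitesPref) {
  const sites = new Set(sitesPref.split(/\s+/).filter(Boolean).map(originOf));
  return sites.has(originOf(accessor)) && sites.has(originOf(target));
}

// Reproduce the decision the browser makes when parent script touches
// iframe.contentWindow.document, returning the page's own error text on denial.
function describeAccess(accessor, target, sitesPref = "") {
  if (sameOrigin(accessor, target)) return "allowed: same origin";
  if (sitesPref && allowedByPolicy(accessor, target, sitesPref)) return "allowed: policy";
  return `Permission denied for <${accessor}> to get property Window.document from <${target}>.`;
}

// Stand-alone usage with the constructed sample origins.
console.log(describeAccess("http://example.com/parent.html", "http://example.com:80/child.html"));
console.log(describeAccess("http://example.com", "http://example_1.com"));
console.log(describeAccess("http://example.com", "http://example_1.com",
                           "http://example.com http://example_1.com"));
```

The first call is allowed because the default port makes the two URLs one origin; the second is the situation in the question, denied because the hosts differ; the third only passes because both hosts are explicitly listed, which is the narrow, per-site relaxation Method 2 aims for rather than switching the check off for every site as --disable-web-security does.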




I know this is going to sound smart, but I really don't mean it like that. This is an honest suggestion if it works for you, because I doubt any browser will allow you to edit settings to make it vulnerable.



Use an old browser. If necessary, install an older OS on the virtual machine to get an old enough browser not to have this protection.

0




The Greasemonkey version of XMLHttpRequest allows requests to cross same-origin policy boundaries. This might do the trick, as it's just for your own local development.

Also, early versions of Greasemonkey inadvertently exposed this feature to content scripts, which of course became a serious security flaw. It would be possible to develop an extension that would do the same, or only expose a custom function in certain situations.

0

