public marks

PUBLIC MARKS from decembre with tags development & securite


FIR XPI - DEV - Force CORS Firefox Extension

a very simple extension for Firefox that adds the Cross Origin Resource Sharing (CORS) Access-Control- HTTP headers to all responses before they're processed by the browser. This essentially disables the browser's same origin policy and allows cross domain calls even if the web server does not support CORS. The default setting adds the following headers to every response:



Curiosity is bliss: XMLHttpRequest - Security Bypass

While trying to help Dare make his MovieFinder page run in Firefox, I ran into an issue that can make developing AJAX applications a pain: when testing your pages, you need to host them in the same domain as your services. I explain the details of the problem and how the "XMLHttpRequest - Bypass Security" Greasemonkey user script solves it. Note: this script is meant for development only, as it gives the page access to a potentially dangerous API. The default @include is "file:///*", but feel free to restrict it even further to the path for the pages you're trying to tweak. You should never have to @include an http ur