I’ve created a very simple extension for Firefox that adds the Cross Origin Resource Sharing (CORS) Access-Control- HTTP headers to all responses before they’re processed by the browser. This essentially disables the browser’s same origin policy and allows cross domain calls even if the web server does not support CORS.

The default setting adds the following headers to every response:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST

This can be customized in the forcecors.headers setting via about:config, the values are separated by spaces (and yes, you may add arbitrary, cors-unrelated headers :).

Force CORS is going to be very helpful for my numerous Javascript/HTML5 hacks (diagnostic scripts, little helpers, mashups, etc.) that load data from websites I don’t control :)

The code is available on github, feel free to fork it.

And here’s the link to Mozilla’s “AMO”:


Oh, and a warning: Force CORS circumvents the browser’s same origin policy, so be careful (i.e. don’t use it if you don’t know what you’re doing).


There’s a problem with the Mozilla add-on site.