AliExpress login doesn’t show up on Firefox when there is a strict cross-origin policy (i.e.
network.http.referer.XOriginPolicy). Here’s how to whitelist it.
Firefox can restrict the Referer header to same-origin requests only (docs) by setting network.http.referer.XOriginPolicy to 2 in about:config. Initially I figured this would break many websites, but to my surprise I have yet to encounter any issue; well, except for AliExpress.
When you try to login to AliExpress, the login box is just blank.
In the new design, the loading wheel just keeps spinning.
Upon inspecting the blank element (right click on the blank login box and select Inspect Element), the login box turns out to be an iframe of https://passport.aliexpress.com. In the Web Console (Ctrl + Shift + K), the error message suggested it is caused by X-Frame-Options.
From the Network inspection (Ctrl + Shift + E), https://passport.aliexpress.com is served with the HTTP header x-frame-options: SAMEORIGIN (which I believe stems from the XOriginPolicy setting). This restricts the iframe to the same domain, so the iframe cannot load because its domain differs from that of the login page.
Edit: After pinpointing the issue to XOriginPolicy, I suspect AliExpress sends the referrer from passport for tracking purposes, and somehow passport cannot be loaded if it does not receive any referrer. There are a few options to resolve this.
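To make the two mechanisms above concrete, here is an added JavaScript example (not code from this post, from AliExpress or from Firefox) that models Firefox's XOriginPolicy decision and the X-Frame-Options SAMEORIGIN check on the hosts named in the post. The parent page URL www.aliexpress.com and the last-two-labels base-domain helper are assumptions of the example; real Firefox consults the Public Suffix List.

```javascript
// Added example (not from the original post): a small model of two checks the
// post discusses, Firefox's network.http.referer.XOriginPolicy decision and
// the X-Frame-Options SAMEORIGIN check, run against the hosts the post names.
// baseDomain() is an assumption: real Firefox consults the Public Suffix
// List, this just takes the last two labels of the host name.

// XOriginPolicy values as documented for Firefox:
//   0 = always send the Referer header
//   1 = send it only when the base domains match
//   2 = send it only when the full hosts match
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function referrerSent(xOriginPolicy, pageUrl, requestUrl) {
  const from = new URL(pageUrl);
  const to = new URL(requestUrl);
  switch (xOriginPolicy) {
    case 0: return true;
    case 1: return baseDomain(from.hostname) === baseDomain(to.hostname);
    case 2: return from.hostname === to.hostname;
    default: throw new RangeError(`unsupported XOriginPolicy value: ${xOriginPolicy}`);
  }
}

// Decide whether a frame served with the given X-Frame-Options value may be
// rendered inside parentUrl. An origin is scheme + host + port, so
// https://www.aliexpress.com and https://passport.aliexpress.com differ.
function frameAllowed(xFrameOptions, parentUrl, frameUrl) {
  const value = (xFrameOptions || '').trim().toUpperCase();
  const parent = new URL(parentUrl);
  const frame = new URL(frameUrl);
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return parent.origin === frame.origin;
  // Empty or unrecognised value (including the obsolete ALLOW-FROM):
  // assumed to be ignored by the browser, i.e. no framing restriction.
  return true;
}

// Hosts from the post: the login box is an iframe of passport.aliexpress.com.
// The parent page URL is an assumption made for this example.
const PARENT_PAGE = 'https://www.aliexpress.com/';
const LOGIN_FRAME = 'https://passport.aliexpress.com/';

// Summarise what a given XOriginPolicy value means for the login iframe.
function diagnoseLogin(xOriginPolicy) {
  return {
    xOriginPolicy,
    referrerSentToFrame: referrerSent(xOriginPolicy, PARENT_PAGE, LOGIN_FRAME),
    frameAllowedBySameOrigin: frameAllowed('SAMEORIGIN', PARENT_PAGE, LOGIN_FRAME),
  };
}

for (const policy of [0, 1, 2]) {
  console.log(JSON.stringify(diagnoseLogin(policy)));
}
```

Running it shows that with XOriginPolicy 2 the Referer is dropped for the passport frame because the hosts differ even though both sit under aliexpress.com, whereas value 1 keeps it. The SAMEORIGIN check fails for every policy value, since the parent page and the frame are different origins; that is independent of the referrer settings, which is why the extension-based workaround below whitelists the iframe's domain rather than the page's.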
Edit: This step alone doesn't work anymore; it also requires resetting the referer policy. See the next section.
To use the old login page, mouse over the Account link at the top right corner and click on My Orders. It should redirect to
- Go to about:config.
- Search for "referer", then adjust the following options:
  - network.http.referer.defaultPolicy: set to 1 (must be 1 or above)
  - network.http.referer.sendRefererHeader: set to 2
- Mouse over the Account link at the top right corner and click on My Orders. It should redirect to
The Ignore X-Frame-Options Firefox extension is a way to exempt a domain from the restriction. By default, the extension whitelists all domains. This is highly discouraged because it nullifies the security benefit of X-Frame-Options (e.g. preventing a banking website from being iframed inside a phishing website). Instead, we can whitelist the login page only.
That's how the whitelist works on the extension: you add the domain of the iframe, not the page's domain. After you add it to the list, refresh the page and you should see the login.
If none of the above works, the last resort is to use the direct link https://login.aliexpress.com/express/mulSiteLogin.htm