I did resort with the natural way to shut down the security constraint of Netscape/Mozilla, adding userpref("signed.applets.codebaseprincipal_support", true); in my own Firefox pref.js, and then asking the user (being myself) to accept the security risk with netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead'); in my javascript code.

But there is another, hackish and cool way to prevent XMLHttpRequest to annoy people doing “the right thing” :) I just read this article about faking the xmlhttprequest security restrinction using apache mod_rewirte. Awesome, isn’t it? Practically, you need a RewriteRule in your local Apache (where the xhr page resides) that proxy [P]ass a fake “local request” to the remote host, and the pass again the response to your script.

Yes, you also need to enable the proxy support in Apache.

Read on that article for the pesky details :)

First I enabled the mod_setenvif module and then I put these instructions in my virtual host configuration:

 SetEnvIf Request_URI "^/favicon.ico$" dontlog
 customlog /logs/access.log combined  env=!dontlog

That’s all… bye bye favicon.

Oh, and here there’s another approach to the favicon.ico plague: Getting rid of favicon.ico. (It still logs favicon requests though).