[d0vs]

You have to allow it first on a per-website basis

[kpthunder]

You actually have to allow it per-website per-visit (not even per-session).

[Klathmon]

no, it's per domain.

You only need to per-visit when it's an insecure localhost endpoint or something similar IIRC. (or if you have an extension which clears that setting every page load)

[gruez]

Which I'm betting nobody will do

[mod]

A few folks in this thread already have.