For development purposes, I had an especially configured Google Chrome shortcut that allowed us to circumvent the same-origin policy. This would in turn set a cookie with the result of the query to that endpoint. Anyway, the configuration used to be as follows.
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure --disable-web-security --user-data-dir="C:\Users\joao.pereira\Documents\cors_user_data_dir"
However, as of Chrome 91, according to the release notes, the SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure flags would be dropped come Chrome 94.
Mar 18, 2021: The flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags as of Chrome 91, as the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed.
And that's where we're at, as Chrome 94 has arrived. With these dropped, I am currently unable to access the intended resources. Unfortunately, downgrading the Chrome version isn't an option either, since the computer is controlled by the organization. Setting up another browser with a similar configuration would work, so suggestions in that regard are also appreciated.
You may ask your System Admin to disable this feature by updating managed policies on your system (if you don't have control) for your browser as mentioned here. See How To Setup for Windows
You can whitelist all of your domains that you don't want to check for SameSite cookie policy.
I'm trying to decrypt SSL packages with Wireshark as described here. I have already created an SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10) and opened https URLs with Chrome and Firefox, but neither writes to the SSL log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how I can make either of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?
You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:
set environment variable e.g. SSLKEYLOGFILE to %USERPROFILE%\sslkeysENV.pms
run chrome with argument e.g.:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms
With Firefox the feature seems to be disabled by default and is only available in debug builds. With Chrome this might have vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).
Update: according to @Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.
I have solved it!
You MUST be sure Chrome is totally closed, and then reopen a fresh new Chrome instance.
Chrome has a default option "let Chrome run in background" enabled.
Double check your Windows taskbar or process list to make sure no Chrome instance exists.
That's why --ssl-key-log-file doesn't work: Chrome stays alive after you click the exit button.
Try Firefox Developer edition, the above mentioned feature is turned on by default. I tested yesterday only.
Some antiviruses (like Avast) inject the SSLKEYLOGFILE environment variable into well-known processes like firefox.exe and chrome.exe. If you rename the browser executable file and launch that, then the environment variable won't be overridden.
Try closing your current browsing session; it behaves like when you add a new path to PATH, which only works from the new session onwards.
Besides what they have already pointed out, I want to show three points that may help. These are tips for Linux (CentOS).
Make sure the file related to SSLKEYLOGFILE can be written and read; to make sure, you can use:
chmod -R 777 sslkey.txt
Make sure your Firefox or Chrome is opened under the same user as the file mentioned, for example root.
Find some useful comments here
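To check that a browser actually wrote a usable key log, here is a small validator for the NSS key log format that SSLKEYLOGFILE and --ssl-key-log-file produce and Wireshark reads. It is an example added for this page, not code from any of the answers; the sample lines are constructed, not captured from a real session.

```python
"""Validate an NSS key log file (the SSLKEYLOGFILE format Wireshark reads)."""
import re

# Labels of the NSS key log format and the secret length they carry in bytes.
# None = depends on the TLS 1.3 cipher suite hash (32 for SHA-256, 48 for SHA-384).
LABELS = {
    "CLIENT_RANDOM": 48,  # TLS 1.2 and earlier: the 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": None,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (entries, errors); entries are (label, client_random, secret) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # NSS writes a '#' comment header
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if not (HEX.match(client_random) and len(client_random) == 64):
            errors.append((lineno, "client_random must be 32 hex bytes"))
            continue
        want = LABELS[label]
        ok_len = len(secret) == want * 2 if want else len(secret) in (64, 96)
        if not (HEX.match(secret) and ok_len):
            errors.append((lineno, f"bad secret length for {label}"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors

def sessions(entries):
    """Group secrets by client_random; one TLS 1.3 handshake yields several labels."""
    by_random = {}
    for label, client_random, secret in entries:
        by_random.setdefault(client_random, {})[label] = secret
    return by_random

def decryptable(session):
    """True if Wireshark has enough to decrypt this session's application data."""
    return "CLIENT_RANDOM" in session or \
        {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(session)

# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, two bad lines.
CR1, CR2 = "11" * 32, "22" * 32
SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CR1} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR2} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR2} {'bc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR2} {'cc' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR2} {'cd' * 32}",
    f"CLIENT_RANDOM {CR1} deadbeef",  # truncated secret (partial write)
    f"MASTER_KEY {CR1} {'ee' * 48}",  # not an NSS label
])
```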
I am developing an extension that uses Chrome's Native Messaging. After setting the key value in my extension (for native messaging), Chrome goes bananas and deletes my files after closing Chrome. Turning off sync extensions somehow keeps my files intact, but it still removes the extension from itself every reboot. I can't figure out if this is some bizarre bug I've stumbled upon or if this has to do with not being able to install non-web-store extensions.
Problem
As you can read on Google forums (productforums.google.com), posted on 04.09.2015, new versions of Google Chrome will automatically disable extensions that have not been installed from the Chrome Web Store. There is no option to change this behaviour.
Some extensions come bundled with others, which causes Chrome to ask
whether you want to install them (or not). However, bad actors have
abused this mechanism, bypassing the prompt to silently install
malicious extensions that can override browser settings and alter the
user experience in undesired ways.
...
Since these malicious extensions are not hosted on the Chrome Web
Store, it’s difficult to limit the damage they can cause. This is why
we announced in November that as part of our continuing security
efforts, all extensions for Windows users must be hosted in the
Chrome Web Store.
Solutions
1. Use a different browser. For example, Opera (version > 15) and SRWare Iron browsers extensions are 100% compatible and they don't get disabled on each browser startup. All the tools from Google Chrome are available in these browsers.
2. Pack the extension (idea taken from this url). Open the extension page, activate "Developer Mode"; Click "Load unpacked extension..."; Search through your directory tree for the directory where you unpacked your extension and click OK; Disadvantages: Chrome nags you to disable the extension at each startup
If you are copy/pasting an installed extension that no longer exists, you can modify the manifest and remove:
the key
the update_url
Then load it again and it will work and assume you are developing it.
Here's the deal. We are trying to install some Chrome extensions (version 47+) via GPO. We're putting the ExtensionInstallForcelist under the user configuration, but it's not working. The registry entry shows up, so the GPO works, but Chrome doesn't seem to be reading it to perform the install.
There is a slight catch. We are running Websense Endpoint agent on our systems, which installs its own Chrome extension by adding a registry entry under the ExtensionInstallForcelist in HKLM.
When I look at the Chrome Policies, I see the ExtensionInstallForcelist enabled only for "Machine".
Does Chrome only accept one install list? Either HKLM or HKCU with HKLM being the preferred? At least that's the behavior that I'm seeing.
Any help or information would be appreciated. All of the information that I've found on Chrome Extensions and GPO only list the Machine policy and don't really cover the User policy.
Thank you.
We had the exact same issue as you, with the Websense Endpoint trumping any GPO User level ExtensionInstallForcelist settings we put in place for a custom Chrome Extension.
This was the party line I found from Chromium project regarding who wins in User vs Machine chrome policies:
"Correct. We do not merge policy values, we just use the value read from the highest-priority source."
(Taken from this person who had the same problem:
https://productforums.google.com/forum/#!msg/chrome/wygwLDak6ZQ/NKurhHpdCgAJ )
Observationally, the Machine level is apparently the higher priority source. As such, we moved all the Chrome extension settings to the Computer Configuration level of the GPO instead. This worked and installed our custom extension and all settings; however, this in turn prevented the Websense Endpoint from making its ExtensionInstallForcelist registry entries and stopped it loading correctly.
So we ended up adding the Websense Extension details to the machine level GPO ForceInstallList as well:
mkkjioebiampndpmidmadhpmgffdckhe;C:\Program Files\Websense\Websense Endpoint\dlpext.xml
This is obviously not the best approach, as we now need to manage/keep an eye on the Websense endpoint deployments via GPO, but it got things working for the subset of machines we needed to install the Chrome extension on.
I have a problem with the --disable-web-security flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.
I've tried killing all of the instances, reboot and run Chrome with the flag first of all, tried different machines as well. In the beta I can see the warning popup ("You are using unsupported flag.."), but CORS is still being enforced. Public version seems to ignore the flag completely.
There seems to be no news or people reports about that, so it might be a local issue.
Will be grateful for help or any related info.
Update 2021-10-18
As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.)
To test whether you've successfully launched Chrome with web security disabled, run the snippet in Web Security Test at the bottom of this post.
Update 2020-04-30
As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials and a non-empty profile path via --user-data-dir in order for --disable-web-security to take effect:
# MacOS (in Terminal)
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
# Windows (from "Run" dialog [Windows+R] or start menu in Windows 8+)
chrome.exe --user-data-dir=%TMP%\temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir= vs --user-data-dir=/some/path for more details below.
Thanks to @Snæbjørn for the Chrome 81 tip in the comments.
Update 2020-03-06
As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials no longer disables web security.
It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.
Original Post 2019-11-01
In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials flag alongside arguments --user-data-dir= and --disable-web-security to truly disable web security.
On MacOS, the full command becomes:
open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials
Regarding --user-data-dir
Per David Amey's answer, it is still necessary to specify --user-data-dir= for Chrome to respect the --disable-web-security option.
--user-data-dir= vs --user-data-dir=/some/path
Though passing in an empty path via --user-data-dir= works with --disable-web-security, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.
Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh or equivalent. Credit to @James B for pointing this out in the comments.
Source
This fix was discovered within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951
Web Security Test
Run this snippet to confirm that this solution actually disabled web security in Google Chrome:
window.addEventListener("DOMContentLoaded", () => {
  const iframe = document.querySelector("iframe");
  iframe.addEventListener("load", () => {
    const canAccessIframeDocument = !!iframe.contentDocument;
    document
      .querySelector(
        canAccessIframeDocument ? ".security-disabled" : ".security-enabled"
      )
      .classList.remove("hidden");
  });
  // To ensure the `load` event always fires, only set iframe src after the
  // event listener is attached.
  iframe.src = "https://google.com";
});

body {
  font-family: sans-serif;
}
.hidden {
  display: none;
}
/* Web security should normally be enabled, so this is colored green, despite
   the objective of this solution to disable it. */
.security-enabled {
  font-weight: bold;
  color: darkgreen;
}
.security-disabled {
  font-weight: bold;
  color: darkred;
}

<h1>Web Security Test</h1>
<p>
  This test attempts to access the inner contents of a cross-origin iframe,
  which is normally disallowed.
</p>
<p class="security-enabled hidden">
  Web security is enabled. The cross-origin iframe document could not be
  accessed.
</p>
<p class="security-disabled hidden">
  Web security is disabled. The cross-origin iframe document was
  successfully accessed.
</p>
<iframe class="hidden">
  Iframes are not supported.
</iframe>
I'm seeing the same thing. A quick google found this question and a bug on the chromium forums. It seems that the --user-data-dir flag is now required.
Edit to add user-data-dir guide
Mac OS:
open -a Google\ Chrome --args --disable-web-security --user-data-dir=
UPD: add = to --user-data-dir because newer chrome versions require it in order to work
On OS X, to open a new Chrome window - without having to close the already open windows first - pass in the additional -n flag. Make sure to specify empty string for data-dir (necessary for newer versions of Chrome, like v50 something+).
open -na /Applications/Google\ Chrome.app/ --args --disable-web-security --user-data-dir=""
I found that using Chrome 60+ on Mac OS X Sierra, the above command no longer worked, but a slight modification does:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
The data directory path is important. Even if you're standing in your home directory when issuing the command, you can't simply refer to a local directory. It needs to be an absolute path.
The chosen answer is good, but for those who are still struggling with what they are talking about(your first time dealing with this issue), the following worked for me.
I created a new shortcut to Chrome on my desktop, right clicked it, and set the "Target" field to the following,
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:/chromedev"
The directory can be anything you want, I decided to make an empty folder called chrome dev in my C: directory. It has nothing to do where chrome is installed on your computer. It's just a fluff type thing.
This link also has clear directions for other OSes. How to disable web security in Chrome
The version 49.0.2623.75 (64-bit) is not in beta anymore.
The command to fix the CORS issue is
google-chrome-stable --disable-web-security --user-data-dir
Install this Chrome plugin to disable web security in Chrome:
" Allow-Control-Allow-Origin: * "
Link here, or you can Google the above plugin if you want.
It is very easy to enable and disable the security with this plugin.
For Chrome Version 50+ for Mac Users. Close all opened chrome first and run the below command
open -a Google\ Chrome --args --disable-web-security --user-data-dir=""
The above will work. Thanks
For Mac, using Safari is a good alternate option for local development purposes, and the feature is built into the browser (so there is no need to add a browser extension or launch Chrome using a bash command like [open -a Google\ Chrome --args --disable-web-security --user-data-dir=""]).
To disable cross-origin restrictions using Safari (v11+): From the menu click "Develop > Disable Cross Origin Restriction".
This does not require relaunching the browser, and since it's a toggle you can easily switch back to secure mode.
From Chrome v81 the --user-data-dir= parameter requires an actual value, whereas in the past it didn't.
Something like this works fine for me:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="\tmp\chrome_test"
In a terminal put these:
cd C:\Program Files (x86)\Google\Chrome\Application
chrome.exe --disable-web-security --user-data-dir="c:/chromedev"
As of the date of this answer (March 2020) there is a plugin for chrome called CORS unblock that allows you to skip that browser policy. The 'same origin policy' is an important security feature of browsers. Please only install this plugin for development or testing purposes. Do not promote its installation in end client browsers because you compromise the security of users and the chrome community will be forced to remove this plugin from the store.
For MacOSX
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
For Windows 10+
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
It's working for me.
Try using this; it will help you out.
c:\Program Files\Google\Chrome\Application>chrome.exe --disable-web-security --user-data-dir="D:\chrome"
For Windows
C:\Program Files\Google\Chrome\Application> .\chrome.exe --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
I am trying to debug an application but it throws same origin policy error.
So I followed ticket
Disable same origin policy in Chrome
However, whenever I start Chrome with "C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security from cmd, it is not starting in non-secure mode and it also doesn't show a notification that says that Chrome is running in non-secure mode.
I have disabled all the extensions too for this.
Please help.
Remove --args, start Chrome or Chromium as follows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
This flag is quite dangerous, I suggest to start up a separate profile to avoid leaking confidential information from one website to another:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname
And if you want to load an unpacked extension, use the --load-extension flag (multiple extensions can be loaded by separating the paths by a comma):
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname --load-extension="C:\Users\My User\Documents\My extension"
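The answers above disagree about which flag combinations actually work, and several warn that an empty or missing --user-data-dir puts the default profile (with its live sessions) at risk. The following audit script, added here and not part of any answer, parses Chrome command lines as they would appear in a process listing and reports those findings; the sample command lines are constructed from the ones quoted on this page.

```python
"""Audit Chrome launch command lines for the security-relevant flags discussed above."""
import shlex

# Features named on this page whose disabling relaxes SameSite cookie defaults.
SAMESITE_FEATURES = {"SameSiteByDefaultCookies", "CookiesWithoutSameSiteMustBeSecure"}

def parse_flags(cmdline):
    """Map '--flag' -> value (None when no '=' is given).

    posix=False keeps Windows backslash paths intact and treats a leading
    quoted executable path as one token; a value with spaces must be quoted
    as a whole token (e.g. --user-data-dir="C:\\my dir" is not handled).
    """
    flags = {}
    for tok in shlex.split(cmdline, posix=False)[1:]:
        if not tok.startswith("--"):
            continue
        name, sep, value = tok.partition("=")
        flags[name] = value.strip('"') if sep else None
    return flags

def audit(cmdline):
    """Return a list of human-readable findings for one Chrome command line."""
    flags = parse_flags(cmdline)
    findings = []
    if "--disable-web-security" in flags:
        findings.append("same-origin policy disabled")
        # Absent, bare, or empty --user-data-dir means the default profile,
        # with its logged-in sessions, is the one running without web security.
        if not flags.get("--user-data-dir"):
            findings.append("default profile used with web security disabled")
        if "--disable-site-isolation-trials" in flags:
            findings.append("site isolation disabled")
    disabled = set((flags.get("--disable-features") or "").split(","))
    if disabled & SAMESITE_FEATURES:
        findings.append("SameSite cookie defaults disabled")
    if "--args" in flags:
        findings.append("stray --args (macOS open syntax, not a Chrome switch)")
    return findings

# Constructed samples modelled on the command lines quoted in this thread.
SAMPLES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu '
    r'--disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure '
    r'--disable-web-security --user-data-dir="C:\Users\dev\cors_user_data_dir"',
    r'chrome.exe --disable-web-security --user-data-dir=',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir=%TMP%\dev-profile',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd[:60], "...", audit(cmd) or "no findings")
```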
It seems that --disable-web-security is not supported anymore...
Chromium 38 says (translated from spanish) "--disable-web-security option is not accepted because it affects security and stability" :-(
You don't need --args to use --disable-web-security but it seems that since Chrome 38 even enabling that parameter does not allow CORS without the proper header.
See: https://code.google.com/p/chromium/issues/detail?id=392170