Now that chrome 80 has implemented the samesite cookie enforcement - is there a way to turn that off?
You can disable this behaviour via chrome://flags. Specifically, you can enter these two into your location bar:
chrome://flags/#same-site-by-default-cookies
chrome://flags/#cookies-without-same-site-must-be-secure
Set both to "Disabled".
However, while this might be useful for dealing with sites that still need to update, I would not expect this to be a long term solution.
Related
I have the situation with Chrome, tested with 87.0.4280.88, that in some cases Chrome will send sec-ch-ua and sec-ch-ua-mobile request headers, although chrome://flags/#enable-experimental-web-platform-features is set to "disabled".
For instance:
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-ch-ua-mobile: ?0
When this happens, the only way to get rid of these headers is to start Chrome with the parameter --disable-features=UserAgentClientHint.
Does someone have an explanation for this? As far as I understand, these features are still experimental and the specification in progress (https://wicg.github.io/ua-client-hints/).
I couldn't find a list of features behind the "Experimental Platform Features" flag, but I assume it's more about experimental Chrome features than experimental web standards, so that this flag probably was never intended to disable client hints, the maturity or stability of the standard behind it notwithstanding. Experimental standards get implemented all the time with current browsers, since that's the only way to get web developers' feedback on the practical implications of the standard.
According to Chrome's Platform Status, client hints are enabled by default since Chrome 89 and seems to be a pre-requisite for the bigger issue of User-Agent string reduction, which is probably one of the reasons it has been implemented quickly.
Is there a chrome flag to avoid 2-minute window for "Lax+POST" temporary intervention? This way we can test impact on our sites when this behavior will be removed in the future.
Reference from https://www.chromium.org/updates/same-site
Note that the 2-minute window for "Lax+POST" is a temporary intervention and will be removed at some point in the future (some time after the Stable launch of Chrome 80), at which point cookies involved in these flows will require SameSite=None and Secure even if under 2 minutes old.
As of 2019/11/21 this update has been added:
Lax+POST temporary mitigation can be disabled for testing purposes using the new flag --enable-features=SameSiteDefaultChecksMethodRigorously
However, if you are addressing this by adding the appropriate SameSite flag to your cookies then be aware that the Lax+POST mitigation does not apply to cookies that have a SameSite attribute set. Explicitly setting the SameSite attribute will ensure consistent behaviour across different versions and flags.
I am developing a Chrome extension and need to implement an API to change settings in Chrome.
I find all the settings in about:flags page, but I cannot find extension API to get or set.
No, there is not.
The options in chrome://flags are intended for Chrome developers, not for end users. Flags are typically not permanent, as they are used for features that are still under development and testing, or features which are only used for testing. Once testing is complete, the flag is removed.
In short: flags are not a stable interface. Extensions should not depend on features controlled by flags. If a feature your extension needs is only available through a flag, it is not ready for general use yet, and you should wait until that changes.
I'm trying to debug difference between HTTP/1.1 and HTTP/2.
Is there any possibility for disabling HTTP/2 in chrome or chromium?
I couldn't find this option flag in chrome 56. I have tried chromium 58 with flag --disable-http2:
./Chromium.app/Contents/MacOS/Chromium --disable-http2
But content is still delivered with HTTP/2 protocol after using this flag:
For what it is worth, the flag works.
The issue is that you need to quit EVERYTHING Chrome for it to take effect. Including plugin shims and other chrome tabs and so on.
It is not enough just to add the command line switch.
An easier way to achieve something broadly equivalent is to use an HTTP Proxy, like https://www.telerik.com/fiddler. This adds negligible additional time to your requests, and (as far as I know) doesn't support http/2 at all (yet); even if it did, I'm pretty sure it would be much easier/practical to switch behavior in than restarting all your Chrome windows.
The advantage of this approach is that it takes effect immediately - disabling and reenabling HTTP/2 becomes as easy as starting and stopping the proxy, without messing with the (if you're anything like me) dozens of Chrome tabs you have open, to StackOverflow and elsewhere :)
What happens when you try doing the same thing in WebPageTest (select Chrome as the test agent and add the command line switch in the Chrome tab under advanced settings)
Here's a test I did for my personal site just now and the flag appears to work OK (if you look at the response headers you'll see HTTP/1.1)
https://www.webpagetest.org/result/170322_1B_ab8656afcfb8bcc4103e9872ff56c28b/1/details/#waterfall_view_step1
I have seen the same problem created by a firewall running in proxy mode vs flow mode.
The firewall would buffer the entire file so it could scan it then pass it along vs scanning the individual packets.
https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/721410/inspection-modes
The problem would only happen when using http2 and might have something to do with http request priority not being handled properly or it forced it single threaded.
We would have a video request start with a low priority that would stall then start causing other file downloads to be delayed. Then there was a api poler in the background coming in with high priority requests. After a few high priority requests were blocked chrome would cancel the low priority video.
It would happen in other cases but the video made it very reproduceable for us.
https://medium.com/dev-channel/javascript-loading-priorities-in-chrome-57c54cfa6672
https://blog.cloudflare.com/better-http-2-prioritization-for-a-faster-web/
https://blog.cloudflare.com/http-2-prioritization-with-nginx/
https://calendar.perfplanet.com/2018/http2-prioritization/
We set it back to flow mode on the firewall and the problem went away.
Afterwards the downloads all happened in parallel with no blocking or stalling in the chrome network waterfall.
I need to know what the --disable-web-security parameter does in chrome. I know that it disables same origin policy.
But I also noticed that it messes with your websockets (I first experienced it with googles gmail, now with my own nodeapp)
So what does it do exactly?
edit:
with messing I mean that I often fail to connect or lose connections to websocket-webapplications (while my chrome runs with the --disable-web-security parameter ). bear in mind that this is only an empirical diagnosis - I am not perfectly sure whether this parameter corelates with my connection issues.