Today (Mar 15, 2016) Chrome stopped working with the --disable-web-security flag. I have tried the following options described in various posts:
1) Kill all instances of Chrome.exe in the windows task manager.
2) add the --use-data-dir flag, there is a current post regarding this, but the answers there do not work anymore
Here is my script I am using:
start chrome.exe --disable-web-security --allow-running-insecure-content --use-data-dir=c:/temp/chrome_dev
Chrome opens under this script with the disable security warning but localhost cross domain calls still fail:
I have solutions that are using --disable-web-security.
Finally I found a solution. Chrome will now only accept it if you set --user-data-dir as well.
You will have different instances when you use it.
Try it:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:\chrome"
For linux
google-chrome --user-data-dir="/var/tmp/Chrome" --disable-web-security
I suggest a temp directory
Just for OS X user, this worked for me (on El Capitan): /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --user-data-dir="<some-dir>"
Also works on Yosemite 10.10.5. Please note that --user-data-dir may no longer be left empty. You have to specify some dir.
This doesn't work anymore, since Chrome 80. You have to specify a non-default --user-data-dir to make it work now.
Original answer:
You can use your existing data dir, if you don't want to create a new one.
So on Linux the command to start unsafe Chrome will be something like this:
google-chrome --user-data-dir=/home/<your username>/.config/google-chrome --disable-web-security
But don't use this Chrome instance for anything except development or debugging, since it's open for a vast amount of web attacks.
This works with chrome 61 too for me -
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
Update: I have found a permanent solution for this disable web security issue.
step 1: create 1 chrome app shortcut on desktop and rename it anything like "disabled-security.exe"
step 2: right click on icon and go to properties => change target input box to something like following eg. and save it.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-site-isolation-trials --user-data-dir=c:\chromeSession
step 3: launch this app, it will work fine as expected
Note: every time, you need to clear the folder "c:\chromeSession" before opening this app
Do not disable web security. You're opening your accounts to attacks and your local files to being stolen.
Instead use a simple web server. It will take you all of 2 minutes to install and use. Here's one with a gui, and here's several more that run from the command-line
I'm trying to decrypt SSL packages with Wireshark as described here. I have already created a SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10), and opened https urls with Chrome and Firefox, but none write to the ssl log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how can I make any of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?
You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:
set environment variable e.g. SSLKEYLOGFILE to %USERPROFILE%\sslkeysENV.pms
run chrome with argument e.g.:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms
With Firefox the feature seems to be disabled by default and is only available in debug builds. With Chrome this might have vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).
Update: according to #Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.
I have solved it!
You MUST be sure Chrome is totally closed, and then reopen a fresh new Chrome instance.
Chrome has an option, enabled by default, that lets Chrome run in the background.
Double check your Windows taskbar or process list to make sure no Chrome instance exists.
That's why --ssl-key-log-file isn't working: Chrome is still alive after you click the exit button.
Try Firefox Developer edition, the above mentioned feature is turned on by default. I tested yesterday only.
Some antiviruses (like Avast) inject the SSLKEYLOGFILE environment variable into well-known processes like firefox.exe and chrome.exe. If you rename the browser executable file and launch that, then the environment variable won't be overridden.
Try closing your current browsing session; it behaves as if you had just added a new path to PATH, which only works from a new session, and so on.
Besides what they have already pointed out, I want to show three points that may help. These are tips for Linux (CentOS)
Make sure the file that SSLKEYLOGFILE points to can be written and read. To make sure, you can use:
chmod -R 777 sslkey.txt
Make sure your Firefox or Chrome is opened under the same user with the file mentioned, for example under root.
Find some useful comments here
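The checks the answers above walk through (the file exists, the browser's user can write to it, and secrets are actually arriving), as an added example that is not part of any of the posts. It creates the file with owner-only permissions rather than 777, because each line is a session secret that decrypts captured traffic; the function names are this sketch's own, and the label list covers the common NSS key log labels only.

```shell
#!/bin/sh
# Added example: diagnose an SSLKEYLOGFILE before blaming the browser.

# Common labels of the NSS key log format (TLS 1.2 and TLS 1.3).
KEYLOG_LABELS='CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET'

# Create the file (if needed) so that only the current user can read it.
keylog_prepare() {
  ( umask 077 && : >> "$1" ) && chmod 600 "$1"
}

# Count lines of the form "<label> <client random, hex> <secret, hex>".
# Comment lines and malformed lines are not counted.
keylog_count() {
  grep -Ec "^($KEYLOG_LABELS) [0-9a-fA-F]{64} [0-9a-fA-F]{64,96}\$" "$1" || true
}

# Print a short diagnosis; return 0 only when secrets are being logged.
keylog_status() {
  [ -f "$1" ] || { echo missing; return 1; }
  [ -w "$1" ] || { echo not-writable; return 1; }
  # Characters 5-10 of the mode string are the group and other bits.
  case $(ls -ld -- "$1" | cut -c5-10) in
    ------) ;;
    *) echo readable-by-others; return 1 ;;
  esac
  count=$(keylog_count "$1")
  [ "$count" -gt 0 ] || { echo no-secrets-logged; return 1; }
  echo "ok $count"
}

# Run as: sh keylog-check.sh /path/to/sslkeys.log
if [ -n "${1:-}" ]; then
  keylog_status "$1"
fi
```

Run keylog_prepare on the path first, start the browser as the same user with SSLKEYLOGFILE pointing at it, load an https page, then run keylog_status.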
I have a problem with the --disable-web-security flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.
I've tried killing all of the instances, reboot and run Chrome with the flag first of all, tried different machines as well. In the beta I can see the warning popup ("You are using unsupported flag.."), but CORS is still being enforced. Public version seems to ignore the flag completely.
There seems to be no news or people reports about that, so it might be a local issue.
Will be grateful for help or any related info.
Update 2021-10-18
As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.)
To test whether you've successfully launched Chrome with web security disabled, run the snippet in Web Security Test at the bottom of this post.
Update 2020-04-30
As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials and a non-empty profile path via --user-data-dir in order for --disable-web-security to take effect:
# MacOS (in Terminal)
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
# Windows (from "Run" dialog [Windows+R] or start menu in Windows 8+)
chrome.exe --user-data-dir=%TMP%\temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir= vs --user-data-dir=/some/path for more details below.
Thanks to #Snæbjørn for the Chrome 81 tip in the comments.
Update 2020-03-06
As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials no longer disables web security.
It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.
Original Post 2019-11-01
In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials flag alongside arguments --user-data-dir= and --disable-web-security to truly disable web security.
On MacOS, the full command becomes:
open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials
Regarding --user-data-dir
Per David Amey's answer, it is still necessary to specify --user-data-dir= for Chrome to respect the --disable-web-security option.
--user-data-dir= vs --user-data-dir=/some/path
Though passing in an empty path via --user-data-dir= works with --disable-web-security, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.
Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh or equivalent. Credit to #James B for pointing this out in the comments.
Source
This fix was discovered within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951
Web Security Test
Run this snippet to confirm that this solution actually disabled web security in Google Chrome:
window.addEventListener("DOMContentLoaded", () => {
  const iframe = document.querySelector("iframe");
  iframe.addEventListener("load", () => {
    const canAccessIframeDocument = !!iframe.contentDocument;
    document
      .querySelector(
        canAccessIframeDocument ? ".security-disabled" : ".security-enabled"
      )
      .classList.remove("hidden");
  });
  // To ensure the `load` event always fires, only set iframe src after the
  // event listener is attached.
  iframe.src = "https://google.com";
});

body {
  font-family: sans-serif;
}
.hidden {
  display: none;
}
/* Web security should normally be enabled, so this is colored green, despite
   the objective of this solution to disable it. */
.security-enabled {
  font-weight: bold;
  color: darkgreen;
}
.security-disabled {
  font-weight: bold;
  color: darkred;
}

<h1>Web Security Test</h1>
<p>
  This test attempts to access the inner contents of a cross-origin iframe,
  which is normally disallowed.
</p>
<p class="security-enabled hidden">
  Web security is enabled. The cross-origin iframe document could not be
  accessed.
</p>
<p class="security-disabled hidden">
  Web security is disabled. The cross-origin iframe document was
  successfully accessed.
</p>
<iframe class="hidden">
  Iframes are not supported.
</iframe>
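A launcher that follows the profile advice in the answer above, as an added example that is not part of the original post: it refuses an empty, relative or default-profile --user-data-dir, starts Chrome on a fresh temporary profile with the three flags, and deletes that profile when the browser exits. CHROME_BIN and the function names are assumptions of this sketch; point CHROME_BIN at the Chrome binary for your platform.

```shell
#!/bin/sh
# Added example: development-only Chrome on a throwaway profile.

# Succeed only if $1 can serve as an isolated --user-data-dir.
profile_dir_is_safe() {
  case "$1" in
    "") return 1 ;;   # empty value: Chrome falls back to the default profile
    /*) ;;            # absolute paths only
    *)  return 1 ;;
  esac
  # Default profile locations named on this page; they hold live logins.
  case "$1" in
    "${HOME:-}/.config/google-chrome"*) return 1 ;;
    "${HOME:-}/.config/chromium"*) return 1 ;;
    "${HOME:-}/Library/Application Support/Google/Chrome"*) return 1 ;;
  esac
  return 0
}

# Print the flags (one per line) for the given profile dir, or fail.
chrome_dev_args() {
  profile_dir_is_safe "$1" || return 1
  printf '%s\n' "--user-data-dir=$1" \
    --disable-web-security --disable-site-isolation-trials
}

# Create a fresh profile, run the browser in the foreground, then clean up.
launch_dev_chrome() {
  url=${1:-about:blank}
  chrome_bin=${CHROME_BIN:-google-chrome}
  profile=$(mktemp -d "${TMPDIR:-/tmp}/chrome-dev.XXXXXX") || return 1
  flags=$(chrome_dev_args "$profile") || { rm -rf -- "$profile"; return 1; }
  # Rebuild the positional parameters from the flag list (no arrays in sh).
  set --
  while IFS= read -r flag; do
    set -- "$@" "$flag"
  done <<EOF
$flags
EOF
  status=0
  "$chrome_bin" "$@" "$url" || status=$?
  # The profile may contain cookies from the insecure session; remove it.
  rm -rf -- "$profile"
  return "$status"
}

# Run as: sh dev-chrome.sh --launch [URL]
if [ "${1:-}" = "--launch" ]; then
  shift
  launch_dev_chrome "$@"
fi
```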
I'm seeing the same thing. A quick google found this question and a bug on the chromium forums. It seems that the --user-data-dir flag is now required.
Edit to add user-data-dir guide
Mac OS:
open -a Google\ Chrome --args --disable-web-security --user-data-dir=
UPD: add = to --user-data-dir because newer chrome versions require it in order to work
On OS X, to open a new Chrome window - without having to close the already open windows first - pass in the additional -n flag. Make sure to specify empty string for data-dir (necessary for newer versions of Chrome, like v50 something+).
open -na /Applications/Google\ Chrome.app/ --args --disable-web-security --user-data-dir=""
I found that using Chrome 60+ on Mac OS X Sierra, the above command no longer worked, but a slight modification does:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
The data directory path is important. Even if you're standing in your home directory when issuing the command, you can't simply refer to a local directory. It needs to be an absolute path.
The chosen answer is good, but for those who are still struggling with what they are talking about(your first time dealing with this issue), the following worked for me.
I created a new shortcut to Chrome on my desktop, right clicked it, and set the "Target" field to the following,
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:/chromedev"
The directory can be anything you want, I decided to make an empty folder called chrome dev in my C: directory. It has nothing to do where chrome is installed on your computer. It's just a fluff type thing.
This link also has clear directions for other OSes. How to disable web security in Chrome
The version 49.0.2623.75 (64-bit) is not in beta anymore.
The command to fix the CORS issue is
google-chrome-stable --disable-web-security --user-data-dir
Install This Chrome-plugin for Disable-web-security in Chrome::
" Allow-Control-Allow-Origin: * "
link Here or you can google above plugin if you want.
it is very easy to enable and disable the security with this plugin.
For Chrome Version 50+ for Mac Users. Close all opened chrome first and run the below command
open -a Google\ Chrome --args --disable-web-security --user-data-dir=""
The above will work. Thanks
For Mac, using Safari is a good alternate option for local development purpose and the feature is built into the browser (so no need to add browser extension or launch Chrome using bash command like [open -a Google\ Chrome --args --disable-web-security --user-data-dir=""].
To disable cross origin restriction using Safari (v11+): From menu click “Develop > Disable Cross Origin Restriction”.
This does not require relaunching the browser and since its a toggle you can easily switch to secure mode.
From Chrome v81 the param --user-data-dir= requires an actual parameter, whereas in the past it didn't.
Something like this works fine for me
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="\tmp\chrome_test"
In a terminal put these:
cd C:\Program Files (x86)\Google\Chrome\Application
chrome.exe --disable-web-security --user-data-dir="c:/chromedev"
As of the date of this answer (March 2020) there is a plugin for chrome called CORS unblock that allows you to skip that browser policy. The 'same origin policy' is an important security feature of browsers. Please only install this plugin for development or testing purposes. Do not promote its installation in end client browsers because you compromise the security of users and the chrome community will be forced to remove this plugin from the store.
For MacOSX
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
For Windows 10+
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
It's working for me.
Try using this..it will help you out..
c:\Program Files\Google\Chrome\Application>chrome.exe --disable-web-security --user-data-dir="D:\chrome"
For Windows
C:\Program Files\Google\Chrome\Application> .\chrome.exe --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
How do I disable Google Chrome extension autoupdate?
Solutions I've found for this:
1. Disabling a concrete extension update
That's what I wanted!
You can do this by editing the extension's manifest.json file:
On Windows: C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<EXTENSION-ID>\<VERSION>\manifest.json (find out the extension's ID by enabling Developer Mode in the extension settings page)
On MacOS: Open /Users/USERNAME/Library/Application Support/Google/Chrome/Default/Extensions/EXTENSION-ID/VERSION/manifest.json in a text editor.
On Ubuntu for Chromium: ${HOME}/.config/chromium/Default/Preferences
In this file, set the "update_url" property to something invalid like "https://localhost" for example. For the given url, it makes auto-updating that extension as simply impossible.
Source: https://productforums.google.com/d/msg/chrome/l3zOZeO-5-M/Y7VaR0KCWNIJ
2. Disabling all Google Chrome extension updates
For any OS: Just type chrome://plugins/ at address bar and turn Google Update plugin off. Source: How to disable Google Chrome auto update?
For Windows OS: Set Registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes"=dword:00000000
"UpdateDefault"=dword:00000000
Source: Making Google Chrome leave itself alone
If the chrome extension is on Github (which many if not most of them are), you can simply:
(1.) clone the Github repo,
(2.) reset the head to the version that you want, and
(3.) enable Developer Mode at chrome://extensions/
(4.) select the "Load unpacked" option from chrome://extensions/, and then select the folder enclosing the source code for the extension.
I recently used this technique to downgrade my version of Reddit Link Opener, which no longer supports users who have opted out of using that site's redesign. This worked for me on MacOS, but should work on all platforms.
If the extension is loaded as an unpacked extension (in the manner described above), it will NOT auto-update to a newer version.
Disabling update for a specific extension:
This can be achieved with the system policies, (more details here)
For Linux :
Get the installed extensions list (IDs), this can be found with ls -l ~/.config/google-chrome/Default/Extensions or chrome://extensions
Create the necessary directory if not present mkdir -p /etc/opt/chrome/policies/managed (with root)
Create the needed file policies file touch /etc/opt/chrome/policies/managed/google-chrome.json
Edit that file with the code below
open the page chrome://policy/ and reload the policies
{
  "ExtensionSettings": {
    "ghijklmnopabcdefghijklmnopabcdef": {
      "update_url": "https://127.0.0.1/update_url",
      "override_update_url": true
    },
    "YOUR-EXTENSION-ID-LIKE-THE-PREVIOUS-EXAMPLE": {
      "update_url": "https://127.0.0.1/update_url",
      "override_update_url": true
    }
  }
}
Note: this can not be applied widely to all extensions in a single rule and also for each newly installed extension the file need to be updated
Hi, all those solutions have one disadvantage for me, which is that all extensions get no updates. I needed to stop updates for only one extension in this case and wanted all the others to keep updating.
I think I found the solution for Windows
Go to
C:\Users\YOUR_NAME_HERE\AppData\Local\Google\Chrome\User Data\Default\Extensions\YOUR_FOLDER APP HERE\
On that app folder, click Properties, select Read-only and apply that to all subfolders and files... for now, for me, that solved the problem !!!
Regards xichas
this is a complementary answer to the accepted one https://stackoverflow.com/a/27657703/1422630 , allowing disable all at once on chromium
this is also only for linux (may be run on windows thru cygwin tho, not tested..)
this script will
backup the prefs file,
modify it,
if didnt succeed will output "FAILED"
show the differences using meld if installed
#!/bin/bash
set -ue
strPref="$HOME/.config/chromium/Default/Preferences"
# List the distinct update URLs currently in the Preferences file.
grep -Eo "\"update_url[^,]*," "$strPref" | sort -u
read -p "existing unique urls above..." -n 1
# Back up the Preferences file before editing it.
strBkp="${strPref}.$(date +"%Y%m%d%H%M%S").bkp"
if cp -v "$strPref" "$strBkp"; then
  strUpdUrl="clients2.google.com/service/update2/crx" # change this if needed; TODO: should match any URL
  # Replace the update host with 127.0.0.1 so update checks cannot reach it.
  sed -i -r "s#(update_url\":\"https{,1}://)(${strUpdUrl})#\1127.0.0.1#g" "$strPref"
  if grep "$strUpdUrl" "$strPref"; then echo FAILED >&2; exit 1; fi
  # Show what changed, using meld when it is installed.
  cmdDiff=colordiff
  if which meld; then cmdDiff=meld; fi
  #$cmdDiff <(cat "$strPref" |egrep "\"update_url[^,]*," -o) <(cat "$strBkp" |egrep "\"update_url[^,]*," -o)
  $cmdDiff <(sed -r 's#","#",\n"#g' "$strPref") <(sed -r 's#","#",\n"#g' "$strBkp")
fi
tested on chromium: Version 63.0.3239.84 (Official Build) Built on Ubuntu , running on Ubuntu 16.04 (64-bit)
obs.: that script also works for google-chrome, just change the preferences file path
After updating Google Chrome to v60, no solution found on the Internet has helped me
So i just blocked IP addresses, used for updating, by doing following steps:
Opened Chrome with blank browser tab
Waited until extension autoupdate begins, by looking at the network tab in Resource Monitor
Wrote out all the IP addresses with high download rate. My IP address list was:
Created outbound rule for chrome.exe in Windows Firewall and added listed IP addresses to blocklist
After I enabled this rule, chrome was unable to update my extensions.
Just (re)install the extension via Load unpacked.
Let's suppose "Roboform Password Manager" extension version 8.6.5.5 dropped some important functionality, so you want to keep version 8.6.2.2 installed.
Go to chrome://extensions/
Enable Developer mode
Get the required version of the plugin:
If Chrome still got the version you need:
Utilize Pack extension button on the plugin details page.
Just copy the extension folder, e.g. C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob. The extension id is visible in the url bar, on the plugin details page, e.g. chrome://extensions/?id=pnlccmojcmeohlpggmfnbbiapkmbliob.
If the version you need was overwritten already:
Get appropriate ".crx" from some extensions archive
Look for ".crx" in "C:\Program Files\..." (applications/installers sometimes bundle original ".crx" versions, unaffected by any updates)
Unzip (e.g. with 7-zip) your ".crx" (or paste the extension folder contents) to a non-temporary folder - you would have to keep those files in place until you uninstall the extension.
Click Load unpacked, select that folder.
If you just drag&drop the ".crx" file, Chrome extension details would show Source=Chrome Web Store, and it would get updated as soon as you click Update extensions now. But for an unpacked extension, you get a special "Unpacked extension" overlay icon, Source=Unpacked extension and it won't get updated.
Just tested on Chrome 79.0.3945.88 (64-bit), Windows.
Now, Chrome shows "Disable developer mode extensions" popup on each startup. Personally, I just manually dismiss them each time. I do not re-start Chrome too often.
I am trying to debug an application but it throws same origin policy error.
So I followed ticket
Disable same origin policy in Chrome
However, whenever I start Chrome with "C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security from cmd, it is not starting in non-secure mode and it also doesn't show a notification that says that Chrome is running in non-secure mode.
I have disabled all the extensions too for this.
Please help.
Remove --args, start Chrome or Chromium as follows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
This flag is quite dangerous, I suggest to start up a separate profile to avoid leaking confidential information from one website to another:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname
And if you want to load an unpacked extension, use the --load-extension flag (multiple extensions can be loaded by separating the paths by a comma):
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname --load-extension="C:\Users\My User\Documents\My extension"
It seems that --disable-web-security is not supported anymore...
Chromium 38 says (translated from spanish) "--disable-web-security option is not accepted because it affects security and stability" :-(
You don't need --args to use --disable-web-security but it seems that since Chrome 38 even enabling that parameter does not allow CORS without the proper header.
See: https://code.google.com/p/chromium/issues/detail?id=392170
I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not work on Chrome 28.
I haven't used it since Chrome version 21; has this feature been dropped?
Check your windows task manager and make sure you kill all chrome processes before running the command.
The new tag for recent Chrome and Chromium browsers is :
--disable-web-security --user-data-dir=c:\my\data
Try this :
Windows:
Run below commands in CMD to start a new instance of chrome browser with disabled security
Go to Chrome folder:
cd C:\Program Files (x86)\Google\Chrome\Application
Run below command:
chrome.exe --disable-web-security --user-data-dir=c:\my-chrome-data\data
MAC OS:
Run this command in terminal:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
Hope this will help both Windows & Mac users!
This flag worked for me at v30.0.1599.101 m
The warning "You are using an unsupported command-line flag" can be ignored. The flag still works (as of Chrome v86).
This should work. You may save the following in a batch file:
TASKKILL /F /IM chrome.exe
start chrome.exe --args --disable-web-security
pause
Open target location of chrome and navigate through cmd
type
chrome.exe --disable-web-security --user-data-dir=c:\my\dat
Just create this batch file and run it on windows. It basically would kill all chrome instances and then would start chrome with disabling security. Save the following script in batch file say ***.bat and double click on it.
TASKKILL /F /IM chrome.exe
start chrome.exe --args --disable-web-security --allow-file-access-from-files
Check if you have Chrome App Launcher. You can usually see it in your toolbar. It runs as a second instance of chrome, but unlike the browser, it auto-runs so is going to be running whenever you start your PC. Even though it isn't a browser view, it is a chrome instance which is enough to prevent your arguments from taking effect. Go to your task manager and you will probably have to kill 2 chrome processes.
As you can't run --disable-web-security and a normal chrome in parallel it's probably a good solution to use Opera for --disable-web-security
Here is how to create a launcher for opera on windows. By the way, Opera has the same debugging tools as chrome!
http://www.opera.com/
:: opera-browse-dangerously.bat
cd c:\Program Files\Opera\
launcher.exe --disable-web-security --user-data-dir="c:\opera-dev"
PS: Opera doesn't display any notification when started without web-security
If you want to automate this:
Kill chrome from task Manager First. In Windows - Right Click (or Shift+right click, in-case of taskbar) on Chrome Icon. Select Properties. In "Target" text-box, add --disable-web-security flag.
So text in text-box should look like
"C:\Users\njadhav\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --disable-web-security
Click Ok and launch chrome.
just run this command from command prompt and it will launch chrome instance with CORS disabled:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
Automated solution for Windows 10
Right-click on Chrome icon > right-click Google Chrome > Properties
Shortcut > Target > "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\ChromeDevSession"
Notes:
Your file path for chrome.exe may vary.
Also, the --user-data-dir flag is required, and its file path may vary. Besides C:\ChromeDevSession, another possible location is ~/chromeTemp
Now Chrome always has its web security disabled :-)