I have a problem with the --disable-web-security flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.
I've tried killing all of the instances, reboot and run Chrome with the flag first of all, tried different machines as well. In the beta I can see the warning popup ("You are using unsupported flag.."), but CORS is still being enforced. Public version seems to ignore the flag completely.
There seems to be no news or people reports about that, so it might be a local issue.
Will be grateful for help or any related info.
Update 2021-10-18
As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.)
To test whether you've successfully launched Chrome with web security disabled, run the snippet in Web Security Test at the bottom of this post.
Update 2020-04-30
As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials and a non-empty profile path via --user-data-dir in order for --disable-web-security to take effect:
# MacOS (in Terminal)
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
# Windows (from "Run" dialog [Windows+R] or start menu in Windows 8+)
chrome.exe --user-data-dir=%TMP%\temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir= vs --user-data-dir=/some/path for more details below.
Thanks to #Snæbjørn for the Chrome 81 tip in the comments.
Update 2020-03-06
As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials no longer disables web security.
It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.
Original Post 2019-11-01
In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials flag alongside arguments --user-data-dir= and --disable-web-security to truly disable web security.
On MacOS, the full command becomes:
open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials
Regarding --user-data-dir
Per David Amey's answer, it is still necessary to specify --user-data-dir= for Chrome to respect the --disable-web-security option.
--user-data-dir= vs --user-data-dir=/some/path
Though passing in an empty path via --user-data-dir= works with --disable-web-security, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.
Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh or equivalent. Credit to #James B for pointing this out in the comments.
Source
This fix was discovered within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951
Web Security Test
Run this snippet to confirm that this solution actually disabled web security in Google Chrome:
window.addEventListener("DOMContentLoaded", () => {
const iframe = document.querySelector("iframe");
iframe.addEventListener("load", () => {
const canAccessIframeDocument = !!iframe.contentDocument;
document
.querySelector(
canAccessIframeDocument ? ".security-disabled" : ".security-enabled"
)
.classList.remove("hidden");
});
// To ensure the `load` event always fires, only set iframe src after the
// event listener is attached.
iframe.src = "https://google.com";
});
body {
font-family: sans-serif;
}
.hidden {
display: none;
}
/* Web security should normally be enabled, so this is colored green, despite
the objective of this solution to disable it. */
.security-enabled {
font-weight: bold;
color: darkgreen;
}
.security-disabled {
font-weight: bold;
color: darkred;
}
<h1>Web Security Test</h1>
<p>
This test attempts to access the inner contents of a cross-origin iframe,
which is normally disallowed.
</p>
<p class="security-enabled hidden">
Web security is enabled. The cross-origin iframe document could not be
accessed.
</p>
<p class="security-disabled hidden">
Web security is disabled. The cross-origin iframe document was
successfully accessed.
</p>
<iframe class="hidden">
Iframes are not supported.
</iframe>
I'm seeing the same thing. A quick google found this question and a bug on the chromium forums. It seems that the --user-data-dir flag is now required.
Edit to add user-data-dir guide
Mac OS:
open -a Google\ Chrome --args --disable-web-security --user-data-dir=
UPD: add = to --user-data-dir because newer chrome versions require it in order to work
On OS X, to open a new Chrome window - without having to close the already open windows first - pass in the additional -n flag. Make sure to specify empty string for data-dir (necessary for newer versions of Chrome, like v50 something+).
open -na /Applications/Google\ Chrome.app/ --args --disable-web-security --user-data-dir=""
I found that using Chrome 60+ on Mac OS X Sierra, the above command no longer worked, but a slight modification does:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
The data directory path is important. Even if you're standing in your home directory when issuing the command, you can't simply refer to a local directory. It needs to be an absolute path.
The chosen answer is good, but for those who are still struggling with what they are talking about(your first time dealing with this issue), the following worked for me.
I created a new shortcut to Chrome on my desktop, right clicked it, and set the "Target" field to the following,
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:/chromedev"
The directory can be anything you want, I decided to make an empty folder called chrome dev in my C: directory. It has nothing to do where chrome is installed on your computer. It's just a fluff type thing.
This link also has clear directions for other OSes. How to disable web securityin Chrome
The version 49.0.2623.75 (64-bit) is not in beta anymore.
The command to fix the CORS issue is
google-chrome-stable --disable-web-security --user-data-dir
Install This Chrome-plugin for Disable-web-security in Chrome::
" Allow-Control-Allow-Origin: * "
link Here or you can google above plugin if you want.
it is very easy to enable and disable the security with this plugin.
For Chrome Version 50+ for Mac Users. Close all opened chrome first and run the below command
open -a Google\ Chrome --args --disable-web-security --user-data-dir=""
The above will work. Thanks
For Mac, using Safari is a good alternate option for local development purpose and the feature is built into the browser (so no need to add browser extension or launch Chrome using bash command like [open -a Google\ Chrome --args --disable-web-security --user-data-dir=""].
To disable cross origin restriction using Safari (v11+): From menu click “Develop > Disable Cross Origin Restriction”.
This does not require relaunching the browser and since its a toggle you can easily switch to secure mode.
From Chorme v81 the params --user-data-dir= requires an actual parameter, whereas in the past it didn't.
Something like this works fine for me
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="\tmp\chrome_test"
In a terminal put these:
cd C:\Program Files (x86)\Google\Chrome\Application
chrome.exe --disable-web-security --user-data-dir="c:/chromedev"
As of the date of this answer (March 2020) there is a plugin for chrome called CORS unblock that allows you to skip that browser policy. The 'same origin policy' is an important security feature of browsers. Please only install this plugin for development or testing purposes. Do not promote its installation in end client browsers because you compromise the security of users and the chrome community will be forced to remove this plugin from the store.
For MacOSX
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
For Windows 10+
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
It working for me.
Try using this..it will help you out..
c:\Program Files\Google\Chrome\Application>chrome.exe --disable-web-security --user-data-dir="D:\chrome"
For Windows
C:\Program Files\Google\Chrome\Application> .\chrome.exe --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
Related
I'm trying to decrypt SSL packages with Wireshark as described here. I have already created a SSLKEYLOGFILE System and User variable and the log file. I have restarted my computer (running Windows 10), and opened https urls with Chrome and Firefox, but none write to the ssl log file. My Chrome version is 56.0.2924.87 (64-bit) and my Firefox version is 51.0.1 (32-bit). Any idea how can I make any of the two browsers write to that file? Or is there any way to get the SSL key to be able to decrypt SSL packages in Wireshark?
You are doing something wrong. Tested on version 58 & you do not need to reboot. To activate either:
set environment variable e.g. SSLKEYLOGFILE to %USERPROFILE%\sslkeysENV.pms
run chrome with argument e.g.:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=%USERPROFILE%\sslkeysARG.pms
With Firefox the features seems to be disabled by default and is only available in debug builds. With Chrome this might have been vanished by switching the underlying SSL engine from NSS (which implemented this feature and is also used in Firefox) to BoringSSL (which maybe does not have this feature).
Update: according to #Lekensteyn (see comment) the feature is again available in current Firefox and Chrome builds.
I have solved it!
You MUST be sure chrome totally be closed. And then reopen a fresh new chrome instance.
Chrome has a default options let chrome run in background enabled.
Double check your taskbar of windows or processes lists to make sure there's no chrome instance exists.
That's why --ssl-key-log-file don't working, chrome stills alive after you click exit button.
Try Firefox Developer edition, the above mentioned feature is turned on by default. I tested yesterday only.
Some antiviruses (like Avast) inject the SSLKEYLOGFILE environment variable into well-known processes like firefox.exe and chrome.exe. If you rename the browser executable file and launch that, then the environment variable won't be overridden.
Try to close your current browsing session, it behave like you just add a new path to PATH, only work from the new session and so on.
Besides what they have already pointed out, I want to show three points that may help. These are tips for Linux (CentOS)
Make sure the file that related to SSLKEYLOGFILE can be written and read, to make sure you can use:
chmod -R 777 sslkey.txt
Make sure your Firefox or Chrome is opened under the same user with the file mentioned, for example under root.
Find some useful comments here
Today (Mar, 15, 2016) chrome stopped working with the --disable-web-security flag. I have tried the following options described in various posts:
1) Kill all instances of Chrome.exe in the windows task manager.
2) add the --use-data-dir flag, there is a current post regarding this, but the answers there do not work anymore
Here is my script I am using:
start chrome.exe --disable-web-security --allow-running-insecure-content --use-data-dir=c:/temp/chrome_dev
Chrome opens under this script with the disable security warning but localhost cross domain calls still fail:
I have solutions that are using --disable-web-security.
Finally I found solution. Now chrome just will accept it if you set --user-data-dir together.
You will have different instances when you use it.
Try it:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:\chrome"
For linux
google-chrome --user-data-dir=”/var/tmp/Chrome” --disable-web-security
I suggest a temp directory
Just for OS X user, this worked for me (on El Capitan): /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --user-data-dir="<some-dir>"
Also works on Yosemite 10.10.5. Please note that --user-data-dir may no longer be left empty. You have to specify some dir.
This doesn't work anymore, since Chrome 80. You have to specify a non-default --user-data-dir to make it work now.
Original answer:
You can use your existing data dir, if you don't want to create a new one.
So on Linux the command to start unsafe Chrome will be something like this:
google-chrome --user-data-dir=/home/<your username>/.config/google-chrome --disable-web-security
But don't use this Chrome instance for anything except development or debugging, since it's open for a vast amount of web attacks.
This works with chrome 61 too for me -
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
Update: I have found a permanent solution for this disable web security issue.
step 1: create 1 chrome app shortcut on desktop and rename it anything like "disabled-security.exe"
step 2: right click on icon and go to properties => change target input box to something like following eg. and save it.
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-site-isolation-trials --user-data-dir=c:\chromeSession
step 3: launch this app, it will work fine as expected
Note: everytime you need to clear folder "c:\chromeSession" before opening this app
Do not disable web security. You're opening your accounts to attacks and your local files to being stolen.
Instead use a simple web server. It will take you all of 2 minutes to install and use. Here's one with a gui, and here's several more that run from the command-line
I would know if it's possible to make a chrome app who could be launched in the terminal without chrome UI. Example:
chrome.app.runtime.onLaunched.addListener(function() {
console.log("Hello world!);
});
imac:bin$ chrome --app-id=<my-app-id>
Hello world!
imac:bin$
I think not, but could you confirm. Thanks
I use this line to start chrome apps from the command line, on OSX:
open -n -a Google\ Chrome\ Canary --args --user-data-dir=/tmp/temp_chrome_data_dir --load-and-launch-app=...
The key flags are --user-data-dir to create an isolated profile, and --load-and-launch-app to start a chrome app automatically. I use the open command to resolve the path to chrome application on OSX, but you can just an explicit path instead:
/path/to/Google\ Chrome\ Canary --user-data-dir=/tmp/temp_chrome_data_dir --load-and-launch-app=...
That said, this will pop open a chrome browser window as well. I'm not yet sure how to get around that, but I will investigate. (My workaround for local development is to just minimize the window once, and it won't pop up any more).
I am trying to debug an application but it throws same origin policy error.
So I followed ticket
Disable same origin policy in Chrome
However when ever I start chrome with CC:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security from cmd, it is not starting in non-secure mode and it also doesn't show a notification that says that chrome is running in non secure mode.
I have disabled all the extensions too for this.
Please help.
Remove --args, start Chrome or Chromium as follows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
This flag is quite dangerous, I suggest to start up a separate profile to avoid leaking confidential information from one website to another:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname
And if you want to load an unpacked extension, use the --load-extension flag (multiple extensions can be loaded by separating the paths by a comma):
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname --load-extension="C:\Users\My User\Documents\My extension"
It seems that --disable-web-security is not supported anymore...
Chromium 38 says (translated from spanish) "--disable-web-security option is not accepted because it affects security and stability" :-(
You don't need --args to use --disable-web-security but it seems that since Chrome 38 even enabling that parameter does not allow CORS without the proper header.
See: https://code.google.com/p/chromium/issues/detail?id=392170
I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not work on Chrome 28.
I haven't used it since Chrome version 21; has this feature been dropped?
Check your windows task manager and make sure you kill all chrome processes before running the command.
The new tag for recent Chrome and Chromium browsers is :
--disable-web-security --user-data-dir=c:\my\data
Try this :
Windows:
Run below commands in CMD to start a new instance of chrome browser with disabled security
Go to Chrome folder:
cd C:\Program Files (x86)\Google\Chrome\Application
Run below command:
chrome.exe --disable-web-security --user-data-dir=c:\my-chrome-data\data
MAC OS:
Run this command in terminal:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
Hope this will help both Windows & Mac users!
This flag worked for me at v30.0.1599.101 m
The warning "You are using an unsupported command-line flag" can be ignored. The flag still works (as of Chrome v86).
This should work. You may save the following in a batch file:
TASKKILL /F /IM chrome.exe
start chrome.exe --args --disable-web-security
pause
Open target location of chrome and navigate through cmd
type
chrome.exe --disable-web-security --user-data-dir=c:\my\dat
Just create this batch file and run it on windows. It basically would kill all chrome instances and then would start chrome with disabling security. Save the following script in batch file say ***.bat and double click on it.
TASKKILL /F /IM chrome.exe
start chrome.exe --args --disable-web-security –-allow-file-access-from-files
Check if you have Chrome App Launcher. You can usually see it in your toolbar. It runs as a second instance of chrome, but unlike the browser, it auto-runs so is going to be running whenever you start your PC. Even though it isn't a browser view, it is a chrome instance which is enough to prevent your arguments from taking effect. Go to your task manager and you will probably have to kill 2 chrome processes.
As you can't run --disable-web-security and a normal chrome in parallel it's probably a good solution to use Opera for --disable-web-security
Here is how to create a launcher for opera on windows. By the way, Opera has the same debugging tools as chrome!
http://www.opera.com/
:: opera-browse-dangerously.bat
cd c:\Program Files\Opera\
launcher.exe --disable-web-security --user-data-dir="c:\opera-dev"
PS: Opera doesn't display any notification when started without web-security
If you want to automate this:
Kill chrome from task Manager First. In Windows - Right Click (or Shift+right click, in-case of taskbar) on Chrome Icon. Select Properties. In "Target" text-box, add --disable-web-security flag.
So text in text-box should look like
C:\Users\njadhav\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --disable-web-security
Click Ok and launch chrome.
just run this command from command prompt and it will launch chrome instance with CORS disabled:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
Automated solution for Windows 10
Right-click on Chrome icon > right-click Google Chrome > Properties
Shortcut > Target > "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\ChromeDevSession"
Notes:
Your file path for chrome.exe may vary.
Also, the --user-data-dir flag is required, and its file path may vary. Besides C:\ChromeDevSession, another possible location is ~/chromeTemp
Now Chrome always has its web security disabled :-)