I am trying to debug an application but it throws same origin policy error.
So I followed ticket
Disable same origin policy in Chrome
However when ever I start chrome with CC:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security from cmd, it is not starting in non-secure mode and it also doesn't show a notification that says that chrome is running in non secure mode.
I have disabled all the extensions too for this.
Please help.
Remove --args, start Chrome or Chromium as follows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security
This flag is quite dangerous, I suggest to start up a separate profile to avoid leaking confidential information from one website to another:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname
And if you want to load an unpacked extension, use the --load-extension flag (multiple extensions can be loaded by separating the paths by a comma):
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir=%TMP%\profiledirname --load-extension="C:\Users\My User\Documents\My extension"
It seems that --disable-web-security is not supported anymore...
Chromium 38 says (translated from spanish) "--disable-web-security option is not accepted because it affects security and stability" :-(
You don't need --args to use --disable-web-security but it seems that since Chrome 38 even enabling that parameter does not allow CORS without the proper header.
See: https://code.google.com/p/chromium/issues/detail?id=392170
Related
I think happened in the latest update of Chrome. They're not letting any of these content types if they come from a site. This is problematic because I need the chrome developer tools to develop my app making calls to an api. Does anyone know how to disable or override this?
Change the directory in cmd to "cd Program Files (x86)\Google\Chrome\Application"
and execute the below command to disable chrome security and also avoid "Blocked receiving cross-site document warning."
C:\Program Files (x86)\Google\Chrome\Application>chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security --user-data-dir --disable-features=CrossSiteDocumentBlockingIfIsolating
Today (Mar, 15, 2016) chrome stopped working with the --disable-web-security flag. I have tried the following options described in various posts:
1) Kill all instances of Chrome.exe in the windows task manager.
2) add the --use-data-dir flag, there is a current post regarding this, but the answers there do not work anymore
Here is my script I am using:
start chrome.exe --disable-web-security --allow-running-insecure-content --use-data-dir=c:/temp/chrome_dev
Chrome opens under this script with the disable security warning but localhost cross domain calls still fail:
I have solutions that are using --disable-web-security.
Finally I found solution. Now chrome just will accept it if you set --user-data-dir together.
You will have different instances when you use it.
Try it:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:\chrome"
For linux
google-chrome --user-data-dir=”/var/tmp/Chrome” --disable-web-security
I suggest a temp directory
Just for OS X user, this worked for me (on El Capitan): /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --user-data-dir="<some-dir>"
Also works on Yosemite 10.10.5. Please note that --user-data-dir may no longer be left empty. You have to specify some dir.
This doesn't work anymore, since Chrome 80. You have to specify a non-default --user-data-dir to make it work now.
Original answer:
You can use your existing data dir, if you don't want to create a new one.
So on Linux the command to start unsafe Chrome will be something like this:
google-chrome --user-data-dir=/home/<your username>/.config/google-chrome --disable-web-security
But don't use this Chrome instance for anything except development or debugging, since it's open for a vast amount of web attacks.
This works with chrome 61 too for me -
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
Update: I have found a permanent solution for this disable web security issue.
step 1: create 1 chrome app shortcut on desktop and rename it anything like "disabled-security.exe"
step 2: right click on icon and go to properties => change target input box to something like following eg. and save it.
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-site-isolation-trials --user-data-dir=c:\chromeSession
step 3: launch this app, it will work fine as expected
Note: everytime you need to clear folder "c:\chromeSession" before opening this app
Do not disable web security. You're opening your accounts to attacks and your local files to being stolen.
Instead use a simple web server. It will take you all of 2 minutes to install and use. Here's one with a gui, and here's several more that run from the command-line
I have a problem with the --disable-web-security flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.
I've tried killing all of the instances, reboot and run Chrome with the flag first of all, tried different machines as well. In the beta I can see the warning popup ("You are using unsupported flag.."), but CORS is still being enforced. Public version seems to ignore the flag completely.
There seems to be no news or people reports about that, so it might be a local issue.
Will be grateful for help or any related info.
Update 2021-10-18
As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.)
To test whether you've successfully launched Chrome with web security disabled, run the snippet in Web Security Test at the bottom of this post.
Update 2020-04-30
As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials and a non-empty profile path via --user-data-dir in order for --disable-web-security to take effect:
# MacOS (in Terminal)
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
# Windows (from "Run" dialog [Windows+R] or start menu in Windows 8+)
chrome.exe --user-data-dir=%TMP%\temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir= vs --user-data-dir=/some/path for more details below.
Thanks to #Snæbjørn for the Chrome 81 tip in the comments.
Update 2020-03-06
As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials no longer disables web security.
It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.
Original Post 2019-11-01
In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials flag alongside arguments --user-data-dir= and --disable-web-security to truly disable web security.
On MacOS, the full command becomes:
open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials
Regarding --user-data-dir
Per David Amey's answer, it is still necessary to specify --user-data-dir= for Chrome to respect the --disable-web-security option.
--user-data-dir= vs --user-data-dir=/some/path
Though passing in an empty path via --user-data-dir= works with --disable-web-security, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.
Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh or equivalent. Credit to #James B for pointing this out in the comments.
Source
This fix was discovered within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951
Web Security Test
Run this snippet to confirm that this solution actually disabled web security in Google Chrome:
window.addEventListener("DOMContentLoaded", () => {
const iframe = document.querySelector("iframe");
iframe.addEventListener("load", () => {
const canAccessIframeDocument = !!iframe.contentDocument;
document
.querySelector(
canAccessIframeDocument ? ".security-disabled" : ".security-enabled"
)
.classList.remove("hidden");
});
// To ensure the `load` event always fires, only set iframe src after the
// event listener is attached.
iframe.src = "https://google.com";
});
body {
font-family: sans-serif;
}
.hidden {
display: none;
}
/* Web security should normally be enabled, so this is colored green, despite
the objective of this solution to disable it. */
.security-enabled {
font-weight: bold;
color: darkgreen;
}
.security-disabled {
font-weight: bold;
color: darkred;
}
<h1>Web Security Test</h1>
<p>
This test attempts to access the inner contents of a cross-origin iframe,
which is normally disallowed.
</p>
<p class="security-enabled hidden">
Web security is enabled. The cross-origin iframe document could not be
accessed.
</p>
<p class="security-disabled hidden">
Web security is disabled. The cross-origin iframe document was
successfully accessed.
</p>
<iframe class="hidden">
Iframes are not supported.
</iframe>
I'm seeing the same thing. A quick google found this question and a bug on the chromium forums. It seems that the --user-data-dir flag is now required.
Edit to add user-data-dir guide
Mac OS:
open -a Google\ Chrome --args --disable-web-security --user-data-dir=
UPD: add = to --user-data-dir because newer chrome versions require it in order to work
On OS X, to open a new Chrome window - without having to close the already open windows first - pass in the additional -n flag. Make sure to specify empty string for data-dir (necessary for newer versions of Chrome, like v50 something+).
open -na /Applications/Google\ Chrome.app/ --args --disable-web-security --user-data-dir=""
I found that using Chrome 60+ on Mac OS X Sierra, the above command no longer worked, but a slight modification does:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
The data directory path is important. Even if you're standing in your home directory when issuing the command, you can't simply refer to a local directory. It needs to be an absolute path.
The chosen answer is good, but for those who are still struggling with what they are talking about(your first time dealing with this issue), the following worked for me.
I created a new shortcut to Chrome on my desktop, right clicked it, and set the "Target" field to the following,
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:/chromedev"
The directory can be anything you want, I decided to make an empty folder called chrome dev in my C: directory. It has nothing to do where chrome is installed on your computer. It's just a fluff type thing.
This link also has clear directions for other OSes. How to disable web securityin Chrome
The version 49.0.2623.75 (64-bit) is not in beta anymore.
The command to fix the CORS issue is
google-chrome-stable --disable-web-security --user-data-dir
Install This Chrome-plugin for Disable-web-security in Chrome::
" Allow-Control-Allow-Origin: * "
link Here or you can google above plugin if you want.
it is very easy to enable and disable the security with this plugin.
For Chrome Version 50+ for Mac Users. Close all opened chrome first and run the below command
open -a Google\ Chrome --args --disable-web-security --user-data-dir=""
The above will work. Thanks
For Mac, using Safari is a good alternate option for local development purpose and the feature is built into the browser (so no need to add browser extension or launch Chrome using bash command like [open -a Google\ Chrome --args --disable-web-security --user-data-dir=""].
To disable cross origin restriction using Safari (v11+): From menu click “Develop > Disable Cross Origin Restriction”.
This does not require relaunching the browser and since its a toggle you can easily switch to secure mode.
From Chorme v81 the params --user-data-dir= requires an actual parameter, whereas in the past it didn't.
Something like this works fine for me
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="\tmp\chrome_test"
In a terminal put these:
cd C:\Program Files (x86)\Google\Chrome\Application
chrome.exe --disable-web-security --user-data-dir="c:/chromedev"
As of the date of this answer (March 2020) there is a plugin for chrome called CORS unblock that allows you to skip that browser policy. The 'same origin policy' is an important security feature of browsers. Please only install this plugin for development or testing purposes. Do not promote its installation in end client browsers because you compromise the security of users and the chrome community will be forced to remove this plugin from the store.
For MacOSX
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
For Windows 10+
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
It working for me.
Try using this..it will help you out..
c:\Program Files\Google\Chrome\Application>chrome.exe --disable-web-security --user-data-dir="D:\chrome"
For Windows
C:\Program Files\Google\Chrome\Application> .\chrome.exe --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
I am trying to access some local files via jqueryMobile, it works fine in Firefox and IE but Chrome gives a security exception. I can open Chrome in disabled security mode to access local files by using
C:\Program Files\Chrome\Chrome.exe --disable-web-security
or run it via this
chrome.exe --disable-web-security
but is there any way I can create a shortcut on desktop that will always open Chrome in disabled security mode?
Just clone the shortcut for chrome you have on your desktop, and then in the shortcut properties add the parameter --disable-web-security (and --user-data-dir) at the end of chrome executable path
e.g
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\tmpChromeSession"
Edit #1 : I changed google chrome path, the old one was not correct.
I just tried it on XP with fresh Chrome installed, but i got a error message that this flag is not supported.
Edit #2 : http://peter.sh/experiments/chromium-command-line-switches/
First search Run, then try this:
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
just a quick update, now you need not only --disable-web-security but --user-data-dir
to sum it up:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir
You must use the following flags
--disable-web-security
--user-data-dir
but also pass the path to your chrome user profile
See this:
https://productforums.google.com/forum/#!topic/chrome/9nHBcjNW384
https://bugs.chromium.org/p/chromium/issues/detail?id=575690
So now i have top pass my user profile path:
C:\Users\user\projects\project>"C:\Program Files (x86)\Google\Chrome\App
lication\chrome.exe" --disable-web-security --user-data-dir="C:\Users\user\A
ppData\Local\Google\Chrome\User Data\Default"
For MAC (ios)
Run following command in terminal.
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
It's working You have to add that parameter --disable-web-security in Target location after one space
Goto window search type Run
then on the run popup
just paste "chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security "
and ok || worked for me :)
Now it's
--disable-web-security --user-data-dir="c:/someFolderName"
chrome security command
for windows open run->than paste this command and make sure you have to close all windows before run this command
"chrome --disable-web-security --user-data-dir"
For Windows10:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\temp"
For Ubuntu,
google-chrome --args --disable-web-security --user-data-dir="Path_To_Project_Directory"
Creating Google Chrome
Ubuntu
Windows10
chrome.exe --disable-web-security --user-data-dir=c:\my-chrome-data\data
Why don't you try with Safari browser? It is simple to disable web security over there.
Simply click on
Develop > Disable Cross-Origin Restrictions
in the menu bar.
In order to get Develop menu, do the following:
Preferences > Advanced > Show Develop menu in menu bar.
I'm trying to do a simple test without changing any server-side code involving a cross-domain AJAX call, and I was wondering if it's possible to use --disable-web-security anymore. It seems to not work on Chrome 28.
I haven't used it since Chrome version 21; has this feature been dropped?
Check your windows task manager and make sure you kill all chrome processes before running the command.
The new tag for recent Chrome and Chromium browsers is :
--disable-web-security --user-data-dir=c:\my\data
Try this :
Windows:
Run below commands in CMD to start a new instance of chrome browser with disabled security
Go to Chrome folder:
cd C:\Program Files (x86)\Google\Chrome\Application
Run below command:
chrome.exe --disable-web-security --user-data-dir=c:\my-chrome-data\data
MAC OS:
Run this command in terminal:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
Hope this will help both Windows & Mac users!
This flag worked for me at v30.0.1599.101 m
The warning "You are using an unsupported command-line flag" can be ignored. The flag still works (as of Chrome v86).
This should work. You may save the following in a batch file:
TASKKILL /F /IM chrome.exe
start chrome.exe --args --disable-web-security
pause
Open target location of chrome and navigate through cmd
type
chrome.exe --disable-web-security --user-data-dir=c:\my\dat
Just create this batch file and run it on windows. It basically would kill all chrome instances and then would start chrome with disabling security. Save the following script in batch file say ***.bat and double click on it.
TASKKILL /F /IM chrome.exe
start chrome.exe --args --disable-web-security –-allow-file-access-from-files
Check if you have Chrome App Launcher. You can usually see it in your toolbar. It runs as a second instance of chrome, but unlike the browser, it auto-runs so is going to be running whenever you start your PC. Even though it isn't a browser view, it is a chrome instance which is enough to prevent your arguments from taking effect. Go to your task manager and you will probably have to kill 2 chrome processes.
As you can't run --disable-web-security and a normal chrome in parallel it's probably a good solution to use Opera for --disable-web-security
Here is how to create a launcher for opera on windows. By the way, Opera has the same debugging tools as chrome!
http://www.opera.com/
:: opera-browse-dangerously.bat
cd c:\Program Files\Opera\
launcher.exe --disable-web-security --user-data-dir="c:\opera-dev"
PS: Opera doesn't display any notification when started without web-security
If you want to automate this:
Kill chrome from task Manager First. In Windows - Right Click (or Shift+right click, in-case of taskbar) on Chrome Icon. Select Properties. In "Target" text-box, add --disable-web-security flag.
So text in text-box should look like
C:\Users\njadhav\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --disable-web-security
Click Ok and launch chrome.
just run this command from command prompt and it will launch chrome instance with CORS disabled:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
Automated solution for Windows 10
Right-click on Chrome icon > right-click Google Chrome > Properties
Shortcut > Target > "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\ChromeDevSession"
Notes:
Your file path for chrome.exe may vary.
Also, the --user-data-dir flag is required, and its file path may vary. Besides C:\ChromeDevSession, another possible location is ~/chromeTemp
Now Chrome always has its web security disabled :-)