Disable same origin policy in Chrome

Question

Is there any way to disable the Same-origin policy on Google s Chrome browser

User · Answer

I use this sometimes  for posting a localhost front-end site to a localhost back-end API  e g  React to an old  NET API   I created a separate shortcut on my Windows 10 desktop  so that it never is used for normal browsing  only for debugging locally  I did the following -   Right click on desktop  add new shortcut Add the target as   PATH TO CHROME  chrome exe  --disable-web-security Click OK    You will get a warning on load of this browser  that it is not secure  just take care with what you browser on it  I tend to rename this new shortcut on the desktop  something in capital  and move it away from my other icons  so it can t be confused for normal Chrome   Hope this helps

User · Answer

On Linux- Ubuntu  to run simultaneously a normal session and an unsafe session run the following command   google-chrome  --user-data-dir  tmp --disable-web-security

User · Answer

EDIT 3  Seems that the extension no longer exists    Normally to get around CORS these days I set up another version of Chrome with a separate directory or I use Firefox with https   addons mozilla org en-US firefox addon cors-everywhere  instead   EDIT 2  I can no longer get this to work consistently   EDIT  I tried using the just the other day for another project and it stopped working  Uninstalling and reinstalling the extension fixed it  to reset the defaults    Original Answer   I didn t want to restart Chrome and disable my web security  because I was browsing while developing  and stumbled onto this Chrome extension   Chrome Web Store Allow-Control-Allow-Origin     https   chrome google com webstore detail allow-control-allow-origi nlfbmbojpeacfghkpbjhddihlkkiljbi hl en   Basically it s a little toggle switch to toggle on and off the Allow-Access-Origin-Control check  Works perfectly for me for what I m doing

User · Answer

The Allow-Control-Allow-Origin plugin for Chrome does not work  This is for MacOS  I added alias chrome  open -n -a  Applications Google  Chrome app Contents MacOS Google  Chrome --args --user-data-dir --disable-web-security  to my  profile as an alias    The other commands will disable my other extensions and this will boot your normal chrome with cors disabled

User · Answer

Using the current latest chrome version  Version 88 0 4324 182  Official Build   64-bit    the only way I could make it work on windows 10 was to start chrome using the below flags  change the D  temp to your liking   This solution will start chrome as a sandbox for tests and it will not affect the main chrome profile   --disable-site-isolation-trials --disable-web-security --user-data-dir  quot D  temp quot   in windows  click the start button then copy paste the below  chrome exe  --disable-site-isolation-trials --disable-web-security --user-data-dir  quot D  temp quot

User · Answer

There is a Chrome extension called CORS Toggle   Click here to access it and add it to Chrome   After adding it  toggle it to the on position to allow cross-domain requests

User · Answer

Following on Ola Karlsson answer  indeed the best way would be to open the unsafe Chrome in a different session  This way you don t need to worry about closing all of the currently opened tabs  and also can continue to surf the web securely with the original Chrome session   These batch files should just work for you on Windows   Put it in a Chrome CORS bat file for easy use  start     c  Program Files  x86  Google Chrome Application chrome exe  --user-data-dir  c   chrome dev  --disable-web-security   This one is for Chrome Canary  Canary CORS bat  start     c  Users  USERNAME  AppData Local Google Chrome SxS Application chrome exe  --user-data-dir  c   canary dev  --disable-web-security

User · Answer

For windows users with Chrome Versions 60 0 3112 78  the day the solution was tested and worked  and at least until today 19 01 2019  ver  71 0 3578 98   You do not need to close any chrome instance    Create a shortcut on your desktop Right-click on the shortcut and click Properties Edit the Target property Set it to  C  Program Files  x86  Google Chrome Application chrome exe  --disable-web-security --user-data-dir  C  ChromeDevSession  Start chrome and ignore the message that says --disable-web-security is not supported    BEWARE NOT TO USE THIS PARTICULAR BROWSER INSTANCE FOR BROWSING BECAUSE YOU CAN BE HACKED WITH IT

User · Answer

chromium-browser --disable-web-security --user-data-dir   ChromeUserData

User · Answer

this is an ever moving target     today I needed to add another flag to get it to work  --disable-site-isolation-trials  OS X  open  Applications Google  Chrome app --args --user-data-dir   var tmp Chrome dev 2  --disable-web-security --disable-site-isolation-trials

User · Answer

On a Windows PC  use an older version of Chrome and the command will work for all you guys   I downgraded my Chrome to 26 version and it worked

User · Answer

For Windows users   The problem with the solution accepted here  in my opinion is that if you already have Chrome open and try to run this it won t work    However  when researching this  I came across a post on Super nbsp User  Is it possible to run Chrome with and without web security at the same time    Basically  by running the following command  or creating a shortcut with it and opening Chrome through that   chrome exe --user-data-dir  C  Chrome dev session  --disable-web-security   you can open a new  insecure  instance of Chrome at the same time as you keep your other  secure  browser instances open and working as normal   Important  delete clear C  Chrome dev session folder every time when you open a window as second time --disable-web-security is not going to work  So you cannot save your changes and then open it again as a second insecure instance of Chrome with --disable-web-security

User · Answer

Try going to this page and disabling the domain security policy for your website domain   chrome   net-internals  hsts

User · Answer

Used below command in Ubuntu to start chrome  disable same origin policy and open chrome in detached mode    nohup google-chrome --disable-web-security --user-data-dir   tmp   amp

User · Answer

Try this command on Mac terminal-  open -n -a  Google Chrome  --args --user-data-dir  tmp temp chrome user data dir http   localhost 8100  --disable-web-security    It opens another instance of chrome with disabled security and there is no CORS issue anymore  Also  you don t need to close other chrome instances anymore  Change localhost URL to your s one

User · Answer

For Windows    using windows 8 1  chrome 44 0    First  close google chrome   Then  open command prompt and go to the folder where  chrome exe  is     for me   chrome exe  is here  C  Program Files  x86  Google Chrome Application     So I type       cd C  Program Files  x86  Google Chrome Application    now type  chrome exe --disable-web-security  a new window of chrome will open

User · Answer

I find the best way to do this is duplicate a Chrome or Chrome Canary shortcut on your windows desktop  Rename this shortcut to  NO CORS  then edit the properties of that shortcut    in the target add --disable-web-security --user-data-dir  D  Chrome  to the end of the target path    your target should look something like this   Update  New Flags added    C  Program Files  x86  Google Chrome Application chrome exe  --disable-web-security --user-data-dir  D  Chrome

User · Answer

Yep  For OSX  open Terminal and run    open -a Google  Chrome --args --disable-web-security --user-data-dir  --user-data-dir required on Chrome 49  on OSX For Linux run    google-chrome --disable-web-security  Also if you re trying to access local files for dev purposes like AJAX or JSON  you can use this flag too  -   allow-file-access-from-files  For Windows go into the command prompt and go into the folder where Chrome exe is and type chrome exe --disable-web-security  That should disable the same origin policy and allow you to access local files  Update  For Chrome 22  you will be presented with an error message that says   You are using an unsupported command-line flag  --disable-web-security  Stability and security will suffer   However you can just ignore that message while developing

User · Answer

Create a new shortcut      Paste the following path    quot C  Program Files  x86  Google Chrome Application chrome exe quot   quot C  Program Files Google Chrome Application chrome exe quot  --disable-web-security --user-data-dir  quot c  temp chrome quot     Name it   Unsafe Chrome exe   Now you have an unsafe version of Google Chrome on desktop to use it for debugging front-end applications without any CORS problems

User · Answer

You can use this chrome plugin called  Allow-Control-Allow-Origin         It make it a dead simple and work very well  check it here

User · Answer

For Selenium Webdriver  you can have selenium start Chrome with the appropriate arguments  or  switches   in this case     driver   Selenium  WebDriver for  Chrome             detach   gt  false          switches   gt    --disable-web-security

User · Answer

For Windows   Open the start menu  Type windows R or open  quot Run quot   Execute the following command   chrome exe --user-data-dir  quot C   Chrome dev session quot  --disable-web-security     For Mac   Go to Terminal  Execute the following command   open  Applications Google  Chrome app --args --user-data-dir  quot  var tmp Chrome dev session quot  --disable-web-security     A new web security disabled chrome browser should open with the following message   For Mac If you want to open new instance of web security disabled Chrome browser without closing existing tabs then use below command open -na Google  Chrome --args --user-data-dir  tmp temporary-chrome-profile-dir --disable-web-security  It will open new instance of web security disabled Chrome browser  as shown below

User · Answer

You can simply use this chrome extension Allow-Control-Allow-Origin  just click the icon of the extensnion to turn enable cross-resource sharing  ON or OFF as you want

User · Answer

For OSX  run the following command from the terminal   open -na Google  Chrome --args --disable-web-security --user-data-dir  HOME profile-folder-name   This will start a new instance of Google Chrome with a warning on top

User · Answer

If you are using Google Chrome on Linux  following command works   google-chrome  --disable-web-security

User · Answer

Close chrome  or chromium  and restart with the --disable-web-security argument  I just tested this and verified that I can access the contents of an iframe with src  http   google com  embedded in a page served from  localhost   tested under chromium 5   ubuntu   For me the exact command was   Note     Kill all chrome instances before running command  chromium-browser --disable-web-security --user-data-dir   some directory here     The browser will warn you that  you are using an unsupported command line  when it first opens  which you can ignore   From the chromium source      Don t enforce the same-origin policy   Used by people testing their sites   const wchar t kDisableWebSecurity     L disable-web-security       Before Chrome 48  you could just use   chromium-browser --disable-web-security

User · Answer

Seems none of above solutions are actually working  The --disable-web-security is no longer supported in recent chrome versions    Allow-Control-Allow-Origin    - chrome extension partially solved the problem  It works only if your request is using GET method and there s no custom HTTP Header  Otherwise  chrome will send OPTIONS HTTP request as a pre-flight request  If the server doesn t support CORS  it will respond with 404 HTTP status code  The plugin can t modify the response HTTP status code  So chrome will reject this request  There s no way for chrome plugin to modify the response HTTP status code based on current chrome extension API  And you can t do a redirect as well for XHR initiated request   Not sure why Chrome makes developers life so difficult  It blocks all the possible ways to disable XSS security check even for development use which is totally unnecessary   After days struggle and research  one solution works perfectly for me  to use corsproxy  You have two options here   1  use  https   cors-anywhere herokuapp com   2  install corsproxy in the local box  npm install -g corsproxy   Updated on Jun 23  2018  Recent I m developing an SPA app which need to use corsproxy again  But seem none of the corsproxy on the github can meet my requirement     need it to run inside firewall for security reason  So I can t use https   cors-anywhere herokuapp com    It has to support https as chrome will block no-https ajax request in an https page   I need to run on nodejs  I don t want to maintain another language stack    So I decide to develop my own version of corsproxy with nodejs  It s actually very simple  I have published it as a gist on the github  Here is the source code gist   https   gist github com jianwu 8e76eaec95d9b1300c59596fbfc21b10   It s in plain nodejs code without any additional dependencies You can run in http and https mode  by passing the https port number in command line   to run https  you need to generate cert and key and put them in the webroot directory   It also serves as static file server It supports pre-flight OPTION request as well    To start the CORSProxy server  http port 8080   node static server js 8080  to access the proxy  http   host 8080 http   www somesite com

User · Answer

FOR MAC USER ONLY   open -n -a  Applications Google  Chrome app --args --user-data-dir   tmp someFolderName  --disable-web-security

User · Answer

for mac users   open -a  Google Chrome  --args --disable-web-security --user-data-dir   and before Chrome 48  you could just use   open -a  Google Chrome  --args --disable-web-security

User · Answer

On Windows 10  the following will work    lt  lt path gt  gt  chrome exe --allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt

User · Answer

For Windows    create a Chrome shortcut on your desktop  Right-click   properties   Shortcut Edit  target  path       C  Program Files Google Chrome Application chrome exe  --args --disable-web-security    Change the  C      chrome exe  to where ever your chrome is located    et voil

User · Answer

If you use your web server  you ca use Header On Apache  lt VirtualHost gt  or in an  htaccess file  Header set Access-Control-Allow-Origin  origin-list   On Nginx add header  Access-Control-Allow-Origin   origin-list

User · Answer

This Chrome plugin works for me  Allow-Control-Allow-Origin    - Chrome Web Store

User · Answer

Don t do this  You re opening your accounts to attacks  Once you do this any 3rd party site can start issuing requests to other websites  sites that you are logged into  Instead run a local server  It s as easy as opening a shell terminal commandline and typing cd path to files python -m SimpleHTTPServer  Then pointing your browser to http   localhost 8000  If you find it s too slow consider this solution Update People downvoting this answer should go over here and downvote this one too to be consistent  No idea why my answer is so downvoted and the same answer over here is the top voted answer  You are opening yourself to attacks  Every single 3rd party script you include on your site remotely or locally like via npm can now upload your data or steal your credentials  You are doing something you have no need to do  The suggested solution is not hard  takes 30 seconds  doesn t leave you open attack  Why would you choose to make yourself vulnerable when the better thing to do is so simple  Telling people to disable security is like telling your friends to leave their front door unlocked and or a key under the doormat  Sure the odds might be low but if they do get burgled  without proof of forced entry they might have a hard time collecting insurance  Similarly if you disable security you are doing just that disabling security  It s irresponsible to do this when you can solve the issue so simply without disabling security  I d be surprised if you couldn t be fired at some companies for disabling security

[javascript] Disable same origin policy in Chrome

Examples related to javascript

Examples related to ajax

Examples related to google-chrome