CORS still enforced after disabling Chrome web security? - javascript

I'm trying to grab data from one website and use it to write something into another website (using JQuery/Javascript). Understandably, the same origin rules weren't going to let that happen, but I figured disabling web security/CORS on my browser should fix that problem. For some reason, I can't get the policy disabled in Chrome, and I can't figure out why.
I've tried launching Chrome with --disable-web-security --user-data-dir=
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:\Users\<username>\Desktop\chromeTemp"
I expected to be able to open a new tab, access 'document' in the console, and find a link I want to 'click', but instead I got
VM186:1 Uncaught DOMException: Blocked a frame with origin <url> from accessing a cross-origin frame.
I thought this would no longer be blocked?

Looks like there might be an open bug for this, possibly try an older chrome version.
https://bugs.chromium.org/p/chromium/issues/detail?id=840124
See Last Comment on workaround:
"The workaround is to download an old version of Chrome as a portable app : https://sourceforge.net/projects/portableapps/files/Google%20Chrome%20Portable/ (version 66.0.3359.181 still works). It's the one I use when I'm developing..."

Related

Why am I getting this error chrome-extension://invalid

I am facing a wierd problem accessing the Chromecast extension in Chrome.
I made a web page and when the user press connect it call the Cast Api and open the dialog to connect to a Chromecast.
In some pcs it doesn't work the error that appears is:
chrome-extension://invalid Failed to load resource: net::ERR_FAILED
The error just occurs in Windows in non administrator accounts.
I thought it was the proxy, or the company network firewall, but it wasn't we tested without the proxy and the error occurs.
If the account is a Windows Administrator it works!
My guess is that the Chrome or Windows is blocking the access to the extension because is a javascript calling the cast.js and the cast.js calls extension (Maybe CORS).
My website has https. I set in Internet Options as a trusted site.
In old Chromes the error is different:
GET chrome-extension://pkedcjkdefgpdelpbcmbmeomcjbeemfm/cast_sender.js
net::ERR_FAILED
Does anyone know how to fix it(chrome-extension://invalid)?
In my case when I played audio sound/beep.ogg, it worked but console contained same error. I solved it by adding it to web_accessible_resources in manifest.json:
"web_accessible_resources": [
"tileset/*.json", "layer/*.json", "sound/*.ogg"
],
I discovered what happened.
The corporate network is protected by their proxy.
We monitored the calls and discovered that:
The cast lib tries to call the cast extension "pkedcjkdefgpdelpbcmbmeomcjbeemfm", which is not installed at %appdata% folder.
The Chrome tries to download it at: gvt1.com and the network blocked this domain. After talking to the network administrator, we released the domain and it worked.
Sometimes this happens because of a failed extension. If you go to the Network Tab in Chrome Developer tools, and hover over the Initiator column on the line showing invalid in red, you'll see something like
chrome-extension://jjfblogammkiefalfpafidabbnamoknm ...
Then go to the Extensions page for Chrome, and you'll see an extension with that ID. Disable or Remove that extension.

Chrome SecurityError loading jQuery Mobile page from local file system

I get the following error in Chrome when loading a trivially simple html file with a jQuery Mobile reference. The error is not present with just the jQuery reference.
Uncaught SecurityError: Failed to execute 'replaceState' on 'History':
A history state object with URL 'http://stacksnippets.net/js' cannot
be created in a document with origin 'null'.
<html>
<head>
<script src="https://code.jquery.com/jquery-2.1.4.js"></script>
<script src="https://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.js"></script>
</head>
<body></body>
</html>
You can also "Run code snippet" and see the error in the console.
This error did not happen before today. I have not changed my code or method of loading the html file in the browser. It used to work perfectly - I use the same code for all my PhoneGap apps.
Does anyone know if there was a Chrome security update that causes this SecurityError or whether I'm missing something? How would you go about debugging this? Thank you.
UPDATE
This discussion I think points out what is going on, which I suspected, since the error does not appear when running with a web server: Origin null is not allowed by Access-Control-Allow-Origin .
But I am still wondering why this changed in the past day, whether Chrome has had a change in their security policy, or why it was working before, and whether any of my PhoneGap apps will be affected.
This error is same as the origin is null error. This error occurs because of the security feature of Chrome.
A simple solution to test the application is to bypass this security on chrome.
Steps:
create a chrome browser shortcut on desktop.
Close all the instances of chrome on your machine.
Right click on the desktop shortcut of chrome and click on Properties.
in Target field, append " -allow-file-access-from-files" at the end.
Save and close properties.
Open chrome via this shortcut only.
Hurry, the error has gone. App works perfectly.
NOTE: This is just a work-around I use to test my cordova apps on desktop browser for UI testing.
Temporary solution: I've commented out all history.replaceState calls in jquery mobile, didn't need to manipulate browser history in my app anyways.
I wonder if it's chrome security bug or model and future behavior.
On a Mac I was able to fix this by running a webserver instead of loading it from a "file://" url:
http://lifehacker.com/start-a-simple-web-server-from-any-directory-on-your-ma-496425450?utm_expid=66866090-49.VYy4WCNHSyuP6EmjnM93MQ.0&utm_referrer=https%3A%2F%2Fwww.google.com%2F
python -m SimpleHTTPServer 8000
In the directory should make it available from Chrome via 0.0.0.0
I don't seem to have the same problem, not on the stable version of Chrome (45) or the Dev version (47).
However, I have personally seen issues with the CORS header, too. If you can cause the problem to happen reliably, I suggest filing a bug at crbug.com and a Chrome developer will have a look at it.

Cross-origin image load denied on a local image with THREE.js on Chrome

I'm using THREE.js and I get this error in the developer console:
Cross-origin image load denied by Cross-Origin Resource Sharing policy.
when I open my script with Chrome.
The code looks like this:
var particle_system_material = new THREE.ParticleSystemMaterial({
color: 0xffffff,
map: THREE.ImageUtils.loadTexture("images/circle.png"),
});
So as you can guess, the:
map: THREE.ImageUtils.loadTexture("images/circle.png");
is the problem.
With Firefox it works very well.
I've read the tips in the following links :
Chrome, three.js: Cross-origin image load denied,
https://github.com/mrdoob/three.js/wiki/How-to-run-things-locally,
https://www.google.fr/search?q=Access-Control-Allow-Origin
I also realized the commands given:
Start Chrome executable with a command line flag:
chrome --allow-file-access-from-files
nothing works and I'm going crazy. It is just an image on my hard drive with HTML and JS files, no server, no "origin".
Are you running a local server, or are you just opening the html file?
Most likely, running a localhost server will fix this issue. Mamp / Wamp are super easy to use.
If that doesn't work, you can do something drastic like chrome --disable-web-security
Keep in mind that if you start chrome with the disable web security flag, you must first shut down all other instances of chrome in order for it to work as you expect.

Chrome create extention to avoid origin file // is not allowed by access-control-allow-origin

I am getting origin file // is not allowed by access-control-allow-origin. chrome
when calling an https//abc.com using xmlHttpRequest().
Works fine in IE10 but not in Chrome. I get the above error in Chrome. Searching online i saw I need to make a packaged extension and mention http://*/ in that file under 'permissions'. How to create this extension and install? Am i missing something, can somebody give a tutorial.
Your solution definitely has nothing to do with creating a chrome extension. What you read with regards to that is only for those actually developing a Chrome extension and will not help you on your site. Read the link given by Satya in the comments. Here it is again:
Cross Domain Requests

Header Origin not allowed

I want to bring a web application from PhoneGap to pc browser just because I need to do some tests. Inside the WebApp there are some XMLHttpRequest which fail because the Header origin is null.
I've already tried to run Chrome with this command :
chromium-browser index.html --allow-file-access-from-files
I've got the same error :
Origin file:// is not allowed by Access-Control-Allow-Origin.
I can't understand why with android emulator everything works properly.
Also phonegap loads the local file :
super.loadUrl("file:///android_asset/www/index.html", 1);
More or less I've solved it with this add On for Firefox!
It might be useful for others people :
Firefox add-ons Force CORS
Try using this flag --disable-web-security when launching chromium. Obviously, it's for dev purposes only.

Categories

Resources