Is there any way to disable the Same-origin policy on Google's Chrome browser?
Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:
Note: Kill all Chrome instances before running the command.
chromium-browser --disable-web-security --user-data-dir="[some directory here]"
The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.
From the chromium source:
// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";
Before Chrome 48, you could just use:
chromium-browser --disable-web-security
Yep. For OSX, open Terminal and run:
$ open -a Google\ Chrome --args --disable-web-security --user-data-dir
--user-data-dir required on Chrome 49+ on OSX
For Linux run:
$ google-chrome --disable-web-security
Also if you're trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.
--allow-file-access-from-files
For Windows go into the command prompt and go into the folder where Chrome.exe is and type
chrome.exe --disable-web-security
That should disable the same origin policy and allow you to access local files.
Update: For Chrome 22+ you will be presented with an error message that says:
You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.
However you can just ignore that message while developing.
For Windows users:
The problem with the solution accepted here, in my opinion is that if you already have Chrome open and try to run the chrome.exe --disable-web-security command it won't work.
However, when researching this, I came across a post on Super User, Is it possible to run Chrome with and without web security at the same time?.
Basically, you need to add to the command and run it like this instead (or create a shortcut with it and run a new Chrome instance through that)
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
which will open a new "insecure" instance of Chrome at the same time as you keep your other "secure" browser instances open and working as normal.
This works by creating a new folder/directory "Chrome dev session" under C: and tells this new Chrome instance to use that folder/directory for its user and session data. Because of this, the new instance is separated from your "normal" Chrome data and your bookmarks and other saved data will not be available in this instance.
Note: only the first "new" instance of Chrome opened with this method is affected, hence it is only the first tab in the first new Chrome window which is affected.
If you close that instance, you can use the same command again and for example any bookmarks to your local app or similar will still be there as it's pointing to the same folder.
If you want to run multiple "insecure" instances, each one will need its own folder/directory, so you will need to run the command again with a different folder name. This however also means that each insecure instance will be separated from the others, so any bookmarks or other saved user or session data will not be available across instances.
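An added example (not from any of the answers on this page): a Node.js check that flags Chrome command lines running without the same-origin policy and reports whether the separate profile directory described above was supplied. The sample command lines, function names and finding texts are constructed for illustration.

```javascript
// Split a command line into arguments, honouring quotes that start mid-token
// (as in --user-data-dir="C:/Chrome dev session").
function splitArgs(cmdline) {
  const args = [];
  let cur = "", quote = null, started = false;
  for (const ch of cmdline) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; started = true;
    } else if (/\s/.test(ch)) {
      if (started) { args.push(cur); cur = ""; started = false; }
    } else {
      cur += ch; started = true;
    }
  }
  if (started) args.push(cur);
  return args;
}

const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Return the list of findings for one browser command line.
function auditChromeCommand(cmdline) {
  const switches = new Map();
  const urls = [];
  for (const arg of splitArgs(cmdline)) {
    const m = /^--([a-z0-9-]+)(?:=(.*))?$/i.exec(arg);
    if (m) { switches.set(m[1].toLowerCase(), m[2] || ""); continue; }
    try {
      const u = new URL(arg);
      if (u.protocol === "http:" || u.protocol === "https:") urls.push(u);
    } catch { /* not a URL (executable path, bare word) */ }
  }
  const findings = [];
  if (switches.has("remote-debugging-port")) {
    findings.push("DevTools remote debugging port " + switches.get("remote-debugging-port"));
  }
  if (switches.has("allow-file-access-from-files")) {
    findings.push("file:// pages may request other local files");
  }
  if (!switches.has("disable-web-security")) return findings;
  findings.push("same-origin policy not enforced");
  // A bare --user-data-dir with no value is treated like a missing one.
  if (!switches.get("user-data-dir")) findings.push("no dedicated --user-data-dir given");
  for (const u of urls) {
    if (!LOCAL_HOSTS.has(u.hostname)) findings.push("opened on non-local site " + u.host);
  }
  return findings;
}

// Constructed process command lines, modelled on the commands on this page.
const SAMPLES = [
  String.raw`"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/Chrome dev session" http://localhost:8100/`,
  "chrome.exe --disable-web-security",
  "google-chrome --disable-web-security --user-data-dir=/tmp/dev https://mail.example.test/inbox",
  "google-chrome https://example.test/",
];
for (const line of SAMPLES) console.log(auditChromeCommand(line), "<-", line);
```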
For Windows:
Open the start menu
Type windows+R or open "Run"
Execute the following command:
chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security
For Mac:
Go to Terminal
Execute the following command:
open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security
A new web security disabled chrome browser should open with the following message:
For Mac
If you want to open a new instance of the web-security-disabled Chrome browser without closing existing tabs, then use the command below:
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security
It will open a new instance of the web-security-disabled Chrome browser as shown below
Using the current latest chrome Version 103.0.5060.134 (Official Build) (64-bit)
Windows: click the Start button, then copy and paste the command below (change D:\temp to your liking):
chrome.exe --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"
Linux: start a terminal, then run the command below (change the ~/tmp directory to your liking):
google-chrome --disable-site-isolation-trials --disable-web-security --user-data-dir="$HOME/tmp"
Note : This solution will start chrome in an isolated sandbox and it will not affect the main chrome profile.
For Windows users with Chrome versions 60.0.3112.78 (the day the solution was tested and worked) and at least until today, 24.11.2022 (ver. 106.0.5249.119 (Official Build) (64-bit)): you do not need to close any Chrome instance.
Create a shortcut on your desktop
Right-click on the shortcut and click Properties
Edit the Target property
Set it to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/ChromeDevSession"
Start chrome and ignore the message that says --disable-web-security is not supported!
BEWARE NOT TO USE THIS PARTICULAR BROWSER INSTANCE FOR BROWSING BECAUSE YOU CAN BE HACKED WITH IT!
EDIT 3: Seems that the extension no longer exists... Normally to get around CORS these days I set up another version of Chrome with a separate directory or I use Firefox with https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/ instead.
EDIT 2: I can no longer get this to work consistently.
EDIT: I tried using the just the other day for another project and it stopped working. Uninstalling and reinstalling the extension fixed it (to reset the defaults).
Original Answer:
I didn't want to restart Chrome and disable my web security (because I was browsing while developing) and stumbled onto this Chrome extension.
Chrome Web Store Allow-Control-Allow-Origin: * (https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en)
Basically it's a little toggle switch to toggle on and off the Allow-Access-Origin-Control check. Works perfectly for me for what I'm doing.
Try this command on Mac terminal-
open -n -a "Google Chrome" --args --user-data-dir=/tmp/temp_chrome_user_data_dir http://localhost:8100/ --disable-web-security
It opens another instance of Chrome with disabled security and there is no CORS issue anymore. Also, you don't need to close other Chrome instances anymore. Change the localhost URL to your own.
Seems none of above solutions are actually working. The --disable-web-security is no longer supported in recent chrome versions.
Allow-Control-Allow-Origin: * - chrome extension partially solved the problem. It works only if your request is using GET method and there's no custom HTTP Header. Otherwise, chrome will send OPTIONS HTTP request as a pre-flight request. If the server doesn't support CORS, it will respond with 404 HTTP status code. The plugin can't modify the response HTTP status code. So chrome will reject this request. There's no way for chrome plugin to modify the response HTTP status code based on current chrome extension API. And you can't do a redirect as well for XHR initiated request.
Not sure why Chrome makes developers life so difficult. It blocks all the possible ways to disable XSS security check even for development use which is totally unnecessary.
After days of struggle and research, one solution works perfectly for me: to use corsproxy. You have two options here:
1. use [https://cors-anywhere.herokuapp.com/]
2. install corsproxy in the local box: npm install -g corsproxy
[Updated on Jun 23, 2018] Recently I'm developing an SPA app which needs to use corsproxy again. But it seems none of the corsproxies on GitHub can meet my requirements.
I need it to run inside the firewall for security reasons, so I can't use https://cors-anywhere.herokuapp.com/.
It has to support https, as Chrome will block non-https AJAX requests in an https page.
I need to run on nodejs. I don't want to maintain another language stack.
So I decided to develop my own version of corsproxy with nodejs. It's actually very simple. I have published it as a gist on GitHub. Here is the source code gist:
https://gist.github.com/jianwu/8e76eaec95d9b1300c59596fbfc21b10
It's in plain nodejs code without any additional dependencies.
You can run it in http and https mode (by passing the https port number on the command line). To run https, you need to generate a cert and key and put them in the webroot directory.
It also serves as a static file server.
It supports pre-flight OPTIONS requests as well.
To start the CORSProxy server (http port 8080):
node static_server.js 8080
to access the proxy:
http://host:8080/http://www.somesite.com
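An added example of the proxy approach described above, not the code from the linked gist: it answers the OPTIONS pre-flight itself and maps a /http://host/path request to an upstream request. The upstream allowlist, the dev origin http://localhost:8100, the CORS_PROXY_PORT variable and all function names are assumptions; needsPreflight generalizes the GET/custom-header rule above to a simplified form of the browser's rule.

```javascript
const http = require("http");
const https = require("https");

// Assumption: the only upstream hosts this proxy may reach (hypothetical).
const ALLOWED_UPSTREAMS = new Set(["www.somesite.com", "api.example.test"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Simplified browser rule: does this request trigger an OPTIONS pre-flight?
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    const type = String(value).split(";")[0].trim().toLowerCase();
    if (n === "content-type" && !SIMPLE_TYPES.has(type)) return true;
  }
  return false;
}

// "/http://www.somesite.com/a?b=1" -> URL, or null when the target is not allowed.
function parseTarget(reqUrl) {
  let target;
  try { target = new URL(reqUrl.replace(/^\/+/, "")); } catch { return null; }
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  return ALLOWED_UPSTREAMS.has(target.hostname) ? target : null;
}

// CORS response headers for the one dev origin served; null for any other origin.
function corsHeaders(reqHeaders, devOrigin) {
  if (reqHeaders.origin !== devOrigin) return null;
  const h = { "access-control-allow-origin": devOrigin, vary: "Origin" };
  if (reqHeaders["access-control-request-method"]) {
    h["access-control-allow-methods"] = reqHeaders["access-control-request-method"];
    h["access-control-allow-headers"] = reqHeaders["access-control-request-headers"] || "";
  }
  return h;
}

function createProxy(devOrigin) {
  return http.createServer((req, res) => {
    const cors = corsHeaders(req.headers, devOrigin);
    const target = parseTarget(req.url);
    if (!cors || !target) { res.writeHead(403); return res.end("forbidden"); }
    // Answer the pre-flight here, so an upstream without CORS support never sees it.
    if (req.method === "OPTIONS") { res.writeHead(204, cors); return res.end(); }
    const lib = target.protocol === "https:" ? https : http;
    const headers = { ...req.headers, host: target.host };
    const up = lib.request(target, { method: req.method, headers }, (upRes) => {
      // Drop upstream CORS headers so the browser sees exactly one set.
      const kept = Object.entries(upRes.headers).filter(([k]) => !k.startsWith("access-control-"));
      res.writeHead(upRes.statusCode, { ...Object.fromEntries(kept), ...cors });
      upRes.pipe(res);
    });
    up.on("error", () => { if (!res.headersSent) res.writeHead(502, cors); res.end(); });
    req.pipe(up);
  });
}

// Listen on loopback only, and only when a port is given (e.g. CORS_PROXY_PORT=8080).
if (process.env.CORS_PROXY_PORT) {
  createProxy("http://localhost:8100").listen(Number(process.env.CORS_PROXY_PORT), "127.0.0.1");
}
```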
I find the best way to do this is duplicate a Chrome or Chrome Canary shortcut on your windows desktop. Rename this shortcut to "NO CORS" then edit the properties of that shortcut.
in the target add --disable-web-security --user-data-dir="D:/Chrome" to the end of the target path.
your target should look something like this:
Update: New Flags added.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:/Chrome"
For Windows... create a Chrome shortcut on your desktop.
Right-click > properties > Shortcut
Edit "target" path :
"C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security
(Change the 'C:....\chrome.exe' to where ever your chrome is located).
et voilà :)
Create a shortcut:
Paste the command:
cmd /c start chrome --disable-web-security --user-data-dir="c:\temp\chrome"
Run as administrator
For OSX, run the following command from the terminal:
open -na Google\ Chrome --args --disable-web-security --user-data-dir=$HOME/profile-folder-name
This will start a new instance of Google Chrome with a warning on top.
CAUTION: if you use --user-data-dir, then Chrome disconnects from your user-data folder (and logs you out of all your sites), even if you run it again without any params. To roll this back, you need to open it in the above way but without that parameter.
For Selenium Webdriver, you can have selenium start Chrome with the appropriate arguments (or "switches") in this case.
require "selenium-webdriver"

# Start Chrome with --disable-web-security for this test session.
driver = Selenium::WebDriver.for(:chrome, {
  :detach => false,
  :switches => ["--disable-web-security"]
})
You can use this Chrome plugin called "Allow-Control-Allow-Origin: *" ... It makes it dead simple and works very well.
check it here: *
FOR MAC USER ONLY
open -n -a /Applications/Google\ Chrome.app --args --user-data-dir="/tmp/someFolderName" --disable-web-security
You can simply use this chrome extension Allow-Control-Allow-Origin
Just click the icon of the extension to turn cross-resource sharing ON or OFF as you want.
If you are using Google Chrome on Linux, following command works.
google-chrome --disable-web-security
This Chrome plugin works for me:
Allow-Control-Allow-Origin: * - Chrome Web Store
On Linux- Ubuntu, to run simultaneously a normal session and an unsafe session run the following command:
google-chrome --user-data-dir=/tmp --disable-web-security
Following on Ola Karlsson answer, indeed the best way would be to open the unsafe Chrome in a different session. This way you don't need to worry about closing all of the currently opened tabs, and also can continue to surf the web securely with the original Chrome session.
These batch files should just work for you on Windows.
Put it in a Chrome_CORS.bat file for easy use
start "" "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="c:/_chrome_dev" --disable-web-security
This one is for Chrome Canary. Canary_CORS.bat
start "" "c:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --user-data-dir="c:/_canary_dev" --disable-web-security
chromium-browser --disable-web-security --user-data-dir=~/ChromeUserData/
On Windows 10, the following will work.
<<path>>\chrome.exe --allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt
for mac users:
open -a "Google Chrome" --args --disable-web-security --user-data-dir
and before Chrome 48, you could just use:
open -a "Google Chrome" --args --disable-web-security
this is an ever moving target.... today I needed to add another flag to get it to work:
--disable-site-isolation-trials
OS X:
open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome_dev_2" --disable-web-security --disable-site-isolation-trials
There is a Chrome extension called CORS Toggle.
Click here to access it and add it to Chrome.
After adding it, toggle it to the on position to allow cross-domain requests.
Used below command in Ubuntu to start chrome (disable same origin policy and open chrome in detached mode):
nohup google-chrome --disable-web-security --user-data-dir='/tmp' &
For Windows:
(using windows 8.1, chrome 44.0)
First, close google chrome.
Then, open command prompt and go to the folder where 'chrome.exe' is.
( for me: 'chrome.exe' is here "C:\Program Files (x86)\Google\Chrome\Application".
So I type:
cd C:\Program Files (x86)\Google\Chrome\Application )
now type: chrome.exe --disable-web-security
a new window of chrome will open.
Only for OSX Catalina the below command works for me.
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
On a Windows PC, use an older version of Chrome and the command will work for all you guys.
I downgraded my Chrome to 26 version and it worked.
Related
I am trying to open multiple windows via batch file in Chrome Canary. I can do it via regular Chrome, but when I try inserting info for Canary and launch it opens up a data file so I think the issue is maybe a directory issue.
Regular Chrome (works)
start "" "c:\program files (x86)\google\chrome\application\chrome.exe" --app="data:text/html,<html><body><script>window.moveTo(300,50);window.resizeTo(250,200);window.location='URL-HERE';</script></body></html>
Chrome Canary (that I can't get working)
start "" "C:\Users\Owner\AppData\Local\Google\Chrome SxS\Application\chrome.exe" —app="data:text/html,<html><body><script>window.moveTo(50,250);window.resizeTo(250,200);window.location='URL_HERE';</script></body></html>
try the following :
start "" "C:\Users\YOURUSERNAME\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --app="data:text/html,<html><body><script>window.moveTo(50,250);window.resizeTo(250,200);window.location='http://www.google.com';</script></body></html>"
It worked on my side.
I'm looking to automate an existing Electron app. It gives access to the Developer Tools, so I could just paste Javascript code into the console, but there must be a way to do this remotely, ideally using Node or from the Terminal?
I've seen this option for running Chrome : --remote-debugging-port=9222 ... that hints at a solution but I can't seem to get closer.
If you launch your Electron app with --remote-debugging-port=9222 then you will enable remote debugging via Chrome DevTools protocol. You can use a Chrome developer tools instance as a client, or use one of the clients here: https://github.com/ChromeDevTools/awesome-chrome-devtools#chrome-devtools-protocol
The debuggable Chrome instance will be running on localhost:9222. Which means as long as you are trying to debug from the same machine you are fine. However if you want to debug from a remote machine you need some additional setup.
Setup an SSH tunnel on the source machine:
ssh -L 0.0.0.0:9223:localhost:9222 localhost -N
This will accept incoming traffic on the 9223 port and route it to Chrome remote debugging.
Then on your client machine use the address: source-machine-ip:9223 to access the remote debugging.
Note: This may not work on Windows without additional SSH setup as SSH is not prepackaged with Windows.
After updating my chrome, I'm unable to disable web security using the --disable-web-security command. I've tried lot of options, but without success, including using the --user-data-dir flag.
This is the command I'm running:
start "" "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="d:/_chrome_dev" --disable-web-security
I'm getting the following error:
You are using unsupported command --disable-web-security
For mac OS, the steps are as follows:
1 - Close down chrome. All instances of chrome must be closed first.
2 - Open Terminal
3 - Run the following command:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --user-data-dir
I used this Chrome plugin instead and it works :)
https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi
1) You have to make sure there are no processes already running. Check Task Manager and look for chrome.exe; if it exists, close it.
2) Then open with command "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -disable-web-security -user-data-dir
I'm trying to follow a melonJS tutorial. It says I should disable cross-origin request using one of two methods:
--disable-web-security
--allow-file-access-from-files
I've tried both of these in my command prompt as such:
C:\Users\danniu>C:\Users\danniu\AppData\Local\Google\Chrome\Application\Chrome.exe --allow-file-access-from-files
C:\Users\danniu>C:\Users\danniu\AppData\Local\Google\Chrome\Application\Chrome.exe --disable-web-security
When I try to run the game in Chrome I'm still getting this error:
XMLHttpRequest cannot load file:///C:/Users/danniu/Desktop/JavaScript/melonJS/data/map/area01.tmx. Cross origin requests are only supported for HTTP.
What am I doing wrong?
Thanks
You need to use both arguments. This is how I run it on my mac.
open -a Google\ Chrome --args --disable-web-security --allow-file-access-from-files
This is how it should be for windows:
"C:\PathTo\Chrome.exe" --allow-file-access-from-files --disable-web-security
To disable Chrome web security on Mac, use this command in the terminal
$ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir="/tmp/chrome_dev_session" --disable-web-security
if $ open -a Google\ Chrome --args --disable-web-security --allow-file-access-from-files
doesn't help
You should request through a HTTP protocol
Here's an answer quite simple to do it: https://stackoverflow.com/a/23118676/1585438
The anti-SOP parameters:
--disable-web-security --allow-file-access-from-files
To make the parameters effective, there must not be another instance of chrome running. If you have chrome running already and start a new instance with the anti-SOP parameters, it will have no effect.
When you close chrome, make sure that all instances are closed. This includes instances without GUI as well (task manager is your friend)!
I am using a Samsung Galaxy S2, version 2.3.3. I open a web page in the Android default web browser.
In the page I put console.log("some info") to debug the page, but I am unable to see the console.log output on my device. Please help me with this. Thanks in advance.
Warning: No Longer Working!
This solution appears to no longer be functional as the web tool has not been maintained over the years.
Try using JSConsole.com. It's a remote debugger for JavaScript. The setup is basically just injecting a <script> tag in your page. Once connected you can read all the console.log calls from the remote page on JSConsole, as well as execute commands on the client.
Steps to Setup
Go to JSConsole Home Page, and type :listen.
Copy the resulting <script src="http://jsconsole.com/remote.js?..."></script>.
Drop that into the page you need to debug.
Open your page in any browser (phone, tablet, desktop, etc). All console.log calls will be forwarded to the JSConsole.com window.
There are more details plus a couple of useful videos on the Remote Debugging Page.
In Two ways we can see console.log messages
Using WEINRE
Using Eclipse
Method 1:
Use WEINRE (WEb INspector REmote). It is a nodejs package. Steps to install WEINRE:
Install nodejs
Run this command to install weinre: npm install -g weinre (for Mac: sudo npm install -g weinre)
Then launch WEINRE: weinre --boundHost -all- --httpPort 8082, here 8082 is the port number where WEINRE is launched.
Then add the following script tag in the HTML/web page you want to debug or to see console messages: <script src="http://xx.xx.xx.xx:8082/target/target-script-min.js#weinredemo"></script>
xx.xx.xx.xx is the IP of your machine.
weinredemo is the ID for your page and you can use any of your own.
Then open the page where you want to see console messages on any mobile device.
Open this page in any WebKit browser: http://localhost:8082/client/#weinredemo
There, go to the console tab and see the messages.
Method 2:
Please connect your mobile via USB drive and see the phone listed in Eclipse. You need to install the Android ADT plugin for Eclipse to see the console messages in Eclipse.