Is there any way to disable the Same-origin policy on Google's Chrome browser?
asked Jun 23, 2010 at 15:00
39 Answers
Close Chrome (or Chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from localhost (tested under Chromium 5 / Ubuntu).
Note: Kill all Chrome instances before running this command.
For me the exact command was:
chromium-browser --disable-web-security --user-data-dir="[some directory here]"
The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.
From the Chromium source:
// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";
Before Chrome 48, you could just use:
chromium-browser --disable-web-security
answered Jul 5, 2010 at 7:20
-
1Make sure the directory exists on Windows. Create one in your personal Users[user]\ folder. Commented Nov 25, 2020 at 7:46
-
9As of latest versions of chrome (e.g. I have version 92), "--disable-web-security" is necessary but not enough. It is also required to use "--disable-site-isolation-trials". See the more recent answer from @user2576266 below. (Note that chrome will still display a warning that "--disable-site-isolation-trials" is not understood. It actually works.) Commented Aug 30, 2021 at 6:26
-
1@AliNakisaee I have version 95, but "--disable-site-isolation-trials" does not work. Commented Oct 27, 2021 at 12:16
-
7for Chrome Version 96 , Use
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --disable-features=IsolateOrigins,site-per-process --user-data-dir="C://ChromeDev"... just add--disable-features=IsolateOrigins,site-per-process, See this Commented Jan 2, 2022 at 10:15 -
Yes, it is possible.
For Mac OS X / macOS, open Terminal and run:
$ open -a Google\ Chrome --args --disable-web-security --user-data-dir
--user-data-dir required on Chrome 49+ on OSX
For Linux run:
$ google-chrome --disable-web-security
Also if you're trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.
--allow-file-access-from-files
For Windows go into the command prompt and go into the folder where Chrome.exe is and type
chrome.exe --disable-web-security
That should disable the same origin policy and allow you to access local files.
UPDATE
For Chrome 22+ you will be presented with an error message that says:
You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.
However you can just ignore that message while developing.
-
32I had to add a path after
--user-data-diras in--user-data-dir="tmp"for it to work (Chrome 88.0...)– Ryan H.Commented Mar 10, 2021 at 22:15 -
Chrome 89.0 - I also had to add
--user-data-dir="[PATH]", otherwise it won't work Commented Mar 27, 2021 at 16:02 -
3If you would like your existing user directory, on MacOS you may find it under:
--user-data-dir="/Users/<YOUR_USER>/Library/ApplicationSupport/Google/Chrome". Typewhoamiorpwd -Pin terminal to find your username.– FooBarCommented May 16, 2021 at 16:01 -
C:\Program Files\Google\Chrome\Application- The default installation path for Chrome on Windows (as of 07/2021). Commented Jul 31, 2021 at 9:58 -
you need to specify 2 path one for chrome.exe and second one for data directory where chrome will store, make data-dir has write permissions "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp" Commented Sep 30, 2021 at 15:39
For Windows users:
The problem with the solution accepted here, in my opinion is that if you already have Chrome open and try to run the chrome.exe --disable-web-security command it won't work.
However, when researching this, I came across a post on Super User, Is it possible to run Chrome with and without web security at the same time?.
Basically, you need to add to the command and run it like this instead (or create a shortcut with it and run a new Chrome instance through that)
chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security
this will open a new "insecure" instance of Chrome at the same time as you keep your other "secure" browser instances open and working as normal.
This works by creating a new folder/directory "Chrome dev session" under C: and tells this new Chrome instance to use that folder/directory for its user and session data. Because of this, the new instance is separated from your "normal" Chrome data and your bookmarks and other saved data will not be available in this instance.
Note: only the first "new" instance of Chrome opened with this method, is effected, hence it is only the first tab in the first new Chrome window, which is effected. If you close that instance, you can use the same command again and for example any bookmarks to your local app or similar will still be there as it's pointing to the same folder.
If you want to run multiple "insecure" instances, each one will need its own folder/directory, so you will need to runt he command again with a different folder name. This however also means that each insecure instance will be separated from the others, so any bookmarks or other saves user or session data will not be available across instances.
answered Oct 11, 2013 at 12:13
-
This worked for me, but how come this seems not to be documented anywhere?– GDavoliCommented Nov 8, 2021 at 8:12
-
I don't know but maybe it's because in general, Google/Chrome probably don't want you to disable the security. Commented Nov 9, 2021 at 9:17
-
1Does not work for the latest chrome versions i.imgur.com/VhFiecY.png Commented Aug 30, 2022 at 13:55
-
OMG thank you sir. Geez chrome have a dev mode my goodness Commented Sep 29, 2022 at 1:37
-
For Windows:
Open the start menu
Type windows+R or open "Run"
Execute the following command:
chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security
For Mac:
Go to Terminal
Execute the following command:
open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security
A new web security disabled chrome browser should open with the following message:
For Mac
If you want to open new instance of web security disabled Chrome browser without closing existing tabs then use below command
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security
It will open new instance of web security disabled Chrome browser as shown below
answered Feb 3, 2017 at 12:59
-
2this one is great answer, helped me on MAC start second window with disabled web security. 2022/12 Commented Dec 11, 2022 at 6:33
-
Using the current latest chrome Version 118.0.5993.89 (Official Build) (64-bit).
Windows
Click the start button then copy paste the below (change the D:\temp to your liking):
chrome.exe --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"
Linux
Start a terminal then run the below command (change the ~/tmp directory to your liking):
google-chrome --disable-site-isolation-trials --disable-web-security --user-data-dir="~/tmp"
NOTE
This solution will start Chrome in an isolated sandbox and it will not affect the main Chrome profile.
answered Mar 31, 2019 at 14:53
-
13This is the only solution works for me. I have run this
chrome.exe --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"onrunwindow on windows 10. Thanks a lot.– SampathCommented Apr 7, 2019 at 8:10 -
1HAIR PULLING ARGHGHGH - doesn't seem to work anymore Commented May 9, 2019 at 20:28
-
4Adding --disable-site-isolation-trials really helped me in my case, Chrome v 75.0, Selenium Web Driver, Java. Thanks! Commented Aug 24, 2019 at 16:52
-
3It works for me on Linux, but with a little modification
google-chrome --disable-site-isolation-trials --disable-web-security --user-data-dir="/tmp"Commented Feb 25, 2021 at 11:04 -
3I have version 95, but adding --disable-site-isolation-trials does not work. Any workaround for this? Commented Oct 27, 2021 at 12:18
For windows users with **Chrome Versions 60.0.3112.78 (the day the solution was tested and worked) and at least until today 24.11.2022 (ver. 106.0.5249.119 (Official Build) (64-bit)). You do not need to close any chrome instance.
- Create a shortcut on your desktop
- Right-click on the shortcut and click Properties
- Edit the Target property
- Set it to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/ChromeDevSession"
- Start chrome and ignore the message that says --disable-web-security is not supported!
BEWARE NOT TO USE THIS PARTICULAR BROWSER INSTANCE FOR BROWSING BECAUSE YOU CAN BE HACKED WITH IT!
answered Aug 1, 2017 at 9:27
-
1Worked like a charm. I can't believe Chrome doesn't allow developers to disable this without starting a new session. At least they have a way though. Commented Sep 15, 2017 at 22:47
-
-
-
1This method still works: Version 106.0.5249.119 (Official Build) (64-bit)– verismCommented Nov 23, 2022 at 18:16
-
2Basically any site can make a request to another site as you if you disable web security Say you visit hack3rs-site.com which makes a post request to facebook.com to create a post, normally that request would be blocked by CORS, but by disabling this security the request will go through and if you were authenticated that request will use your existing cookies– TofandelCommented Feb 20, 2023 at 10:41
EDIT 3: Seems that the extension no longer exists... Normally to get around CORS these days I set up another version of Chrome with a separate directory or I use Firefox with https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/ instead.
EDIT 2: I can no longer get this to work consistently.
EDIT: I tried using the just the other day for another project and it stopped working. Uninstalling and reinstalling the extension fixed it (to reset the defaults).
Original Answer:
I didn't want to restart Chrome and disable my web security (because I was browsing while developing) and stumbled onto this Chrome extension.
Basically it's a little toggle switch to toggle on and off the Allow-Access-Origin-Control check. Works perfectly for me for what I'm doing.
-
1how I achieve and integrate with my extension as my extension needs to access cross domain. I cannot force user to open the browser wth disable-web-security Commented Apr 14, 2015 at 3:01
-
1This extension won't work for local files, unfortunately. Stick to the
--disable-web-securityswitch in that case.– brycCommented Jul 15, 2015 at 2:25 -
2@bryc It's not really meant to. Consider though that you can use
--allow-file-access-from-filesinstead of disabling all web security.– CobertosCommented Jul 15, 2015 at 2:29 -
1Warning! Some sites won't let you log in with this extension enabled! Firebase console, for example.– campsjosCommented Mar 23, 2017 at 13:08
-
2“the extension no longer exists” can you delete your answer or at least put Edit 3 at the top in bold Commented Nov 23, 2019 at 0:17
Try this command on Mac terminal-
open -n -a "Google Chrome" --args --user-data-dir=/tmp/temp_chrome_user_data_dir http://localhost:8100/ --disable-web-security
It opens another instance of chrome with disabled security and there is no CORS issue anymore. Also, you don't need to close other chrome instances anymore. Change localhost URL to your's one.
answered Dec 26, 2017 at 9:04
-
Most of the command-line answers above made no improvement for me on macOS. However this post alfilatov.com/posts/run-chrome-without-cors and the command line open worked for me. It is the same as the command above so voting up. Commented Feb 12, 2020 at 12:00
-
This worked for me in 2023, on Chrome 119.0.6045.159 (Official Build) (64-bit), in Debian 12. Small difference: I have to drop
open -n -aand change"Google Chrome"togoogle-chrome, like this:google-chrome --user-data-dir=/tmp/temp_chrome_user_data_dir http://localhost:8100/ --disable-web-security. I just added an ampersand and output redirection to/dev/null, but thanks for this.– RicardoCommented Nov 17, 2023 at 16:54
Seems none of above solutions are actually working. The --disable-web-security is no longer supported in recent chrome versions.
Allow-Control-Allow-Origin: * - chrome extension partially solved the problem. It works only if your request is using GET method and there's no custom HTTP Header. Otherwise, chrome will send OPTIONS HTTP request as a pre-flight request. If the server doesn't support CORS, it will respond with 404 HTTP status code. The plugin can't modify the response HTTP status code. So chrome will reject this request. There's no way for chrome plugin to modify the response HTTP status code based on current chrome extension API. And you can't do a redirect as well for XHR initiated request.
Not sure why Chrome makes developers life so difficult. It blocks all the possible ways to disable XSS security check even for development use which is totally unnecessary.
After days struggle and research, one solution works perfectly for me: to use corsproxy. You have two options here: 1. use [https://cors-anywhere.herokuapp.com/] 2. install corsproxy in the local box: npm install -g corsproxy
[Updated on Jun 23, 2018] Recent I'm developing an SPA app which need to use corsproxy again. But seem none of the corsproxy on the github can meet my requirement.
- need it to run inside firewall for security reason. So I can't use https://cors-anywhere.herokuapp.com/.
- It has to support https as chrome will block no-https ajax request in an https page.
- I need to run on nodejs. I don't want to maintain another language stack.
So I decide to develop my own version of corsproxy with nodejs. It's actually very simple. I have published it as a gist on the github. Here is the source code gist: https://gist.github.com/jianwu/8e76eaec95d9b1300c59596fbfc21b10
- It's in plain nodejs code without any additional dependencies
- You can run in http and https mode (by passing the https port number in command line), to run https, you need to generate cert and key and put them in the webroot directory.
- It also serves as static file server
- It supports pre-flight OPTION request as well.
To start the CORSProxy server (http port 8080): node static_server.js 8080
to access the proxy: http://host:8080/http://www.somesite.com
answered Jan 12, 2015 at 7:51
-
If you're going to go to that extent, you could always just host a web server locally or remotely that pulls the content from the webpage you desire and then set the proper CORS headers on that.– CobertosCommented Mar 3, 2015 at 20:51
-
I have thought of this route before. But this need some coding, especially in my case, I need to call several services which are originated from different domains. So I have to map different URL pattern to different domains. This is exactly what corsproxy has done for us. And it works perfectly. Commented Apr 22, 2015 at 0:11
-
4Not true.. The way mentioned in accepted answer worked for me.. As it mentions, Chrome 49 onwards command 'chrome.exe --disable-web-security --user-data-dir' worked for me.. Commented May 24, 2016 at 6:15
-
2Chromium 53, --disable-web-security --user-data-dir didn't work for me Commented Sep 29, 2016 at 1:57
-
4In 53+ you need to actual provide a unique user data directory which is different from your normal directory. This creates a new profile for the insecure environment. --user-data-dir needs to be set equal to something, such as in Olas answer above. If you really want to, you CAN set it equal to your actual normal user profile folder, but this is highly discouraged as it leaves your normal profile open to accidental attacks if you start normal browsing while in that mode. Commented Jan 10, 2017 at 14:27
I find the best way to do this is duplicate a Chrome or Chrome Canary shortcut on your windows desktop. Rename this shortcut to "NO CORS" then edit the properties of that shortcut.
in the target add --disable-web-security --user-data-dir="D:/Chrome" to the end of the target path.
your target should look something like this:
Update: New Flags added.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:/Chrome"
-
-
A 404 error would be a server related error and not a Google Chrome error.– etoxinCommented Aug 24, 2016 at 2:13
-
2@etoxin This answer is no longer valid in the latest version of chrome. You have to add --disable-web-security --user-data-dir="D:/Chrome" Commented Sep 24, 2016 at 13:00
-
It works for me in Chrome latest (Version 119.0.6045.160 (Official Build) (64-bit)) Commented Nov 28, 2023 at 15:40
For Windows... create a Chrome shortcut on your desktop.
Right-click > properties > Shortcut
Edit "target" path :
"C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security
(Change the 'C:....\chrome.exe' to where ever your chrome is located).
et voilà :)
answered Aug 27, 2013 at 12:43
-
As of today 08/27/20013 it's works for me, allowing me to do Ajax on my own localhost. Commented Aug 27, 2013 at 12:45
-
got "you are using an unsupported command line tag: --disable-web-security" with Canary version 53 Commented Jun 28, 2016 at 10:27
-
4@khoailang you can still use the switch. That warning is part of Google's war on insecurity (a good thing). Also, as of version 55+ you need to also use --user-data-dir=<some other directory here> so Google doesn't want you mixing insecure rules with your normal profiles. Commented Jan 10, 2017 at 14:33
-
Thank you, I have forgotten about my Chrome is not in path, which mean I have to direct it to its folder. Commented Dec 17, 2021 at 4:18
- Create a shortcut:
- Paste the command:
cmd /c start chrome --disable-web-security --user-data-dir="c:\temp\chrome"
- Run as administrator
answered Apr 11, 2020 at 20:42
-
2
For OSX, run the following command from the terminal:
open -na Google\ Chrome --args --disable-web-security --user-data-dir=$HOME/profile-folder-name
This will start a new instance of Google Chrome with a warning on top.
CAUTION: if you use --user-data-dir then chrome disconnect with you user-data folder (and logout you from all your sites) - even if you run it again without any params. To rollback this, you need to open in above way but without that prameter.
For Selenium Webdriver, you can have selenium start Chrome with the appropriate arguments (or "switches") in this case.
@driver = Selenium::WebDriver.for(:Chrome, {
:detach => false,
:switches => ["--disable-web-security"]
})
-
1that's two preceeding dashes for disable-web-security. it my browser it made them look like one looong dash.– mikelupoCommented Mar 27, 2012 at 13:09
-
You can use this chrome plugin called "Allow-Control-Allow-Origin: *" ... It make it a dead simple and work very well. check it here: *
answered Mar 2, 2017 at 14:21
-
4
-
7No longer functional as per the date of this comment. Would recommend just using the flag route. Commented Aug 6, 2018 at 14:57
FOR MAC USER ONLY
open -n -a /Applications/Google\ Chrome.app --args --user-data-dir="/tmp/someFolderName" --disable-web-security
answered May 16, 2017 at 9:00
-
-
@MohasinAli close all chrome windows and just run it like normally. It only affects the instance you ran with this argument. If you run it again without any arguments, this change is not applied. Commented Jan 30, 2019 at 12:32
You can simply use this chrome extension Allow-Control-Allow-Origin
just click the icon of the extensnion to turn enable cross-resource sharing ON or OFF as you want
answered Jan 29, 2015 at 14:49
-
-
It is not. And yeah it's working. But we are here cause we now what a command means so use the above solutions before this! Commented Feb 4, 2020 at 14:30
-
@Jánosi-BorsosRóbert who are included in your "we", and how could your knowledge of the meaning of a command bring you here? FYI: Your command is imprecise, and I did not obey ;)– SuperoleCommented Apr 15, 2020 at 20:24
-
True that @Superole. I meant that I think it's better to use a command than installing an extension. Commented Jun 25, 2020 at 16:25
-
It doesn't work for iframe. It disables only part of CORS Commented Oct 5, 2020 at 19:14
If you are using Google Chrome on Linux, following command works.
google-chrome --disable-web-security
This Chrome plugin works for me: Allow-Control-Allow-Origin: * - Chrome Web Store
-
6This plugin broke in my browser and started breaking all the XHR things. Use with caution.– etoxinCommented Jan 13, 2016 at 23:50
-
2
On Linux- Ubuntu, to run simultaneously a normal session and an unsafe session run the following command:
google-chrome --user-data-dir=/tmp --disable-web-security
answered Sep 14, 2018 at 4:23
Following on Ola Karlsson answer, indeed the best way would be to open the unsafe Chrome in a different session. This way you don't need to worry about closing all of the currently opened tabs, and also can continue to surf the web securely with the original Chrome session.
These batch files should just work for you on Windows.
Put it in a Chrome_CORS.bat file for easy use
start "" "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="c:/_chrome_dev" --disable-web-security
This one is for Chrome Canary. Canary_CORS.bat
start "" "c:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --user-data-dir="c:/_canary_dev" --disable-web-security
-
This is a pointless use of a batch file. A shortcut would be much better for this. Just put everything after the first pair of quotes into the shortcut target. Commented Jan 10, 2017 at 14:29
-
It doesn't really matter. Yet in a batch you can do more things like deleting the user-data-dir after you close the browser, for example.– guyaCommented Jan 14, 2017 at 21:21
-
True, adding behavior outside of just launching would be useful, but for most people who need this at length, having a persistent user directory is helpful (for example with installed extensions) Commented Jan 18, 2017 at 21:30
chromium-browser --disable-web-security --user-data-dir=~/ChromeUserData/
for mac users:
open -a "Google Chrome" --args --disable-web-security --user-data-dir
and before Chrome 48, you could just use:
open -a "Google Chrome" --args --disable-web-security
answered Aug 31, 2016 at 19:41
-
Thanks. This works on the latest Chrome 73 that included the new CORB security policy. Commented Mar 14, 2019 at 10:12
On Windows 10, the following will work.
<<path>>\chrome.exe --allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt
-
I am surprised that your answer was downvoted. It worked very well for me on local files with the latest Chrome version.– WaruyamaCommented Mar 9, 2016 at 10:15
-
@CHANist: That is perhaps why the OP said, "On Windows 10"...? Commented Jul 31, 2018 at 5:24
this is an ever moving target.... today I needed to add another flag to get it to work:
--disable-site-isolation-trials
OS X:
open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome_dev_2" --disable-web-security --disable-site-isolation-trials
answered Jan 3, 2019 at 15:39
Only for OSX Catalina the below command works for me.
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
There is a Chrome extension called CORS Toggle.
Click here to access it and add it to Chrome.
After adding it, toggle it to the on position to allow cross-domain requests.
answered Dec 11, 2016 at 3:21
-
1
Used below command in Ubuntu to start chrome (disable same origin policy and open chrome in detached mode):
nohup google-chrome --disable-web-security --user-data-dir='/tmp' &
We can Override network response header which is a new feature in Chrome113 Dev Tools
Open the Network tab then click on the failed request. And at the Response Headers section search for the header request Access-Control-Allow-Origin and set it to allow all origins (*).
Refresh the page and the error of CORS will disappear and data would be fetched!
We can also override multiple requests at once by just clicking on Header overrrides at the Response Headers section. And sets Apply to property to *.json and reloads the page again.
For Windows:
(using windows 8.1, chrome 44.0)
First, close google chrome.
Then, open command prompt and go to the folder where 'chrome.exe' is.
( for me: 'chrome.exe' is here "C:\Program Files (x86)\Google\Chrome\Application".
So I type:
cd C:\Program Files (x86)\Google\Chrome\Application )
now type: chrome.exe --disable-web-security
a new window of chrome will open.
peter.shpage, so must be pretty legit.--disable-web-security --user-data-dir