1813
votes

Is there any way to disable the Same-origin policy on Google's Chrome browser?

30
See also peter.sh/experiments/chromium-command-line-switches, I am not sure of its authenticity but it appears to be a collection produced by an automated processCSSian
chromium.org links to the peter.sh page, so must be pretty legit.Benjineer
Note that disabling SOP, even when only used for development, is dangerous. When you start your browser this way, you are probably not only going to open your app, but also check your mails, read SO… Considering using better alternatives, e.g. web proxies, to resolve these issues. For instance via proxrox: github.com/bripkens/proxroxBenR
Since version 49, use this option --disable-web-security --user-data-dirvanduc1102
For anyone looking for advice on how to do this in a developer environment using a grunt run server see this: gist.github.com/Vp3n/5340891GrayedFox

30 Answers

1146
votes

Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:

Note : Kill all chrome instances before running command

chromium-browser --disable-web-security --user-data-dir="[some directory here]"

The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.

From the chromium source:

// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";

Before Chrome 48, you could just use:

chromium-browser --disable-web-security
1119
votes

Yep. For OSX, open Terminal and run:

$ open -a Google\ Chrome --args --disable-web-security --user-data-dir

--user-data-dir required on Chrome 49+ on OSX

For Linux run:

$ google-chrome --disable-web-security

Also if you're trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.

-–allow-file-access-from-files

For Windows go into the command prompt and go into the folder where Chrome.exe is and type

chrome.exe --disable-web-security

That should disable the same origin policy and allow you to access local files.

Update: For Chrome 22+ you will be presented with an error message that says:

You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.

However you can just ignore that message while developing.

578
votes

For Windows users:

The problem with the solution accepted here, in my opinion is that if you already have Chrome open and try to run the chrome.exe --disable-web-security command it won't work.

However, when researching this, I came across a post on Super User, Is it possible to run Chrome with and without web security at the same time?.

Basically, you need to add to the command and run it like this instead (or create a shortcut with it and run a new Chrome instance through that)

chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security

which will open a new "insecure" instance of Chrome at the same time as you keep your other "secure" browser instances open and working as normal.

This works by creating a new folder/directory "Chrome dev session" under C: and tells this new Chrome instance to use that folder/directory for its user and session data. Because of this, the new instance is separated from your "normal" Chrome data and your bookmarks and other saved data will not be available in this instance.

Note: only the first "new" instance of Chrome opened with this method, is effected, hence it is only the first tab in the first new Chrome window, which is effected. If you close that instance, you can use the same command again and for example any bookmarks to your local app or similar will still be there as it's pointing to the same folder.

If you want to run multiple "insecure" instances, each one will need its own folder/directory, so you will need to runt he command again with a different folder name. This however also means that each insecure instance will be separated from the others, so any bookmarks or other saves user or session data will not be available across instances.

278
votes

For Windows:

  1. Open the start menu

  2. Type windows+R or open "Run"

  3. Execute the following command:

     chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security
    

For Mac:

  1. Go to Terminal

  2. Execute the following command:

     open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security
    

A new web security disabled chrome browser should open with the following message:

enter image description here

For Mac

If you want to open new instance of web security disabled Chrome browser without closing existing tabs then use below command

open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security

It will open new instance of web security disabled Chrome browser as shown below

enter image description here

90
votes

For windows users with Chrome Versions 60.0.3112.78 (the day the solution was tested and worked) and at least until today 19.01.2019 (ver. 71.0.3578.98). You do not need to close any chrome instance.

  1. Create a shortcut on your desktop
  2. Right-click on the shortcut and click Properties
  3. Edit the Target property
  4. Set it to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/ChromeDevSession"
  5. Start chrome and ignore the message that says --disable-web-security is not supported!

BEWARE NOT TO USE THIS PARTICULAR BROWSER INSTANCE FOR BROWSING BECAUSE YOU CAN BE HACKED WITH IT!

78
votes

EDIT 3: Seems that the extension no longer exists... Normally to get around CORS these days I set up another version of Chrome with a separate directory or I use Firefox with https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/ instead.

EDIT 2: I can no longer get this to work consistently.

EDIT: I tried using the just the other day for another project and it stopped working. Uninstalling and reinstalling the extension fixed it (to reset the defaults).

Original Answer:

I didn't want to restart Chrome and disable my web security (because I was browsing while developing) and stumbled onto this Chrome extension.

Chrome Web Store Allow-Control-Allow-Origin: *
(https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en)

Basically it's a little toggle switch to toggle on and off the Allow-Access-Origin-Control check. Works perfectly for me for what I'm doing.

63
votes

Using the current latest chrome version (91.0.4472.77 (Official Build) (64-bit)), the only way I could make it work on windows 10 was to start chrome using the below flags (change the D:\temp to your liking). This solution will start chrome as a sandbox for tests and it will not affect the main chrome profile:

--disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"

in windows, click the start button then copy paste the below:

chrome.exe  --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"
54
votes

Seems none of above solutions are actually working. The --disable-web-security is no longer supported in recent chrome versions.

Allow-Control-Allow-Origin: * - chrome extension partially solved the problem. It works only if your request is using GET method and there's no custom HTTP Header. Otherwise, chrome will send OPTIONS HTTP request as a pre-flight request. If the server doesn't support CORS, it will respond with 404 HTTP status code. The plugin can't modify the response HTTP status code. So chrome will reject this request. There's no way for chrome plugin to modify the response HTTP status code based on current chrome extension API. And you can't do a redirect as well for XHR initiated request.

Not sure why Chrome makes developers life so difficult. It blocks all the possible ways to disable XSS security check even for development use which is totally unnecessary.

After days struggle and research, one solution works perfectly for me: to use corsproxy. You have two options here: 1. use [https://cors-anywhere.herokuapp.com/] 2. install corsproxy in the local box: npm install -g corsproxy

[Updated on Jun 23, 2018] Recent I'm developing an SPA app which need to use corsproxy again. But seem none of the corsproxy on the github can meet my requirement.

  • need it to run inside firewall for security reason. So I can't use https://cors-anywhere.herokuapp.com/.
  • It has to support https as chrome will block no-https ajax request in an https page.
  • I need to run on nodejs. I don't want to maintain another language stack.

So I decide to develop my own version of corsproxy with nodejs. It's actually very simple. I have published it as a gist on the github. Here is the source code gist: https://gist.github.com/jianwu/8e76eaec95d9b1300c59596fbfc21b10

  • It's in plain nodejs code without any additional dependencies
  • You can run in http and https mode (by passing the https port number in command line), to run https, you need to generate cert and key and put them in the webroot directory.
  • It also serves as static file server
  • It supports pre-flight OPTION request as well.

To start the CORSProxy server (http port 8080): node static_server.js 8080

to access the proxy: http://host:8080/http://www.somesite.com

48
votes

For Windows... create a Chrome shortcut on your desktop.
Right-click > properties > Shortcut
Edit "target" path :

"C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security

(Change the 'C:....\chrome.exe' to where ever your chrome is located).

et voilà :)

48
votes

Try this command on Mac terminal-

open -n -a "Google Chrome" --args --user-data-dir=/tmp/temp_chrome_user_data_dir http://localhost:8100/ --disable-web-security 

It opens another instance of chrome with disabled security and there is no CORS issue anymore. Also, you don't need to close other chrome instances anymore. Change localhost URL to your's one.

46
votes

I find the best way to do this is duplicate a Chrome or Chrome Canary shortcut on your windows desktop. Rename this shortcut to "NO CORS" then edit the properties of that shortcut.

in the target add --disable-web-security --user-data-dir="D:/Chrome" to the end of the target path.

your target should look something like this:

Update: New Flags added.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:/Chrome"

enter image description here

23
votes

Don't do this! You're opening your accounts to attacks. Once you do this any 3rd party site can start issuing requests to other websites, sites that you are logged into.

Instead run a local server. It's as easy as opening a shell/terminal/commandline and typing

cd path/to/files
python -m SimpleHTTPServer

Then pointing your browser to

http://localhost:8000

If you find it's too slow consider this solution

Update

People downvoting this answer should go over here and downvote this one too to be consistent. No idea why my answer is so downvoted and the same answer over here is the top voted answer.

You are opening yourself to attacks. Every single 3rd party script you include on your site remotely or locally like via npm can now upload your data or steal your credentials. You are doing something you have no need to do. The suggested solution is not hard, takes 30 seconds, doesn't leave you open attack. Why would you choose to make yourself vulnerable when the better thing to do is so simple?

Telling people to disable security is like telling your friends to leave their front door unlocked and/or a key under the doormat. Sure the odds might be low but if they do get burgled, without proof of forced entry they might have a hard time collecting insurance. Similarly if you disable security you are doing just that disabling security. It's irresponsible to do this when you can solve the issue so simply without disabling security. I'd be surprised if you couldn't be fired at some companies for disabling security.

19
votes

For Selenium Webdriver, you can have selenium start Chrome with the appropriate arguments (or "switches") in this case.

 @driver = Selenium::WebDriver.for(:Chrome, { 
       :detach => false,
       :switches => ["--disable-web-security"]
    })
19
votes

You can use this chrome plugin called "Allow-Control-Allow-Origin: *" ... It make it a dead simple and work very well. check it here: *

Chrome extenstion

15
votes
  1. Create a new shortcut:

Create new shortcut


  1. Paste the following path:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:\temp\chrome"

Paste the path


  1. Name it:

Unsafe Chrome.exe

enter image description here


Now you have an unsafe version of Google Chrome on desktop to use it for debugging front-end applications without any CORS problems.

14
votes

If you are using Google Chrome on Linux, following command works.

google-chrome  --disable-web-security
13
votes
13
votes

For OSX, run the following command from the terminal:

open -na Google\ Chrome --args --disable-web-security --user-data-dir=$HOME/profile-folder-name

This will start a new instance of Google Chrome with a warning on top.

13
votes

You can simply use this chrome extension Allow-Control-Allow-Origin

just click the icon of the extensnion to turn enable cross-resource sharing ON or OFF as you want

12
votes

FOR MAC USER ONLY

open -n -a /Applications/Google\ Chrome.app --args --user-data-dir="/tmp/someFolderName" --disable-web-security
11
votes

On Linux- Ubuntu, to run simultaneously a normal session and an unsafe session run the following command:

google-chrome  --user-data-dir=/tmp --disable-web-security
9
votes
chromium-browser --disable-web-security --user-data-dir=~/ChromeUserData/
8
votes

Following on Ola Karlsson answer, indeed the best way would be to open the unsafe Chrome in a different session. This way you don't need to worry about closing all of the currently opened tabs, and also can continue to surf the web securely with the original Chrome session.

These batch files should just work for you on Windows.

Put it in a Chrome_CORS.bat file for easy use

start "" "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="c:/_chrome_dev" --disable-web-security

This one is for Chrome Canary. Canary_CORS.bat

start "" "c:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --user-data-dir="c:/_canary_dev" --disable-web-security
7
votes

On Windows 10, the following will work.

<<path>>\chrome.exe --allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt
6
votes

for mac users:

open -a "Google Chrome" --args --disable-web-security --user-data-dir

and before Chrome 48, you could just use:

open -a "Google Chrome" --args --disable-web-security
6
votes

this is an ever moving target.... today I needed to add another flag to get it to work: --disable-site-isolation-trials

OS X: open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome_dev_2" --disable-web-security --disable-site-isolation-trials

5
votes

There is a Chrome extension called CORS Toggle.

Click here to access it and add it to Chrome.

After adding it, toggle it to the on position to allow cross-domain requests.

5
votes

Used below command in Ubuntu to start chrome (disable same origin policy and open chrome in detached mode):

nohup google-chrome --disable-web-security --user-data-dir='/tmp' &
3
votes

For Windows:

(using windows 8.1, chrome 44.0)

First, close google chrome.

Then, open command prompt and go to the folder where 'chrome.exe' is.

( for me: 'chrome.exe' is here "C:\Program Files (x86)\Google\Chrome\Application".

So I type: cd C:\Program Files (x86)\Google\Chrome\Application )

now type: chrome.exe --disable-web-security

a new window of chrome will open.

0
votes

On a Windows PC, use an older version of Chrome and the command will work for all you guys. I downgraded my Chrome to 26 version and it worked.