Categories
ajax google-chrome javascript

Disable same origin policy in Chrome

1987

Is there any way to disable the Same-origin policy on Google’s Chrome browser?

12

  • 1

    See also peter.sh/experiments/chromium-command-line-switches, I am not sure of its authenticity but it appears to be a collection produced by an automated process

    – CSSian

    Dec 18, 2013 at 18:01

  • 1

    chromium.org links to the peter.sh page, so must be pretty legit.

    – Benjineer

    Jan 7, 2015 at 13:21

  • 2

    Note that disabling SOP, even when only used for development, is dangerous. When you start your browser this way, you are probably not only going to open your app, but also check your mails, read SO… Consider using better alternatives, e.g. web proxies, to resolve these issues. For instance via proxrox: github.com/bripkens/proxrox

    – BenR

    Dec 26, 2015 at 7:39

  • 35

    Since version 49, use this option --disable-web-security --user-data-dir

    Mar 10, 2016 at 1:37

  • 3

    For anyone looking for advice on how to do this in a developer environment using a grunt run server see this: gist.github.com/Vp3n/5340891

    – GrayedFox

    Apr 13, 2016 at 16:07

1219

Close Chrome (or Chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from “localhost” (tested under Chromium 5 / Ubuntu). For me the exact command was:

Note: Kill all Chrome instances before running the command.

chromium-browser --disable-web-security --user-data-dir="[some directory here]"

The browser will warn you that “you are using an unsupported command line” when it first opens, which you can ignore.

From the chromium source:

// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";

Before Chrome 48, you could just use:

chromium-browser --disable-web-security

4

  • 1

    Make sure the directory exists on Windows. Create one in your personal Users[user]\ folder.

    Nov 25, 2020 at 7:46

  • 3

    As of latest versions of Chrome (e.g. I have version 92), "--disable-web-security" is necessary but not enough. It is also required to use "--disable-site-isolation-trials". See the more recent answer from @user2576266 below. (Note that Chrome will still display a warning that "--disable-site-isolation-trials" is not understood. It actually works.)

    Aug 30, 2021 at 6:26


  • 1

    @AliNakisaee I have version 95, but "--disable-site-isolation-trials" does not work.

    – marek8623

    Oct 27, 2021 at 12:16

  • 2

    For Chrome version 96, use "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --disable-features=IsolateOrigins,site-per-process --user-data-dir="C://ChromeDev" … just add --disable-features=IsolateOrigins,site-per-process. See this

    Jan 2 at 10:15

1171

Yep. For OSX, open Terminal and run:

$ open -a Google\ Chrome --args --disable-web-security --user-data-dir

--user-data-dir is required on Chrome 49+ on OSX

For Linux run:

$ google-chrome --disable-web-security

Also if you’re trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.

--allow-file-access-from-files

For Windows go into the command prompt and go into the folder where Chrome.exe is and type

chrome.exe --disable-web-security

That should disable the same origin policy and allow you to access local files.

Update: For Chrome 22+ you will be presented with an error message that says:

You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.

However you can just ignore that message while developing.

5

  • 18

    I had to add a path after --user-data-dir as in --user-data-dir="tmp" for it to work (Chrome 88.0…)

    – Ryan H.

    Mar 10, 2021 at 22:15

  • Chrome 89.0 – I also had to add --user-data-dir="[PATH]", otherwise it won’t work

    Mar 27, 2021 at 16:02


  • 1

    If you would like your existing user directory, on MacOS you may find it under: --user-data-dir="/Users/<YOUR_USER>/Library/ApplicationSupport/Google/Chrome". Type whoami or pwd -P in terminal to find your username.

    – FooBar

    May 16, 2021 at 16:01

  • C:\Program Files\Google\Chrome\Application – The default installation path for Chrome on Windows (as of 07/2021).

    Jul 31, 2021 at 9:58


  • You need to specify two paths, one for chrome.exe and a second one for the data directory where Chrome will store data; make sure the data dir has write permissions: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"

    Sep 30, 2021 at 15:39
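
An added example (not part of any answer or comment above): a shell check that lists browser processes started with the switches named in these answers and reports whether each one was given its own --user-data-dir path. The function names, the output labels and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers.

# audit_cmdlines: stdin is one process per line, "PID full command line"
# (the shape printed by `ps -Ao pid=,args=`). Prints one line per browser
# process that carries a switch from this page: PID, profile status, switches.
audit_cmdlines() {
    awk '
    {
        hits = ""; profile = 0; child = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "--disable-web-security" ||
                $i == "--disable-site-isolation-trials" ||
                $i == "--allow-file-access-from-files" ||
                $i ~ /^--disable-features=.*(IsolateOrigins|site-per-process)/)
                hits = hits (hits == "" ? "" : " ") $i
            # A bare --user-data-dir with no path does not count.
            if ($i ~ /^--user-data-dir=./) profile = 1
            # Renderer and GPU helpers carry --type=...; report the parent only.
            if ($i ~ /^--type=/) child = 1
        }
        if (hits != "" && !child)
            print $1, (profile ? "dedicated-profile" : "no-dedicated-profile"), hits
    }'
}

# Constructed sample lines (not real output) so the check runs offline.
sample_ps() {
cat <<'EOF'
 2101 /opt/google/chrome/chrome --disable-web-security --user-data-dir=/tmp/chrome-dev-a1b2c3
 2140 /opt/google/chrome/chrome --type=renderer --disable-web-security
 3310 /usr/bin/chromium-browser --disable-web-security
 3415 /usr/bin/chromium-browser --disable-features=IsolateOrigins,site-per-process --user-data-dir=/home/dev/profile
 4001 /usr/bin/firefox
EOF
}

# Demo on the sample; on a live system: ps -Ao pid=,args= | audit_cmdlines
sample_ps | audit_cmdlines
```

A "no-dedicated-profile" line is the case to look at first: the weakened instance was not pointed at a separate profile directory.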

626

For Windows users:

The problem with the solution accepted here, in my opinion, is that if you already have Chrome open and try to run the chrome.exe --disable-web-security command it won’t work.

However, when researching this, I came across a post on Super User, Is it possible to run Chrome with and without web security at the same time?.

Basically, you need to add to the command and run it like this instead (or create a shortcut with it and run a new Chrome instance through that)

chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security

which will open a new “insecure” instance of Chrome at the same time as you keep your other “secure” browser instances open and working as normal.

This works by creating a new folder/directory “Chrome dev session” under C: and tells this new Chrome instance to use that folder/directory for its user and session data. Because of this, the new instance is separated from your “normal” Chrome data and your bookmarks and other saved data will not be available in this instance.

Note: only the first “new” instance of Chrome opened with this method is affected, hence it is only the first tab in the first new Chrome window which is affected.
If you close that instance, you can use the same command again and for example any bookmarks to your local app or similar will still be there as it’s pointing to the same folder.

If you want to run multiple “insecure” instances, each one will need its own folder/directory, so you will need to run the command again with a different folder name. This however also means that each insecure instance will be separated from the others, so any bookmarks or other saved user or session data will not be available across instances.

2

  • This worked for me, but how come this seems not to be documented anywhere?

    – GDavoli

    Nov 8, 2021 at 8:12

  • I don’t know but maybe it’s because in general, Google/Chrome probably don’t want you to disable the security.

    Nov 9, 2021 at 9:17
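
The separate-profile approach from the answer above, as an added example that is not part of the original post: a launcher that creates a throwaway profile directory, opens only a loopback dev URL in the insecure instance, and deletes the profile when the browser closes. The function names, the DRY_RUN variable and the loopback-only rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers.

# Accept only loopback dev URLs (assumption: the app under test runs locally).
is_local_url() {
    case "$1" in
        *@*|*\\*) return 1 ;;   # userinfo or backslash tricks can hide the real host
        http://localhost|http://localhost[:/]*) return 0 ;;
        http://127.0.0.1|http://127.0.0.1[:/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# launch_insecure_dev_browser BROWSER URL
# With DRY_RUN=1 the command line is printed instead of executed.
launch_insecure_dev_browser() {
    browser=$1
    url=$2
    if ! is_local_url "$url"; then
        echo "refusing non-local URL: $url" >&2
        return 2
    fi
    # Fresh, empty profile: no cookies, saved logins or extensions to expose.
    profile=$(mktemp -d "${TMPDIR:-/tmp}/chrome-dev-XXXXXX") || return 1
    status=0
    ${DRY_RUN:+echo} "$browser" --disable-web-security \
        --user-data-dir="$profile" "$url" || status=$?
    # Assumption: the browser stays in the foreground until its window is closed.
    rm -rf "$profile"
    return "$status"
}

# Stand-alone use: sh launch-dev.sh chromium-browser http://localhost:8080/
if [ "$#" -eq 2 ]; then
    launch_insecure_dev_browser "$1" "$2"
fi
```

The URL check is deliberately conservative: any URL containing `@` is refused, including a loopback URL with `@` in its query string.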