Disable Web Security in Chrome 48+ – How to Guide

google-chromesame-origin-policysecurity

I have a problem with the --disable-web-security flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.

I've tried killing all of the instances, reboot and run Chrome with the flag first of all, tried different machines as well. In the beta I can see the warning popup ("You are using unsupported flag.."), but CORS is still being enforced. Public version seems to ignore the flag completely.

There seems to be no news or people reports about that, so it might be a local issue.
Will be grateful for help or any related info.

Best Answer

Update 2021-10-18

As of Chrome 95, on MacOS and Windows, --disable-site-isolation-trials remains a required flag in order to disable web security, so the command-line arguments to Chrome seen below are still valid. (Some of the arguments are not formally supported by Chrome, as it will warn you.)

To test whether you've successfully launched Chrome with web security disabled, run the snippet in Web Security Test at the bottom of this post.

Update 2020-04-30

As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials and a non-empty profile path via --user-data-dir in order for --disable-web-security to take effect:

# MacOS (in Terminal)
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials

# Windows (from "Run" dialog [Windows+R] or start menu in Windows 8+)
chrome.exe --user-data-dir=%TMP%\temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials

(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir= vs --user-data-dir=/some/path for more details below.

Thanks to @Snæbjørn for the Chrome 81 tip in the comments.

Update 2020-03-06

As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials no longer disables web security.

It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.

Original Post 2019-11-01

In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials flag alongside arguments --user-data-dir= and --disable-web-security to truly disable web security.

On MacOS, the full command becomes:

open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials

Regarding `--user-data-dir`

Per David Amey's answer, it is still necessary to specify --user-data-dir= for Chrome to respect the --disable-web-security option.

`--user-data-dir=` vs `--user-data-dir=/some/path`

Though passing in an empty path via --user-data-dir= works with --disable-web-security, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.

Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh or equivalent. Credit to @James B for pointing this out in the comments.

Source

This fix was discovered within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951

Web Security Test

Run this snippet to confirm that this solution actually disabled web security in Google Chrome:

window.addEventListener("DOMContentLoaded", () => {
  const iframe = document.querySelector("iframe");
  iframe.addEventListener("load", () => {
    const canAccessIframeDocument = !!iframe.contentDocument;
    document
      .querySelector(
        canAccessIframeDocument ? ".security-disabled" : ".security-enabled"
      )
      .classList.remove("hidden");
  });
  // To ensure the `load` event always fires, only set iframe src after the
  // event listener is attached.
  iframe.src = "https://google.com";
});

body {
  font-family: sans-serif;
}

.hidden {
  display: none;
}

/* Web security should normally be enabled, so this is colored green, despite
   the objective of this solution to disable it. */
.security-enabled {
  font-weight: bold;
  color: darkgreen;
}

.security-disabled {
  font-weight: bold;
  color: darkred;
}

<h1>Web Security Test</h1>
<p>
  This test attempts to access the inner contents of a cross-origin iframe,
  which is normally disallowed.
</p>
<p class="security-enabled hidden">
  Web security is enabled. The cross-origin iframe document could not be
  accessed.
</p>
<p class="security-disabled hidden">
  Web security is disabled. The cross-origin iframe document was
  successfully accessed.
</p>
<iframe class="hidden">
  Iframes are not supported.
</iframe>

Related Solutions

Disable Same Origin Policy in Chrome – How to Disable

Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:

Note : Kill all chrome instances before running command

chromium-browser --disable-web-security --user-data-dir="[some directory here]"

The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.

From the chromium source:

// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";

Before Chrome 48, you could just use:

chromium-browser --disable-web-security

Chrome DevTools – How to Disable Cache for Website Development

The Chrome DevTools can disable the cache.

Right-click and choose Inspect Element to open the DevTools. Or use one of the following keyboard shortcuts:

F12
Control+Shift+i
Command+Shift+i

Click Network in the toolbar to open the network pane.
Check the Disable cache checkbox at the top.

screenshot of development tools panel

Keep in mind, as a tweet from @ChromiumDev stated, this setting is only active while the devtools are open.

Note that this will result in all resources being reloaded. Should you desire to disable the cache only for some resources, you can modify the HTTP header that your server sends alongside your files.

If you do not want to use the Disable cache checkbox, a long press on the refresh button with the DevTools open will show a menu with the options to Hard Reload or Empty Cache and Hard Reload which should have a similar effect. Read about the difference between the options to know which option to choose. The following shortcuts are available:

Command+Shift+R on Mac
Control+Shift+R on Windows or Linux

long press