How to launch html using Chrome at "--allow-file-access-from-files" mode?

Question

I have the same situation with HERE

And to solve this problem I have to launch html file using Chrome at "--allow-file-access-from-files" mode. I tried next steps many times, but it doesn't work.

start cmd under windows 7
direct to chrome.exe folder
do this chrome --allow-file-access-from-files file:///C:/test%20-%203.html

You can also use a chrome plugin for that. I find it the most practical way. This is just one example: https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en — Robert Parcus, May 28 '15 at 15:03
@RobertParcus That plugin does not seem to work if you're using the `file` protocol. — Andrew Thaddeus Martin, Jun 17 '15 at 15:35
Is this still a thing? I think the parameter does no longer exists... — Xan-Kun Clark-Davis, Nov 22 '20 at 22:38

score 129 · Answer 1 · edited Oct 09 '17 at 20:05

129

That flag is dangerous!! Leaves your file system open for access. Documents originating from anywhere, local or web, should not, by default, have any access to local file:/// resources.

Much better solution is to run a little http server locally.

--- For Windows ---

The easiest is to install http-server globally using node's package manager:

npm install -g http-server

Then simply run http-server in any of your project directories:

Eg. d:\my_project> http-server

Starting up http-server, serving ./
Available on:
 http:169.254.116.232:8080
 http:192.168.88.1:8080
 http:192.168.0.7:8080
 http:127.0.0.1:8080
Hit CTRL-C to stop the server

Or as prusswan suggested, you can also install Python under windows, and follow the instructions below.

--- For Linux ---

Since Python is usually available in most linux distributions, just run python -m SimpleHTTPServer in your project directory, and you can load your page on http://localhost:8000

In Python 3 the SimpleHTTPServer module has been merged into http.server, so the new command is python3 -m http.server.

Easy, and no security risk of accidentally leaving your browser open vulnerable.

edited Oct 09 '17 at 20:05

Diriector_Doc

416
1
10
24

answered Nov 19 '15 at 10:29

orszaczky

7,461
5
38
49

9

THIS should be the accepted answer! I came here looking for the right way to use the `--allow-file-access-to-files` command line option with Chrome (and Opera). Your answer lets me know my question is wrong, for an important reason. On top of all that, you've written your solution in a concise, easy-to-follow way. Thanks a billion! I would also suggest, @orszaczky, that you write essentially the same answer for the SO question that was linked in this original question, i.e. [this other question](http://stackoverflow.com/q/16487803/5218951). I could write it but you deserve the credit. – Andrew Willems Mar 04 '16 at 23:49
Brilliant answer. Hosting correctly is the most important thing to do – Bobby Mar 23 '16 at 20:32
27

This may indeed be a great suggestion, but it is not in fact an answer to the question. The question was not "what is the best way to access local files in chrome" it was specifically "how do I launch with this flag". If you are aware of the risks and don't open anything you didn't create, or if you aren't even online.. it's perfectly fine. There are reasons why this is useful.. which I would assume is the reason google made it an option. – TinMonkey Apr 17 '16 at 03:26
Thanks, you save my life! – LucaA May 16 '16 at 22:35
2

It is funny that you would recommend people to install node rather than python on Windows, just for hosting this simple server. As if the python option would be unsuitable for Windows (which it isn't). **When all you have is a hammer, everything looks like a nail?** – prusswan Oct 06 '16 at 13:21
1

@prusswan I use npm under Windows, but never needed to use Python, while most of the Linux distros I know already have Python available by default. Thanks for the tip, I updated the answer... ;) – orszaczky Oct 06 '16 at 19:07
@prusswan, node is much smaller (install size) and for this use case much faster than python. In fact there's [a Q&A dedicated to alternatives to python for this use case because it's often too slow to be usable](https://stackoverflow.com/questions/12905426/what-is-a-faster-alternative-to-pythons-http-server-or-simplehttpserver). – gman Jul 18 '17 at 05:14
18

This answer is just spreading fear. The `--allow-file-access-from-files` option allows a `file://` webpage access to other `file://` resources, that's all. It does not leave your file system open. – GetFree Oct 23 '17 at 03:11
3

It's not the answer to the question. Some people may really need this, e.g. I am using a special webkit app library Coherent UIGT. When I am testing, I need local file access. BTW, Firefox supports file:// loading another local file. – Eric Jan 09 '18 at 08:24
1

@GetFree, --allow-file-access-to-files does leave your filesystem open. Any script you use on your test page can XHR/fetch the contents of your drive and upload to bad.com. That includes every library you're using, every CDN you access via a script tag or module, etc... Why do it when the correct solution takes 30 seconds to setup? – gman Jul 06 '18 at 17:14
1

@gman, you just repeated what I said. The flag allows a webpage in your harddrive to have access to your harddrive. That's like allowing a .exe program to have access to your harddrive, which is what everybody expects. – GetFree Jul 06 '18 at 20:49
One should not have to install a web server to open an HTML or SVG file from one's own local file system and have it work (do the thing the web page or SVG graphic javascript should do). Because of the strange need to restrict FILE:// access is why folks are needing this option. This does NOT disable sandboxing of the local file system from the document. – Minok Sep 24 '18 at 23:09
@gman it's a trade off I guess, by now I can see that node's server is more efficient, but also comes with bigger footprint for people who have no other reason to install node/npm on Windows (e.g. Python users not primarily interested in web development) – prusswan Jan 25 '19 at 04:04
1

it's not the same as installing an exe. Lots of people use external scripts in their local webpages. They put ``. It's extremely common to do that. Every one of those script suddenly has access to your hard drive. That is not the same as installing a single exe. It's the same as installing a new exe every single time you reload the page. – gman Jan 25 '19 at 06:46

score 86 · Accepted Answer · edited Mar 17 '14 at 10:47

86

Search for the path of your Chrome executable and then, on your cmd, try :

> "C:\PathTo\Chrome.exe" --allow-file-access-from-files

Source

EDIT : As I see on your question, don't forget that Windows is a little bit similar to Unix, so when you type "chrome ...", cmd will search for Chrome in the PATH, but in general the Chrome folder isn't on the PATH. Also, you don't specify an extension for your executable... So if you move to Chrome's folder, this command will probably work too :

> .\chrome.exe --allow-file-access-from-files

edited Mar 17 '14 at 10:47

Saran

3,729
3
33
54

answered Sep 03 '13 at 08:00

Mohamed Amine

2,116
1
19
36

Amine thank you. But I could get the Chrome launched, just also get the 'FileError.SECURITY_ERR'. – AmyWuGo Sep 03 '13 at 08:11
I go to chrome://version and get this:"Command Line chrome --allow-access-from-files --flag-switches-begin --flag-switches-end" Does this mean I already at the "–allow-file-access-from-files". I am not sure "–allow-file-access-from-files" and "--allow-access-from-files" are the same. – AmyWuGo Sep 03 '13 at 08:44
2

I restarted my computer and do the same as you say, and it seems fine. Thank you. – AmyWuGo Sep 03 '13 at 09:50
Great ! Glad it helped you :) – Mohamed Amine Sep 03 '13 at 11:36
2

As per Philippe's comment, you need to exit all chrome processes and restart with the command line option. (Windows 7) – yoyo Oct 16 '14 at 05:08
2

If it's not working after restarting Chrome, check running background processes (chrome icon near the clocks). You might have "Let Google Chrome run in the background" option ON. – Alex Klaus Feb 09 '15 at 00:15
@Amine Stupid question, but just restarting Chromium will turn off the flag right? The `allow-file-access-from-files` isn't a permanent flag, correct? – Abdul Dec 04 '15 at 21:01
1

@Abdul Yes, exactly, unless you create a shortcut with the flag and start Chrome from it. – Mohamed Amine Dec 07 '15 at 14:04
I wanted to upvote this answer, but I like number 42) Thank you for useful answer! – Evgeniy Kosjakov Feb 22 '17 at 11:28
3

Star Chrome from Windows PowerShell: `Start-Process "chrome.exe" "--allow-file-access-from-files"` – Peppe L-G May 09 '17 at 10:43
1

@PeppeL-G 's answer is the easiest solution – Chunky Chunk Jul 27 '17 at 05:56
1

Any alternatives since in 2018-10-21 that solution no longer works? (i'm using chrome 70) – Paulo Lima Oct 21 '18 at 20:20

score 34 · Answer 3 · edited Jun 28 '18 at 13:34

34

You may want to try Web Server for Chrome, which serves web pages from a local folder using HTTP. It's simple to use and would avoid the flag, which, as someone mentioned above, might make your file system vulnerable.

edited Jun 28 '18 at 13:34

Boghyon Hoffmann

13,472
7
49
114

answered Nov 16 '17 at 01:29

Gail Parsloe

481
4
6

3

Brilliant. This is the user friendly solution I was looking for, thanks. – jay-danger Jun 04 '18 at 01:47
1

that's great. Exactly what need for this problem. – A. Denis Jan 24 '19 at 20:03

score 21 · Answer 4 · answered Aug 22 '14 at 23:17

As of this writing, in OS X, it will usually look like this

"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --allow-file-access-from-files

If you are a freak like me, and put your apps in ~/Applications, then it will be

"/Users/yougohere/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --allow-file-access-from-files

If neither of those are working, then type chrome://version in your Chrome address bar, and it will tell you what "command line" invocation you should be using. Just add --allow-file-access-from-files to that.

"chrome://version in your Chrome address bar, and it will tell you what "command line" invocation you should be using" That the point — JCH77, Mar 21 '20 at 20:06

gman · Answer 5 · 2017-07-18T05:11:04.867

17

Don't do this! You're opening your machine to attacks. Instead run a local server. It's as easy as opening a shell/terminal/commandline and typing

cd path/to/files
python -m SimpleHTTPServer

Then pointing your browser to

http://localhost:8000

If you find it's too slow consider this solution

edited Jul 18 '17 at 05:11

answered Feb 03 '14 at 03:37

gman

83,286
25
191
301

+1 to the link to https://stackoverflow.com/questions/12905426/what-is-a-faster-alternative-to-pythons-http-server-or-simplehttpserver – ESRogs Jun 15 '18 at 01:08
1

Those attacks are for `--disable-web-security`, not `--allow-file-access-from-files`, so they won't work - just so people know. There's a risk, but it's no where near that size. – Jul 06 '18 at 10:55
Did you even read the article? At least one of the attacks is possible with just `--allow-file-access-from-files` which. Why take the risk at all when the zero risk way is so simple? – gman Jul 06 '18 at 14:46
@JoeRocc, thanks for the downvote and thank you for helping people to unsecure their machines. You're a real hero – gman Jul 06 '18 at 17:06
I almost fully agree with you, except for the semi-conflation of the two flags, and of open web vs local file. I imagine a fair number of people may misread the risk with the way your post reads. I don't downvote as a way to disrespect you - only to help curate the answers. But I undid the downvote because I'd prefer not to argue further. Honestly had no intention to do any harm here. Edit: turns out it won't let me undo the vote until an edit is made, sorry :/ – Jul 06 '18 at 18:10
love how this is continously downvoted because people dislike the answer and yet the same exact answer posted by someone else a year later is the top voted answer. – gman Aug 06 '18 at 15:12
1

This, like all other variations of this, is not the correct answer, nor even the problem. Its factually wrong what you are suggesting. Launching with that option doesn't open your machine to attacks. It, in a controlled way' disables myopic/lazy implementation of a security clamp down that is too broad. A local HTML or SVG file should absolutely have access to file: protocol content, such as its own .css file. – Minok Jan 22 '20 at 23:58
Sounds like you didn't follow the links. They should proof of the possible attacks. Not theory. Real proof. – gman Jan 23 '20 at 02:06

score 6 · Answer 6 · edited May 15 '16 at 18:04

6

If you are using a mac you can use the following terminal command:

open -a Google\ Chrome --args --allow-file-access-from-files

edited May 15 '16 at 18:04

m00am

4,974
11
45
60

answered May 15 '16 at 17:00

taz

135
2
3

score 1 · Answer 7 · answered Oct 30 '17 at 19:16

1

Quit (force quit) all instances of chrome. Otherwise the below command will not work.

open -a "Google Chrome" --args --allow-file-access-from-files

Executing this command in terminal will open Chrome regardless of where it is installed.

answered Oct 30 '17 at 19:16

Matt Perejda

479
5
14

1

"Quit all instances" -- This is true in my experience (on Linux). This is apparently a shared state that can only be set on a fresh launch. – Brent Bradburn Jan 11 '18 at 02:37

YJDev · Answer 8 · 2019-09-18T20:55:04.237

1

REM Kill all existing instance of chrome 
taskkill /F /IM chrome.exe /T
REM directory path where chrome.exe is located
set chromeLocation="C:\Program Files (x86)\Google\Chrome\Application"
cd %chromeLocation%
cd c:
start chrome.exe --allow-file-access-from-files

save above lines as .bat file

edited Sep 18 '19 at 20:55

answered Sep 18 '19 at 20:49

YJDev

377
2
5

taskkill /F /IM chrome.exe /T Useful to not reboot my computer – JCH77 Mar 21 '20 at 20:06

OO7 · Answer 9 · 2020-03-21T23:22:28.403

Depending on the file which will be put into filesystem, as long as that file is not a malware, then that would be safe.

But don't worry to write/read file(s) to File System directory, cause you can tighten that directory security (include it's inheritance) by give a proper access right and security restriction. eg: read/write/modify.

By default, File System, Local Storage, and Storage directory are located on "\Users[Current User]\AppData\Local\Google\Chrome\User Data\Default" directory.

However you can customize it by using "--user-data-dir" flag.

And this is a sample:

"C:\Program Files (x86)\Google\Application\chrome.exe" --user-data-dir="C:\Chrome_Data\OO7" --allow-file-access-from-files

Hope this helps anyone.

score 1 · Answer 10 · answered May 31 '20 at 14:11

1

Well there is quick to run a html which needs permission or blocked by CORS Just simply open the folder using VSCODE and install an extension called "live server"

And then just click on the bottom which says go live, thats it. Screenshot

answered May 31 '20 at 14:11

Prosenjeet Paul

79
1
6

score 0 · Answer 11 · answered Jan 20 '19 at 06:05

0

On windows:

chrome --allow-file-access-from-files file:///C:/test%20-%203.html

On linux:

google-chrome --allow-file-access-from-files file:///C:/test%20-%203.html

answered Jan 20 '19 at 06:05

Bonn

165
11

How to launch html using Chrome at "--allow-file-access-from-files" mode?

11 Answers11

Linked