93

I have a problem with the --disable-web-security flag. It is not working in Chrome 48 and Chrome 49 beta on Windows.

I've tried killing all of the instances, rebooting and running Chrome with the flag first of all, and trying different machines as well. In the beta I can see the warning popup ("You are using unsupported flag.."), but CORS is still being enforced. The public version seems to ignore the flag completely.

There seems to be no news or reports from people about that, so it might be a local issue. I will be grateful for help or any related info.

sideshowbarker
Anatoly Sazanov
  • Responsible developers don't disable web security https://stackoverflow.com/a/33801287/128511 – gman Jul 24 '19 at 07:26
  • @gman: It's a simple and reliable solution for a problem that you sometimes have during development. Just remember to close that browser instance again. No need for FUD. – wortwart Mar 05 '21 at 12:55

13 Answers

87

I'm seeing the same thing. A quick google found this question and a bug on the chromium forums. It seems that the --user-data-dir flag is now required. Edit to add user-data-dir guide

David Amey
  • 4
    Thank you, it works! Empty --user-data-dir doesn't work in beta anymore, though. One should provide a value to user data for both flags to work. – Anatoly Sazanov Feb 20 '16 at 10:00
  • Thanks for the answer. I still had trouble, as I never implemented this before, so if people are still confused after reading the above, please see my answer below. – Dan Zuzevich Nov 23 '16 at 03:44
60

Mac OS:

```bash
open -a Google\ Chrome --args --disable-web-security --user-data-dir=
```

UPD: add = to --user-data-dir because newer chrome versions require it in order to work

mxxk
jirikolarik
  • 2
    Since [this](https://bugs.chromium.org/p/chromium/issues/detail?id=575690) was fixed, you'll need to specify a user-data-dir so: `open -a Google\ Chrome --args --disable-web-security --user-data-dir=/some/dir` – David Amey Mar 11 '16 at 08:10
  • 9
    For Chrome Version 50+ for Mac Users. Close all opened chrome first and run the below command `open -a Google\ Chrome --args --disable-web-security --user-data-dir=""` – Velu S Gautam May 06 '17 at 06:17
  • Note: A banner should appear that states "web security is disabled". If this banner doesn't appear you need to make sure to force quit chrome before running the command (right click quick launch icon -> quit -> re-run command). – Z. Bagley Feb 11 '19 at 15:59
  • *Please note*! From Chrome version 80 the `--user-data-dir=""` is not working anymore with `--disable-web-security`. You need to put a real path like `--user-data-dir="/tmp/temppropfile"` – keul Feb 25 '20 at 08:13
60

Update 2020-04-30

As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials and a non-empty profile path via --user-data-dir in order for --disable-web-security to take effect:

```bash
# MacOS
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
```

(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir= vs --user-data-dir=/some/path for more details below.

Thanks to @Snæbjørn for the Chrome 81 tip in the comments.


Update 2020-03-06

As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials no longer disables web security.

It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.


Original Post 2019-11-01

In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials flag alongside arguments --user-data-dir= and --disable-web-security to truly disable web security.

On MacOS, the full command becomes:

```bash
open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials
```

Regarding --user-data-dir

Per David Amey's answer, it is still necessary to specify --user-data-dir= for Chrome to respect the --disable-web-security option.

--user-data-dir= vs --user-data-dir=/some/path

Though passing in an empty path via --user-data-dir= works with --disable-web-security, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.

Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh or equivalent. Credit to @James B for pointing this out in the comments.

Source

This fix was discovered within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951

mxxk
  • 3
    Just because a value isn't required to make it work doesn't mean it's a good idea. Running the command you give will open your default Chrome profile, with established sessions to your email / bank / whatever, but no web security to keep those accounts from being compromised by malicious sites. – James B Nov 06 '19 at 11:36
  • Good point @JamesB. I've rolled your insight into the answer. – mxxk Nov 11 '19 at 23:07
  • 1
    On my Mac with Chrome 81, this command worked: `open -na Google\ Chrome --args --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp` I obtain an alert complaining about the `~/chromeTemp` dir, but works – David Mar 17 '20 at 16:32
  • @David though I didn't get the Chrome 81 update yet (it's not available in Settings), web security was not disabled when I ran your command-line. The warning about `~/chromeTemp` happens because the tilde `~` does not get expanded to your home directory as you might expect. This is verifiable by putting an `echo` before the entire command-line and seeing that the `~` is still printed out. – mxxk Mar 17 '20 at 20:47
  • @mxxk Chrome 81 is the beta (develop using the beta version is a way to anticipate to future changes that may break your site). I have been trying different command lines and that was the only one that worked in my case, but I've observed that for other people the previous commands still works... It's weird – David Mar 18 '20 at 09:57
  • 1
    Stuck on Enterprise Chrome 79-ish and I can confirm the security flags still work. – Boris Apr 23 '20 at 11:30
  • 1
    I can confirm that `--user-data-dir=C:\tmp\some-path --disable-web-security --disable-site-isolation-trials` work in Chrome 81 on windows 10 – Snæbjørn Apr 30 '20 at 12:11
  • Good find @Snæbjørn. Just confirmed that these flags work on Chrome 81 on MacOS, _and_ that both `--disable-site-isolation-trials` and a non-empty `--user-data-dir` are both required for web security to be properly disabled. Updated the answer. – mxxk May 01 '20 at 01:32
  • `--disable-site-isolation-trials` is not necessary but a value for `user-data-dir` is (tested on Chrome 89/Win) - see Irrech's answer. – wortwart Mar 05 '21 at 12:51
  • 1
    Thanks for the tip @wortwart. Perhaps Chrome 89 made `--disable-site-isolation-trials` unnecessary in this case. I'm still on Chrome 88 (MacOS), and can confirm that `--disable-site-isolation-trials` still needs to be present. Will update the answer after confirming Chrome 89+ behavior. – mxxk Mar 08 '21 at 23:38
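
The profile-isolation advice in the answer above, as an added example that is not part of the original answer or its comments: a POSIX shell launcher for macOS/Linux that refuses an empty, relative, unexpanded-tilde or default-profile `--user-data-dir`, then runs Chrome against a throwaway profile and deletes it on exit. `CHROME_BIN`, the function names and the listed default profile locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Targets macOS/Linux shells.
# CHROME_BIN must be the real browser binary that stays in the foreground
# (not `open -a`, which returns at once); the default name is taken from the thread.
CHROME_BIN="${CHROME_BIN:-google-chrome-stable}"

# Return 0 only if $1 is acceptable as --user-data-dir next to
# --disable-web-security: non-empty, absolute, not a default profile.
profile_dir_ok() {
    dir="$1"
    case "$dir" in
        "")   echo "empty path: would use the default profile" >&2; return 1 ;;
        "~"*) echo "literal tilde: the shell did not expand it" >&2; return 1 ;;
        /*)   ;;
        *)    echo "relative path: must be absolute" >&2; return 1 ;;
    esac
    # Usual default profile locations on Linux and macOS (assumed; extend as needed).
    for default in "${HOME:-}/.config/google-chrome" \
                   "${HOME:-}/Library/Application Support/Google/Chrome"; do
        case "$dir" in
            "$default"|"$default"/*)
                echo "refusing default profile: $dir" >&2; return 1 ;;
        esac
    done
    return 0
}

# Create a fresh profile, run Chrome with the flags discussed above, and
# delete the profile when the shell exits so no session data is left behind.
launch_isolated_chrome() {
    profile=$(mktemp -d "${TMPDIR:-/tmp}/chrome-dev.XXXXXX") || return 1
    trap 'rm -rf "$profile"' EXIT
    profile_dir_ok "$profile" || return 1
    "$CHROME_BIN" --user-data-dir="$profile" --disable-web-security \
        --disable-site-isolation-trials "$@"
}

# Launch only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--launch" ]; then
    shift
    launch_isolated_chrome "$@"
fi
```

On macOS, point `CHROME_BIN` at the binary inside the app bundle (the path used in another answer on this page) so the script waits for the browser to close before removing the profile.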
28

On OS X, to open a new Chrome window - without having to close the already open windows first - pass in the additional -n flag. Make sure to specify empty string for data-dir (necessary for newer versions of Chrome, like v50 something+).

```bash
open -na /Applications/Google\ Chrome.app/ --args --disable-web-security --user-data-dir=""
```

I found that using Chrome 60+ on Mac OS X Sierra, the above command no longer worked, but a slight modification does:

```bash
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_sess_1" --disable-web-security
```

The data directory path is important. Even if you're standing in your home directory when issuing the command, you can't simply refer to a local directory. It needs to be an absolute path.

Per Quested Aronsson
24

The chosen answer is good, but for those who are still struggling with what they are talking about (your first time dealing with this issue), the following worked for me.

I created a new shortcut to Chrome on my desktop, right clicked it, and set the "Target" field to the following,

```bat
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="c:/chromedev"
```

The directory can be anything you want; I decided to make an empty folder called chrome dev in my C: directory. It has nothing to do with where Chrome is installed on your computer. It's just a fluff type thing.

This link also has clear directions for other OSes. How to disable web security in Chrome

Dan Zuzevich
15

The version 49.0.2623.75 (64-bit) is not in beta anymore.

The command to fix the CORS issue is `google-chrome-stable --disable-web-security --user-data-dir`

user2634882
10

Install this Chrome plugin to disable web security in Chrome:

"Allow-Control-Allow-Origin: *" (link here), or you can google the above plugin if you want.

It is very easy to enable and disable the security with this plugin.

Mehul D
3

For Chrome Version 50+ for Mac Users. Close all opened chrome first and run the below command

```bash
open -a Google\ Chrome --args --disable-web-security --user-data-dir=""
```

The above will work. Thanks

Velu S Gautam
3

From Chrome v81 the param --user-data-dir= requires an actual parameter, whereas in the past it didn't. Something like this works fine for me

```bat
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="\tmp\chrome_test"
```
Irrech
2

For Mac, using Safari is a good alternate option for local development purposes and the feature is built into the browser (so no need to add a browser extension or launch Chrome using a bash command like `open -a Google\ Chrome --args --disable-web-security --user-data-dir=""`).

To disable cross origin restriction using Safari (v11+): From menu click “Develop > Disable Cross Origin Restriction”.

This does not require relaunching the browser and since it's a toggle you can easily switch to secure mode.

Maksood
2

In a terminal put these:

```bat
cd C:\Program Files (x86)\Google\Chrome\Application

chrome.exe --disable-web-security --user-data-dir="c:/chromedev"
```
Tabares
1

As of the date of this answer (March 2020) there is a plugin for chrome called CORS unblock that allows you to skip that browser policy. The 'same origin policy' is an important security feature of browsers. Please only install this plugin for development or testing purposes. Do not promote its installation in end client browsers because you compromise the security of users and the chrome community will be forced to remove this plugin from the store.

JorgeMora
0

It's working for me. Try using this; it will help you out.

```bat
c:\Program Files\Google\Chrome\Application>chrome.exe --disable-web-security --user-data-dir="D:\chrome"
```

dippas