By default cross-origin requests are not allowed at chrome, chromium from file:
protocol. You can close open instances of chrome, chromium and launch with --disable-web-security
flag
google-chrome --disabled-web-security
or launch with existing instances open by setting a different user-data-dir
google-chrome --disable-web-security --user-data-dir="~/.config/google-chrome-temp"
is there an approach which could accomplish what I need to do, whilst
not requiring me to modify the policies of local web-browsers?
Not at chrome, chromium without modifying default settings; or creating an chromium extension or app to perform network requests - where too, proper permissions
need to be set.
The restriction is there for a purpose. One of the several security issues is that user at a local computer could, possibly unknowingly, upload a listing of all of the files in one or more directories on their computer, and potentially the directories themselves, without necessarily being aware of that fact, see
How FileReader.readAsText in HTML5 File API works?
which; note, could also occur without flags being set. Or, a requested script could perform actions to read or write to local filesystem without user necessarily being aware of their local filesystem being accessed by an external script.
Though, with restrictions in place, the user has to perform an affirmative action to disable default settings restricting access to local file system from file:
protocol, and restricting local file system to fetch resources from null
origin
to a different origin.
As noted by @StefanoBalzarotti
sorry if I am fussy, but this limitation is not related to the 'file:'
protocol, even with 'data:', 'about:' etc... you can't make a cross
origin request. The requirement to make a cross origin request is to
have an host for origin
which should be taken into consideration as to the reasons why browser developers would implement such a default limitation on cross origin request.
Used sparingly, and with awareness of the significance of the flags, the flags --disable-web-security
and --allow-file-access-from-files
, see
are designed for local web development, not as a workaround for a local application which requires resources from a web application.
--disable-web-security
Don't enforce the same-origin policy. (Used
by people testing their sites.)
--allow-file-access-from-files
By default, file:// URIs cannot read
other file:// URIs. This is an override for developers who need the
old behavior for testing.
"testing" term in description of flags should provide emphasis of the usage of the flags. The flags are not designed for production usage.
Alternatives,
where either requires proper permissions
settings at manifest.json
.