Close chrome (or chromium) and restart with the
--disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src=”http://google.com” embedded in a page served from “localhost” (tested under chromium 5 / ubuntu). For me the exact command was:
Note: Kill all chrome instances before running the command
chromium-browser --disable-web-security --user-data-dir="[some directory here]"
The browser will warn you that “you are using an unsupported command-line” when it first opens, which you can ignore.
From the chromium source:
// Don't enforce the same-origin policy. (Used by people testing their sites.) const wchar_t kDisableWebSecurity = L"disable-web-security";
Before Chrome 48, you could just use:
How to disable same origin policy in Chrome?
- Open the start menu
- Type windows+R or open “Run”
- Execute the following command:
chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security
- Go to Terminal
- Execute the following command:
open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security
A new web security disabled chrome browser should open with the following message:
If you want to open a new instance of web security disabled Chrome browser without closing existing tabs then use the below command
open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security
It will open a new instance of web security disabled Chrome browser as shown below:
Can I disable same origin policy in Chrome?
Yep. For OSX, open Terminal and run:
$ open -a Google\ Chrome --args --disable-web-security --user-data-dir
–user-data-dir required on Chrome 49+ on OSX
For Linux run:
$ google-chrome --disable-web-security
Also if you’re trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.
For Windows go into the command prompt and go into the folder where Chrome.exe is and type
That should disable the same origin policy and allow you to access local files.
Update: For Chrome 22+ you will be presented with an error message that says:
You are using an unsupported command-line flag: –disable-web-security. Stability and security will suffer.
However, you can just ignore that message while developing.
How to disable the cross-origin resource policy on Chrome?
Using the current latest chrome Version 100.0.4896.127 (Official Build) (64-bit)
windows : click the start button then copy paste the below (change the D:\temp to your liking).:
chrome.exe --disable-site-isolation-trials --disable-web-security --user-data-dir="D:\temp"
Linux : start a terminal then run the below command (change the ~/tmp directory to your liking)
google-chrome --disable-site-isolation-trials --disable-web-security --user-data-dir="~/tmp"
Note : This solution will start chrome in an isolated sandbox and it will not affect the main chrome profile.
For windows users with Chrome Versions 60.0.3112.78 (the day the solution was tested and worked) and at least until today 19.01.2019 (ver. 71.0.3578.98). You do not need to close any chrome instance.
- Create a shortcut on your desktop
- Right-click on the shortcut and click Properties
- Edit the Target property
- Set it to “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –disable-web-security –user-data-dir=”C:/ChromeDevSession”
- Start chrome and ignore the message that says –disable-web-security is not supported!
BEWARE NOT TO USE THIS PARTICULAR BROWSER INSTANCE FOR BROWSING BECAUSE YOU CAN BE HACKED WITH IT!
I find the best way to do this is duplicate a Chrome or Chrome Canary shortcut on your windows desktop. Rename this shortcut to “NO CORS” then edit the properties of that shortcut.
in the target add
--disable-web-security --user-data-dir="D:/Chrome" to the end of the target path.
your target should look something like this:
Update: New Flags added.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:/Chrome"
Answer #6: A recommendation-
Don’t do this! You’re opening your accounts to attacks. Once you do this any 3rd party site can start issuing requests to other websites, sites that you are logged into.
Instead, run a local server. It’s as easy as opening a shell/terminal/commandline and typing
cd path/to/files python -m SimpleHTTPServer
Then point your browser to
You are opening yourself to attacks. Every single 3rd party script you include on your site remotely or locally like via npm can now upload your data or steal your credentials. You are doing something you have no need to do. The suggested solution is not hard, takes 30 seconds, doesn’t leave you open attack. Why would you choose to make yourself vulnerable when the better thing to do is so simple?
Telling people to disable security is like telling your friends to leave their front door unlocked and/or a key under the doormat. Sure the odds might be low but if they do get burgled, without proof of forced entry they might have a hard time collecting insurance. Similarly, if you disable security you are doing just that disabling security. It’s irresponsible to do this when you can solve the issue so simply without disabling security. I’d be surprised if you couldn’t be fired at some companies for disabling security.
How to disable the same origin policy in Chrome in Linux?
If you are using Google Chrome on Linux, the following command works.
Hope you learned something from this post.
Follow Programming Articles for more!