Is there a way to disable the same origin policy on Google's Chrome browser?

This is strictly for development, not production, use.

1 upvote
  flag
See also peter.sh/experiments/chromium-command-line-switches, I am not sure of its authenticity but it appears to be a collection produced by an automated process – Kevin M
1 upvote
  flag
chromium.org links to the peter.sh page, so must be pretty legit. – benjineer
upvote
  flag
Note that disabling SOP, even when only used for development, is dangerous. When you start your browser this way, you are probably not only going to open your app, but also check your mails, read SO… Consider using better alternatives, e.g. web proxies, to resolve these issues. For instance via proxrox: github.com/bripkens/proxrox – BenR
20 upvote
  flag
Since version 49, use this option --disable-web-security --user-data-dir – vanduc1102
2 upvote
  flag
For anyone looking for advice on how to do this in a developer environment using a grunt run server see this: gist.github.com/Vp3n/5340891 – GrayedFox
2 upvote
  flag
@vanduc1102, you are a life-saver. – ramijames

25 Answers

up vote 715 down vote accepted

Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:

Note: Kill all Chrome instances before running the command.

chromium-browser --disable-web-security --user-data-dir

The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.

From the chromium source:

// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";

Before Chrome 48, you could just use:

chromium-browser --disable-web-security
81 upvote
  flag
How to do this on OS X? – Landon Kuhn
11 upvote
  flag
@landon9720 see the answer by ectype. – ANeves
3 upvote
  flag
how can i re-enable it again? chrome.exe --enable-web-security doesn't work ^^ – Berty
8 upvote
  flag
@Berty Just close chrome and open it without the tag. Chrome will only be in that mode if it was opened with that tag – Nick Miceli
1 upvote
  flag
Excuse me, how to "restart with the --disable-web-security argument " in windows. I don't know how to operate. – Stallman
1 upvote
  flag
I have the same question as @Stallman - I would like to do this with Chrome Canary (only shows Chrome.exe in my Chrome Application folder). – t3rse
2 upvote
  flag
This seems to be no longer working in recent chrome versions – Mister Smith
upvote
  flag
Correction: it is still working, but a yellow misleading alert message appears on top. Just ignore it, the calls are actually being made. – Mister Smith
72 upvote
  flag
@landon9720 Close Chrome, open terminal, type open /Applications/Google\ Chrome.app --args --disable-web-security – Seanonymous
2 upvote
  flag
This does not seem to be working for the current version of chrome anymore – Massimo Fazzolari
6 upvote
  flag
This does still work, but all instances of chrome must be closed prior to running it with the flag set. – servarevitas3
upvote
  flag
I'm using version 28 of Chrome (latest at time of writing) and this method still works. As servarevitas3 said, make sure Chrome is not running in the background when you set the argument. – GFoley83
upvote
  flag
You really shouldn't disable web security. You're opening your machine to being owned. Yes, it's for development, but click the wrong link or visit another website and you might just have gotten your machine owned. It's simple to run a server. Open shell/terminal/command line and type cd path/to/files followed by python -m SimpleHTTPServer, then point your browser at http://localhost:8000. If that's too slow use this – gman
1 upvote
  flag
@Seanonymous actually a better way: open -a "Google Chrome" --args --disable-web-security also, there is an extension for that! – cregox
1 upvote
  flag
@gman The issue isn't running a server. Most everyone here knows how to run a little python or node server. I'm running one now and still have this problem. – Charlie Martin
upvote
  flag
Then there's some other issue. The solution is never "--disable-web-security" any more than it's "remove the password from root so anyone can log in as root". – gman
2 upvote
  flag
Just in case anyone else runs into the same issue, I found that I had to end all running Chrome processes before this would work. – Chris
upvote
  flag
I've noticed that google drive does not open with this flag – mishal153
16 upvote
  flag
In Chrome 48 and 49 one has to add --user-data-dir as well. – Jacob Lauritzen
1 upvote
  flag
I am using the Canary version 53, it looks like this stops working, is it? I got a message "you are using an unsupported command line tag: --disable-web-security" – khoailang
upvote
  flag
Just ran chrome with the option, got the warning, still getting "Response for preflight has invalid HTTP status code 401" on an x-origin request. This totally sucks. – John
upvote
  flag
version 55 seems not to work for me :( – Marek Czaplicki
4 upvote
  flag
@MarekCzaplicki On version 55 it requires you to define an actual directory for --user-data-dir (--user-data-dir=<some directory>) Once done, this worked perfectly for me. – lassombra
upvote
  flag
I keep running those commands and it opens Chrome with the command-line flag, but somehow it behaves as if it did not. Why is that happening? – Nuri Engin
upvote
  flag
It worked in Ubuntu 16.04 and chromium latest version the time I'm writing .. :p – Code Cooker

Yep. For OSX, open Terminal and run:

$ open -a Google\ Chrome --args --disable-web-security --user-data-dir

--user-data-dir required on Chrome 49+ on OSX

For Linux run:

$ google-chrome --disable-web-security

Also if you're trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.

--allow-file-access-from-files

For Windows go into the command prompt and go into the folder where Chrome.exe is and type

chrome.exe --disable-web-security

That should disable the same origin policy and allow you to access local files.

Update: For Chrome 22+ you will be presented with an error message that says:

You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.

However you can just ignore that message while developing.

4 upvote
  flag
Just tried this on pc (chrome 29) and i am still getting these lovely Origin *** is not allowed by Access... – Sam
21 upvote
  flag
@Sam Make sure you have closed all chrome processes, then try again. Chrome will issue a warning header if you have done it correctly: "You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer" – Morten Haraldsen
upvote
  flag
Yeh that was it. I had google hangouts lingering around. Thanks Morten – Sam
2 upvote
  flag
Is there a way to prevent the error message from appearing as well? I'm using this flag on digital wallboard without keyboard or mouse. – Bart van Heukelom
1 upvote
  flag
Thanks for adding the OSX command line.. worked charmful for me! This answer needs the checkmark! – rhigdon
1 upvote
  flag
Thanks. This worked. One more detail to note for others finding this: Chrome needs to be CLOSED before you run this command. – timothykc
1 upvote
  flag
I found I needed to use this on Mac OSX: open -a /Applications/Google\ Chrome.app --args --disable-web-security – Alex
53 upvote
  flag
And apparently now --disable-web-security does not work unless you also explicitly give a --user-data-dir. ie OSX /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --user-data-dir=~/ChromeUserData/. – WiseOldDuck
3 upvote
  flag
@WiseOldDuck you saved my life!!! :) It'd be good if someone updated the answer with the --user-data-dir args – Jesús Quintana
1 upvote
  flag
It's Chrome 49 where it changed – WiseOldDuck
upvote
  flag
Is there any way to enable the web security again? I couldn't turn it back on even after deleting the app and all associated web application support files. My browser looks ugly. :( – Frank Wang
upvote
  flag
For windows, inside the same directory as chrome.exe , create a .bat file like this : echo chrome.exe --disable-web-security --user-data-dir=C:\YOUR_CHROME_USR_DATA_DIR > chrome.bat Then create a shortcut on your desktop – Ronan Quillevere
4 upvote
  flag
You don't have to close all Chrome processes first. You can use open -n. Simply run open -n -a Google\ Chrome --args --disable-web-security --user-data-dir=/tmp/chrome. This will open a second Chrome app instance on your mac, and you can use them side by side. – Pelle ten Cate
1 upvote
  flag
thanks @WiseOldDuck ! adding argument --user-data-dir worked for me – Amey P Naik
upvote
  flag
@PelletenCate this should be the accepted answer now – mbdavis

For Selenium Webdriver, you can have selenium start Chrome with the appropriate arguments (or "switches") in this case.

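require 'selenium-webdriver'

# Older selenium-webdriver releases accept Chrome command-line flags via :switches.
@driver = Selenium::WebDriver.for(:chrome, {
  :detach => false,
  :switches => ["--disable-web-security"]
})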
1 upvote
  flag
That's two preceding dashes for disable-web-security. In my browser it made them look like one looong dash. – mikelupo

If you are using Google Chrome on Linux, following command works.

google-chrome  --disable-web-security

For Windows... create a Chrome shortcut on your desktop.
Right-click > Properties > Shortcut
Edit "target" path :

"C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security

et voilà :)

upvote
  flag
As of today 08/27/20013 it works for me, allowing me to do Ajax on my own localhost. – molokoloco
3 upvote
  flag
Unfortunately, this is not working for me. – Tod Birdsall
upvote
  flag
got "you are using an unsupported command line tag: --disable-web-security" with Canary version 53 – khoailang
1 upvote
  flag
@khoailang you can still use the switch. That warning is part of Google's war on insecurity (a good thing). Also, as of version 55+ you need to also use --user-data-dir=<some other directory here> so Google doesn't want you mixing insecure rules with your normal profiles. – lassombra

For Windows users:

The problem with the solution accepted here, in my opinion, is that if you already have Chrome open and try to run this it won't work.

However, when researching this, I came across a post on Super User, Is it possible to run Chrome with and without web security at the same time?.

Basically, by running the following command (or creating a shortcut with it and opening Chrome through that)

chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security

you can open a new "unsecure" instance of Chrome at the same time as you keep your other "secure" browser instances open and working as normal.

11 upvote
  flag
awesome thanks. thanks to this, I've been able to launch a webpage as an independent application "C:\..\chrome.exe" --disable-web-security --user-agent="Android" --user-data-dir="C:/temp-chrome-eng" --app="file:///C:/apps/index.html" – Elvis Ciotti
1 upvote
  flag
Precisely what I was needing when attempting to do development against an API on my local machine. – generalopinion
2 upvote
  flag
This worked a treat. It also left my normal instance of chrome with security turned on and functioning normal. Just a side note when it does work Chrome will notify you that "Stability and Security will suffer". – etoxin
upvote
  flag
How can I do this in a Mac? Tried using open -a Google\ Chrome --args --disable-web-security -–allow-file-access-from-files --user-data-dir="/Users/myuser/temp/chromeData", it just made the existing chrome window gain focus, nothing else? – user3648895
upvote
  flag
@user3648895 I'm not a Mac/OSX user, so I'm afraid I don't know. Look into the OSX answer on this question. – Ola Karlsson
3 upvote
  flag
You must close all chrome windows and kill chrome process before attempting this. – sibidiba
9 upvote
  flag
This command works in OSX by starting a second instance: open -n -a /Applications/Google\ Chrome.app --args --user-data-dir="/tmp/chrome_dev_session" --disable-web-security (You may need to make the temp folder first) – chilltemp
upvote
  flag
In Windows, you can also use the Google Chrome plugin to add the allow-control-allow-origin header to your requests. – Chris - Jr

Don't do this! You're opening your accounts to attacks. Once you do this any 3rd party site can start issuing requests to other websites, sites that you are logged into.

Instead run a local server. It's as easy as opening a shell/terminal/commandline and typing

cd path/to/files
python -m SimpleHTTPServer

Then pointing your browser to

http://localhost:8000

If you find it's too slow consider this solution

2 upvote
  flag
This wouldn't open "your machine" to attacks. A malicious JavaScript code wouldn't be able to do much on the client machine itself. You, however, would allow malicious JavaScript code to potentially manipulate your accounts on other websites (facebook/administrations/banks/...). This certainly isn't any less dangerous, but it's completely different. – dim

On a Windows PC, use an older version of Chrome and the command will work for all you guys. I downgraded my Chrome to 26 version and it worked.

1 upvote
  flag
You don't need an older version of Chrome; use this full command: --disable-web-security --user-data-dir="D:/Chrome" – vignesh sivakumar

I didn't want to restart Chrome and disable my web security (because I was browsing while developing) and stumbled onto this Chrome extension.

Chrome Web Store Allow-Control-Allow-Origin: *
(https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en)

Basically it's a little toggle switch to toggle on and off the Allow-Access-Origin-Control check. Works perfectly for me for what I'm doing.

EDIT: I tried using it just the other day for another project and it stopped working. Uninstalling and reinstalling the extension fixed it (to reset the defaults).

1 upvote
  flag
How can I achieve this and integrate it with my extension, as my extension needs to access cross domain? I cannot force the user to open the browser with disable-web-security – codebased
upvote
  flag
It only allows AJAX requests not normal webpages and extensions to access webpages. – Lothar
1 upvote
  flag
This extension won't work for local files, unfortunately. Stick to the --disable-web-security switch in that case. – bryc
2 upvote
  flag
@bryc It's not really meant to. Consider though that you can use --allow-file-access-from-files instead of disabling all web security. – Coburn
upvote
  flag
Extension is useful, works as expected. BUT If I toggle on this extension then I can't browse youtube, google docs etc.. I'm sure problem in extension. – MyTitle
upvote
  flag
Yup, you are right, I am getting this same problem. The specific error in the Javascript console is this one (no idea if there's a work around) //allinonescript.com/questions/19743396/… – Coburn
upvote
  flag
Warning! Some sites won't let you log in with this extension enabled! Firebase console, for example. – campsjos

This Chrome plugin works for me: Allow-Control-Allow-Origin: * - Chrome Web Store

4 upvote
  flag
This plugin broke in my browser and started breaking all the XHR things. Use with caution. – etoxin

Seems none of the above solutions are actually working. The --disable-web-security is no longer supported in recent Chrome versions.

The Allow-Control-Allow-Origin: * Chrome extension partially solved the problem. It works only if your request uses the GET method and there's no custom HTTP header. Otherwise, Chrome will send an OPTIONS HTTP request as a pre-flight request. If the server doesn't support CORS, it will respond with a 404 HTTP status code. The plugin can't modify the response HTTP status code, so Chrome will reject this request. There's no way for a Chrome plugin to modify the response HTTP status code based on the current Chrome extension API. And you can't do a redirect for an XHR-initiated request either.

Not sure why Chrome makes developers' lives so difficult. It blocks all the possible ways to disable the XSS security check, even for development use, which is totally unnecessary.

After days of struggle and research, one solution works perfectly for me: to use corsproxy. You have two options here:

  1. use corsproxy.com
  2. install corsproxy on a local box: npm install -g corsproxy

upvote
  flag
If you're going to go to that extent, you could always just host a web server locally or remotely that pulls the content from the webpage you desire and then set the proper CORS headers on that. – Coburn
upvote
  flag
I have thought of this route before. But this needs some coding, especially in my case: I need to call several services which originate from different domains. So I have to map different URL patterns to different domains. This is exactly what corsproxy has done for us. And it works perfectly. – Jianwu Chen
upvote
  flag
Of course doesn't work with https which is something google and mozilla want to enforce now on every page. – Lothar
3 upvote
  flag
Not true.. The way mentioned in accepted answer worked for me.. As it mentions, Chrome 49 onwards command 'chrome.exe --disable-web-security --user-data-dir' worked for me.. – Gaurang Patel
upvote
  flag
--disable-web-security is "unsupported" but continue to work just fine – guya
1 upvote
  flag
Chromium 53, --disable-web-security --user-data-dir didn't work for me – Dark Star1
2 upvote
  flag
In 53+ you need to actually provide a unique user data directory which is different from your normal directory. This creates a new profile for the insecure environment. --user-data-dir needs to be set equal to something, such as in Ola's answer above. If you really want to, you CAN set it equal to your actual normal user profile folder, but this is highly discouraged as it leaves your normal profile open to accidental attacks if you start normal browsing while in that mode. – lassombra
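
What the pre-flight exchange described in the answer above needs from the server, as an added example (not code from this thread or from corsproxy): a local development API stub in Python that answers OPTIONS pre-flights with a 2xx status and sets CORS headers only for an allow-list of development origins, so Chrome can keep the same-origin policy enabled. The origins, port, allowed methods and headers, and the names cors_decision and DevApiHandler are assumptions.

```python
"""Dev-only API stub that handles CORS itself, so Chrome can keep the
same-origin policy enabled. All names and values below are assumptions."""
import json
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample values: origins the front end is served from in development.
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}  # compared lower-case


def cors_decision(method, headers):
    """Decide the CORS part of a response.

    `headers` maps lower-case request header names to values.
    Returns (status, extra_headers); status is None when the request should
    continue to the normal handler, otherwise it is the final status code.
    """
    origin = headers.get("origin")
    if origin is None:
        return None, {}  # same-origin request or non-browser client
    is_preflight = method == "OPTIONS" and "access-control-request-method" in headers
    if origin not in ALLOWED_ORIGINS:
        # No CORS headers: the browser refuses to expose the response to that page.
        return (403, {}) if is_preflight else (None, {})
    allow = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if not is_preflight:
        return None, allow
    wanted_method = headers["access-control-request-method"].strip()
    wanted_headers = {
        h.strip().lower()
        for h in headers.get("access-control-request-headers", "").split(",")
        if h.strip()
    }
    if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
        return 403, {}
    allow["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    if wanted_headers:
        allow["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted_headers))
    allow["Access-Control-Max-Age"] = "600"  # let the browser cache the pre-flight
    return 204, allow  # a 2xx status is what the pre-flight check requires


class DevApiHandler(BaseHTTPRequestHandler):
    def _handle(self):
        # Drain any request body so the connection closes cleanly.
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        request_headers = {k.lower(): v for k, v in self.headers.items()}
        status, extra = cors_decision(self.command, request_headers)
        if status is None:  # normal request: return a stub JSON payload
            status, body = 200, json.dumps({"path": self.path}).encode()
        else:
            body = b""
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        if body:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = _handle


if __name__ == "__main__":
    # Bind to loopback only; this is a development stub.
    ThreadingHTTPServer(("127.0.0.1", 8000), DevApiHandler).serve_forever()
```

A request from an origin outside the allow-list still reaches the handler; it simply gets no CORS headers, so the browser keeps the response away from the calling page.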

You can simply use this chrome extension Allow-Control-Allow-Origin

Just click the icon of the extension to turn cross-resource sharing ON or OFF as you want.

For Windows:

(using windows 8.1, chrome 44.0)

First, close google chrome.

Then, open command prompt and go to the folder where 'chrome.exe' is.

( for me: 'chrome.exe' is here "C:\Program Files (x86)\Google\Chrome\Application".

So I type: cd C:\Program Files (x86)\Google\Chrome\Application )

now type: chrome.exe --disable-web-security

a new window of chrome will open.

On Windows 10, the following will work.

<<path>>\chrome.exe --allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt
upvote
  flag
I am surprised that your answer was downvoted. It worked very well for me on local files with the latest Chrome version. – Waruyama
upvote
  flag
I am using Windows 7, and it does not work – CHANist

I find the best way to do this is duplicate a Chrome or Chrome Canary shortcut on your windows desktop. Rename this shortcut to "NO CORS" then edit the properties of that shortcut.

in the target add --disable-web-security --user-data-dir="D:/Chrome" to the end of the target path.

your target should look something like this:

Update: New Flags added.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:/Chrome"


upvote
  flag
This just gives me 404 now instead of pre-flight error – L1ghtk3ira
upvote
  flag
A 404 error would be a server related error and not a Google Chrome error. – etoxin
2 upvote
  flag
@etoxin This answer is no longer valid in the latest version of chrome. You have to add --disable-web-security --user-data-dir="D:/Chrome" – vignesh sivakumar
upvote
  flag
updated the answer to work with the latest chrome. – etoxin

Following on from Ola Karlsson's answer, indeed the best way would be to open the unsafe Chrome in a different session. This way you don't need to worry about closing all of the currently opened tabs, and can also continue to surf the web securely with the original Chrome session.

These batch files should just work for you on Windows.

Put it in a Chrome_CORS.bat file for easy use

start "" "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="c:/_chrome_dev" --disable-web-security

This one is for Chrome Canary. Canary_CORS.bat

start "" "c:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --user-data-dir="c:/_canary_dev" --disable-web-security
upvote
  flag
This is a pointless use of a batch file. A shortcut would be much better for this. Just put everything after the first pair of quotes into the shortcut target. – lassombra
upvote
  flag
It doesn't really matter. Yet in a batch you can do more things like deleting the user-data-dir after you close the browser, for example. – guya
upvote
  flag
True, adding behavior outside of just launching would be useful, but for most people who need this at length, having a persistent user directory is helpful (for example with installed extensions) – lassombra

chromium-browser --disable-web-security --user-data-dir="$HOME/ChromeUserData/"

for mac users:

open -a "Google Chrome" --args --disable-web-security --user-data-dir

and before Chrome 48, you could just use:

open -a "Google Chrome" --args --disable-web-security

There is a Chrome extension called CORS Toggle.

Click here to access it and add it to Chrome.

After adding it, toggle it to the on position to allow cross-domain requests.

For Windows:

  1. Open the start menu
  2. Type windows+R or open "Run"
  3. Execute the following command:

    chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security
    

For Mac:

  1. Go to Terminal
  2. Execute the following command:

    open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security
    

A new web security disabled chrome browser should open with the following message:


upvote
  flag
@downvoters please mention reason for downvote as there is no point of downvote in answer – GSB
upvote
  flag
Worked well for me on Windows 10, didn't need to close other Chrome instances either. – Nick M

You can use this Chrome plugin called "Allow-Control-Allow-Origin: *" ... It makes it dead simple and works very well. Check it here: *

Chrome extension

upvote
  flag
It sets "evil.com" website as an origin, looks suspicious. – Suprido

FOR MAC USER ONLY

open -n -a /Applications/Google\ Chrome.app --args --user-data-dir="/tmp/someFolderName" --disable-web-security
upvote
  flag
how to revert this change @saurab – Mohasin Ali

For windows users with Chrome Version 60.0.3112.78. You do not need to close any chrome instance.

  1. Create a shortcut on your desktop
  2. Right-click on the shortcut and click Properties
  3. Edit the Target property
  4. Set it to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/ChromeDevSession"
  5. Start chrome and ignore the message that says --disable-web-security is not supported!

BEWARE NOT TO USE THIS PARTICULAR BROWSER INSTANCE FOR BROWSING!

upvote
  flag
Worked like a charm. I can't believe Chrome doesn't allow developers to disable this without starting a new session. At least they have a way though. – FearlessFuture
upvote
  flag
and can you still use chrome debugging on your source code? – Righto

Try this command on Mac terminal-

open -n -a "Google Chrome" --args --user-data-dir=/tmp/temp_chrome_user_data_dir http://localhost:8100/ --disable-web-security 

It opens another instance of Chrome with disabled security and there is no CORS issue any more. Also, you don't need to close other Chrome instances anymore. Change the localhost URL to your own.

I use this sometimes, for posting a localhost front-end site to a localhost back-end API (e.g. React to an old .NET API). I created a separate shortcut on my Windows 10 desktop, so that it never is used for normal browsing, only for debugging locally. I did the following:-

  1. Right click on desktop, add new shortcut
  2. Add the target as "[PATH_TO_CHROME]\chrome.exe" --disable-web-security
  3. Click OK.

You will get a warning on load of this browser that it is not secure; just take care with what you browse on it. I tend to rename this new shortcut on the desktop to something in capitals, and move it away from my other icons, so it can't be confused for normal Chrome.

Hope this helps!
