Disable same origin policy in Chrome


Is there any way to disable the Same-origin policy on Google's Chrome browser?

5/15/2019 4:11:44 PM

Accepted Answer

Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:

Note : Kill all chrome instances before running command

chromium-browser --disable-web-security --user-data-dir="[some directory here]"

The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.

From the chromium source:

// Don't enforce the same-origin policy. (Used by people testing their sites.)
const wchar_t kDisableWebSecurity[] = L"disable-web-security";

Before Chrome 48, you could just use:

chromium-browser --disable-web-security
6/5/2018 6:05:58 PM

For Windows users:

The problem with the solution accepted here, in my opinion is that if you already have Chrome open and try to run this it won't work.

However, when researching this, I came across a post on Super User, Is it possible to run Chrome with and without web security at the same time?.

Basically, by running the following command (or creating a shortcut with it and opening Chrome through that)

chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security

you can open a new "insecure" instance of Chrome at the same time as you keep your other "secure" browser instances open and working as normal. Important: delete/clear C:/Chrome dev session folder every time when you open a window as second time --disable-web-security is not going to work. So you cannot save your changes and then open it again as a second insecure instance of Chrome with --disable-web-security.


For Windows:

  1. Open the start menu

  2. Type windows+R or open "Run"

  3. Execute the following command:

     chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security

For Mac:

  1. Go to Terminal

  2. Execute the following command:

     open /Applications/Google\ --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security

A new web security disabled chrome browser should open with the following message:

enter image description here

For Mac

If you want to open new instance of web security disabled Chrome browser without closing existing tabs then use below command

open -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security

It will open new instance of web security disabled Chrome browser as shown below

enter image description here


For windows users with Chrome Versions 60.0.3112.78 (the day the solution was tested and worked) and at least until today 19.01.2019 (ver. 71.0.3578.98). You do not need to close any chrome instance.

  1. Create a shortcut on your desktop
  2. Right-click on the shortcut and click Properties
  3. Edit the Target property
  4. Set it to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/ChromeDevSession"
  5. Start chrome and ignore the message that says --disable-web-security is not supported!



EDIT 3: Seems that the extension no longer exists... Normally to get around CORS these days I set up another version of Chrome with a separate directory or I use Firefox with instead.

EDIT 2: I can no longer get this to work consistently.

EDIT: I tried using the just the other day for another project and it stopped working. Uninstalling and reinstalling the extension fixed it (to reset the defaults).

Original Answer:

I didn't want to restart Chrome and disable my web security (because I was browsing while developing) and stumbled onto this Chrome extension.

Chrome Web Store Allow-Control-Allow-Origin: *

Basically it's a little toggle switch to toggle on and off the Allow-Access-Origin-Control check. Works perfectly for me for what I'm doing.


Seems none of above solutions are actually working. The --disable-web-security is no longer supported in recent chrome versions.

Allow-Control-Allow-Origin: * - chrome extension partially solved the problem. It works only if your request is using GET method and there's no custom HTTP Header. Otherwise, chrome will send OPTIONS HTTP request as a pre-flight request. If the server doesn't support CORS, it will respond with 404 HTTP status code. The plugin can't modify the response HTTP status code. So chrome will reject this request. There's no way for chrome plugin to modify the response HTTP status code based on current chrome extension API. And you can't do a redirect as well for XHR initiated request.

Not sure why Chrome makes developers life so difficult. It blocks all the possible ways to disable XSS security check even for development use which is totally unnecessary.

After days struggle and research, one solution works perfectly for me: to use corsproxy. You have two options here: 1. use [] 2. install corsproxy in the local box: npm install -g corsproxy

[Updated on Jun 23, 2018] Recent I'm developing an SPA app which need to use corsproxy again. But seem none of the corsproxy on the github can meet my requirement.

  • need it to run inside firewall for security reason. So I can't use
  • It has to support https as chrome will block no-https ajax request in an https page.
  • I need to run on nodejs. I don't want to maintain another language stack.

So I decide to develop my own version of corsproxy with nodejs. It's actually very simple. I have published it as a gist on the github. Here is the source code gist:

  • It's in plain nodejs code without any additional dependencies
  • You can run in http and https mode (by passing the https port number in command line), to run https, you need to generate cert and key and put them in the webroot directory.
  • It also serves as static file server
  • It supports pre-flight OPTION request as well.

To start the CORSProxy server (http port 8080): node static_server.js 8080

to access the proxy: http://host:8080/


Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow
Email: [email protected]