How to: Disable Same-Origin Policy in Chrome

Added by on February 28th, 2011, filed under Chrome Extensions, Google

I’ve been doing some Chrome extension development in the past week and, as you may or may not know, Chrome extensions are allowed to make cross-domain Ajax calls. This is allowed because of the Chrome extension permission model, which requires a user installing an extension to agree that the installed application may access their data on the domain in question.

However, by default, the extension only has this capability when the extension is installed and activated (say, by clicking on the app icon on the Chrome toolbar).

If you’re developing an extension, this means you have to constantly refresh the extension and click the button in order to test your XHR requests.

It turns out, you can start Chrome with a couple of flags that will allow you to simply browse to your files directly and execute cross-domain XMLHttpRequest calls.

For additional ease, I’ve created a shortcut on my desktop with the flags appended. Your shortcut should look something like this:

C:\Users\YOUR_USER\AppData\Local\Google\Chrome\Application\chrome.exe --allow-file-access-from-files --disable-web-security

The Flags

You’ll notice the two flags appended to the shortcut path.



Together, both of these flags will allow a developer to test cross-domain ajax requests from a local file.

P.S. I labeled the extension “UNSECURED CHROME” so that I don’t risk always running Chrome with these flags.
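
To check where these flags are in use (shortcut targets, launch scripts, process listings), the following added example, which is not part of the original post, audits a Chrome command line for the two flags above. It also recognises the typographic-dash form that a command picks up when pasted from a web page, and records whether a separate `--user-data-dir` profile is given; the function name, the sample command lines and the interest in `--user-data-dir` are assumptions of this example.

```python
import shlex

# The two switches from the post that relax browser security checks.
RISKY_FLAGS = {"--disable-web-security", "--allow-file-access-from-files"}
# Dashes that blog software substitutes for "--" (en dash, em dash).
TYPOGRAPHIC_DASHES = "\u2013\u2014"


def audit_chrome_launch(command_line, windows=True):
    """Audit one Chrome launch command (shortcut target or process arguments)."""
    # posix=False leaves Windows backslashes alone; tokens split on whitespace.
    args = shlex.split(command_line, posix=not windows)
    findings = {"risky": [], "mangled": [], "isolated_profile": False}
    for arg in args[1:]:  # args[0] is the executable path
        name = arg.split("=", 1)[0].strip('"')
        if name in RISKY_FLAGS:
            findings["risky"].append(name)
        elif name == "--user-data-dir":
            # Assumption: a relaxed instance should run on its own profile.
            findings["isolated_profile"] = True
        elif name.startswith(tuple(TYPOGRAPHIC_DASHES)):
            # A leading en/em dash is not a switch prefix, so the flag is inert.
            repaired = "--" + name.lstrip(TYPOGRAPHIC_DASHES + "-")
            if repaired in RISKY_FLAGS:
                findings["mangled"].append(repaired)
    findings["risky"].sort()
    findings["mangled"].sort()
    return findings


# Constructed sample command lines (not captured from a real machine).
POST_SHORTCUT = (r"C:\Users\YOUR_USER\AppData\Local\Google\Chrome\Application"
                 r"\chrome.exe --allow-file-access-from-files --disable-web-security")
PASTED_WITH_EN_DASH = (r"%userprofile%\AppData\Local\Google\Chrome\Application"
                       "\\chrome.exe \u2013allow-file-access-from-files"
                       " \u2013disable-web-security")
LINUX_ISOLATED = ("google-chrome --disable-web-security "
                  "--user-data-dir=/tmp/chrome-dev-profile")

if __name__ == "__main__":
    for cmd, win in ((POST_SHORTCUT, True), (PASTED_WITH_EN_DASH, True),
                     (LINUX_ISOLATED, False)):
        print(audit_chrome_launch(cmd, windows=win))
```

A result with entries under `mangled` means the command was meant to relax security but the flags would not be read as switches as typed.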


Reader Comments (10)

  1. adam16ster December 24, 2011 at 12:48 am

    is this supposed to work for all operating systems running chrome or just mac/linux?

    • Joshua McGinnis December 26, 2011 at 2:08 pm

      It should work across all instances.

  2. Erwin Vedar March 7, 2012 at 12:55 am

    Wow! I didn’t even know this was possible. Might just have saved my piece of the project I’m working on.

    AND I was pleasantly surprised to find out you’re a fellow Intuiteer. 🙂

  3. Firestryke31 April 18, 2012 at 12:42 pm

    For a Windows copy-pasta-able shortcut, no modification needed:
    %userprofile%\AppData\Local\Google\Chrome\Application\chrome.exe --allow-file-access-from-files --disable-web-security

    If Mac and linux are similar (note I have no idea where chrome installs itself to on Mac/linux and am assuming it’s just their equivalent, so don’t be surprised if this doesn’t work):
    ~/Google/Chrome/Application/chrome --allow-file-access-from-files --disable-web-security

    Also, for your blog comments, I just found that the fancy “clicking in the box clears the default text” is really “clicking in the box clears everything any time you click in it” so I have to use the arrow keys to move back, Shift-arrowkey to highlight, make changes, then arrow key back to the end to continue. It’s kind of annoying. Solution: [pseudocode] if(box.content == “Comment”) clear(); else doNothing();[/pseudocode]

  4. yi2ng2 April 24, 2012 at 5:24 am

    Hey dude, just drop by to say thank you for the trick. A good one 😉

  5. Kevin Mack August 16, 2012 at 2:14 pm

    I initially could not get this to work on my Windows machine, but tried old_chrome.exe in my “*\Google\Chrome\Application\old_chrome.exe” and it worked. I thought I’d share for anyone that had the same problem.

    • kumar October 5, 2012 at 4:21 pm

      The --disable-web-security does not seem to be working for the current (Oct 5/2012) version of chrome

  6. damselle_in_distress May 31, 2013 at 5:22 am

    thanks! 🙂
