How to: Disable Same-Origin Policy in Chrome

I’ve been doing some Chrome extension development in the past week and, as you may or may not know, Chrome extensions are allowed to make cross-domain Ajax calls. This is allowed by the Chrome extension permission model: the extension declares the hosts it wants to reach in its manifest, and a user installing it has to agree that the extension may access their data on those domains.

However, that capability belongs to the installed extension itself, not to a plain HTML file you open from disk. You only get it once the extension is loaded and you trigger it (say by clicking its icon on the Chrome toolbar).

If you’re developing an extension, this means you have to constantly reload the extension and click the button in order to test your XHR requests.

It turns out you can start Chrome with a couple of flags that let you simply browse to your files directly and execute cross-domain XMLHttpRequest calls.

For additional ease, I’ve created a shortcut on my desktop with the flags appended. Your shortcut target should look something like this:

C:\Users\YOUR_USER\AppData\Local\Google\Chrome\Application\chrome.exe --allow-file-access-from-files --disable-web-security

The Flags

You’ll notice the two flags appended to the shortcut path.

--allow-file-access-from-files lets a page loaded from a file:// URL read other local files. Without it, Chrome treats every file:// document as its own separate origin, so even a local page fetching a local file is blocked.

--disable-web-security turns off the same-origin policy entirely, so a script on any page can read responses from any other origin, along with the other checks Chrome builds on top of it.

Together, both of these flags allow a developer to test cross-domain Ajax requests from a local file. Because the second flag removes the protection that stops one site from reading another site’s data, never browse the web with an instance started this way: keep it for local test pages only, and point it at a separate profile directory with --user-data-dir so the session is isolated from your real cookies and logins. Current Chrome versions also ignore --disable-web-security unless --user-data-dir is given, so the extra flag is required rather than optional there.
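As an added example (not from the original post), here is a small POSIX shell launcher for Mac and Linux that does what the Windows shortcut above does, with the two safeguards a practitioner wants: a throwaway profile directory via --user-data-dir, which current Chrome versions require for --disable-web-security to take effect and which keeps the unsafe session away from your real cookies, and a visible “UNSECURED CHROME” warning on launch. The Chrome binary locations and the extra --no-first-run and --no-default-browser-check flags are my assumptions; adjust them to your install.

```shell
#!/bin/sh
# unsecured-chrome.sh: start an isolated Chrome with the same-origin policy
# disabled, for testing cross-origin XHR from local test pages only.
# Added example, not from the original post. Binary locations are assumptions.

# Locate the Chrome binary (assumed install paths; adjust for your machine).
chrome_binary() {
  case "$(uname -s)" in
    Darwin)
      bin="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
      [ -x "$bin" ] && printf '%s\n' "$bin"
      ;;
    *)
      command -v google-chrome || command -v google-chrome-stable \
        || command -v chromium-browser || command -v chromium
      ;;
  esac
}

# Print the flag list, one per line. --user-data-dir comes first and is
# required: current Chrome versions ignore --disable-web-security unless a
# non-default profile directory is given, and a throwaway profile also keeps
# this session away from the cookies and logins in your real profile.
unsafe_chrome_flags() {
  profile_dir=$1
  if [ -z "$profile_dir" ]; then
    echo "unsafe_chrome_flags: refusing to run against the default profile" >&2
    return 1
  fi
  printf '%s\n' \
    "--user-data-dir=$profile_dir" \
    --allow-file-access-from-files \
    --disable-web-security \
    --no-first-run \
    --no-default-browser-check
}

# Launch Chrome in the background with a fresh temporary profile, passing any
# extra arguments (typically the file:// URL of the page under test) through.
launch_unsafe_chrome() {
  profile_dir=$(mktemp -d "${TMPDIR:-/tmp}/unsecured-chrome.XXXXXX") || return 1
  bin=$(chrome_binary) || { echo "Chrome binary not found" >&2; return 1; }
  flags=$(unsafe_chrome_flags "$profile_dir") || return 1
  echo "UNSECURED CHROME: same-origin policy off, profile in $profile_dir" >&2
  (
    # Split the newline-separated flag list into positional parameters.
    IFS='
'
    set -f
    # shellcheck disable=SC2086
    set -- $flags "$@"
    exec "$bin" "$@"
  ) &
}

# Usage: sh unsecured-chrome.sh file:///path/to/test.html
if [ $# -gt 0 ]; then
  launch_unsafe_chrome "$@"
fi
```

Run it as `sh unsecured-chrome.sh file:///path/to/test.html`, open only your local test pages in the window it starts, and never log into anything there; the temporary profile can be deleted when you are done.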

P.S. I labeled the shortcut “UNSECURED CHROME” so that I don’t accidentally run my everyday Chrome with these flags.

Published by Josh McGinnis

Josh is a software engineer, leader, startup advisor for the LA Chamber of Commerce and consultant residing in the Los Angeles area. Josh is passionate about helping entrepreneurs and businesses reach their maximum potential.


  • adam16ster

    December 24, 2011 at 12:48 am Reply

    is this supposed to work for all operating systems running chrome or just mac/linux?

    • Joshua McGinnis

      December 26, 2011 at 2:08 pm Reply

      It should work across all instances.

  • Erwin Vedar

    March 7, 2012 at 12:55 am Reply

    Wow! I didn’t even know this was possible. Might just have saved my piece of the project I’m working on.

    AND I was pleasantly surprised to find out you’re a fellow Intuiteer. 🙂

  • Firestryke31

    April 18, 2012 at 12:42 pm Reply

    For a Windows copy-pasta-able shortcut, no modification needed:
    %userprofile%\AppData\Local\Google\Chrome\Application\chrome.exe --allow-file-access-from-files --disable-web-security

    If Mac and linux are similar (note I have no idea where chrome installs itself to on Mac/linux and am assuming it’s just their equivalent, so don’t be surprised if this doesn’t work):
    ~/Google/Chrome/Application/chrome --allow-file-access-from-files --disable-web-security

    Also, for your blog comments, I just found that the fancy “clicking in the box clears the default text” is really “clicking in the box clears everything any time you click in it”, so I have to use the arrow keys to move back, Shift-arrowkey to highlight, make changes, then arrow key back to the end to continue. It’s kind of annoying. Solution: [pseudocode] if (box.content == "Comment") clear(); else doNothing(); [/pseudocode]

  • yi2ng2

    April 24, 2012 at 5:24 am Reply

    Hey dude, just dropping by to say thank you for the trick. A good one 😉

  • […] with these switches enabled. The above syntax was lifted from Joshua McGinnis’s excellent blog post on the same […]

  • Kevin Mack

    August 16, 2012 at 2:14 pm Reply

    I initially could not get this to work on my Windows machine, but tried old_chrome.exe in my “*\Google\Chrome\Application\old_chrome.exe” and it worked. I thought I’d share for anyone that had the same problem

    • kumar

      October 5, 2012 at 4:21 pm Reply

      The --disable-web-security does not seem to be working for the current (Oct 5/2012) version of Chrome

  • damselle_in_distress

    May 31, 2013 at 5:22 am Reply

    thanks! 🙂

  • […] browsers will not allow cross-origin requests unless authorized by the server. It is fairly easy to enable cross-origin requests in […]
