2010-06-23 15:00

Disabling the same-origin policy in the Chrome browser

Is there any way to disable the Same-origin policy on Google's Chrome browser?

This is strictly for development, not production use.




  • csdnceshi51 旧行李 11 years ago

    Close chrome (or chromium) and restart with the --disable-web-security argument. I just tested this and verified that I can access the contents of an iframe with src="http://google.com" embedded in a page served from "localhost" (tested under chromium 5 / ubuntu). For me the exact command was:

    Note: Kill all Chrome instances before running the command.

    chromium-browser --disable-web-security --user-data-dir="[some directory here]"

    The browser will warn you that "you are using an unsupported command line" when it first opens, which you can ignore.

    From the chromium source:

    // Don't enforce the same-origin policy. (Used by people testing their sites.)
    const wchar_t kDisableWebSecurity[] = L"disable-web-security";

    Before Chrome 48, you could just use:

    chromium-browser --disable-web-security
    28 likes
  • csdnceshi64 游.程 10 years ago

    Yep. For OSX, open Terminal and run:

    $ open -a Google\ Chrome --args --disable-web-security --user-data-dir

    --user-data-dir is required on Chrome 49+ on OSX.

    For Linux run:

    $ google-chrome --disable-web-security

    Also if you're trying to access local files for dev purposes like AJAX or JSON, you can use this flag too.


    For Windows go into the command prompt and go into the folder where Chrome.exe is and type

    chrome.exe --disable-web-security

    That should disable the same origin policy and allow you to access local files.

    Update: For Chrome 22+ you will be presented with an error message that says:

    You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer.

    However you can just ignore that message while developing.

    28 likes
  • csdnceshi58 Didn"t forge 8 years ago

    For Windows users:

    The problem with the solution accepted here, in my opinion, is that if you already have Chrome open and try to run this it won't work.

    However, when researching this, I came across a post on Super User, "Is it possible to run Chrome with and without web security at the same time?".

    Basically, by running the following command (or creating a shortcut with it and opening Chrome through that)

    chrome.exe --user-data-dir="C:/Chrome dev session" --disable-web-security

    you can open a new "insecure" instance of Chrome at the same time as you keep your other "secure" browser instances open and working as normal. Important: delete/clear the C:/Chrome dev session folder every time you open a window, as the second time --disable-web-security is not going to work. So you cannot save your changes and then open it again as a second insecure instance of Chrome with --disable-web-security.

    28 likes
  • csdnceshi57 perhaps? 5 years ago

    Following on from Ola Karlsson's answer, indeed the best way would be to open the unsafe Chrome in a different session. This way you don't need to worry about closing all of the currently opened tabs, and can also continue to surf the web securely with the original Chrome session.

    These batch files should just work for you on Windows.

    Put it in a Chrome_CORS.bat file for easy use

    start "" "c:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir="c:/_chrome_dev" --disable-web-security

    This one is for Chrome Canary. Canary_CORS.bat

    start "" "c:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --user-data-dir="c:/_canary_dev" --disable-web-security
    10 likes
  • csdnceshi69 YaoRaoLov 5 years ago

    I find the best way to do this is to duplicate a Chrome or Chrome Canary shortcut on your Windows desktop. Rename this shortcut to "NO CORS", then edit the properties of that shortcut.

    In the target, add --disable-web-security --user-data-dir="D:/Chrome" to the end of the target path.

    Your target should look something like this:

    Update: New Flags added.

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:/Chrome"


    9 likes
  • csdnceshi80 胖鸭 6 years ago

    For Windows:

    (using windows 8.1, chrome 44.0)

    First, close google chrome.

    Then, open command prompt and go to the folder where 'chrome.exe' is.

    ( for me: 'chrome.exe' is here "C:\Program Files (x86)\Google\Chrome\Application".

    So I type: cd C:\Program Files (x86)\Google\Chrome\Application )

    Now type: chrome.exe --disable-web-security

    A new window of Chrome will open.

    8 likes
  • weixin_41568174 from.. 5 years ago
    chromium-browser --disable-web-security --user-data-dir="$HOME/ChromeUserData/"
    8 likes
  • weixin_41568184 叼花硬汉 8 years ago

    For Windows... create a Chrome shortcut on your desktop.
    Right-click > properties > Shortcut
    Edit "target" path :

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --args --disable-web-security

    (Change the 'C:....\chrome.exe' to wherever your Chrome is located).

    et voilà :)

    8 likes
  • csdnceshi65 larry*wei 4 years ago

    For windows users with Chrome Version 60.0.3112.78. You do not need to close any chrome instance.

    1. Create a shortcut on your desktop
    2. Right-click on the shortcut and click Properties
    3. Edit the Target property
    4. Set it to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="C:/ChromeDevSession"
    5. Start chrome and ignore the message that says --disable-web-security is not supported!


    8 likes
  • csdnceshi60 ℡Wang Yan 7 years ago

    This Chrome plugin works for me: Allow-Control-Allow-Origin: * - Chrome Web Store

    8 likes
  • csdnceshi53 Lotus@ 7 years ago

    On a Windows PC, use an older version of Chrome and the command will work for all you guys. I downgraded my Chrome to version 26 and it worked.

    7 likes
  • csdnceshi64 游.程 5 years ago

    There is a Chrome extension called CORS Toggle.

    Click here to access it and add it to Chrome.

    After adding it, toggle it to the on position to allow cross-domain requests.

    7 likes
  • csdnceshi57 perhaps? 3 years ago

    On Linux (Ubuntu), to run a normal session and an unsafe session simultaneously, run the following command:

    google-chrome  --user-data-dir=/tmp --disable-web-security
    7 likes
  • csdnceshi79 python小菜 4 years ago

    For Windows:

    1. Open the start menu
    2. Type windows+R or open "Run"
    3. Execute the following command:

      chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security

    For Mac:

    1. Go to Terminal
    2. Execute the following command:

      open /Applications/Google\ Chrome.app --args --user-data-dir="/var/tmp/Chrome dev session" --disable-web-security

    A new web security disabled chrome browser should open with the following message:

    [screenshot]

    6 likes
  • weixin_41568196 撒拉嘿哟木头 5 years ago

    For Mac users:

    open -a "Google Chrome" --args --disable-web-security --user-data-dir

    and before Chrome 48, you could just use:

    open -a "Google Chrome" --args --disable-web-security
    6 likes
  • weixin_41568183 零零乙 7 years ago

    I didn't want to restart Chrome and disable my web security (because I was browsing while developing) and stumbled onto this Chrome extension.

    Chrome Web Store Allow-Control-Allow-Origin: *

    Basically it's a little toggle switch to toggle on and off the Allow-Access-Origin-Control check. Works perfectly for me for what I'm doing.

    EDIT: I tried using it just the other day for another project and it stopped working. Uninstalling and reinstalling the extension fixed it (to reset the defaults).

    6 likes
  • csdnceshi66 必承其重 | 欲带皇冠 4 years ago

    You can use this Chrome plugin called "Allow-Control-Allow-Origin: *" ... It makes it dead simple and works very well. Check it here: *

    Chrome extension

    6 likes
  • csdnceshi59 ℙℕℤℝ 4 years ago

    Try this command in the Mac terminal:

    open -n -a "Google Chrome" --args --user-data-dir=/tmp/temp_chrome_user_data_dir http://localhost:8100/ --disable-web-security 

    It opens another instance of Chrome with disabled security and there is no CORS issue anymore. Also, you don't need to close other Chrome instances anymore. Change the localhost URL to your own.

    4 likes
  • csdnceshi77 狐狸.fox 4 years ago


    open -n -a /Applications/Google\ Chrome.app --args --user-data-dir="/tmp/someFolderName" --disable-web-security
    3 likes
  • csdnceshi67 bug^君 6 years ago

    On Windows 10, the following will work.

    <<path>>\chrome.exe --allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt
    3 likes
  • csdnceshi61 derek5. 7 years ago

    Don't do this! You're opening your accounts to attacks. Once you do this any 3rd party site can start issuing requests to other websites, sites that you are logged into.

    Instead run a local server. It's as easy as opening a shell/terminal/commandline and typing

    cd path/to/files
    python -m SimpleHTTPServer

    Then pointing your browser to


    If you find it's too slow consider this solution

    2 likes
  • csdnceshi61 derek5. 6 years ago

    It seems none of the above solutions are actually working. The --disable-web-security flag is no longer supported in recent Chrome versions.

    Allow-Control-Allow-Origin: * - chrome extension partially solved the problem. It works only if your request is using GET method and there's no custom HTTP Header. Otherwise, chrome will send OPTIONS HTTP request as a pre-flight request. If the server doesn't support CORS, it will respond with 404 HTTP status code. The plugin can't modify the response HTTP status code. So chrome will reject this request. There's no way for chrome plugin to modify the response HTTP status code based on current chrome extension API. And you can't do a redirect as well for XHR initiated request.

    Not sure why Chrome makes developers' lives so difficult. It blocks all the possible ways to disable the XSS security check even for development use, which is totally unnecessary.

    After days of struggle and research, one solution works perfectly for me: to use corsproxy. You have two options here: 1. use corsproxy.com 2. install corsproxy on the local box: npm install -g corsproxy

    [Updated on Jun 23, 2018] Recently I have been developing an SPA which needs to use corsproxy again. But it seems none of the corsproxy projects on GitHub can meet my requirements.

    • I need it to run inside the firewall for security reasons. So I can't use https://cors-anywhere.herokuapp.com/.
    • It has to support https, as Chrome will block non-https ajax requests in an https page.
    • I need to run on nodejs. I don't want to maintain another language stack.

    So I decided to develop my own version of corsproxy with nodejs. It's actually very simple. I have published it as a gist on GitHub. Here is the source code gist: https://gist.github.com/jianwu/8e76eaec95d9b1300c59596fbfc21b10

    • It's in plain nodejs code without any additional dependencies
    • You can run in http and https mode (by passing the https port number on the command line); to run https, you need to generate a cert and key and put them in the webroot directory.
    • It also serves as static file server
    • It supports pre-flight OPTION request as well.
    2 likes
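The preflight behaviour described in the answer above can be handled on the development server, so the browser's same-origin policy stays on. This is an added example, not part of the thread or of the linked gist; the allowed origin `http://localhost:3000` and the names `ALLOWED_ORIGINS`, `corsDecision` and `serve` are assumptions made for illustration.

```javascript
// Added example: the names below are illustrative and do not come from the thread.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed dev front-end
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Returns the CORS headers to send and, for a preflight, the final status.
// status === null means "not a preflight: hand the request to the route handler".
function corsDecision(method, headers) {
  const origin = headers.origin;
  const base = { Vary: 'Origin' };
  const isPreflight =
    method === 'OPTIONS' && 'access-control-request-method' in headers;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-* headers, so the browser keeps blocking this origin.
    return { status: isPreflight ? 403 : null, headers: base };
  }
  const cors = { ...base, 'Access-Control-Allow-Origin': origin };
  if (!isPreflight) return { status: null, headers: cors };

  const wantMethod = headers['access-control-request-method'];
  const wantHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: base };
  return {
    status: 204, // preflight answered here instead of falling through to a 404
    headers: {
      ...cors,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': '600',
    },
  };
}

// Wraps a route handler (hypothetical, supplied by the caller) with the policy.
function serve(port, routeHandler) {
  const http = require('node:http'); // loaded here so corsDecision has no imports
  return http.createServer((req, res) => {
    const { status, headers } = corsDecision(req.method, req.headers);
    for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
    if (status !== null) { res.writeHead(status); res.end(); return; }
    routeHandler(req, res);
  }).listen(port, '127.0.0.1');
}
```

Start it with `serve(8080, handler)`. A request from any origin outside the allow-list receives no `Access-Control-Allow-Origin` header, so an unmodified Chrome profile keeps refusing to expose the response to that origin.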
  • csdnceshi62 csdnceshi62 9 years ago

    For Selenium Webdriver, you can have selenium start Chrome with the appropriate arguments (or "switches") in this case.

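    require 'selenium-webdriver'
    # Pass the Chrome command-line switch when the driver launches the browser.
    @driver = Selenium::WebDriver.for(:chrome, {
      :detach => false,
      :switches => ["--disable-web-security"]
    })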
    1 like
  • csdnceshi77 狐狸.fox 6 years ago

    You can simply use this Chrome extension: Allow-Control-Allow-Origin

    Just click the icon of the extension to turn cross-resource sharing ON or OFF as you want.

    1 like
  • csdnceshi64 游.程 9 years ago

    If you are using Google Chrome on Linux, the following command works.

    google-chrome  --disable-web-security
    1 like
  • weixin_41568127 ?yb? 4 years ago

    I use this sometimes, for posting a localhost front-end site to a localhost back-end API (e.g. React to an old .NET API). I created a separate shortcut on my Windows 10 desktop, so that it is never used for normal browsing, only for debugging locally. I did the following:

    1. Right click on desktop, add new shortcut
    2. Add the target as "[PATH_TO_CHROME]\chrome.exe" --disable-web-security
    3. Click OK.

    You will get a warning on load of this browser that it is not secure; just take care with what you browse on it. I tend to rename this new shortcut on the desktop to something in capitals, and move it away from my other icons, so it can't be confused for normal Chrome.

    Hope this helps!
