Disable-web-security in Chrome 48+
I'm seeing the same thing. A quick google found this question and a bug on the chromium forums. It seems that the --user-data-dir
flag is now required.Edit to add user-data-dir guide
Update 2020-04-30
As of Chrome 81, it is mandatory to pass both --disable-site-isolation-trials
and a non-empty profile path via --user-data-dir
in order for --disable-web-security
to take effect:
# MacOSopen -na Google\ Chrome --args --user-data-dir=/tmp/temporary-chrome-profile-dir --disable-web-security --disable-site-isolation-trials
(Speculation) It is likely that Chrome requires a non-empty profile path to mitigate the high security risk of launching the browser with web security disabled on the default profile. See --user-data-dir=
vs --user-data-dir=/some/path
for more details below.
Thanks to @Snæbjørn for the Chrome 81 tip in the comments.
Update 2020-03-06
As of Chrome 80 (possibly even earlier), the combination of flags --user-data-dir=/tmp/some-path --disable-web-security --disable-site-isolation-trials
no longer disables web security.
It is unclear when the Chromium codebase regressed, but downloading an older build of Chromium (following "Not-so-easy steps" on the Chromium download page) is the only workaround I found. I ended up using Version 77.0.3865.0, which properly disables web security with these flags.
Original Post 2019-11-01
In Chrome 67+, it is necessary to pass the --disable-site-isolation-trials
flag alongside arguments --user-data-dir=
and --disable-web-security
to truly disable web security.
On MacOS, the full command becomes:
open -na Google\ Chrome --args --user-data-dir= --disable-web-security --disable-site-isolation-trials
Regarding --user-data-dir
Per David Amey's answer, it is still necessary to specify --user-data-dir=
for Chrome to respect the --disable-web-security
option.
--user-data-dir=
vs --user-data-dir=/some/path
Though passing in an empty path via --user-data-dir=
works with --disable-web-security
, it is not recommended for security purposes as it uses your default Chrome profile, which has active login sessions to email, etc. With Chrome security disabled, your active sessions are thus vulnerable to additional in-browser exploits.
Thus, it is recommended to use an alternative directory for your Chrome profile with --user-data-dir=/tmp/chrome-sesh
or equivalent. Credit to @James B for pointing this out in the comments.
Source
This fix was discoreved within the browser testing framework Cypress: https://github.com/cypress-io/cypress/issues/1951
Mac OS:
open -a Google\ Chrome --args --disable-web-security --user-data-dir=
UPD: add =
to --user-data-dir
because newer chrome versions require it in order to work