Two flags are needed:

- `--disable-web-security`: the primary flag that turns off the Same-Origin Policy (SOP) and CORS checks.
- `--user-data-dir="/tmp/chrome_dev"`: a separate profile directory. Chrome ignores `--disable-web-security` unless a non-default user data directory is given, and using one keeps the insecure instance away from the cookies and storage of your normal profile.

Launcher script for macOS:

```bash
#!/bin/bash
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
```

This will launch a new instance of Chrome with CORS disabled. Upon launching, you will see a warning banner at the top of the browser window.

| Risk | Description | Mitigation |
| :--- | :--- | :--- |
| | Malicious sites could read data from other sites you are logged into. | Only use the disabled instance for localhost development. |
| Data Theft | Cookies and local storage are accessible across origins. | Never log into banking, email, or social media in the "insecure" window. |
| Session Hijacking | Attackers can perform actions on behalf of the user on other sites. | Close the insecure window immediately after testing is complete. |
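A hardened version of the launcher, added here as an example and not the page's own script: it creates a fresh profile directory with `mktemp`, refuses anything that could be a real profile, runs the Chrome binary directly instead of via `open` so the call blocks until the window closes, and then deletes the profile with its cookies. The function names, the `CHROME_BIN` and `DEV_URL` variables and the localhost URL are this example's assumptions.

```bash
#!/bin/bash
# Launch an insecure Chrome instance on macOS in a throwaway profile and delete
# that profile when the window is closed. Added example, not the page's script;
# function names, CHROME_BIN, DEV_URL and the localhost URL are assumptions.
set -eu

CHROME_BIN="${CHROME_BIN:-/Applications/Google Chrome.app/Contents/MacOS/Google Chrome}"
DEV_URL="${DEV_URL:-http://localhost:3000}"

# Accept only a fresh directory under a temp location, so the insecure window
# never starts with the cookies and local storage of a real profile.
# Returns 0 if DIR is an acceptable throwaway profile, 1 otherwise.
profile_is_throwaway() {
    local dir="$1"
    case "$dir" in
        ""|"${HOME:-/nonexistent}"|"${HOME:-/nonexistent}/Library/Application Support/Google/Chrome"*)
            return 1 ;;   # empty, home, or the real Chrome profile tree
    esac
    case "$dir" in
        /tmp/*|/private/tmp/*|"${TMPDIR:-/nonexistent}"*) ;;   # temp locations only
        *) return 1 ;;
    esac
    # An existing "Default" sub-profile means saved state from an earlier session.
    if [ -e "$dir/Default" ]; then
        return 1
    fi
    return 0
}

# Print the exact argument list, one per line, so it can be reviewed or tested.
chrome_args() {
    printf '%s\n' "--user-data-dir=$1" "--disable-web-security" "$DEV_URL"
}

launch_insecure_chrome() {
    local dir
    dir="$(mktemp -d /tmp/chrome_dev.XXXXXX)"
    if ! profile_is_throwaway "$dir"; then
        echo "refusing to use profile directory: $dir" >&2
        return 1
    fi
    # Run the binary directly (not via `open`) so this call blocks until the
    # window is closed; the profile is then wiped along with its cookies.
    "$CHROME_BIN" "--user-data-dir=$dir" --disable-web-security "$DEV_URL" || true
    rm -rf "$dir"
}

# Only launch when Chrome is actually present, so the functions load elsewhere.
if [ -x "$CHROME_BIN" ]; then
    launch_insecure_chrome
fi
```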