144

When trying to do a HTTP request using XMLHttpRequest from a local file, it basically fails due to Access-Control-Allow-Origin violation.

However, I'm using the local web page myself, so I was wondering if there is any way to make Google Chrome allow these requests, which are from a local file to a URL on the Internet.

E.g., $.get('http://www.google.com/') fails when executing in a local file, but I've scripted the page myself and I'm using it myself, so it would be extremely useful if I could suppress it and load the URL.

So, how can I allow Google Chrome to load URLs using XMLHttpRequest from local files?

pimvdb
  • 151,816
  • 78
  • 307
  • 352
  • 1
    `Access-Control-Allow-Origin: null` by the website works. (ofc. not by google.com) – inf3rno May 27 '14 at 18:29
  • 3
    @JessamynSmith: The order of answers changes, and the accepted answer may also change, so it's better to link to an answer than saying anything like 'the answer below the accepted answer'. Use the URL that the answer's 'share' link leads to. – Michael Scheper May 01 '15 at 02:33
  • 2
    @MichaelScheper Your comment is somewhat irrelevant given that I pasted in the actual command that worked. However, in case there is value in including the link, I deleted and resposted. In modern Chrome, errors look like: XMLHttpRequest cannot load file:///path/to/file/css/base.css. Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource. This answer http://stackoverflow.com/a/4819114/1649165 worked for me, i.e. run chrome from the command line: chrome --allow-file-access-from-files – Jessamyn Smith May 01 '15 at 03:10
  • @JessamynSmith: Sorry you thought my advice was irrelevant. Since you thought a particular answer was relevant, I thought you might like to future-proof your comment. My mistake. – Michael Scheper May 01 '15 at 06:05

4 Answers4

264

Using --disable-web-security switch is quite dangerous! Why disable security at all while you can just allow XMLHttpRequest to access files from other files using --allow-file-access-from-files switch?

Before using these commands be sure to end all running instances of Chrome.

On Windows:

chrome.exe --allow-file-access-from-files

On Mac:

open /Applications/Google\ Chrome.app/ --args --allow-file-access-from-files

Discussions of this "feature" of Chrome:

Cœur
  • 37,241
  • 25
  • 195
  • 267
Konstantin Smolyanin
  • 17,579
  • 12
  • 56
  • 56
  • 6
    Is it possible to make this the default behavior without having to open a terminal/command line or a custom shortcut every time? – Kokodoko Sep 30 '14 at 12:38
  • 1
    @Kokodoko I think no. – Konstantin Smolyanin Oct 03 '14 at 16:34
  • Rather than disabling web security in the browser you could instead host the file making the cross-domain ajax request on a web server running on the local machine so that the scheme used does not have access to your filesystem. Reverse proxies are another way to handle this, and can be configured with relative ease using Node-based tools like Hapi or Express. – vhs Dec 16 '14 at 20:19
  • 2
    @JoshH I completely agree that it's much better to use local web server for web site development then accessing local files directly by the browser. However the exact question was asked and I've just answered it. – Konstantin Smolyanin Dec 31 '14 at 16:45
  • 17
    In case someone else is going to try this: this flag is *not* available/modifyable in `chrome://flags` – Blaise Apr 19 '15 at 06:50
  • 2
    Is it safe to browse internet using this instance? In my case, when I opened the same local file in Iceweasel, there was no error. They don't have the same security check as Chrome does? So I'm guessing it's still okay to surf the web in this browser instance. – Neerkoli May 08 '16 at 06:27
  • 1
    @BlackPanda I think it's safe because of [Same Origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy). Sites from internet still can't access local files. – Konstantin Smolyanin May 08 '16 at 13:54
  • On Windows it won't work if chrome is already running and is sharing its instances. – Supersharp Jan 04 '17 at 10:10
  • Please note, you may have extensions to chrome that don't shutdown when you close chrome, leaving chrome running in the background. In this case changing the shortcut will appear to do nothing. I had to end task all the `chrome.exe` instances running to get this to work this time. – Maslow Aug 17 '17 at 14:38
  • @Kokodoko You can consider downloading Chromium and using it ONLY for debugging. If you do in this way, you need launching the Chromium with the `--allow-file-access-from-files` flag only once - and it will be MORE CONVENIENT if you set Chromium as the default app for HTML file. – Alan Zhiliang Feng Feb 20 '18 at 06:17
  • This should be the accepted answer. @Kokodoko yes it is. You have to change the "launcher settings". Under Windows: Open start menu -> find chromium -> right click -> properties -> somewhere here you find the path to the executable file. Just add the command line parameter after the executable call. – DarkTrick Sep 24 '20 at 02:37
49

startup chrome with --disable-web-security

On Windows:

chrome.exe --disable-web-security

On Mac:

open /Applications/Google\ Chrome.app/ --args --disable-web-security

This will allow for cross-domain requests.
I'm not aware of if this also works for local files, but let us know !

And mention, this does exactly what you expect, it disables the web security, so be careful with it.

Jonny White
  • 875
  • 10
  • 21
jAndy
  • 231,737
  • 57
  • 305
  • 359
  • You can also use Safari on a Mac. It allows AJAX to local files by default when the request is made from a local file. Also, about '.exe', nothing in the Q is said about Windows. Pim is a Windows dev, but still, nothing said about Windows. –  Jan 27 '11 at 16:40
  • 1
    Yes I'm on Windows, sorry about that. Will try this out now, thanks. By the way, I'm running Chrome always when my computer is on, so is there a way to only allow cross domain request with local files or only in a specific tab? Because this way, I actually cannot browse the Internet safely at the same time... – pimvdb Jan 27 '11 at 17:07
  • 1
    I just downloaded the latest Chromium build so as to have a standalone, unsafe version running for testing, and the 'real', installed Chrome for safe Internet browsing. And it does work, thanks! – pimvdb Jan 27 '11 at 17:26
  • @Tom - you should be able to do this on Mac with Safari, without any setting changes, as long as you use the "file:///" protocol and not "http://localhost" – Near Privman Jan 21 '12 at 15:00
  • Go with @Konstantin Smolyanin's suggestion – daniel.gindi Aug 21 '14 at 12:18
  • Better answer below to just allow file access. – Maladon Jun 10 '15 at 12:50
  • I have done this and it works just fine. Please be aware that if you do this and then open a new chrome browser is it still running with web security disabled. You would need to kill all chrome instances and restart chrome to re-enable web security. @pimvdb 's solution works. I also have chrome canary and have used one for disabled security for testing. I just wante to mention this as it is easy to forget! Don't go online with web-security diasabled! – Carl Armbruster Jul 08 '16 at 15:47
  • 4
    I tried it on Safari 10.1 and it gave me: `XMLHttpRequest cannot load file:///. Cross origin requests are only supported for HTTP.` so the statement about Safari browser from this thread is no longer valid. – Michal Cichon Jun 05 '17 at 08:11
  • The application cannot be opened for an unexpected reason, error=Error Domain=NSOSStatusErrorDomain Code=-10673 "(null)" UserInfo={_LSLine=3845, _LSFunction=_LSOpenStuffCallLocal} – Kingname May 02 '22 at 06:47
22

Mac version. From terminal run:

open /Applications/Google\ Chrome.app/ --args --allow-file-access-from-files
Nek
  • 1,909
  • 20
  • 31
3

On Ubuntu:

chromium-browser --disable-web-security

For more details/switches:

http://peter.sh/experiments/chromium-command-line-switches/

Referenced from

Taimoor Changaiz
  • 10,250
  • 4
  • 49
  • 53