Can I disable SOP (Same Origin Policy) on any browser for development?

Question

I want to develop JavaScript on my Windows machine. Do you know a browser where I can turn off Same Origin Policy so I can develop locally? Firefox would be optimal.

Or if you know a proxy I could use for a SOAP/WSDL site it would be great too.

I am trying to work with the JavaSCript SOAP Client.

I had the exact same desire for when I was developing a MySpace application. — Daniel Lucraft, Dec 01 '08 at 10:15

miek · Answer 1 · 2012-06-08T10:07:06.143

15

UPDATE 6/2012: This used to work at the time of the writing, but obviously no more. Sorry.

In Firefox (might apply to other Gecko-based browsers as well) you can use the following JavaScript snippet to allow cross-domain calls:

if (navigator.userAgent.indexOf("Firefox") != -1) {
    try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    } 
    catch (e) {
        alert("Permission UniversalBrowserRead denied -- not running Mozilla?");
    }
}

It looks like there's an issue created in the Chromium issue tracker for achieving the same functionality, so you could try starting Chrome with the argument --disable-web-security. I don't know which builds this works on exactly, but at least Nokia's WRT Tools comes with a Chrome installation that does in fact allow loading content from other sites.

edited Jun 08 '12 at 10:07

answered May 05 '10 at 07:44

miek

3,446
2
29
31

This is, indeed, the way to test your code. Pops up a warning and then Just Works. Thanks so much! – Shermozle Jun 17 '10 at 06:32
1

For the record, this is pretty much the equivalent Chrome/Chromium startup parameter string for development: "--allow-file-access-from-files --disable-web-security --enable-file-cookies --disk-cache-size=1 --media-cache-size=1" – miek Nov 11 '10 at 12:02

score 6 · Answer 2 · edited May 31 '12 at 06:15

6

Unfortunately, using the following:

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");

has been disabled in Firefox 5.

https://bugzilla.mozilla.org/show_bug.cgi?id=667312

edited May 31 '12 at 06:15

dplante

2,445
3
21
27

answered Jul 05 '11 at 01:54

user828878

398
4
8

I wanna point a obviosly thing here. If Firefox 5 don't let me do that and i really need to, i'll use Firefox 4 instead. Is not the end of the world. – m3nda Feb 16 '15 at 06:38

score 2 · Answer 3 · answered Dec 03 '08 at 19:07

Make a page on your local server that calls the remote server and answer the same as the remote server.

Example, javascript calls local server for a JSON. The local server makes the call to the remote server for that JSON. The local server receives the JSON from the remote server and send it to the javascript.

score 2 · Answer 4 · answered Aug 30 '11 at 00:19

2

Using the Chromium 13.07, you can start it with security disabled:

/usr/bin/chromium-browser --disable-web-security

That's on Ubuntu 11, but change the location as your system.

answered Aug 30 '11 at 00:19

Chris Lee

21
1

/opt/google/chrome/google-chrome --disable-web-security That worked for me on Linux Mint 11.04, Google Chrome 14.0.8 – so_mv Oct 24 '11 at 23:52

score 1 · Answer 5 · answered Dec 03 '08 at 20:21

All of the given answers are good ones when it comes to getting around the same origin policy in production.

For development, there is no convenient way to "disable" this security check. There are workarounds (see other answers) or hacks (you could use Greasemonkey to wrap up the JavaScript and use their GM_xmlhttprequest as a temporary measure), but no way to actually "turn it off" as you describe.

score 1 · Answer 6 · answered May 31 '19 at 08:29

1

i run this command on mac, it works on me when i use google chrome to run my project.

open -a Google\ Chrome --args --disable-web-security --user-data-dir

answered May 31 '19 at 08:29

Miftah Mizwar

3,722
2
13
20

score 0 · Answer 7 · answered Nov 25 '09 at 16:43

0

I have no real experience with this, but FireFox 3.5 allows Cross-Site JS according to the W3C Cross-Origin Resource Sharing Draft.

See: https://developer.mozilla.org/En/HTTP_access_control

answered Nov 25 '09 at 16:43

wilth

705
2
8
19

but web servers have to enable CORS by sending an HTTP response header: Access-Control-Allow-Origin: * for example – baptx Feb 05 '13 at 18:55

score 0 · Answer 8 · edited Feb 23 '11 at 12:50

0

Firefox would be optimal.

If you can live with Internet Explorer, you may be able to use an .hta application

http://msdn.microsoft.com/en-us/library/ms536496(VS.85).aspx

(This is one of the ways the Selenium test automation tool deals with the issue)

edited Feb 23 '11 at 12:50

ThiefMaster

310,957
84
592
636

answered Dec 01 '08 at 10:19

The Archetypal Paul

41,321
20
104
134

score 0 · Answer 9 · answered Sep 05 '16 at 17:00

0

In Chrome (& Chromium) 48 and above you should add the flag --user-data-dir like this:

chromium-browser --disable-web-security --user-data-dir

And it works.

answered Sep 05 '16 at 17:00

Johann Echavarria

9,695
4
26
32

score -2 · Answer 10 · answered Mar 05 '09 at 17:51

-2

You can also redirect a local port to the remote server and port via ssh.

answered Mar 05 '09 at 17:51

Can I disable SOP (Same Origin Policy) on any browser for development?

10 Answers10

Linked