
I need to know what the --disable-web-security parameter does in Chrome. I know that it disables the same-origin policy.

But I also noticed that it messes with your websockets (I first experienced it with Google's Gmail, now with my own Node app).

So what does it do exactly?

Edit: by "messing" I mean that I often fail to connect or lose connections to WebSocket web applications (while my Chrome runs with the --disable-web-security parameter). Bear in mind that this is only an empirical diagnosis; I am not perfectly sure whether this parameter correlates with my connection issues.

InsOp
  • What does " messes with your websockets" mean in your question? Can you be more specific? Do you realize that every webSocket starts as an HTTP request so anything that disables cross origin protections for web requests will also disable cross origin protections for webSockets too? – jfriend00 Apr 26 '16 at 23:24
  • Related questions: http://stackoverflow.com/questions/17679399/does-disable-web-security-work-in-chrome-anymore and http://stackoverflow.com/questions/22026984/trying-to-disable-chrome-same-origin-policy and http://stackoverflow.com/questions/24290149/creating-google-chrome-shortcut-with-disable-web-security – jfriend00 Apr 26 '16 at 23:25
  • @jfriend00: [Websockets are not protected by the Same Origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy#WebSockets) which makes the OP's statement even more intriguing. – SilverlightFox Apr 27 '16 at 07:20
  • @SilverlightFox - That page is not correct (or is misleading). webSocket connections are subject to same origin protections. The server may allow cross origin connections, but the browser will ONLY connect if the server allows it and supports the proper procedure for allowing it. – jfriend00 Apr 27 '16 at 07:22
  • @jfriend00: Yes, that's correct. The point is that it is all down to the server to correctly validate the `Origin` header; nothing in the browser will protect it automatically. I wonder if `--disable-web-security` prevents this header from being sent for cross-origin WS connections (I've not tried it)? – SilverlightFox Apr 27 '16 at 07:35
  • @jfriend00 since my client only connects to the domain it was called on (i.e. localhost) I doubt my problem relates to the `same origin policy` – InsOp Apr 27 '16 at 11:03
  • Disconnection issues will have nothing to do with the `--disable-web-security` setting. Disconnection issues are likely temporary networking issues in your connection path. FYI, the socket.io layer that runs on top of webSocket adds disconnection detection and auto reconnection precisely for this type of situation. You can either switch to use socket.io at both ends or emulate the functionality it adds. – jfriend00 Apr 27 '16 at 15:19
  • I know this was 4+ years ago, but to anybody who finds this question in the future: please, please do not sign into your Gmail in a Chrome session that has `disable-web-security` turned on. Web security is there for a reason! The flag is there so you can debug your own web applications. You should really use a separate (web-security-protected) session to sign into accounts. – Coderer Jul 08 '20 at 09:23
