"unsafely-treat-insecure-origin-as-secure" flag is not working on Chrome

Question

I am using geo-location for a site running locally on my machine using HTTP on Chrome. However this does not work as I am running on HTTP as opposed to HTTPS.

On the console it says:

getCurrentPosition() and watchPosition() no longer work on insecure origins.
To use this feature, you should consider switching your application to a 
secure origin, such as HTTPS. See https://sites.google.com/a/chromium.org/dev/Home/chromium-security/deprecating-powerful-features-on-insecure-origins 
for more details.

According to Deprecating Powerful Features on Insecure Origins its says to start chrome using --unsafely-treat-insecure-origin-as-secure="http://example.com" flag. The command I ran was similar to:

chrome.exe --unsafely-treat-insecure-origin-as-secure="http://hello.app"

However, the same error message still appears.

How can I fix this issue.

Version 64.0.3282.167 (Official Build) (64-bit), is my version of chrome and I am having the same problem. — Rizvan, Apr 03 '18 at 05:37
Make sure to specify the port, if needed. That's what bit me. — CletusW, Apr 17 '18 at 22:36
I know this is an old question. But still, I thought let's share how it worked for me. While doing some testing I needed to treat HTTP as secure and stumbled upon this question. I tested on chromium v74.0.3729.0 [This](https://stackoverflow.com/a/53388534/14212989) worked for me with a catch. After enabling the flag, relaunch the browser. Then in the input field, write your HTTP link. The browser will again ask to relaunch but don't. Open a new tab and go to your link and it is secure now. — sayemzaman, Jul 12 '21 at 13:49

score 142 · Answer 1 · edited May 15 '19 at 19:57

142

None of the solutions worked for me.

I achieved this by following steps.

Type chrome://flags/#unsafely-treat-insecure-origin-as-secure in the address bar.
Add the origin which you need to treat as secure as shown in the below image.

Relaunch chrome.

edited May 15 '19 at 19:57

Chuck Le Butt

47,570
62
203
289

answered Nov 20 '18 at 07:58

Kartik Sharma

1,521
1
9
7

4

This worked for me, though I had to add the specific port, in my case. Also, I have to set it every time and Chrome still complains that it's an "unsupported" flag – Jan 04 '19 at 19:00
21

This works on the browser on mac but when I click restart in chrome on android it never remembers the whitelisted url – Vincent Feb 14 '19 at 09:37
4

How to save the values? If i click on the link the relaunch button shows up but after relaunch the entered values are missing. – Honsa Stunna Apr 16 '19 at 09:45
3

@HonsaStunna did you select 'Enabled'? – statut May 04 '19 at 13:08
@Vincent A bit late now, but I noticed it did this if I failed to include http:// at the beginning – Chuck Le Butt May 15 '19 at 20:02
@ChuckLeButt I'm entering a value with http:// and it still forgets the URL on relaunch... – Chris H. May 30 '19 at 19:57
I'm no longer with this problem, but with fresh eyes I wonder if it needs to be https:// (it's the insecure origin that needs to be treated as secure). Probably not – Chuck Le Butt Jun 08 '19 at 19:32
6

@Vincent Apparently [you need device root](https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins) to set this flag on Android devices. Google recommends setting up [port forwarding](https://developers.google.com/web/tools/chrome-devtools/remote-debugging/local-server) instead. – Wolfgang Jun 26 '19 at 15:51
Unfortunately this appears to put up a banner on every launch, making Edge less useful for Enterprise Intranet sites that do not have https support available. Back to IE11! – NetMage May 21 '20 at 20:33
2

I set up the flag chrome://flags/#allow-insecure-localhost to Enabled, but still getting insecure padlock warning. I filed my steps [here](https://stackoverflow.com/questions/62503177/can-not-debug-service-worker-on-an-android-phone) – Avner Moshkovitz Jun 21 '20 at 20:17
I also set up the flag "chrome://flags/#insecure origins treated as secure" to Enabled with https://192.168.1.74, but I'm still getting insecure padlock warning. (this even happens on my Desktop, not just in the phone) I filed my steps [here](https://stackoverflow.com/questions/62503177/can-not-debug-service-worker-on-an-android-phone) – Avner Moshkovitz Jun 21 '20 at 20:34
Not working any more – Khris Vandal Jan 06 '23 at 17:53

JkAlombro · Answer 2 · 2018-01-31T07:57:12.813

8

You must have missed some steps. Try to follow this

Go to File Explorer then paste this to address bar >> C:\Program Files (x86)\Google\Chrome\Application (or just go to where you can find your chrome.exe)
Right click chrome.exe > send to > Desktop (Create Shortcut)
Go to your desktop then find the chrome shortcut you've created.
Rename it to ChromeForTesting (this step is optional)
Right click the shortcut, then Click Properties
At the "Target", paste the following at the end of the link

--user-data-dir=/tmp/foo --unsafely-treat-insecure-origin-as-secure=http://example.com

so Target should look somewhat similar to this

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir=/tmp/foo --unsafely-treat-insecure-origin-as-secure=http://example.com

Click Ok..
During testing close all of your opened google chrome browser. Then double click ChromeForTesting shortcut (the one you've created), when a prompt appears, just click ok..

EDIT: If the steps above does not work for you, you might be using Chrome V63, update it to V64 above cause this flag is messed up in V63.

P.S. If it's still not working follow these extra steps

At your drive C, create a folder and name it "ChromeTempFiles".
Then in your --user-data-dir= you change the value into "C:\ChromeTempFiles"
Add these to your target as well

--allow-running-insecure-content --reduce-security-for-testing

so your target should look like this now

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir=C:\ChromeTempFiles --unsafely-treat-insecure-origin-as-secure=http://example.com --allow-running-insecure-content --reduce-security-for-testing

edited Jan 31 '18 at 07:57

answered Sep 18 '17 at 07:26

JkAlombro

1,696
1
16
30

3

Did not work for me, " --unsafely-treat-insecure-origin-as-secure" seem not anymore recognised by Chrome. – trinity420 Jan 21 '18 at 15:56
@trinity420 now that you mentioned it, I just noticed that it also stopped working on mine. But I found the solution. I updated my answer, it should work for you now. – JkAlombro Jan 31 '18 at 07:59
5

Note: The `unsafely-treat-insecure-origin-as-secure` flag was broken in Chrome 63, and works again in 64+. `--reduce-security-for-testing` no longer does anything at all, and the `--user-data-dir` flag is no longer needed. – EricLaw Feb 20 '18 at 20:20
4

Well. It's not working. As simple as that. I tried all suggestions, read everything about it, with or without user dir, with or without port, the flag is NOT in the "chrome://flags/" page. I am all for security, but this is bordering on the ridiculous. Edited to add version: Chromium Version 67.0.3396.87 (Developer Build) built on Debian 9.4, running on Debian 9.3 (64-bit) Just my two cents. – Michaela.Merz Jul 17 '18 at 19:12
1

As of Chrome 71, @kartik-sharma's answer below worked for me, with the one caveat being you have to set it every time and it still complains that it's an "unsupported" flag. https://stackoverflow.com/a/53388534/241244 – Jan 04 '19 at 19:04
I set up the flag chrome://flags/#allow-insecure-localhost to Enabled, but still getting insecure padlock warning. I filed my steps [here](https://stackoverflow.com/questions/62503177/can-not-debug-service-worker-on-an-android-phone) – Avner Moshkovitz Jun 21 '20 at 20:18

aelbatal · Answer 3 · 2016-12-29T09:41:34.847

2

You should also use a temproary fresh profile for that session. something like this:

chrome.exe --user-data-dir=/test/only/profile/dir --unsafely-treat-insecure-origin-as-secure="http://example.com"

edited Dec 29 '16 at 09:41

answered Dec 26 '16 at 20:23

aelbatal

147
1
5

3

This was necessary prior to Chrome 62. It's no longer needed. – EricLaw Feb 20 '18 at 20:28

vinyllicker · Answer 4 · 2018-12-14T03:10:05.917

2

Just an update to this for Chrome 70. This works perfectly

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --user-data-dir=C:\ChromeTempFiles --allow-running-insecure-content

Now does anybody know if there is an equivalent for firefox?

edited Dec 14 '18 at 03:10

answered Dec 14 '18 at 03:03

vinyllicker

83
1
5

score 1 · Answer 5 · answered Feb 28 '19 at 08:10

1

For Chromium 44 use

--unsafety-treat-insecure-origin-as-secure=http://192.168.0.101:3000

instead

--unsafely-treat-insecure-origin-as-secure=http://192.168.0.101:3000

See that bug

answered Feb 28 '19 at 08:10

Nikolay Makhonin

1,087
12
18

score 1 · Answer 6 · answered May 09 '19 at 15:33

In Google Chrome, you simply type into the address bar, "chrome://flags", and search for, "--unsafely-treat-insecure-origin-as-secure", enable that flag, and enter into the field below (multiples may be entered separated by a comma) the domain you wish to treat as secure. This may or may not compromise your security, but I would assume not as getCurrentPosition() and watchPosition() are somewhat recently deprecated features. this works for publicly served domains, as well.

score -1 · Answer 7 · answered Jan 29 '20 at 15:29

With Chrome 79 this setting doesn't work no matter what.

What I ended up doing was to configure the domain on a VPS to show some test webpage and then generate a valid certificate for it using Let's Encrypt's certbot.

Then I copied that certificate to my machine and it's now valid.

"unsafely-treat-insecure-origin-as-secure" flag is not working on Chrome

7 Answers7

Linked