New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 842040 link

Starred by 1 user
Status: Duplicate
Owner:
creis@chromium.org
Closed: May 2018
Cc:
sindhu.chelamcherla@chromium.org
lukasza@chromium.org
wfh@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Can no longer disable localhost restrictions for AJAX requests to a server using CORS

Reported by glenn.ma...@avaxa.com, May 11 2018 
Chrome Version       : 66.0.3359.170 (Official Build) (64-bit)
URLs (if applicable) : N/A
Other browsers tested: N/A

Prior to version 66, I have been running Chrome in my development environment with the '--disable-web-security' switch to allow me to successfully connect my web application, running on http://localhost:8100 with a web service server running on the same PC using HTTPS and the hostname of the server (eg https://mymachine.domain.local). 

Since version 66 this no longer works. I believe the new Site Isolation is now getting in the way.

What steps will reproduce the problem?

(1) Start Chrome with --disable-web-security

(2) Open a web application hosted on a localhost custom port (eg http://localhost:8100)

(3) Have that web application perform an AJAX call to a web service running CORS.

What is the expected result?

Request should succeed.

What happens instead?

Request fails with CORS violation.


Please provide any additional information below. Attach a screenshot if
possible.

If I manually opt out of chrome://flags/#site-isolation-trial-opt-out the requests work. However, our development workflow requires a command-line switch to do this and I can't find one.

Comment 1 by sindhu.chelamcherla@chromium.org, May 11 2018

Cc: sindhu.chelamcherla@chromium.org
Labels: Needs-Feedback Triaged-ET Needs-Triage-M66
@Reporter: As per steps-2 and #3 please provide sample URL/test file to test this issue from TE end. Any further information on reproducing the issue would help in further debugging of this. Also please let us know on which OS you are facing this issue.

Thanks!

Comment 2 by creis@chromium.org, May 11 2018

Cc: lukasza@chromium.org
Labels: -Needs-Feedback
Mergedinto: 829877
Owner: creis@chromium.org
Status: Duplicate (was: Unconfirmed)
Thanks for the report!  This is fixed in Chrome 67 in issue 829877.  In the meantime, you can use the following flag in Chrome 66 to get it to work while Site Isolation is enabled:
--disable-features=CrossSiteDocumentBlockingIfIsolating,CrossSiteDocumentBlockingAlways


(For reference you can also use --disable-features=IsolateOrigins,site-per-process to turn off Site Isolation, but hopefully that's not necessary given the flag above.)

Comment 3 by glenn.ma...@avaxa.com, May 12 2018 

Fantastic response everyone. 

Unfortunately, neither of the workarounds seem to work for me. Even with all four of the features disabled I still have to manually opt out of the trial for the connections to work.

I can wait for the next release and use the manual workaround.

For the record I'm running on Windows 10.

Thanks.

Comment 4 by alex...@chromium.org, May 12 2018 

#3: Can you try passing --disable-site-isolation-trials?

Comment 5 by glenn.ma...@avaxa.com, May 12 2018 

I apologise. I was passing the command line arguments incorrectly in Chrome Debugger for Visual Studio Code. I was concatenating the args when I should have been passing them separately in an array.

I can confirm, now that I'm doing it correctly, that the first workaround does fix the problem.

Thanks.

Comment 6 by douglasl...@gmail.com, Jun 14 2018 

I can verify that --disable-site-isolation-trials solved the issue for us. We were getting iframe cross origin security errors after upgrading to Chrome 67.  We do our oauth2 flow via an iframe when testing on a browser (for our hybrid mobile app).  This helps us.  Thanks.

Sign in to add a comment