Hi, I want to pass --disable-web-security --user-data-dir=c:\my\data as additional chromium args, so that I can disable the web security.
As https://stackoverflow.com/a/36939693/10038051 suggests, we also need to pass the user-data-dir value to make this flag work.
I need this to do some cross-site scripting in javascript that would otherwise throw a DomException.
I tried setting the args in the Additional Chromium Args box but nothing seem to have changed.
Please help me on this.
Have you tried to change the WebSecurity property of the “Rendering Engine” component in ExeOutput?
Yes, tried setting it to STATE_DISABLED, still no change at all.
Also tried checking DisableSafeBrowsing, no help.
And if you try to run the EXE made with ExeOutput with parameter --disable-web-security, does it work?
Just gave it a try, nope it does not work either.
Then, it may be that the flag simply does not work…
So, I was digging around for ways to build my own chromium from source, with these flags in-built, while I ran into this life-saving comment by Charles Reis on this page that shows a piecce of email received from chromium developers:
The change in behavior is probably because cross-site pages no longer run in the same process, once Site Isolation launched. Thus, even when you turn off security in the renderer process, it’s not possible to access pages running in a different process. You can probably work around that for now using --disable-site-isolation-trials together with --disable-web-security.
SoI added the flag --disable-site-isolation-trials alongwith the other flags in question, and (voila!) it worked!
Just posting here in a hope to help others like me. Having JS access to cross-domain pages really opens doors to countless possible applications!
Although of course use this flag with caution.