Mark Holmes created CB-10132:
--------------------------------

             Summary: Disable Chrome web security when launching the browser
                 Key: CB-10132
                 URL: https://issues.apache.org/jira/browse/CB-10132
             Project: Apache Cordova
          Issue Type: Improvement
          Components: CordovaServe
    Affects Versions: Master
         Environment: Mac OS X Yosemite (10.10.5) Chrome 47.0.2526.73
            Reporter: Mark Holmes
            Assignee: Tim Barham
            Priority: Minor


h1. Background

I have been running into issues with a Cordova project of mine where the 
security settings on Chrome force the browser to run an OPTIONS HTTP request 
before any POST request is made. When debugging on Android and iOS, I 
discovered that these OPTIONS requests are not sent before the POST requests.

h1. Problem

I did some research and found that these OPTIONS requests are being sent 
because of Chrome's same origin policy settings:

http://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome

I used {code:none}cordova run browser{code} to test this and found that after 
running this command and then running Chrome with

{code:none}open -n -a "Google Chrome" --args --user-data-dir=/tmp/temp_chrome_user_data_dir_for_cordova http://localhost:8000/index.html --disable-web-security{code}

my application worked and the HTTP OPTIONS requests were no longer being sent.

h1. Solution

I think that Chrome would more closely replicate the other platforms if we 
disabled its "Same Origin Policy" security settings using the 
{code:none}--disable-web-security{code} flag when launching Chrome.

The flag's function is documented below:

http://peter.sh/experiments/chromium-command-line-switches/#disable-web-security

referenced by

https://www.chromium.org/developers/how-tos/run-chromium-with-flags

h1. Pull Request

I see where in the code this can be done and I am wondering if this is worth 
submitting a pull request for.

src/browser.js Line 93:

Before:
{code:javascript}var chromeArgs = ' --user-data-dir=/tmp/' + dataDir;{code}
After:
{code:javascript}var chromeArgs = ' --disable-web-security --user-data-dir=/tmp/' + dataDir;{code}



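The OPTIONS request described in the report is the CORS preflight that Chrome sends before certain cross-origin requests. The following is an added example, not code from the report or from Cordova: it models when a request is preflighted and how a backend can answer the preflight for an allowlisted development origin while the same-origin policy stays enabled. The function names and the `api.example.test` host are hypothetical.

```javascript
// Added example (not Cordova code). Simplified model of the Fetch/CORS rules:
// header value-length limits, Range and upload listeners are not modelled.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Returns true when a cross-origin request makes the browser send OPTIONS first.
function needsPreflight(pageOrigin, url, method, headers = {}) {
  if (new URL(url).origin === pageOrigin) return false; // same origin: no CORS
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n !== 'content-type') return true; // any other author-set header
    const mime = String(value).split(';')[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(mime);
  });
}

// Server side: headers that answer the preflight for allowlisted origins only.
// Returns null when the request is not allowed (reply without CORS headers).
function preflightResponse(reqHeaders, allowedOrigins, allowedMethods, allowedHeaders) {
  const origin = reqHeaders['origin'];
  const method = reqHeaders['access-control-request-method'];
  if (!origin || !allowedOrigins.includes(origin)) return null;
  if (!method || !allowedMethods.includes(method.toUpperCase())) return null;
  const asked = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!asked.every(h => allowedHeaders.includes(h))) return null;
  return {
    'Access-Control-Allow-Origin': origin, // exact allowlisted origin, not '*'
    'Access-Control-Allow-Methods': allowedMethods.join(', '),
    'Access-Control-Allow-Headers': allowedHeaders.join(', '),
    'Vary': 'Origin',
  };
}

// Constructed sample: page served by `cordova run browser`, hypothetical API host.
const PAGE = 'http://localhost:8000';
const API = 'https://api.example.test/login';
```

In this model a cross-origin POST with `Content-Type: application/json` is preflighted, while the same POST sent as `application/x-www-form-urlencoded` is not.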