How do I disable XSS/"Same Origin" checking on Chrome?

Question

I am trying to access the contents of HTML tags within an iframe on a page I am developing. The parent and iframed pages have the same root domain, but different subdomains. I cannot alter the iframed page, but I can alter the parent page.

To this end, I opened Chrome via

open -a Google\ Chrome --args --disable-web-security

to let Chrome ignore the Same Origin Policy pertinent to accessing elements in an Iframe. However, Chrome still returns an error when I try to access the elements of the Iframe:

Uncaught Error: SECURITY_ERR: DOM Exception 18
Refused to display document because display forbidden by X-Frame-Options.

How do I tell Chrome to completely ignore XSS checking? Can I use command line arguments? This page on Dropbox illustrates my intention. I am trying to access the contents of the iframe. http://dl.dropbox.com/u/1531353/Misc/subDomainFrameAccess/index.html

score 1 · Accepted Answer · answered Mar 13 '12 at 06:00

1

X-frame-options is anti-clickjacking, not XSS. The page refuses to be displayed in an iframe. Can you use a popup window instead?

answered Mar 13 '12 at 06:00

Erlend

126

score 0 · Answer 2 · answered May 10 '19 at 03:25

0

Please comment on the chrome bug list so the chrome devs hear our collective cries!

https://bugs.chromium.org/p/chromium/issues/detail?id=857032

answered May 10 '19 at 03:25

Daniel Sokolowski

939

How do I disable XSS/"Same Origin" checking on Chrome?

2 Answers2