For starters one might ask why would anyone want to switch CORS off?
Cross-Origin Resource Sharing (CORS) is a part of HTTP header that indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
It’s security measure against plenty of web attack vectors. In simple terms CORS (Cross-Origin Resource Sharing) mean you can’t get web resource from different domain, only from the same domain from which your original resource is loaded. Practically, if your web page is on domain xy.com then some JavaScript inside your page will only be allowed to get resources from xy.com. But what if you still want CORS switched off?
Web applications usually have client part of application and server part of application. Client part of application works on client side, usually in browser, gets data from server, provides visual interface and forms for user interaction and sends modified data to server. If client and server side use the same web domain so the CORS works fine with that. But the problem arise when you want your client app to work with different web domain, for example get data from some website that doesn’t set CORS permissions to allow third party applications’ access.
In practice, I had a need to turn off CORS in Chrome browser only when I was testing code that is intended to work as mobile application through Apache Cordova framework. I usually start writing bits of code for my project in codepen or jsbin just to confirm proof of concept or to solve some complexities I thought could be challenging for the project. In some future blog posts I’ll write in more details about my coding process, and frameworks I found interesting for JavaScript developers.
Without any further explanation here is the command to start Chrome with disabled CORS in Windows:
"C:\Users\webmaster\AppData\Local\Google\Chrome\Application\chrome.exe" --test-type --disable-web-security --disable-gpu --user-data-dir=~/chromeTemp
Similar commands are in Linux and MacOS as well. You will need to change path to your instance of Chrome. Arguments(switches) to the command are necessary to modify Chrome behavior and you can make shortcut out of it. If you omit –test-type argument you will get an Chrome warning that you are operating insecure instance of Chrome, so I suggest you keep other instances of Chrome open for the sake of surfing web. –disable-web-security is the argument that turns off CORS and –disable-gpu will turn off hardware acceleration. It’s important to set –user-data-dir to some temporary folder you have made for CORS-off instance of Chrome.
Finally keep in mind that you are running insecure instance of Chrome and use it only for your own testing purposes and not for general use like surfing web because there are many web attacks that exploit issues with CORS.