Don’t disable web security!!!

This basic question is all over stack overflow.

People ask how can they access files when developing HTML locally. They make a .HTML file, then open it in Chrome. They add a script that needs to access an image for canvas or WebGL or whatever and find they can’t. So they ask on Stack Overflow and the most common answer is some form of “Start Chrome with the option –disasble-web-security” (or one of 5 or 6 other similar flags)

I keep screaming DON’T DO THAT! but almost no one listens. In fact not only that the downvote my answers.

Well here’s two proof of concepts of why it’s ill-advised to disable web security.

The first one is an example that will get your stack overflow or github username if you are logged in and you started chrome with --disable-web-security. Of course you probably don’t care that someone is looking up your username on various sites but that’s not really the point. The point is some webpage not related to those sites was able to access data from those sites. The same webpage could access any other site. You bank, your google account, all because you disabled security.

You might say “I’d never run a script like that” but you likely run lots of 3rdparty scripts.

The second example will show files from your hard drive. It could upload them to a remote server. Which files some baddie would want I have no idea. The point is not to show uploading dangerous files. The point is only to show if you disable web security it’s possible for a script, your own or a 3rd party one to access your local files.

Many of you will be thinking “I’d never do either of those” but I think that’s being short sighted. I know I often forget which browser I’m in, the dev one or the non-dev one. If I mistakenly used the dev one with web security disabled then oops.

Of course you might also be thinking you’d never do any of the things above. You’re running your own hand coded webpages with scripts and not using any 3rd party libraries and you never use the wrong browser. But again, that’s not the point. The point is you turned off security. The point is not to enumerate all the ways you might get hacked or have data stolen or accounts manipulated. The point is if you disable web security you’ve made yourself more vulnerable period.

This is especially frustrating because the better solution is so simple. Just run a simple local server! It will take you all of 2 minutes at most. Here’s one I wrote for those people not comfortable with the command line. Here’s also 6 or 7 others.

  • Absolutely agree! One of the points of security measures is preventing human mistake. One simply cannot keep his guard up permanently. Relying only on your own care is like relying only on security by obscurity. It has a value, but is not the definitive answer.