What exactly does disablewebsecurity do when used with Chrome/Chromium or a <webview>?


James Fox

Jul 21, 2016, 1:15:26 AM
to Chromium-discuss

I'm interested in understanding exactly what the attribute disablewebsecurity does when used with a webview element like this: <webview src=www.somesite.com disablewebsecurity>


I have an Electron app that is a wrapper around a web app, and we're using <webview> elements to iframe pages.


However, I want to completely understand what I'm exposing my application to wrt using the disablewebsecurity flag.


I know that this allows CORS requests and ignores the X-FRAME-OPTIONS header, but what else does it do? I'm particularly curious about its access to cookie namespaces.


Also, is this attribute the same as opening Chrome/Chromium with the command line flag --disable-web-security?


Any insight is appreciated (I couldn't find it documented anywhere).


Thanks!

PhistucK

Jul 21, 2016, 1:23:18 AM
to jamis...@gmail.com, Chromium-discuss
You can access cross origin scripting contexts, say, if you have an <iframe> from a different domain, you can still access its contentWindow property and do whatever you want. That means that you can set cookies for that domain, yes.


PhistucK
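
As an added example (not part of either post, and not Electron's or Chromium's own code), a small Node.js check that flags `<webview>` tags carrying the `disablewebsecurity` attribute discussed in this thread, so they can be reviewed before an app ships. The function names and the sample markup are constructed for illustration.

```javascript
'use strict';

// Opening <webview ...> tag, possibly spanning lines; quoted values may contain '>'.
const WEBVIEW_TAG = /<webview\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// One attribute: name, optionally followed by = "value" | 'value' | bare value.
const ATTRIBUTE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Hypothetical helper: parse the attribute text of one tag into a Map.
function parseAttributes(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTRIBUTE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs.set(m[1].toLowerCase(), value);
  }
  return attrs;
}

// Hypothetical helper: return one finding per <webview> that has the attribute.
function findInsecureWebviews(html) {
  const findings = [];
  for (const m of html.matchAll(WEBVIEW_TAG)) {
    const attrs = parseAttributes(m[1]);
    // Audit choice: treat it as a boolean attribute, so presence is flagged
    // whatever value it carries (including ="false").
    if (!attrs.has('disablewebsecurity')) continue;
    const line = html.slice(0, m.index).split('\n').length;
    findings.push({ line, src: attrs.get('src') ?? null });
  }
  return findings;
}

// Constructed sample markup; the first line is the tag quoted in the question.
const SAMPLE = [
  '<webview src=www.somesite.com disablewebsecurity>',
  '<webview src="https://app.example/"></webview>',
  '<WebView',
  '  src="https://a.example/?q=a>b"',
  '  DisableWebSecurity="false"></WebView>',
  '<webview src="https://b.example/" data-note="disablewebsecurity"></webview>',
].join('\n');

for (const f of findInsecureWebviews(SAMPLE)) {
  console.log(`line ${f.line}: <webview src=${f.src}> has disablewebsecurity`);
}
```

The match is on the attribute name only, so a value that merely mentions the word (the last sample tag) is not reported.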
