Does the --disable-web-security flag affect cookies in any way?


Gregory Rosenbaum

Jun 27, 2023, 4:10:39 PM
to Chromium-dev
So we're a place that runs a security scanner that uses headless chromium to scan our customers for security vulnerabilities and malicious code.

We have lots of clients like HSBC, Lowes, and stuff like that. We scan a lot of the web repeatedly, so sometimes we run up against issues that don’t seem to bother other people who use chromium for testing their own applications.

So far, we’ve been running our browsers with --disable-web-security. Here is our reasoning — we don’t care about the security of our browsers. We don’t care if they get attacked since they run in temporary virtual environments that don’t contain sensitive information. In fact, catching these attacks is the whole purpose of our system.

On the other hand, --disable-web-security gives us lots of cool abilities, like the ability to access the top frame from other iframes, to ignore CORS for some infrastructure requests that we make, and generally helps grease the wheels that make our task less difficult.

The thing is, despite our reliance on --disable-web-security, we’ve never been completely sure about what it does. There is a lot of web security and much of it is not affected by the flag. So far, we’ve been assuming it's something along these lines:

  1. Attempts to access iframes can succeed when they would’ve failed before.
  2. Requests that don’t pass CORS are allowed to pass.
  3. Other actions that used to fail due to security policies will now succeed.

Recently, though, we encountered something strange. Our scans were failing on one of our client’s sites, and after a lot of work trying things, we finally found the culprit — this flag I’m talking about.

What I expected was some sort of weird, elaborate coincidence. One scenario I imagined was a request for JS that fails for normal users succeeds on our scanners, leading to different runtime behavior and causing errors. But it turned out the problem was different.

It seems that the flag has been causing extra cookies to be sent out with requests. I believe this is because attributes such as SameSite, Domain, or others are disabled for some or all cookies, in some or all cases.

While these technically count as web security features, in practice they change the payloads of successful requests, which isn't really in line with the idea of just turning off security policies. Sites can and do rely on these differences.

In fact, in the case of our customer, the extra cookies were confusing the server side and leading to garbage responses.

My main conclusion is that we need to do more research, review the chromium source code, and so forth.

But first, I’d like to simply ask:
What does the --disable-web-security flag actually do?

  1. What is its effect on iframes?
  2. What is its effect on cookies?
  3. What is its effect on CORS?
  4. What is its scope in general?
  5. Why is its name so frustratingly generic and vague?

As a parting bit, I'm going to leave you with the many attempts people have made to answer this question in the past.

  • Disables the web security flag.
  • Cancels all of the cross origin blockage.
  • Disables the same origin check.
  • Makes JavaScript development easier.
  • Disables http --> https and same-origin policy
  • It's required to record or replay cross origin documents.
  • Disables "web security."
  • Disables CORS protections, and possibly other features.

Thank you!
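The cookie-scoping rules the question turns on (Domain, Path, Secure and SameSite), as an added example that is not part of this post or of Chromium's code: a small Python model of which cookies a standards-conforming browser attaches to a given request, plus a diff against the cookie names actually observed on the wire, so a scanner operator can see which rule a browser stopped enforcing rather than guessing. The jar, hosts and function names are constructed for the example; registrable-domain handling is a two-label simplification rather than the Public Suffix List, and site comparison looks at hosts only (Chromium's "schemeful same-site" also compares schemes).

```python
"""Model of which cookies a conforming browser attaches to a request.
Added example, not code from the post or from Chromium; the jar below is constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str             # host that set the cookie, or the Domain attribute value
    host_only: bool = True  # True when no Domain attribute was given
    path: str = "/"
    secure: bool = False
    same_site: str = "Lax"  # "Strict", "Lax" or "None"


def registrable_domain(host):
    # Simplification: last two labels. Real browsers consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_same_site(host_a, host_b):
    # Host-based only; Chromium's "schemeful same-site" also compares schemes.
    return registrable_domain(host_a) == registrable_domain(host_b)


def domain_matches(request_host, cookie):
    host, d = request_host.lower(), cookie.domain.lower().lstrip(".")
    if cookie.host_only:
        return host == d
    return host == d or host.endswith("." + d)


def path_matches(request_path, cookie_path):
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def same_site_allows(cookie, request_host, initiator_host, top_level_nav, method):
    if cookie.same_site == "None":
        return True
    if initiator_host is None or is_same_site(request_host, initiator_host):
        return True
    if cookie.same_site == "Lax":  # Lax: cross-site only on safe top-level navigations
        return top_level_nav and method.upper() in ("GET", "HEAD")
    return False                   # Strict: never on cross-site requests


def expected_cookies(jar, url, initiator_host=None, top_level_nav=False, method="GET"):
    """Return {cookie name: 'sent' | name of the rule that excluded it} for one request."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    verdicts = {}
    for c in jar:
        if not domain_matches(host, c):
            verdicts[c.name] = "domain"
        elif not path_matches(path, c.path):
            verdicts[c.name] = "path"
        elif c.secure and parts.scheme != "https":
            verdicts[c.name] = "secure"
        elif not same_site_allows(c, host, initiator_host, top_level_nav, method):
            verdicts[c.name] = "samesite"
        else:
            verdicts[c.name] = "sent"
    return verdicts


def unexpected_cookies(jar, url, observed, **request):
    """Cookies seen on the wire that no scoping rule should have allowed, with the rule."""
    verdicts = expected_cookies(jar, url, **request)
    return {n: verdicts.get(n, "not in jar") for n in observed if verdicts.get(n) != "sent"}


# Constructed sample jar for https://www.example.com (hypothetical hosts and names)
SAMPLE_JAR = [
    Cookie("session", "www.example.com", secure=True),
    Cookie("strict_csrf", "www.example.com", secure=True, same_site="Strict"),
    Cookie("theme", "www.example.com"),
    Cookie("tracker", ".example.com", host_only=False, secure=True, same_site="None"),
    Cookie("api_pref", "api.example.com"),
    Cookie("admin", "www.example.com", path="/admin", secure=True),
]

if __name__ == "__main__":
    # Cross-site subresource request initiated from partner.test, cookie names as a
    # scanner's logging proxy might record them (constructed, not a real capture)
    observed = {"session", "tracker", "api_pref"}
    print(unexpected_cookies(SAMPLE_JAR, "https://www.example.com/cart", observed,
                             initiator_host="partner.test"))
```

Feeding the jar a headless browser holds and the request context into `expected_cookies` gives the baseline; anything `unexpected_cookies` reports, with its rule name, is a cookie the browser should not have sent for that request, which is the kind of evidence needed to confirm or rule out the SameSite/Domain suspicion above before reading the Chromium source.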
