[tutorial] chrome turns off cross domain policies CORS and samesite, and brings cookies across domains

Google browser allows cross domain origin,disable samesite, Convenient for local development and debugging , test csrf Cross-site requests forge vulnerabilities

Writing time ：2022 year 6 month 30 Japan

I still remember two years ago , test csrf Loopholes are handy . Today, ,csrf It's history

chrome,Firefox Update iteration to now , The cross domain request has been made to the last gasp

Developers who suffer from local debugging , One port on the front , One port at the back end , Cross domain cannot be brought cookie 了

The widely circulated method of opening cross domain on the Internet , Start with the following command chrome：

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --user-data-dir="D:\ChromeDevUserData"

This will start one with you originally chrome Non interfering browsers , But at present, the latest version of browser has been tested , Still can not be reproduced csrf, But use the following enhanced version , It seems to be able to solve the cross domain problem before and after local debugging

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-site-isolation-trials --disable-web-security --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure --user-data-dir="D:\ChromeDevUserData"

Still can not be reproduced csrf, Want to reproduce , Can only Use the old version chrome

Old edition chrome You can download it directly here ：https://www.chromedownloads.net/chrome64win-stable/

If you don't want to use Baidu cloud disk , And if you want to download it on the official website , You can do this

1. according to chrome Version number , Find the internal version number

https://omahaproxy.appspot.com/

2. According to the build number , Go to download offline package

https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html

Test the available version ：722274,19 year 12 The version of the month

choose win64 zip Use the above enhanced parameters to start