Disable Content-Security-Policy

Disable Content-Security-Policy for web application testing. When the icon is colored, CSP headers are disabled.

What is Disable Content-Security-Policy?

Disable Content-Security-Policy is a Chrome extension by Phil Grayson. This extension has 58,844 weekly active users, an average user rating of 3.71, and is most similar to Always Disable Content-Security-Policy and Content Security Policy Override. The latest version, 3.0.0, was updated 3 years ago.

Stats date:
Rating: 3.71 (72)
Version: 3.0.0 (Last updated: 2020-05-06)
Creation date: 2020-05-06
Manifest version: 2
Permissions:
  • webRequest
  • webRequestBlocking
  • browsingData
  • activeTab
Size: 24.09K
URLs: Website
Risk impact: Moderate risk impact
Risk likelihood: Very low risk likelihood

Other platforms

Not available on Firefox
Use at your own risk. This disables the Content-Security-Policy header for a tab. Use this when testing which resources a new third-party tag loads onto the page.

Click the extension icon to disable the Content-Security-Policy header for the tab. Click the extension icon again to re-enable the Content-Security-Policy header.

Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting. Prefer report-uri, which instructs the browser to send CSP violations to a URI. That allows you to keep Content-Security-Policy enabled in your browser but still know what got blocked.
 is a free tool that gives you a web interface to inspect CSP violations on your site.
Risk impact

Disable Content-Security-Policy requires some risky permissions and may not be safe to use. Exercise caution when installing this extension. Review carefully before installing.

Risk impact measures the level of extra permissions an extension has access to. A low risk impact extension cannot do much harm, whereas a high risk impact extension can do a lot of damage, such as stealing your password, bypassing your security settings, and accessing your personal data. High risk impact extensions are not necessarily malicious. However, if they do turn malicious, they can be very harmful.

Risk likelihood

Disable Content-Security-Policy has earned a good reputation and can be trusted.

Risk likelihood measures the probability that a Chrome extension may turn malicious. This is determined by the publisher and the Chrome extension reputation on Chrome Web Store, the amount of time the Chrome extension has been around, and other signals about the Chrome extension. Our algorithms are not perfect, and are subject to change as we discover new ways to detect malicious extensions. We recommend that you always exercise caution when installing a Chrome extension, especially ones with higher risk impact and/or higher risk likelihood.

User reviews
I tried other CORS stuff, but this one seems to do Content Security Policies (CSPs) and avoid Cross-Origin Resource Sharing (CORS) errors in Chrome.
by Cees Timmerman, 2023-02-14

It does not work on a website which adds CSP using HTML meta tag.
by Vaibhav Nigam, 2022-12-19

There is a small issue - the CSP setting does not remain set. I need to toggle it again and reload the page if I want to see it working. It used to remember its state before.
by Horia Cristescu, 2022-11-28
Similar extensions

Here are some Chrome extensions that are similar to Disable Content-Security-Policy:

Always Disable Content-Security-Policy
Publisher: oskarsommer3
User count: 11,217
Rating: 12
Always Disable Content-Security-Policy for web application testing. When the icon is colored, CSP headers are disabled.
Content Security Policy Override
User count: 2,216
Rating: 8
Modify the Content Security Policy of web pages.
CORS Unblock
Publisher: balvin.perrie
User count: 152,652
Rating: 108
No more CORS error by appending 'Access-Control-Allow-Origin: *' header to local and remote web requests when enabled