Compare Chrome extensions: Disable Content-Security-Policy vs CORS Unblock

| Stats | Disable Content-Security-Policy | CORS Unblock |
| --- | --- | --- |
| User count | 60,000+ | 200,000+ |
| Average rating | 3.63 | 4.20 |
| Rating count | 81 | 142 |
| Last updated | 2020-05-06 | 2024-02-11 |
| Size | 24.09K | 207.87K |
| Version | 3.0.0 | 0.3.8 |
| Short description | Disable Content-Security-Policy for web application testing. When the icon is colored, CSP headers are disabled. | No more CORS error by appending 'Access-Control-Allow-Origin: *' header to local and remote web requests when enabled |
Full summary

Disable Content-Security-Policy:

Use at your own risk. This disables the Content-Security-Policy header for a tab. Use this when testing what resources a new third-party tag includes onto the page.

Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header.

Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting. Prefer to use report-uri, which instructs the browser to send CSP violations to a URI. That allows you to keep Content-Security-Policy enabled in your browser but still know what got blocked. https://report-uri.com is a free tool that gives you a web interface to inspect CSP violations on your site.

CORS Unblock:

This extension bypasses the "XMLHttpRequest" and "fetch" rejections by altering the "Access-Control-Allow-Origin" and "Access-Control-Allow-Methods" headers for every request that the browser receives. You can activate the extension by pressing the action button. Also, use the right-click context menu over the action button to modify which headers the extension manipulates. You can also ask the extension not to overwrite these headers when the server returns values for them.

The default values for the headers:

  - Access-Control-Allow-Origin: request initiator or empty
  - Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK
  - Access-Control-Allow-Methods: request initiator or empty
  - Access-Control-Allow-Credentials: true
  - Access-Control-Expose-Headers: request initiator or *

Additional Features:

  1. It can remove the following CSP-related headers: "Content-Security-Policy", "Content-Security-Policy-Report-Only", "X-WebKit-CSP" and "X-Content-Security-Policy".

  2. It can overwrite the returned 4xx status code from the server. Use this feature when a server does not support a method, but you want to pretend it does.
