├── images ├── icon128.png ├── icon48.png ├── icon38-off.png └── icon38-on.png ├── _locales ├── en │ └── messages.json └── en_GB │ └── messages.json ├── README.md ├── manifest.json ├── LICENSE └── background.js /images/icon128.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/chrome-sec-disable/master/images/icon128.png -------------------------------------------------------------------------------- /images/icon48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/chrome-sec-disable/master/images/icon48.png -------------------------------------------------------------------------------- /images/icon38-off.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/chrome-sec-disable/master/images/icon38-off.png -------------------------------------------------------------------------------- /images/icon38-on.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/5alt/chrome-sec-disable/master/images/icon38-on.png -------------------------------------------------------------------------------- /_locales/en/messages.json: -------------------------------------------------------------------------------- 1 | { 2 | "extDescription": { 3 | "message": "Disable some security features for web application testing. When the icon is colored, security features are disabled.", 4 | "description": "The description of this extention" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /_locales/en_GB/messages.json: -------------------------------------------------------------------------------- 1 | { 2 | "extDescription": { 3 | "message": "Disable some security features for web application testing. When the icon is colored, security features are disabled.", 4 | "description": "The description of this extention" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # chrome-sec-disable 2 | 3 | Disable some security features in Chromium browers for web application testing. 4 | 5 | * Content-Security-Policy 6 | * X-Frame-Options 7 | * X-XSS-Protection 8 | * X-Content-Type-Options 9 | * X-Permitted-Cross-Domain-Policies 10 | 11 | Based on https://github.com/PhilGrayson/chrome-csp-disable 12 | 13 | ## Contributors 14 | 15 | * [Phil Grayson](https://github.com/PhilGrayson) 16 | * [Denis Gorbachev](https://github.com/DenisGorbachev) 17 | * [md5_salt](https://github.com/5alt) -------------------------------------------------------------------------------- /manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Disable Browser Security", 3 | "default_locale": "en", 4 | "description": "__MSG_extDescription__", 5 | "version": "1.0.0", 6 | "author": "md5_salt", 7 | "homepage_url": "https://github.com/5alt/chrome-security-disable", 8 | "manifest_version": 2, 9 | "permissions": [ 10 | "webRequest", 11 | "webRequestBlocking", 12 | "browsingData", 13 | "http://*/*", 14 | "https://*/*" 15 | ], 16 | "background": { 17 | "scripts": ["background.js"], 18 | "persistent": true 19 | }, 20 | "browser_action": { 21 | "default_title": "Browser security headers are enabled", 22 | "default_icon": { 23 | "16": "images/icon38-off.png" 24 | } 25 | }, 26 | "icons": { 27 | "48": "images/icon48.png", 28 | "128": "images/icon128.png" 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 5alt 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /background.js: -------------------------------------------------------------------------------- 1 | //https://www.owasp.org/index.php/OWASP_Secure_Headers_Project 2 | 3 | var isSecDisabled = false; 4 | 5 | var onHeadersReceived = function(details) { 6 | if (!isSecDisabled) { 7 | for (var i = 0; i < details.responseHeaders.length; i++) { 8 | if ('content-security-policy' === details.responseHeaders[i].name.toLowerCase()) { 9 | details.responseHeaders[i].value = details.responseHeaders[i].value.replace('report-uri', 'nope').replace('report-to', 'nope'); 10 | }else if ('content-security-policy-report-only' === details.responseHeaders[i].name.toLowerCase()) { 11 | details.responseHeaders[i].value = details.responseHeaders[i].value.replace('report-uri', 'nope').replace('report-to', 'nope'); 12 | } 13 | } 14 | }else{ 15 | for (var i = 0; i < details.responseHeaders.length; i++) { 16 | if ('content-security-policy' === details.responseHeaders[i].name.toLowerCase()) { 17 | details.responseHeaders[i].value = ''; 18 | }else if ('content-security-policy-report-only' === details.responseHeaders[i].name.toLowerCase()) { 19 | details.responseHeaders[i].value = ''; 20 | }else if ('x-frame-options' === details.responseHeaders[i].name.toLowerCase()) { 21 | details.responseHeaders[i].value = 'allow-from: *'; 22 | }else if ('x-xss-protection' === details.responseHeaders[i].name.toLowerCase()) { 23 | details.responseHeaders[i].value = '0'; 24 | }else if ('x-content-type-options' === details.responseHeaders[i].name.toLowerCase()) { 25 | details.responseHeaders[i].value = 'sniff'; 26 | }else if ('x-permitted-cross-domain-policies' === details.responseHeaders[i].name.toLowerCase()) { 27 | details.responseHeaders[i].value = 'all'; 28 | } 29 | } 30 | } 31 | 32 | return { 33 | responseHeaders: details.responseHeaders 34 | }; 35 | }; 36 | 37 | var updateUI = function() { 38 | var iconName = isSecDisabled ? 'on' : 'off'; 39 | var title = isSecDisabled ? 'disabled' : 'enabled'; 40 | 41 | chrome.browserAction.setIcon({ path: "images/icon38-" + iconName + ".png" }); 42 | chrome.browserAction.setTitle({ title: 'Content-Security-Policy headers are ' + title }); 43 | }; 44 | 45 | var filter = { 46 | urls: ["*://*/*"], 47 | types: ["main_frame", "sub_frame"] 48 | }; 49 | 50 | chrome.webRequest.onHeadersReceived.addListener(onHeadersReceived, filter, ["blocking", "responseHeaders"]); 51 | 52 | chrome.browserAction.onClicked.addListener(function() { 53 | isSecDisabled = !isSecDisabled; 54 | 55 | if (isSecDisabled) { 56 | chrome.browsingData.remove({}, {"serviceWorkers": true}, function () {}); 57 | } 58 | 59 | updateUI() 60 | }); 61 | 62 | updateUI(); 63 | --------------------------------------------------------------------------------