How to launch html using Chrome at "--allow-file-access-from-files" mode?
P

12

154

I have the same situation with HERE

And to solve this problem I have to launch the html file using Chrome in "--allow-file-access-from-files" mode. I tried the following steps many times, but it doesn't work.

  1. start cmd under windows 7
  2. direct to chrome.exe folder
  3. do this chrome --allow-file-access-from-files file:///C:/test%20-%203.html
Purapurblind answered 3/9, 2013 at 7:53 Comment(3)
@RobertParcus That plugin does not seem to work if you're using the file protocol.Impervious
Is this still a thing? I think the parameter no longer exists...Festal
Google Chrome 118.0.5993.88 (Official Build) (64-bit) . . . Command Line /usr/bin/google-chrome-stable --allow-file-access-from-files --flag-switches-begin --flag-switches-end --desktop-startup-id=xfce4-panel/|usr|bin|google-chrome-stable/1640-18-graham-MacBookPro_TIME300740210 --origin-trial-disabled-features=WebGPU ...and yes it works (Jan 2024)Leaf
F
95

Search for the path of your Chrome executable and then, on your cmd, try :

> "C:\PathTo\Chrome.exe" --allow-file-access-from-files

Source

EDIT : As I see on your question, don't forget that Windows is a little bit similar to Unix, so when you type "chrome ...", cmd will search for Chrome in the PATH, but in general the Chrome folder isn't on the PATH. Also, you don't specify an extension for your executable... So if you move to Chrome's folder, this command will probably work too :

> .\chrome.exe --allow-file-access-from-files
Frontiersman answered 3/9, 2013 at 8:0 Comment(12)
Amine thank you. But I could get the Chrome launched, just also get the 'FileError.SECURITY_ERR'.Purapurblind
I go to chrome://version and get this: "Command Line chrome --allow-access-from-files --flag-switches-begin --flag-switches-end" Does this mean I am already at the "–allow-file-access-from-files"? I am not sure "–allow-file-access-from-files" and "--allow-access-from-files" are the same.Purapurblind
I restarted my computer and do the same as you say, and it seems fine. Thank you.Purapurblind
As per Philippe's comment, you need to exit all chrome processes and restart with the command line option. (Windows 7)Bacteriolysis
If it's not working after restarting Chrome, check running background processes (chrome icon near the clocks). You might have "Let Google Chrome run in the background" option ON.Humfried
@Amine Stupid question, but just restarting Chromium will turn off the flag right? The allow-file-access-from-files isn't a permanent flag, correct?Adopted
@Abdul Yes, exactly, unless you create a shortcut with the flag and start Chrome from it.Frontiersman
I wanted to upvote this answer, but I like number 42) Thank you for useful answer!Rasputin
Start Chrome from Windows PowerShell: Start-Process "chrome.exe" "--allow-file-access-from-files"Gimbals
@PeppeL-G 's answer is the easiest solutionSchwejda
Any alternatives since in 2018-10-21 that solution no longer works? (i'm using chrome 70)Drawee
It should work (does for me Jan 2024)Leaf
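
The chrome://version check discussed in the comments above, as an added example (not code from any poster on this page): it takes a pasted "Command Line" string and reports which isolation-relaxing switches are really active and which tokens only resemble one, such as the "--allow-access-from-files" spelling quoted above. The function name and the 0.8 similarity cutoff are assumptions of this sketch.

```python
import difflib

# Switches named on this page that relax Chrome's file/origin isolation.
RISKY_SWITCHES = {
    "--allow-file-access-from-files": "file:// pages can read other file:// resources",
    "--disable-web-security": "same-origin policy checks are turned off",
}
EN_DASH = "\u2013"  # what a rich-text editor often substitutes for "--"


def audit_chrome_command_line(command_line):
    """Audit a 'Command Line' string copied from chrome://version.

    Returns (active, near_misses):
      active      -- risky switches really present (exact spelling)
      near_misses -- (token, intended switch) pairs that only resemble one
                     and therefore have no effect
    """
    active, near_misses = [], []
    # Whitespace split is enough here: switch names never contain spaces.
    for token in command_line.split():
        if not token.startswith(("--", EN_DASH)):
            continue
        name = token.split("=", 1)[0]
        if name in RISKY_SWITCHES:
            active.append(name)
            continue
        # Compare the token, with any leading dashes normalised, to the known names.
        normalised = "--" + name.lstrip("-" + EN_DASH)
        guess = difflib.get_close_matches(normalised, list(RISKY_SWITCHES), n=1, cutoff=0.8)
        if guess:
            near_misses.append((name, guess[0]))
    return active, near_misses


if __name__ == "__main__":
    samples = [
        # Command line quoted in the comment above (misspelled switch).
        "chrome --allow-access-from-files --flag-switches-begin --flag-switches-end",
        # Constructed sample: both switches present and correctly spelled.
        "/usr/bin/google-chrome --user-data-dir=/tmp/x "
        "--allow-file-access-from-files --disable-web-security",
    ]
    for line in samples:
        active, near = audit_chrome_command_line(line)
        print("active:", active, "| near misses:", near)
```

An empty "active" list with a non-empty "near misses" list means the browser was started without the intended switch, which matches the SECURITY_ERR the asker still saw.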
D
152

That flag is dangerous!! Leaves your file system open for access. Documents originating from anywhere, local or web, should not, by default, have any access to local file:/// resources.

A much better solution is to run a little http server locally.

--- For Windows ---

The easiest is to install http-server globally using node's package manager:

npm install -g http-server

Then simply run http-server in any of your project directories:

Eg. d:\my_project> http-server

Starting up http-server, serving ./
Available on:
 http:169.254.116.232:8080
 http:192.168.88.1:8080
 http:192.168.0.7:8080
 http:127.0.0.1:8080
Hit CTRL-C to stop the server

Or as prusswan suggested, you can also install Python under windows, and follow the instructions below.

--- For Linux ---

Since Python is usually available in most linux distributions, just run python -m SimpleHTTPServer in your project directory, and you can load your page on http://localhost:8000

In Python 3 the SimpleHTTPServer module has been merged into http.server, so the new command is python3 -m http.server.

Easy, and no security risk of accidentally leaving your browser open and vulnerable.

Dayton answered 19/11, 2015 at 10:29 Comment(16)
THIS should be the accepted answer! I came here looking for the right way to use the --allow-file-access-to-files command line option with Chrome (and Opera). Your answer lets me know my question is wrong, for an important reason. On top of all that, you've written your solution in a concise, easy-to-follow way. Thanks a billion! I would also suggest, @orszaczky, that you write essentially the same answer for the SO question that was linked in this original question, i.e. this other question. I could write it but you deserve the credit.Inboard
Brilliant answer. Hosting correctly is the most important thing to doRadicalism
This may indeed be a great suggestion, but it is not in fact an answer to the question. The question was not "what is the best way to access local files in chrome" it was specifically "how do I launch with this flag". If you are aware of the risks and don't open anything you didn't create, or if you aren't even online.. it's perfectly fine. There are reasons why this is useful.. which I would assume is the reason google made it an option.Iconography
It is funny that you would recommend people to install node rather than python on Windows, just for hosting this simple server. As if the python option would be unsuitable for Windows (which it isn't). When all you have is a hammer, everything looks like a nail?Watthour
@Watthour I use npm under Windows, but never needed to use Python, while most of the Linux distros I know already have Python available by default. Thanks for the tip, I updated the answer... ;)Dayton
@prusswan, node is much smaller (install size) and for this use case much faster than python. In fact there's a Q&A dedicated to alternatives to python for this use case because it's often too slow to be usable.Leonialeonid
This answer is just spreading fear. The --allow-file-access-from-files option allows a file:// webpage access to other file:// resources, that's all. It does not leave your file system open.Chlorothiazide
It's not the answer to the question. Some people may really need this, e.g. I am using a special webkit app library Coherent UIGT. When I am testing, I need local file access. BTW, Firefox supports file:// loading another local file.Gwenny
@GetFree, --allow-file-access-to-files does leave your filesystem open. Any script you use on your test page can XHR/fetch the contents of your drive and upload to bad.com. That includes every library you're using, every CDN you access via a script tag or module, etc... Why do it when the correct solution takes 30 seconds to setup?Leonialeonid
@gman, you just repeated what I said. The flag allows a webpage in your harddrive to have access to your harddrive. That's like allowing a .exe program to have access to your harddrive, which is what everybody expects.Chlorothiazide
One should not have to install a web server to open an HTML or SVG file from one's own local file system and have it work (do the thing the web page or SVG graphic javascript should do). Because of the strange need to restrict FILE:// access is why folks are needing this option. This does NOT disable sandboxing of the local file system from the document.Honeysucker
@Leonialeonid it's a trade off I guess, by now I can see that node's server is more efficient, but also comes with bigger footprint for people who have no other reason to install node/npm on Windows (e.g. Python users not primarily interested in web development)Watthour
it's not the same as installing an exe. Lots of people use external scripts in their local webpages. They put <script src="https://someuntrustedsite.com/theiruntrustedscript.js"></script>. It's extremely common to do that. Every one of those script suddenly has access to your hard drive. That is not the same as installing a single exe. It's the same as installing a new exe every single time you reload the page.Leonialeonid
While you aren't wrong, it isn't really an answer to the question nor a full solution. This is a good solution for what the poster is actually facing, and reasonably for most others coming here. Still, consider a non-tech user with HTML documents who does not have access to the project which generated said document.Swathe
Why do people say "The easiest..." then go on to describe something stupidly convoluted like installing layers of packages. No it's not the easiest to install node, then npm, then the npm http-server plus all the bloody dependencies you nodejs freaks! The (second) easiest thing (behind just adding the flag to the command line) is to run up a bash webserver! No package installs (Win10 has bash, so does OSX) and no time spending hours unpicking dependency hell. FFS!Leaf
Also the flag is treating the local machine as a server, which is exactly what a server does, so where's the problem?Leaf
S
41

You may want to try Web Server for Chrome, which serves web pages from a local folder using HTTP. It's simple to use and would avoid the flag, which, as someone mentioned above, might make your file system vulnerable.

Screenshot of Web Server for Chrome

Sharisharia answered 16/11, 2017 at 1:29 Comment(0)
C
20

As of this writing, in OS X, it will usually look like this

"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --allow-file-access-from-files

If you are a freak like me, and put your apps in ~/Applications, then it will be

"/Users/yougohere/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --allow-file-access-from-files

If neither of those are working, then type chrome://version in your Chrome address bar, and it will tell you what "command line" invocation you should be using. Just add --allow-file-access-from-files to that.

Circadian answered 22/8, 2014 at 23:17 Comment(1)
"chrome://version in your Chrome address bar, and it will tell you what "command line" invocation you should be using" That's the pointSurfperch
L
16

Don't do this! You're opening your machine to attacks. Instead run a local server. It's as easy as opening a shell/terminal/commandline and typing

cd path/to/files
python -m SimpleHTTPServer

Then pointing your browser to

http://localhost:8000

If you find it's too slow consider this solution

Leonialeonid answered 3/2, 2014 at 3:37 Comment(12)
+1 to the link to #12905926Jamila
Those attacks are for --disable-web-security, not --allow-file-access-from-files, so they won't work - just so people know. There's a risk, but it's nowhere near that size.Brisk
Did you even read the article? At least one of the attacks is possible with just --allow-file-access-from-files which. Why take the risk at all when the zero risk way is so simple?Leonialeonid
@JoeRocc, thanks for the downvote and thank you for helping people to unsecure their machines. You're a real heroLeonialeonid
I almost fully agree with you, except for the semi-conflation of the two flags, and of open web vs local file. I imagine a fair number of people may misread the risk with the way your post reads. I don't downvote as a way to disrespect you - only to help curate the answers. But I undid the downvote because I'd prefer not to argue further. Honestly had no intention to do any harm here. Edit: turns out it won't let me undo the vote until an edit is made, sorry :/Brisk
Love how this is continuously downvoted because people dislike the answer and yet the same exact answer posted by someone else a year later is the top voted answer.Leonialeonid
This, like all other variations of this, is not the correct answer, nor even the problem. It's factually wrong what you are suggesting. Launching with that option doesn't open your machine to attacks. It, in a controlled way, disables myopic/lazy implementation of a security clamp down that is too broad. A local HTML or SVG file should absolutely have access to file: protocol content, such as its own .css file.Honeysucker
Sounds like you didn't follow the links. They show proof of the possible attacks. Not theory. Real proof.Leonialeonid
Doesn't answer the question. And running a random web server locally on your machine doesn't open you up to attacks?Circadian
Yeah this is the problem: people don't understand what a vulnerability really is. Loads of bandwagon jumping. I run local files on my browser all the time with the added flag (and even before it was a thing) and not one security problem. So gstrap go play with your hacky webserver virus magnets. I'll just keep my airgapped local file running ultimately secure machine thanks.Leaf
@Clay Bridges: Running a simple webserver on a local machine does not open you up to attacks. You can serve to just the local machine. Serving to 127.0.0.1 (just local) instead of 0.0.0.0 (outside your machine). Note: a server is not some giant thing like apache or nginx or IIS. A server can be written in many languages in 5-10 lines of code. It's as simple as wait for request, load file, send over network. The link at the bottom of my answer lists several that are tiny things.Leonialeonid
@TurboElectricLtd, the logic that you've never had a security problem is like saying you often leave things visible in car when you park it in public but never had it broken into. That doesn't mean you're safe. It only means you're lucky.Leonialeonid
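
The 127.0.0.1 versus 0.0.0.0 point made in the comments above, and the http-server output in the earlier answer that lists LAN addresses, as an added example (not code from any poster or from the linked answers): a static file server that listens on loopback only. The class and function names are hypothetical, and the Host header check is an addition of this example so that a page reaching the port under another hostname is refused.

```python
import functools
import http.server

# Host header values a page on this machine legitimately uses for the server.
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}


class LoopbackOnlyHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that refuses requests carrying a foreign Host header."""

    def _host_allowed(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        return host in ALLOWED_HOSTS

    def do_GET(self):
        if self._host_allowed():
            super().do_GET()
        else:
            self.send_error(403, "Host not allowed")

    def do_HEAD(self):
        if self._host_allowed():
            super().do_HEAD()
        else:
            self.send_error(403, "Host not allowed")


def make_server(directory, port=8000):
    """Serve `directory` on the loopback interface only.

    Binding to 127.0.0.1 (rather than 0.0.0.0) keeps the listener off the
    LAN addresses that a bind-to-all-interfaces server advertises.
    port=0 asks the OS for any free port.
    """
    handler = functools.partial(LoopbackOnlyHandler, directory=directory)
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)


if __name__ == "__main__":
    server = make_server(".", 8000)
    host, port = server.server_address
    print(f"Serving current directory on http://{host}:{port} (Ctrl-C to stop)")
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        server.server_close()
```

The stock module can be restricted the same way with python3 -m http.server --bind 127.0.0.1; the Host check is what this example adds on top.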
P
7

If you are using a mac you can use the following terminal command:

open -a Google\ Chrome --args --allow-file-access-from-files
Pina answered 15/5, 2016 at 17:0 Comment(0)
U
5

Quit (force quit) all instances of chrome. Otherwise the below command will not work.

open -a "Google Chrome" --args --allow-file-access-from-files

Executing this command in terminal will open Chrome regardless of where it is installed.

Usury answered 30/10, 2017 at 19:16 Comment(1)
"Quit all instances" -- This is true in my experience (on Linux). This is apparently a shared state that can only be set on a fresh launch.Lahr
M
3

Depending on the file which will be put into the filesystem, as long as that file is not malware, then that would be safe.

But don't worry about writing/reading file(s) to the File System directory, because you can tighten that directory's security (including its inheritance) by giving it proper access rights and security restrictions, e.g. read/write/modify.

By default, the File System, Local Storage, and Storage directories are located in the "\Users\[Current User]\AppData\Local\Google\Chrome\User Data\Default" directory.

However you can customize it by using "--user-data-dir" flag.

And this is a sample:

"C:\Program Files (x86)\Google\Application\chrome.exe" --user-data-dir="C:\Chrome_Data\OO7" --allow-file-access-from-files

Hope this helps anyone.

Maroon answered 21/3, 2020 at 23:15 Comment(0)
G
2

I use

google-chrome-beta --user-data-dir="/tmp/tmp-chrome-user-data-dir" --allow-file-access-from-files --disable-web-security file:///home/myuser/projects/myproject/myhtml.html 

to get rid of the "has been blocked by CORS policy" error when I try to request('file://xxx')

Gauldin answered 9/11, 2022 at 9:40 Comment(1)
This is the only answer that actually works for me in 2023-04-24 on Chrome 112.0.5572.0. Omitting any 1 of these 3 doesn't work, and given the huge size of my file (1GB), launching a web server is major overkill, motivated by FUD. (the hoops to reach common sense security have become ridiculous)Phylys
B
1
REM Kill all existing instances of chrome
taskkill /F /IM chrome.exe /T
REM Directory path where chrome.exe is located
set chromeLocation="C:\Program Files (x86)\Google\Chrome\Application"
REM /d also switches the drive if the current one is not C:
cd /d %chromeLocation%
start chrome.exe --allow-file-access-from-files

Save the above lines as a .bat file.

Barbaric answered 18/9, 2019 at 20:49 Comment(1)
taskkill /F /IM chrome.exe /T Useful to not reboot my computerSurfperch
C
1

Well, there is a quick way to run an HTML file which needs permission or is blocked by CORS: just open the folder using VS Code and install an extension called "Live Server".

And then just click on the bottom which says Go Live, that's it.

Cambist answered 31/5, 2020 at 14:11 Comment(0)
G
0

I tried using the allow file access, but thought there was a better way. Found code that will pipe local file share files through http.

https://gist.github.com/andrii-riabchun/07f854939ce776f6e54ba6b64f43cc92

I added some edit suggestions. I used the revision code along with my edit suggestions. Also added a simple script to create index.html from ls ran on the webserver.

Giza answered 11/9, 2022 at 23:28 Comment(0)
