{"pageContext":{"article":{"title":"How to disable CORS errors","id":"cors","description":"An description of how to deal with CORS browser errors.","createdDate":"2022-10-05","updatedDate":"2026-04-15","content":"Browsers have a security feature called [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) that restricts when a web page can make HTTP requests to a different domain. Web pages normally avoid CORS errors through the use of special HTTP headers like [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin). However, browsers treat CORS differently when a page is [loaded locally from StreamingAssets or a file:// URL](/articles/how-to-load-local-files), and browsers block all cross-origin HTTP requests in that scenario. So, if you're loading a web page locally from StreamingAssets or a file:// URL and the web page makes HTTP requests via [XHR](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) or [fetch()](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API), then you may encounter CORS errors in the web console, like this:\n\n> Access to XMLHttpRequest at 'file:///{path to project}/Assets/StreamingAssets/{file path}' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, client, chrome-untrusted, https.\n\nIf you encounter this issue, here are some workarounds:\n\n- [Windows and macOS: Disable web security](#standalone)\n- [Other options](#other)\n\n<h2 id=\"standalone\">Windows and macOS: Disable web security</h2>\n\nIf you're encountering this issue on Windows or macOS, one option is to disable CORS checks by using [StandaloneWebView.SetCommandLineArguments()](https://developer.vuplex.com/webview/StandaloneWebView#SetCommandLineArguments) to pass the `--disable-web-security` and `--user-data-dir` flags to Chromium, like this:\n\n```\nvoid Awake() {\n    StandaloneWebView.SetCommandLineArguments($\"--disable-web-security --user-data-dir=\\\"{StandaloneWebView.CachePath}\\\"\");\n}\n```\n\nAs of recent versions of Chromium, it's now necessary to pass the `--user-data-dir` flag in order for the `--disable-web-security` flag to work correctly.\n\n<h2 id=\"other\">Other options</h2>\n\nUnfortunately, other platforms besides Windows and macOS don't provide a way to disable CORS checks. So, if you're encountering this issue on other platforms, like Android or iOS, here are some other options to consider:\n\n- One option is to switch to loading your local files over HTTP (instead of via a streaming-assets:// or file:// URL). For example, you can use .NET's built-in [HttpListener](https://learn.microsoft.com/en-us/dotnet/api/system.net.httplistener) class to create a simple local HTTP server and then load the file over a local HTTP URL like `http://localhost:{port}`.\n\n- Since CORS errors occur when loading data over HTTP, another option is to update your web page to fetch its data using 3D WebView's [message passing APIs](/articles/how-to-send-messages-from-javascript-to-c-sharp) instead of fetching data over HTTP."}}}