j7n Posted April 24 Posted April 24 Yes, I found the "action button" now. When I click on the puzzle button, it lists the extensions and Pin next to each, which brings up the button for accessing the extension's UI. I didn't realize that the list of extensions were a clickable menu (flat design). Unfortunately, when I enable defaults or everything, and go to the https://webbrowsertools.com/test-cors/ the test for OPTIONS always fails. One of the extensions explicitly allows to select GET, PUT, ... OPTIONS. I see in the network log that OPTIONS is sent out, and it fails.
NotHereToPlayGames Posted April 24 Posted April 24 1 hour ago, j7n said: https://xythium.github.io/tidal.html Are you sure your issue with this site is CORS-related? I can not get this site to work in Ungoogled Chromium v144 no matter what I do.
NotHereToPlayGames Posted April 24 Posted April 24 Same for Official Edge v147. Can't get that "tidal" page to do ANYTHING, with or without CORS "blocks/unblocks". Tried MULTIPLE extensions to "block/unblock" CORS.
NotHereToPlayGames Posted April 24 Posted April 24 Okay, I got that "tidal" page to *WORK* in Ungoogled Chromium v144. NO EXTENSION REQUIRED. All I had to do is add the --disable-web-security command line switch to my list of switches. NO NEW PROFILE REQUIRED (at least for my portable config [which already has its own profile directory]). 1
j7n Posted April 24 Posted April 24 I looked in the network log with developer tools to find the reason. One option is to permanently switch to a profile with --user-data-dir. CORS disablement only works in conjuction with this option. I guess this is how you get a portable version. 1
NotHereToPlayGames Posted April 24 Posted April 24 Agreed. The problem is BAD CODING by the creator of that website. Why "trust" a website that REQUIRES "disabling web security" ??? ??? Does that website also require Firefox/Forks to disable CORS?
NotHereToPlayGames Posted April 24 Posted April 24 (edited) I can cofirm that website also does not work in Firefox. TERRIBLE WEBSITE !!! They are literally telling all of their users, "The only way you can visit us and use our website is if you DISABLE standard security measures that have existed SINCE THE 1990s and became a W3C Standard TWENTY YEARS AGO." Edited April 24 by NotHereToPlayGames
j7n Posted April 24 Posted April 24 I've been relying on Xythium for a year or two. It worked so far, but then Tidal decided to tighten their security about a month ago. I wanted to write to the author, but couldn't find contact details other than Twitter, where I don't have an account. I didn't want to open an off-topic issue on github, because there wasn't a section specifically for this tool. It seems to me that CORS is not so much about my security as it is a mechanism for the other website to enforce its access policy, in line what web browsers have been doing with secure DNS and manifest v3.
NotHereToPlayGames Posted April 24 Posted April 24 I'm not fine-tuned on knowledge of CORS. But there were some articles on how disabling CORS resulted in stolen bank accounts in India. But they were also from 2019. Can't find 'em offhand, may look again later, probably not important. I myself do not plan on disabling CORS just for the sake of ONE website (that and I doubt I'd ever visit again anyway, despite it is a bit cool for looking up forgotten music, but I can find the same info from sources that do NOT require me to DISABLE security implementations that have been around since the 1990s).
j7n Posted April 25 Posted April 25 Seems like the extension "Allow CORS: Access-Control-Allow-Origin 0.2.2" with the config I experimented with disabled playback of YouTube video. May be accidental, unintentional. Or not... coming from Google. Since it didn't solve my problem, I will get rid of it. From my limited understanding I see the following scenarios involving a bank. (1) I open a malicious "Site B", which includes a call to my bank through an API that the bank denies. This does not seem very likely because my bank would not have such an open access API to fetch without a login. I can only stay logged in for a short time. (2) I open my bank with has X, Y, Z scripts that it normally uses. There is a DNS hack, which redirects them from bank.example.com to site.b.example.com. Since the denial rests onto Site B, it accepts this intentionally. For now, I have installed New Moon on this PC, where CORS can be disabled with 2 settings. I should have done this earlier, because it took less time than wrestling with Chromium extensions. content.cors.bypass_preflight_request content.cors.disable My bank only works in Supermium since the end of last year where I will have CORS.
NotHereToPlayGames Posted April 25 Posted April 25 (edited) 1 hour ago, j7n said: It seems to me that CORS is not so much about my security as it is a mechanism for the other website to enforce its access policy, in line what web browsers have been doing with secure DNS and manifest v3. 18 minutes ago, j7n said: (2) I open my bank with has X, Y, Z scripts that it normally uses. There is a DNS hack, which redirects them from bank.example.com to site.b.example.com. Since the denial rests onto Site B, it accepts this intentionally. I strongly ADVISE AGAINT using "secure DNS". Supermium's "secure DNS" is owned/operated by Google. Hackers LOVE to hack these servers. It has happened in the past, it will happen in the future. Google will always stop them, but these are called "zero day" hacks for a reason. These are *OFTEN* hijacked. Statistically, your ISP's DNS is much MUCH safer and LESS PRONE TO HIJACKS. Edited April 25 by NotHereToPlayGames
j7n Posted April 25 Posted April 25 Agreed. I don't use it. DNS on my router is my principal adblock.
VistaLover Posted April 25 Posted April 25 On 4/24/2026 at 10:18 PM, NotHereToPlayGames said: All I had to do is add the --disable-web-security command line switch to my list of switches. Run Chrome browser without CORS https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome
j7n Posted April 27 Posted April 27 For me --disable-web-security makes CloudFlare captcha always fail. I have installed the latest Supermium x64 in portable mode now, so I have a new profile. I guess this is an easier to put the profile onto a hard disk. I spent a lot of time moving individual cache directories off my SSD.
j7n Posted April 29 Posted April 29 There seems to be a feature that stops executing code on tabs that are in the background. Memory consumption doesn't decrease as far as I can see, but CPU load does, and dynamic content on the tab refreshes a moment after I open it instead of all the time. Usually this is a good thing on a weak PC. Is it possible to disable it entirely or for specific tabs? I've looked at settings mentioned here, but either they are off or not present in Supermium. https://support.google.com/chrome/thread/315269640/tabs-are-constantly-being-deactivated-although-it-s-switched-off-in-settings?hl=en Performance > Memory saver is off. In chrome://discards/ it says that the tab is "Freezable" after a few minutes, but it doesn't say when it is frozen. I don't know the difference between Discard and Frozen. Discard count is 0 for all tabs (presumably because memory saver is off).
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now