At Recovery Homey Not Responding -- RootCause: CORS policy enforced by Chrome (v94 and higher) -- How to disable CORS

Hi all,

I've had trouble recovering my Homey. I could see packets exchanged to & from my Homey, but the recovery procedure did not progress (halted) after “Connect to HomeySetup” & changing towards the “HomeySetup XXXX” Wi-Fi.

A support request at athom/homey is still pending. As they did not come back yet, I was eager to find out more myself…

Further investigation showed Chrome's CORS policy was blocking access towards Homey:
Access to XMLHttpRequest at ‘http://10.199.198.1/system’ from origin ‘http://setup.athom.com’ has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space private.

Reading up, Chrome has changed its "private network access" policies (CORS-RFC1918: interaction local, private & public networks), enforcing https… However, the current Homey recovery still uses http…

Guess this issue must hit more people trying to recover Homey with a new Chrome (v94 and higher) instance…

My workaround consisted of 2 parts:

  1. Run Chrome browser without CORS
  2. Alter Chrome flags: Set “Block insecure private network requests” to “disabled”

The full detailed solution including reference links is outlined in the next posts (1st post within this community only allows up to 2 embedded links… I have more).

This worked for me:-)… Hope it works for you too:-)
Cheers,
Marcel Coelman.

Note:
I'm not sure if step 1 is necessary… In trying to find a solution I started with step 1…

3 Likes
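The check behind the error message quoted above, as an added example that is not part of the original post: a simplified, IPv4-only model of the decision Chrome makes when a page requests a resource in a more-private address space. The function names and the public address 203.0.113.10 standing in for setup.athom.com are assumptions.

```javascript
// Simplified model (assumption: IPv4 only) of the address-space check that
// produced the "more-private address space" error in the post above.
const RANK = { public: 0, private: 1, local: 2 };

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits)); // number of addresses in the block
  return Math.floor(ipv4ToInt(ip) / size) === Math.floor(ipv4ToInt(base) / size);
}

// loopback -> "local"; RFC 1918 and link-local -> "private"; everything else -> "public"
function addressSpace(ip) {
  if (inCidr(ip, "127.0.0.0/8")) return "local";
  const privateRanges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"];
  return privateRanges.some((c) => inCidr(ip, c)) ? "private" : "public";
}

// client: { ip: address the page was loaded from, secureContext: true for https }
function checkRequest(client, targetIp) {
  const from = addressSpace(client.ip);
  const to = addressSpace(targetIp);
  // Blocked only when the target is more private than the page's own origin
  // AND the page is not a secure context (loaded over plain http).
  const blocked = RANK[to] > RANK[from] && !client.secureContext;
  return { from, to, blocked };
}

// Constructed sample: the http setup page (assumed public address) calling
// the Homey recovery address from the error message.
const sample = checkRequest({ ip: "203.0.113.10", secureContext: false }, "10.199.198.1");
console.log(sample);
```

The model covers only the condition named in the error message; it does not model preflight requests or IPv6.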
  1. Run Chrome browser without CORS

a. Right click on desktop, add new shortcut.
b. Add the target as "[PATH_TO_CHROME]\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=C:/tmp/chrome
(note: Win 10 approach, directory to be aligned with OS)
c. Click OK.

Alternatively run/execute from CMD line: "[PATH_TO_CHROME]\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=C:/tmp/chrome

(See: crunchify.com/how-to-fix-access-control-allow-origin-issue-for-your-https-enabled-wordpress-site-and-maxcdn/)

1 Like
  2. Alter Chrome flags: Set “Block insecure private network requests” to “disabled”
    a. Type within the Chrome bar: chrome://flags/
    b. Next look for “Block insecure private network requests” and set this to “disabled”
    c. Restart browser
    (See: answer of android - Chrome future update Restrict "private network requests". Will it affect scanning hardware on devices that make local connections? - Stack Overflow)
1 Like

Chrome report wrt CORS:

1 Like

Great to read it worked for you too :grinning:

From now on you finally can use the Mobile App

1 Like