1.16 Ensure 'Enable globally scoped HTTP auth cache' is set to 'Disabled'

Information

This setting controls whether HTTP auth credentials may be automatically used in the context of another web site visited in Google Chrome.

The recommended state for this setting is: Disabled (0)

NOTE: This setting is intended to give enterprises depending on the legacy behavior a chance to update their login procedures and will be removed in the future.

Rationale:

Allowing HTTP auth credentials to be shared without the user's consent could lead to a user sharing sensitive information without their knowledge. Enabling this setting could also lead to some types of cross-site attacks that would allow users to be tracked across sites without the use of cookies.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Enable globally scoped HTTP auth cache

Default Value:

Unset (Same as Disabled, but user can change)

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 1aa0998cccadaa1c6c5da577e00d8bd9c500b569e039678aead3596666fdbaa4