1.26 Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled'

Information

Google Chrome can be given a list of origins (URLs) or hostname patterns (such as '*.example.com') to which the security restrictions on insecure origins do not apply. Origins on this list are also not labeled 'Not Secure' in the omnibox.

The recommended state for this setting is: Disabled (0)

Rationale:

Insecure contexts shall always be labeled as insecure.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Origins or hostname patterns for which restrictions on
insecure origins should not apply

Note: The UI path defined in chrome.adml includes a line break between 'on' and 'insecure'. Some views render the line break correctly; others do not.

Default Value:

Unset (Same as Disabled, but user can change)

See Also

https://workbench.cisecurity.org/benchmarks/8691

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 8d0f2814d6222580aa0cd14bbcd18422d081ae247e8c1121b3ff6f20b8fb4d1f