Specifies whether to allow websites to make requests to more-private network endpoints

Information

Controls whether websites are allowed to make requests to more-private network endpoints.

When this policy is enabled, all Private Network Access checks are disabled for all origins. This may allow attackers to perform cross-site request forgery (CSRF) attacks on private network servers.

When this policy is disabled or not configured, the default behavior for requests to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests, PrivateNetworkAccessSendPreflights, and PrivateNetworkAccessRespectPreflightResults feature flags. These flags may be controlled by experimentation or set via the command line.

This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.

A network endpoint is more private than another if:

1) Its IP address is localhost and the other is not.

2) Its IP address is private and the other is public.

In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.

When this policy enabled, websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.

Solution

Policy Path: Microsoft Edge\Private Network Request Settings
Policy Setting Name: Specifies whether to allow websites to make requests to more-private network endpoints

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-117/ba-p/3930862

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: ce9dfc1824568734bf4d44f3de20c2521c4bd76d7459e2b08e27b457227d5289