Specifies whether to allow insecure websites to make requests to more-private network endpoints

Information

Controls whether insecure websites are allowed to make requests to more-private network endpoints.

This policy relates to the Private Network Access specification. See https://wicg.github.io/private-network-access/ for more details.

A network endpoint is more private than another if:
1) Its IP address is localhost and the other is not.
2) Its IP address is private and the other is public.

In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.

A website is deemed secure if it meets the definition of a secure context in https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts. Otherwise it will be treated as an insecure context.

When this policy is either not set or set to false, the default behavior for requests from insecure contexts to more-private network endpoints depends on the user's personal configuration for the BlockInsecurePrivateNetworkRequests feature, which may be set by a field trial or on the command line.

When this policy is set to true, insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.
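The "more private" ordering and the policy outcomes described above, as an added example (not code from Microsoft or the Private Network Access specification). The function names and sample addresses are constructed, and Python's ipaddress definition of "private" is an assumption standing in for the specification's address ranges.

```python
import ipaddress

# Address spaces ordered from least to most private (the page's two rules).
PUBLIC, PRIVATE, LOCAL = 0, 1, 2

def address_space(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return LOCAL
    # Assumption: Python's is_private / is_link_local stand in for "private".
    if addr.is_private or addr.is_link_local:
        return PRIVATE
    return PUBLIC

def is_more_private(target_ip, initiator_ip):
    return address_space(target_ip) > address_space(initiator_ip)

def policy_outcome(initiator_ip, secure_context, target_ip, policy_enabled):
    """Outcome as far as this one policy is concerned."""
    if secure_context or not is_more_private(target_ip, initiator_ip):
        return "out of scope"
    if policy_enabled:
        return "allowed (other cross-origin checks still apply)"
    return "depends on BlockInsecurePrivateNetworkRequests"

# Constructed sample requests: (page served from, secure context?, target).
SAMPLES = [
    ("8.8.8.8", False, "192.168.1.10"),       # public HTTP page -> LAN device
    ("8.8.8.8", True, "192.168.1.10"),        # same request from HTTPS page
    ("192.168.1.10", False, "127.0.0.1"),     # intranet HTTP page -> localhost
    ("10.0.0.5", False, "192.168.1.10"),      # private -> private
    ("8.8.8.8", False, "::ffff:127.0.0.1"),   # mapped loopback
]

if __name__ == "__main__":
    for policy_enabled in (False, True):
        print(f"policy set to {policy_enabled}:")
        for src, secure, dst in SAMPLES:
            print(f"  {src} -> {dst} secure={secure}: "
                  f"{policy_outcome(src, secure, dst, policy_enabled)}")
```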

Solution

Policy Path: Microsoft Edge\Private Network Request Settings
Policy Setting Name: Specifies whether to allow insecure websites to make requests to more-private network endpoints

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v96/ba-p/2997665

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 5739417289657d6bf4a9bdbdff0a155b3c07eb40ee1487ff42873848f3bcf76a