2.2.1 Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'

Information

Setting controls whether users can add exceptions to allow mixed content for specific sites.

Do not allow any site to load mixed content (2)

Allow users to add exceptions to allow mixed content (3)

The recommended state for this setting is: Enabled with the value of Do not allow any site to load mixed content (2)

NOTE: This policy can be overridden for specific URL patterns using the InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies.

Rationale:

Allowing mixed (secure / insecure) content from a site can lead to malicious content being loaded. Mixed content occurs if the initial request is secure over HTTPS, but HTTPS and HTTP content is subsequently loaded to display the web page. HTTPS content is secure. HTTP content is insecure.

Impact:

Users will not be able to mix content.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Do not allow any site to load mixed content:

Computer Configuration\Polices\Administrative Templates\Google\Google Chrome\Content Settings\Do not allow any site to load mixed content

Default Value:

Unset (Same as Enabled: Allow users to add exceptions to allow mixed content, but user can change)

See Also

https://workbench.cisecurity.org/files/3653

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(3), 800-53|SC-7(4), CSCv7|7.5

Plugin: Windows

Control ID: 06f7ef77841e20fd5dcda45559afaec1991bf99533e4ce69dc3312ad3ae0494c