1.70 Ensure 'Control where security restrictions on insecure origins apply' is set to 'Disabled'

Information

This policy setting allows for a specified list of origins (URLs) or hostname patterns (like '*.contoso.com') for which security restrictions on insecure origins don't apply.

Allowed origins for legacy applications that can't deploy TLS or set up a staging server for internal web development so that developers can test features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled Not Secure in the omnibox.

The recommended state for this setting is: Disabled.

Rationale:

Insecure contexts should always be labeled as insecure.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Control where security restrictions on insecure origins apply

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml that can be downloaded from: Download Microsoft Edge for Business - Microsoft.

Default Value:

Enabled.

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 0015e2738faa38796de9a770648ac0f107910bd8d986dd2b3663d4e250df431c