CIS Google Chrome L1 V2.1.0

Ensure ‘Control use of insecure content exceptions’ is set to ‘Enabled: Do not allow any site to load mixed content’

Details

This setting controls whether users can add exceptions that allow mixed content for specific sites. The possible values are:

Do not allow any site to load mixed content (2)

Allow users to add exceptions to allow mixed content (3)

The recommended state for this setting is: Enabled with the value of Do not allow any site to load mixed content (2).

NOTE: This policy can be overridden for specific URL patterns using the InsecureContentAllowedForUrls and InsecureContentBlockedForUrls policies.

Rationale:

Allowing mixed (secure / insecure) content from a site can lead to malicious content being loaded. Mixed content occurs when the initial request is made securely over HTTPS, but the page then loads a mix of HTTPS and HTTP content in order to render. HTTPS content is secure; HTTP content is not.

Impact:

Users will not be able to add per-site exceptions that allow mixed content.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Do not allow any site to load mixed content:

Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Content Settings\Do not allow any site to load mixed content

Default Value:

Unset (Same as Enabled: Allow users to add exceptions to allow mixed content, but user can change)
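The following PowerShell audit function is an added example and is not part of the CIS benchmark text. It checks the state this recommendation describes by reading the machine-level Chrome policy key that Group Policy writes to. The registry value names it reads (DefaultInsecureContentSetting, with 2 = do not allow and 3 = allow user exceptions, plus the InsecureContentAllowedForUrls and InsecureContentBlockedForUrls lists named in the note above) are Chrome's own policy names for this setting; the page does not list them, and the key path is assumed to be the standard HKLM policy location.

```powershell
# Added audit example, not CIS's own code. Assumes the policy is delivered via
# Group Policy and therefore lands under the machine-wide Chrome policy key.
# 2 = Do not allow any site to load mixed content; 3 = allow user exceptions.

function Test-ChromeMixedContentPolicy {
    [CmdletBinding()]
    param(
        # Assumed standard location for machine-level Chrome policies.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )

    $result = [ordered]@{
        DefaultInsecureContentSetting = $null
        AllowedForUrls                = @()
        BlockedForUrls                = @()
        Compliant                     = $false
        Findings                      = @()
    }

    if (-not (Test-Path $PolicyKey)) {
        $result.Findings += "Policy key $PolicyKey not found; Chrome falls back to the default (user may add exceptions)."
        return [pscustomobject]$result
    }

    # Missing value returns $null rather than throwing because of SilentlyContinue.
    $value = Get-ItemProperty -Path $PolicyKey -Name 'DefaultInsecureContentSetting' -ErrorAction SilentlyContinue
    if ($null -ne $value) {
        $result.DefaultInsecureContentSetting = [int]$value.DefaultInsecureContentSetting
    }

    switch ($result.DefaultInsecureContentSetting) {
        2       { $result.Compliant = $true }
        3       { $result.Findings += 'Value is 3: users can add per-site mixed-content exceptions.' }
        default { $result.Findings += 'Not configured: Chrome defaults to allowing user exceptions.' }
    }

    # URL-pattern overrides are stored as a subkey holding numbered string values ("1", "2", ...).
    foreach ($listName in 'InsecureContentAllowedForUrls', 'InsecureContentBlockedForUrls') {
        $subKey = Join-Path $PolicyKey $listName
        if (-not (Test-Path $subKey)) { continue }

        $urls = @((Get-ItemProperty -Path $subKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [string]$_.Value })

        if ($listName -eq 'InsecureContentAllowedForUrls') { $result.AllowedForUrls = $urls }
        else                                               { $result.BlockedForUrls = $urls }
    }

    # An allow-list does not change the benchmark result but is worth surfacing,
    # since it re-enables mixed content for those patterns.
    if ($result.AllowedForUrls.Count -gt 0) {
        $result.Findings += "InsecureContentAllowedForUrls overrides the block for: $($result.AllowedForUrls -join ', ')"
    }

    return [pscustomobject]$result
}

# Run the audit and show the outcome, e.g. Compliant : True when the value is 2.
Test-ChromeMixedContentPolicy | Format-List
```

Run this in an elevated or standard PowerShell session on the target workstation after a `gpupdate`; Compliant is true only when DefaultInsecureContentSetting is exactly 2, and the Findings list explains any other outcome, including URL patterns that re-allow mixed content despite the global block.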

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

Updated on July 16, 2022