URLs must be whitelisted for plugin use

From Google Chrome Current Windows STIG

Part of DTBC0051 - Plugins allowed for urls

Associated with: CCI-002756

SV-67011r3_rule URLs must be whitelisted for plugin use

Vulnerability discussion

This policy allows you to set a list of URL patterns that specify sites which are allowed to run the Flash plugin. If this policy is left not set, the global default value will be used for all sites either from the "DefaultPluginsSetting" policy if it is set, or the user’s personal configuration otherwise.

Check content

Universal method: 1. In the omnibox (address bar) type chrome://policy 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding. Windows method: 1. Start regedit 2. Navigate to HKLM\Software\Policies\Google\Chrome\ 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding. Suggested: the set or subset of *.mil and *.gov

Fix text

Windows group policy: 1. Open the group policy editor tool with gpedit.msc 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings Policy Name: Allow the Flash plugin on these sites Policy State: Enabled Policy Value 1: *.mil Policy Value 2: *.gov

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer