Specifies whether to allow insecure websites to make requests to more-private network endpoints

Controls whether insecure websites are allowed to make requests to more-private network endpoints.

This policy relates to the CORS-RFC1918 specification. See https://wicg.github.io/cors-rfc1918 for more details.

A network endpoint is more private than another if:
1) Its IP address is localhost and the other is not.
2) Its IP address is private and the other is public.
In the future, depending on spec evolution, this policy might apply to all cross-origin requests directed at private IPs or localhost.

A website is deemed secure if it meets the definition of a secure context in https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts. Otherwise, it will be treated as an insecure context.

When this policy is either not set or set to false, the default behavior for requests from insecure contexts to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests feature, which may be set by a field trial or on the command line.

When this policy is set to true, insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks.

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Registry PathSoftware\Policies\Google\Chrome
Value NameInsecurePrivateNetworkRequestsAllowed
Enabled Value1
Disabled Value0


Administrative Templates (Computers)

Administrative Templates (Users)