caption: Origins or hostname patterns for which restrictions on insecure origins should not apply
desc: |-
Setting the policy specifies a list of origins (URLs) or hostname patterns (such as *.example.com) for which security restrictions on insecure origins won't apply. Organizations can specify origins for legacy applications that can't deploy TLS or set up a staging server for internal web development, so developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled "Not Secure" in the address bar.
Setting a list of URLs in this policy amounts to setting the command-line flag --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs. The policy overrides the command-line flag and UnsafelyTreatInsecureOriginAsSecure, if present.
For more information on secure contexts, see Secure Contexts ( https://www.w3.org/TR/secure-contexts ).
example_value:
- http://testserver.example.com/
- '*.example.org'
features:
dynamic_refresh: false
per_profile: false
future_on:
- fuchsia
owners:
- [email protected]
schema:
items:
type: string
type: array
supported_on:
- chrome.*:69-
- chrome_os:69-
- android:69-
tags:
- system-security
type: list
Codebase Browser
chromium