caption: Origins or hostname patterns for which restrictions on insecure origins should not apply
deprecated: true
desc: |-
Deprecated in M69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.
The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") for which security restrictions on insecure origins will not apply.
The intent is to allow organizations to allow origins for legacy applications that cannot deploy TLS, or to set up a staging server for internal web development so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy will also prevent the origin from being labeled "Not Secure" in the omnibox.
Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.
This policy is deprecated in M69 in favor of OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are present, OverrideSecurityRestrictionsOnInsecureOrigin will override this policy.
For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/
example_value:
- http://testserver.example.com/
- '*.example.org'
features:
dynamic_refresh: false
per_profile: false
future_on:
- fuchsia
owners:
- [email protected]
- [email protected]
schema:
items:
type: string
type: array
supported_on:
- chrome.*:65-
tags:
- system-security
type: list
Codebase Browser
chromium