Check: DTBC-0065
Google Chrome Current Windows STIG:
DTBC-0065
(in versions v2 r9 through v2 r6)
Title
URLs must be allowlisted for Autoplay use. (Cat II impact)
Discussion
Controls the allowlist of URL patterns that autoplay will always be enabled on. If the "AutoplayAllowed" policy is set to "True" then this policy will have no effect. If the "AutoplayAllowed" policy is set to "False", then any URL patterns set in this policy will still be allowed to play.
Check Content
Universal method:
1. In the omnibox (address bar), type chrome://policy.
2. “AutoplayAllowlist” under the “Policy Name” column may be set to a list of administrator-approved URLs under the “Policy Value” column. This requirement is optional.
Windows method:
1. Start regedit.
2. Navigate to HKLM\Software\Policies\Google\Chrome\
3. The “AutoplayAllowlist” key may contain a list of administrator-approved URLs. This requirement is optional.
Fix Text
Windows group policy:
1. Open the “group policy editor” tool with gpedit.msc.
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome
- Policy Name: Allow media autoplay on a allowlist of URL patterns.
- Policy State: Enabled
- Policy Value 1: [*.]mil
- Policy Value 2: [*.]gov
Note: Policy values are examples.
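
The Windows registry check from Check Content, scripted in PowerShell as an added example (not part of the STIG text). The function name `Get-AutoplayPolicyState` and the `$Approved` list are assumptions for illustration; the approved patterns are the example values from the Fix Text. Chrome stores list policies as a subkey with values named 1, 2, 3, and so on.

```powershell
# Added example: audit the Chrome autoplay policies described in DTBC-0065.
# Assumption: $Approved holds the administrator-approved patterns; the two
# entries below are the example values from the Fix Text, not a mandated list.
$Approved = @('[*.]mil', '[*.]gov')
$Base     = 'HKLM:\Software\Policies\Google\Chrome'

function Get-AutoplayPolicyState {
    param(
        [string]$PolicyRoot = $Base,
        [string[]]$ApprovedPatterns = $Approved
    )

    # AutoplayAllowed is a boolean policy stored as a REG_DWORD value on the Chrome key.
    $allowed = $null
    if (Test-Path $PolicyRoot) {
        $allowed = (Get-ItemProperty -Path $PolicyRoot -Name 'AutoplayAllowed' `
                    -ErrorAction SilentlyContinue).AutoplayAllowed
    }

    # AutoplayAllowlist is a list policy: a subkey whose values are named 1, 2, 3, ...
    $listKey = Join-Path $PolicyRoot 'AutoplayAllowlist'
    $entries = @()
    if (Test-Path $listKey) {
        $key = Get-Item -Path $listKey
        $entries = @($key.GetValueNames() | Where-Object { $_ } |
                     ForEach-Object { [string]$key.GetValue($_) })
    }

    # -notcontains compares case-insensitively; anything outside the approved set is reported.
    $unapproved = @($entries | Where-Object { $ApprovedPatterns -notcontains $_ })

    [pscustomobject]@{
        AutoplayAllowed    = $allowed              # $null means the policy is not set
        AllowlistEntries   = $entries
        UnapprovedEntries  = $unapproved
        # Per the Discussion: the allowlist has no effect when AutoplayAllowed is True.
        AllowlistEffective = ($allowed -ne 1)
    }
}

$state = Get-AutoplayPolicyState
$state | Format-List
if ($state.UnapprovedEntries.Count -gt 0) {
    Write-Warning "AutoplayAllowlist contains patterns outside the approved list."
}
```
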
Additional Identifiers
Rule ID: SV-221596r879630_rule
Vulnerability ID: V-221596
Group Title: SRG-APP-000210
CCIs
Number | Definition |
---|---|
CCI-001170 | The information system prevents the automatic execution of mobile code in organization-defined software applications. |
Controls
Number | Title |
---|---|
SC-18 (4) | Prevent Automatic Execution |