JavaScript must be enabled for approved domains

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35796	DTBC-0042	SV-47083r1_rule	ECSC-1	Medium

Description
"Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript. If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.." - Google Chrome Administrators Policy List Javascript is one of the most common attack vectors used to compromise a system, as such all sites should be blocked by default. Only trusted sites should be whitelisted.

Description

"Allows you to set a list of url patterns that specify sites which are allowed to run JavaScript. If this policy is left not set the global default value will be used for all sites either from the 'DefaultJavaScriptSetting' policy if it is set, or the user's personal configuration otherwise.." - Google Chrome Administrators Policy List Javascript is one of the most common attack vectors used to compromise a system, as such all sites should be blocked by default. Only trusted sites should be whitelisted.

STIG	Date
Google Chrome v23 Windows STIG	2013-01-11

Details

Check Text ( C-44142r1_chk )
Universal method(Requires Chrome Browser v15 or later): 1. In the omnibox(address bar) type chrome://policy 2. If the policy "JavaScriptAllowedForUrls" is not shown or is not set to "[.]gov", "[.]mil", , and organizationally defined and approved sites or a subset, this is a finding. Windows: Start regedit Navigate to HKLM\Software\Policies\Google\Chrome\JavaScriptAllowedForUrls If this key does not exist or is not set to "[.]gov", "[.]mil", and organizationally defined and approved sites or a subset, then this is a finding.

Check Text ( C-44142r1_chk )

Universal method(Requires Chrome Browser v15 or later):
1. In the omnibox(address bar) type chrome://policy
2. If the policy "JavaScriptAllowedForUrls" is not shown or is not set to "[*.]gov", "[*.]mil", , and organizationally defined and approved sites or a subset, this is a finding.

Windows:
Start regedit
Navigate to HKLM\Software\Policies\Google\Chrome\JavaScriptAllowedForUrls
If this key does not exist or is not set to "[*.]gov", "[*.]mil", and organizationally defined and approved sites or a subset, then this is a finding.

Fix Text (F-40344r1_fix)
Valid for Chrome Browser version 11 or later. Windows Registry: Registry Path: HKLM\Software\Policies\Google\Chrome\ Value Name: JavaScriptAllowedForUrls Value Type: List of strings Value Data: "[.]gov", "[.]mil", and organizationally defined and approved sites (or a subset) Windows group policy: Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ Policy Name: "Allow JavaScript on these sites" Policy State: Enabled Policy Value: "[.]gov", "[.]mil", and organizationally defined and approved sites (or a subset)

Fix Text (F-40344r1_fix)

Valid for Chrome Browser version 11 or later.

Windows Registry:
Registry Path: HKLM\Software\Policies\Google\Chrome\
Value Name: JavaScriptAllowedForUrls
Value Type: List of strings
Value Data: "[*.]gov", "[*.]mil", and organizationally defined and approved sites (or a subset)

Windows group policy:
Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\
Policy Name: "Allow JavaScript on these sites"
Policy State: Enabled
Policy Value: "[*.]gov", "[*.]mil", and organizationally defined and approved sites (or a subset)