Chrome cannot technically satisfy PCI/HIPAA/NIST workstation data‑clearing controls because it does not expose a real “clear on exit” control
Posted by Trick-Requirement948@reddit | sysadmin | 123 comments
For anyone deploying Chrome in regulated or shared workstation environments, there’s an architectural limitation worth being aware of.
Chrome has closed the “clear on exit” issue as “Won’t Fix (Intended Behavior)”. Even with all enterprise policies enabled, Chrome does not expose a control that fully clears persisted data when the browser exits. As a result, Chrome retains:
- service workers
- IndexedDB
- localStorage
- cache partitions
- session tokens
- other site data
This creates a compliance gap for environments that must clear session data at logout or session termination. Chrome’s current design makes it impossible to meet the workstation data‑clearing requirements in:
- PCI DSS 4.0 (3.2.1, 3.3, 3.4, 8.2.8, 12.3.3)
- HIPAA Security Rule (164.310(d)(2))
- SOX 404 internal control expectations
- NIST 800‑53 (SC‑28, MP‑6, SI‑12)
- CJIS workstation requirements
These frameworks require that session data and locally stored artifacts be cleared when a user session ends — especially on shared or regulated workstations.
Because Chrome does not expose a real “clear on exit” capability — and because enterprise policies do not fully clear all persisted data — organizations cannot achieve technical compliance using Chrome on shared or regulated endpoints.
This is not a vulnerability; it’s simply a design choice. But it has real implications for anyone managing clinical stations, teller workstations, dispatch terminals, kiosk environments, or any shared regulated endpoint.
Posting this as an FYI for anyone evaluating Chrome in regulated environments, since the underlying issue has been closed as intended behavior.
SirBrownHammer@reddit
Do autism and compliance go hand in hand?
cbiggers@reddit
I disagree in regards to PCI. If you have a properly setup infrastructure, SAD/PAN is never exposed to a web browser in the first place. With tokenization, I can't recall the last time we even viewed full details, let alone masked ones. 8.2.8 specifies timeout, not wiping of data. Don't see what 12.3.3 has to do with this either.
Trick-Requirement948@reddit (OP)
Let’s look at what you’re saying. I agree that SAD/PAN exposure is covered — no argument there. But the PCI issue here isn’t about PANs flowing through the browser. It’s about residual session artifacts being left behind on a shared workstation after logout.
PCI 8.2.8 covers timeout, yes. But PCI also expects that authentication artifacts, session state, and cached content from one user session aren’t exposed to the next user on the same device. Firefox and Edge meet that expectation because they clear all site data on exit. Chrome doesn’t.
So this isn’t about PANs showing up in the DOM — it’s about preventing cross‑user exposure on shared systems. And to do that, Chromium just needs to expose the damn control.
How hard is ‘clear cache on exit’? Firefox has it. Edge has it. Chrome doesn’t
Ihaveasmallwang@reddit
Sure it does. It’s in group policy.
Trick-Requirement948@reddit (OP)
Chrome’s Group Policy can clear browsing history, yes. BUT it cannot clear all site data on exit: cookies, local storage, IndexedDB, service workers, cache storage, etc. And remember, that is by their design.
Edge and Firefox have a policy to clear all of that on exit. Chrome does not. That’s the difference.
Ihaveasmallwang@reddit
There are more group policy settings besides just that singular one.
If you aren’t aware of what settings are actually available via group policy, you’re not qualified to speak on this subject. Repeating yourself over and over basically copy pasting the same thing does not change that.
neploxo@reddit
Agreed, but can't you work around that by placing the cache on an ephemeral/RAM partition that you wipe on exit?
Trick-Requirement948@reddit (OP)
That is a clever workaround, but from a compliance view this still is not acceptable. Compliance requires the browser to enforce session boundaries, not the OS. Firefox and Edge have a direct setting: clear all site data on exit. Chrome does not. Think about it: if you need to bolt on a RAM disk, make a script, or custom wipe logic, that means the browser itself is failing you. Also, in a regulatory environment, I do not think an unsupported engineering workaround would be an acceptable compensating control, although it is better than nothing.
JustTechIt@reddit
Where does compliance require the browser specifically to enforce session boundaries?
Also you can always submit the engineering workaround to be an official control and become approved instead of remaining a workaround.
Ihaveasmallwang@reddit
How much did AI help in the writing of this post? Don’t lie.
This post is full of AI-like formatting, hallucinations, and overly confident definitive conclusions, not to mention flat out not actually understanding what any of those frameworks actually mean.
If you don’t actually understand the policy controls or compliance frameworks, don’t post about them.
Trick-Requirement948@reddit (OP)
My 35 years of compliance experience should tell you that AI is no substitute for real work. Everything I wrote comes from real-world work and shared device environments. The point I am making is very specific:
Chrome persists site data across sessions and does not provide a built‑in way to clear all of it on exit. Edge and Firefox do. That is just a fact.
Ihaveasmallwang@reddit
You don’t have 35 years of compliance work. If you did, you’d know that those frameworks don’t say what you say they do.
You are right though, AI is no substitute for real work. Your AI post proves it.
Aromatic_Leave726@reddit
If you've been doing compliance for 35 years, god help the sysadmins of the past who had to listen to you.
Trick-Requirement948@reddit (OP)
Ha! It paid the bills and gave me a happy retirement - and I was pretty good at it, too! Good luck to you.
SquashNo7817@reddit
Happy?
Are you?
Retired? Then move on.
Trick-Requirement948@reddit (OP)
LOL!!! I’m just pointing out a documented WAI behavior that has compliance implications. Retirement doesn’t change whether the behavior exists. Some people just do not like to hear it.
SquashNo7817@reddit
Do you honestly think everything that is so called compliant is 100% compliant? No. Wake up. In 35 years you didn't learn that?
Nobody cares!
Try to apply for some security conference. Nobody cares.
imightbeautistic@reddit
Mate, 35 years of compliance experience should tell you that the only people who give a shit about compliance are the same ones who wrote the white paper or sell the certificates. Google wasn’t built on a “let’s follow the rules” mindset. Every lawsuit against Alphabet in the past decade has shown that Chrome does all sorts of undocumented behavior that collects and exports user activity. Telling a SysAdmin subreddit your “discovery” is just asking to get mocked.
Trick-Requirement948@reddit (OP)
If you feel that way, that’s fine. But if you look at the engagement numbers, clearly a lot of people do care. I’m not trying to go against Google — I’m simply pointing out that Chrome doesn’t provide this capability, while Edge and Firefox do. Why do you think that is?
heinternets@reddit
ai:dr
Extras@reddit
Have you counted the number of emdashes in OP's replies?
Also every single time someone brings up how much AI was used in this thread OP creatively turns the subject to something else instead.
This is a very strange thread to be a human and read through.
DesignerGoose5903@reddit
Why even bother with permanent storage if you don't want it? Just run it in memory and avoid storage all together.
dustojnikhummer@reddit
Others suggested that to OP but he doesn't seem to be interested. Sounds to me like a compliance person who wants a specific checkbox, not workarounds that get to the same goal.
Mindestiny@reddit
Just because the tool itself does not have the control built in does not mean "organizations cannot achieve technical compliance using Chrome on shared or regulated endpoints."
It's trivial to build this control out via your endpoint management suite of choice and continue to use Chrome while also being in compliance.
imightbeautistic@reddit
It would be trivial, if the OP was an actual SysAdmin. But they’re not.
dustojnikhummer@reddit
Compliance people aren't technical people, they only need the checkbox.
pangapingus@reddit
Back in the MSP world our endpoints were Deepfreeze-ed with even non-persistent user space storage local to the machine; some clients I had where I deployed read-only fs Debian/Ubuntu were similar and used firejail instances of browsers. It is possible to design for, it's just not by default. Was very transparent with cyber insurance underwriters on the setup along with PCI ASVs, never got a caution/fail, but this was a few years ago up to 2021ish. Are even these methods insufficient now?
Trick-Requirement948@reddit (OP)
Honestly, all of those approaches can still work — DeepFreeze, non‑persistent profiles, read‑only FS, Firejail, kiosk overlays, etc. They’re all valid ways to keep the endpoint itself clean.
The only real issue today is that Chrome doesn’t expose a proper clear‑on‑exit control like Firefox and Edge already do. If they just exposed that one setting the whole problem goes away and all of those setups become fully compliant again because you can click that control on.
That’s really the entire point here — the fix is simple, they just don’t expose the control.
TCB13sQuotes@reddit
Sure, and why would you want to deploy Chrome if you can get the same level of performance and control on Edge installed by default in every windows machine? Just use edge.
Trick-Requirement948@reddit (OP)
LOL! I know, right? Problem is Chrome is dominant and has Vivaldi, Brave and others held hostage to their design decision. If they would just expose the control......
itskdog@reddit
Edge has all the same controls as Chrome, and then some
Trick-Requirement948@reddit (OP)
Yes - Edge has the "clear cache on exit control" available because Microsoft wrote that functionality themselves.
dustojnikhummer@reddit
In that case can't you move to Edge? Or do you rely on Google Accounts?
pangapingus@reddit
But for as-is, if the OS session flushes on logout per read-only fs or kiosk mode windows + deepfreeze is that about as best as you can do? Most of these folks just need dumb terminals that can open the medical client-server app or payment processor SaaS or whatever.
Trick-Requirement948@reddit (OP)
Honestly, yeah — if the OS session is truly ephemeral (DeepFreeze, read‑only FS, kiosk mode, non‑persistent profiles, etc.), that’s about the best you can do at the endpoint level. I believe those setups absolutely still work.
The only catch today is that Chrome keeps certain site data between browser sessions, even on a non‑persistent OS, unless the whole machine reboots or the overlay resets. Firefox and Edge avoid that because they expose a real clear‑on‑exit control you can actually turn on.
So the endpoint controls are still solid — Chrome just doesn’t give you the browser‑level clearing that the compliance frameworks expect. If they exposed that one setting, all of this becomes a non‑issue.
Angelworks42@reddit
Chrome itself does have an ephemeral mode - maybe this would help? https://support.google.com/chrome/a/answer/3538894?hl=en
FloatingMilkshake@reddit
Sigh, LLM-written comments. Is it that hard to have a conversation with someone else yourself, instead of running it all through a chatbot?
Trick-Requirement948@reddit (OP)
Sigh, yourself. This is not LLM‑written. I've just had to explain this exact issue to auditors, compliance teams, and engineers more times than I can count. The bottom line: Chrome just needs to expose the damn control. PERIOD.
Frothyleet@reddit
I don't know if every comment you make is going through an LLM but your original post really stinks of it.
If you genuinely did not draft with an LLM, I can only offer you condolences that your writing sounds attributable to one.
sylvaron@reddit
He just sounds like someone that can articulate their thoughts well using the structures available to us in the English language — not every emdash (or parenthetical list, italicized or bolded word to provide emphasis) needs to get the finger wag.
Seems like we're going to see AI absolutely destroy good writing practice credibility, unfortunately.
FloatingMilkshake@reddit
I would typically agree with you, as someone who will never use an LLM to write stuff like this and who uses em dashes constantly—but there are other tells of LLM-written text. They use formatting for emphasis in a particular way that feels a bit unnatural (to me at least), begin messages with "Honestly," often say "This is not X, it's Y," etc.
Frothyleet@reddit
Yeah, it's not the em dashes so much for me. It's wording like the above, as well as the way he's itemizing, which smells to me like someone who stumbled on what they perceive as an issue, then had ChatGPT help flesh out their argument to support their position ("Find examples of other frameworks where Chrome is going to be a problem!") Or simply after a LLM "discussion", asked for the chat to be summarized in a format where they could communicate it to others.
dark_frog@reddit
I put time and energy into learning to use semicolons correctly. I've stopped using them and I drop parentheticals when I can, even though it makes things more wordy. F'in clankers.
tofu_b3a5t@reddit
Nah, don’t let clankers take your language. Spit your grammar with a pinky up.
tofu_b3a5t@reddit
As someone who had proper English drilled into them by competent English teachers in primary school, with specifically high school teachers treating “The Elements of Style” by Struck(?) as holy scripture, it is annoying that I am now mistaken as an AI bot.
On the flip side, at least LLMs are communicating with proper grammar.
SupraCollider@reddit
Nobody is going out of their way to include so many em-dashes to be grammatically correct in social media posts. Everyone who says they use it themselves all the time is full of shit, they are definitely just pretending they don’t use LLMs. The percentage of people that are the exception are extremely close to proofing text and it’s not nearly as many as claim on Reddit tech subs.
thorin85@reddit
Pangram shows 100% ai written on his original post and 100% ai assisted/written on most of his comments, I agreed with your assessment even prior to checking.
mnvoronin@reddit
"Our study [...] concludes that the findings of AI detectors are prone to generate more false accusations than correct identifications."
https://www.sciencedirect.com/science/article/abs/pii/S305047592600093X
thorin85@reddit
This is useless, unfortunately. They used GPTzero as the detector, and that has always been wrong constantly. Pangram is much more recent and has a 99.8% accuracy. (I am not affiliated with Pangram, btw, just find it useful for wading through the slop)
mnvoronin@reddit
99.8% accuracy according to Pangram or reliable 3rd party?
"We have investigated ourselves and found no signs of wrongdoing on our part"
thorin85@reddit
Multiple independent sources validated this number, as a quick google search would show you. Here's one since you can't be bothered:
https://bfi.uchicago.edu/working-papers/artificial-writing-and-automated-detection/
mnvoronin@reddit
First of all, I am of the opinion that the onus on providing evidence is on the person asserting the claim, unless they're asserting an obvious null hypothesis.
Back to the point, you shat on my source because they used GPTzero (and found a large FPR >10%). And then you gave a source where the same GPTzero has a FPR ~<1% (even though it's worse than Pangram). Looks like differing methodology to me.
luke1lea@reddit
To be fair, LLMs were trained to format its sentence structures based on human provided data. I assume that means there's a decent amount of us out there that write exactly like LLMs.
lcnielsen@reddit
You're absolutely right—LLM-written comments make it seem like you're not engaging with your interlocutor. And honestly? That's the whole point. It's not just communication, it's a whole dialectic.
The best part? 1 LLM. 2 people. 1000 readers.
ExceptionEX@reddit
I'm curious why you ran this through an LLM. Like, did you have an original response, or did you just have it generate one for you? It is better to sound like yourself than to try and have an LLM fix it up. It just ruins the genuine nature of a conversation.
pangapingus@reddit
I see, have a link to the Chrome PR where they say "won't fix" I've been interested in making a rudimentary "compliance safe" Chromium browser by removing some of the guts from Chromium and whatnot just to see if this engine is even worth saving in this space. Something like Checkpoint but even more barebones as a hobby project.
Khulod@reddit
Just Chrome? Or all Chromium browsers including Edge?
Trick-Requirement948@reddit (OP)
The behavior originates in Chromium, so all Chromium browsers inherit it. Chrome exposes it the most (because they do not have a clear browser cache on exit). Edge mitigates it the most because Microsoft added one.
voidstarcpp@reddit
Your post was written by an LLM and is just name dropping a bunch of regulations with imagined requirements you are not expert in.
I cannot find any online references saying that HIPAA requires burn-after-reading self destructing app data throughout the entire computer as you imply. If I google the cited regulation and data clearing the top result is simply this very reddit thread in which you allude to such a requirement.
You will find that rarely is something so specific required explicitly by the law. IT people in this sub love to imagine strict rules they can say prohibit all existing software or some other such ridiculous conclusions.
Trick-Requirement948@reddit (OP)
I’m not claiming HIPAA (or any other framework) literally says ‘browsers must self‑destruct all data’. And technically, you are correct: regulations almost never spell things out that specifically.
The point here is much simpler. On shared machines, the expectation is that one user shouldn’t inherit another user’s leftover session data. That’s a very common operational requirement in places like libraries, hospitals, call centers, kiosks, etc.
Firefox and Edge provide a supported way to wipe all site data on exit. Chrome doesn’t. That’s the whole issue.
It’s not about violating laws or imagining requirements. It’s just that Chrome’s design (keeping data around by default) doesn’t line up well with environments where multiple people use the same device throughout the day. This is not anyone's fault; it is simply how Chrome is designed.
imightbeautistic@reddit
If your point basically boils down to “Hey! Houses have windows AND doors!” then why are you spending so much energy making these posts?
Trick-Requirement948@reddit (OP)
Funny — 73,000 views and 126 upvotes suggests it’s more important than you’re giving it credit for… but I digress
SquashNo7817@reddit
Views in reddit amount for you? That is pathetic.
Now I see it. You have money, retirement etc but not happiness. No one to feel embrace. No purpose in life. So you need up votes etc.
Do charity. There is happiness.
Trick-Requirement948@reddit (OP)
Um… excuse me… this isn’t about happiness or retirement. It’s about a documented WAI behavior with compliance impact. That’s all I’ve been pointing out.
Frothyleet@reddit
I am not familiar with every requirement but I absolutely disagree with your fundamental proposition that Chrome is an issue across the board.
HIPAA, for example - the fact that Chrome does not annihilate every iota of session data on close does not mean that it is automatically unusable. The cache and cookie clearing that occurs on close (not even touching the fact that you can have separate OS accounts) is perfectly adequate to meet HIPAA standards.
Trick-Requirement948@reddit (OP)
I’m not claiming to be an expert in every framework. My background is compliance. What I can say is this: HIPAA expects that one user’s authenticated session state is not exposed to the next user on a shared workstation. This is pretty universal for all the frameworks. Firefox and Edge meet that expectation because they clear all site data on exit. Chrome does not.
irsyacton@reddit
Why are you using a shared user account on these workstations? Or if you have to use a shared user account… mandatory profile and log out (and auto log in) on browser exit.
Trick-Requirement948@reddit (OP)
Look, this scenario is not just limited to shared OS accounts. This applies to any shared workstation where multiple authenticated users access the same web app. Hospitals, clinics, retail, call centers, libraries, labs, all sorts of these.
Even with unique accounts, or auto-logout, the browser can still leave behind session artifacts unless it supports clearing all site data on exit. Firefox and Edge currently allow this. Chrome cannot and does not BY DESIGN. That is the entire point.
Constant-K@reddit
I’m confused. Why would user accounts have access to another account’s session data? That is a bigger situation to address.
Trick-Requirement948@reddit (OP)
This is not about users accessing each other's OS account. This is about multiple authenticated users rotating through the same OS account on a shared workstation. Chrome persists cache that those users should never inherit. It does it by design because that is the Chrome way of doing things. This is the issue.
Constant-K@reddit
I mean this in the best way possible: your compliance experience and knowledge exceed your technical acumen. This is not an issue you're framing it to be. You can utilize default OS settings and enforce basic policies via your identity provider and mobile device management platform. If those are unavailable to you, use built-in local policies:
If non-privileged users can access another user's browser data, history, auto-complete, or tokens you have a significant security gap unrelated to Google Chrome.
Trick-Requirement948@reddit (OP)
Please don’t misinterpret what I’m saying. Here is the bottom line: Chrome persists browser cache across sessions and does not provide a way to clear that data on exit. Edge and Firefox both provide that capability.
Take that for what it's worth, but from my perspective this is an unacceptable compliance risk.
Constant-K@reddit
Got it. This is ragebait.
Trick-Requirement948@reddit (OP)
Cool — if you feel it was ragebait, fine. It wasn’t my intent. It’s just a factual description of Chrome’s behavior. Like it or not, it is what it is.
SquashNo7817@reddit
If it is not ragebait or mental health issue then don't use chrome and move on.
Trick-Requirement948@reddit (OP)
It’s neither. Chromium marks the behavior WAI, and that has compliance implications. I just pointed that out. Some people do not like hearing it, but that does not change that fact.
SquashNo7817@reddit
Why assume? If you were correct then 99% other compliance depts would have not approved or signed. Leave it there.
I think you want some kind of recognition. Sad that you have to come to reddit for that.
See the recent video of veritasium where MKBHB phone is debited 10k without approval. VISA is still fine. Move away from computer in retirement.
sir_mrej@reddit
This is a really weird really specific crusade you've got going on here. WTF is going on?
Trick-Requirement948@reddit (OP)
Nothing weird about it. Chrome marks this behavior WAI, and it has compliance implications they do not want to look at. I just pointed that out.
antiduh@reddit
To add to this. I know some physicians offices that use MyChart and don't have separate workstation logins. The office leaves one user logged in and providers open MyChart with their user.
matt0_0@reddit
Just to be clear, you're talking that a shared workstation with non-shared unique user sign-ons to the operating system. Is that correct?
Trick-Requirement948@reddit (OP)
Technically -- no. I’m talking about any shared workstation where multiple authenticated users access the same web application throughout the day.
Whether the OS accounts are shared or unique doesn’t change the browser‑level expectation: one user’s authenticated session state should not be exposed to the next user. Firefox and Edge CAN enforce that by clearing all site data on exit. Chrome does not expose this control and that is by design.
Ssakaa@reddit
If you're using separate user accounts at the OS, and you're not doing the dumbest thing possible and giving them all admin, the data from one user session isn't available to the next.
Trick-Requirement948@reddit (OP)
I’m not here to tell anyone what’s right or wrong. But separate OS accounts don’t change the fact that Chrome persists data within the same OS account and doesn’t give you a reliable way to clear it on exit.
A user on a shared workstation can still access Chromium‑based cached data that remains on disk because the browser never exposed a control to remove that data. That is all I am saying.
Chromium does not provide a full clear‑on‑exit control. Firefox and Edge do. Chromium engineers have explicitly said this is the way Chromium is designed.
My only goal here is to make people aware of that fact.
Siege9929@reddit
User session data in chrome is segregated in local user data directories per OS user. Unless they have admin access at the OS level, they will only ever have access to the data associated with their user and sessions.
Trick-Requirement948@reddit (OP)
And, your point is... not pertinent. Within the same OS account, Chrome persists session artifacts (cache) that cannot be cleared on exit. PERIOD. Chrome persists data those users should never inherit. That is the issue.
n3rdyone@reddit
I’m so confused by this. How can one user access another users cache data? This sounds more like a CVE.
Also since chrome and Edge are both using chromium , wouldn’t this also be applicable to Edge?
I work in this domain and when validating a web application, I’ve always checked that the web form data is not saved and encrypted once passed , but that is a function of the web application code, not chromium. There are policies that we apply to certain domains to not save form data between sessions.
Ssakaa@reddit
You're not confused, they've repeatedly conflated shared OS accounts, which Chrome has no reason to defend against, with individual accounts. They've argued it applies even without shared OS accounts, then backtracked that when called out on it without actually acknowledging the whole "don't do this, this is why you don't do this" part.
Amazingly, if your users download or screenshot ANYTHING in the OS profile, the next person that walks up and uses that same OS profile can see it! Windows should really fix that...
Trick-Requirement948@reddit (OP)
I get why this sounds confusing — but this isn’t a case of one user breaking into another user’s account. Nothing like that is happening.
The issue shows up in places where the same computer is used by multiple people throughout the day. Even if they are different users in the web app, Chrome keeps some of the previous person’s browser data around unless the browser itself clears it. That’s the part that becomes a problem on shared machines.
The best example I can give you is a local library. Dozens of people use the same computer. If that machine is running Chrome, some of the previous user's cached data can still be sitting there for the next person.
Edge and Firefox avoid this because they have a built‑in setting to wipe everything when the browser closes. Chrome doesn’t, so the next person can still inherit leftover data from the previous session.
So it’s not a security issue and it’s not about form fields or data integrity. It’s just Chrome not cleaning up after each user on shared devices.
And just side note here — Chrome behaves this way on purpose. Its whole design philosophy is built around keeping data around between sessions. That’s fine for personal devices where you want to target advertising as part of your business model. But it’s the opposite of what you want on shared machines and it technically does line up with the expectations in most compliance standards.
Siege9929@reddit
“What I can say is this: HIPAA expects that one user’s authenticated session state is not exposed to the next user on a shared workstation.”
There is only one web app user session per OS account because Chrome session data is isolated to the logged-in OS user. Thus the data does not persist to the next (different) authenticated web user.
Do not under any circumstances allow users to share OS accounts. This is a fundamental best practice for any IT org.
Trick-Requirement948@reddit (OP)
I get what you’re saying — in an ideal world, every user would have their own OS account. You’re absolutely right. But in some real‑world environments (e.g., hospitals, call centers, retail, kiosks, VDI pools), shared OS accounts are intentional and part of their workflow.
In those setups, several authenticated web users rotate through the same OS login, and that’s where Chrome’s behavior becomes a problem. It persists cache (and other session artifacts) that the next user shouldn’t inherit.
Firefox and Edge handle this cleanly with a supported ‘clear all site data on exit’ control.
Chrome doesn’t — and that’s the issue I’m calling out.
Realistically, all Chrome needs to do is expose the same control that Firefox and Edge already provide — but unfortunately, it will not.
And correct me if I’m wrong, but even with separate OS logins, wouldn’t Chrome still persist certain artifacts unless the browser itself clears them?
matt0_0@reddit
Got it. I can't even imagine a HIPAA compliant environment that has any browser installed and usable by users where sharing OS credentials results in an auditable trail of who did what where.
We all get the appeal of sharing usernames and passwords for shared resources of all kinds. But chrome is the absolute least of your HIPAA worries with that kind of setup.
logicbecauseyes@reddit
Chrome and Edge's only difference is the MS vs Google coat of paint they have on. They are all but literally the exact same application. This smells fishy.
Trick-Requirement948@reddit (OP)
When was the last time you looked at Edge settings? It's right there -- clear browser cache on exit. Chrome does not have it.
n3rdyone@reddit
… there is a group policy setting for this in enterprise version. Everything is not available via a button or drop down.
stackjr@reddit
Chrome was perfectly fine for us when I was working at our local hospital. We had zero issues with clearing cookies on exit.
AlternateAcc1917@reddit
Who are you quoting?
suttin@reddit
I think you’re forgetting who’s responsible for what in hipaa compliance. It’s up to you to deploy chrome securely. You’re allowed to document this behavior and the mitigating controls you’ve put in place to ensure the residual data is inaccessible on browser close and boom you’re hipaa compliant. Other browsers just aren’t dicks and give you the expected behavior
echo_thev0id@reddit
Why not use Ephemeral Profiles or Enterprise Chrome which has ClearBrowsingDataOnExit policies that can be set?
There are so many other compensating controls that are usually in place, that this is moot for most organizations. DLP Scanning, Cache-control on the http headers, tokenization, logoff GPO scripts, etc. Working in a PCI context, this has never been an issue with our QSA.
Trick-Requirement948@reddit (OP)
Compensating controls? OK. Let’s talk about those:
Those compensating controls do not clear many items (e.g., service workers, IndexedDB, localStorage, partitioned cache, extension storage, media keys and site-bound tokens).
Chrome’s own engineers have confirmed this is intentional (‘works as intended’). If you cleared your QSA, perfect: your compensating controls work for your environment.
But that doesn’t change the technical reality: Chrome does not expose a full clear‑on‑exit control, and Firefox/Edge do. My post isn’t about whether organizations can build compensating controls. They can and they should if they are going to use Chrome. It’s about the fact that Chrome itself does not provide the same session‑clearing capabilities as the other major browsers. And without compensating controls, Chrome does not meet the technical requirement for clearing session data on exit. That’s simply the way it is.
echo_thev0id@reddit
Chrome has never advertised that they are compliant with PCI, HIPAA, SOX, NIST 800-53, etc. Why should there be an expectation that they develop a solution and expose it? Chrome and Google are not expected to implement those controls when an audit comes around. It's the org's responsibility to ensure those artifacts are cleared in their environment when they handle them in the browser.
Compensating controls are how orgs meet their audits, and fulfill their requirements to the regulations when a tool/software is not certified by itself...
The compensating controls I mentioned can clear all of those and detect if it does not. A logoff script can definitely delete service workers, local store, IndexedDBs, all the caches.
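The ClearBrowsingDataOnExitList policy and the logoff script mentioned in the two comments above are the kind of compensating control a shared-workstation deployment would actually ship. Below is an added example of such a logoff script, written for this thread and not code from the original post or from Google. It assumes Chrome's default per-user data location, the "Default"/"Profile N" profile naming, and the on-disk folder names listed in the script; it removes the per-profile site data areas named in the thread (service workers, IndexedDB, localStorage, caches, extension storage, cookies) after Chrome has exited, then re-checks the paths and logs any residue so a failed clear is detectable rather than silent.

```powershell
#Requires -Version 5.1
# Added example (not from the thread or from Google): GPO logoff script that
# removes Chrome site data the exit policy may leave behind, then verifies it.
# Assumptions: default per-user Chrome data path, Chrome's profile folder
# naming convention, and the storage folder names in $Targets.

$ErrorActionPreference = 'Stop'
$UserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$LogPath  = Join-Path $env:LOCALAPPDATA 'chrome-logoff-clear.log'   # assumed log location

# Per-profile storage areas called out in the thread plus the caches beside them.
$Targets = @(
    'Service Worker', 'IndexedDB', 'Local Storage', 'Session Storage',
    'Cache', 'Code Cache', 'GPUCache', 'Local Extension Settings',
    'Network'   # cookies and related network state in current profile layouts
)

function Stop-ChromeForUser {
    # Files under User Data are locked while Chrome runs. Logoff normally ends
    # the browser already; this handles a straggling background instance.
    $procs = Get-Process -Name 'chrome' -ErrorAction SilentlyContinue
    if ($procs) {
        $procs | Stop-Process -Force
        $procs | Wait-Process -Timeout 15 -ErrorAction SilentlyContinue
    }
}

function Get-ChromeProfiles {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
}

function Clear-ChromeSiteData {
    param([string]$Root, [string[]]$Areas)
    $removed  = New-Object System.Collections.Generic.List[string]
    $residual = New-Object System.Collections.Generic.List[string]
    foreach ($profile in Get-ChromeProfiles -Root $Root) {
        foreach ($area in $Areas) {
            $path = Join-Path $profile.FullName $area
            if (-not (Test-Path -LiteralPath $path)) { continue }
            try {
                Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
            } catch {
                # Locked or undeletable: fall through to the existence check.
            }
            # Verify rather than trust the delete call; residue is the finding.
            if (Test-Path -LiteralPath $path) { $residual.Add($path) }
            else                               { $removed.Add($path) }
        }
    }
    [pscustomobject]@{ Removed = $removed; Residual = $residual }
}

Stop-ChromeForUser
$result = Clear-ChromeSiteData -Root $UserData -Areas $Targets

$stamp = (Get-Date).ToString('s')
"$stamp removed=$($result.Removed.Count) residual=$($result.Residual.Count)" |
    Add-Content -LiteralPath $LogPath
foreach ($r in $result.Residual) { "$stamp RESIDUAL $r" | Add-Content -LiteralPath $LogPath }

# Non-zero exit flags an incomplete clear for whatever collects script results.
if ($result.Residual.Count -gt 0) { exit 1 } else { exit 0 }
```

Deploy it under User Configuration > Windows Settings > Scripts (Logoff), and forward the log (or the exit code) to whatever the environment already uses for endpoint evidence; the re-check after deletion is what turns "we run a cleanup script" into something an assessor can see working or failing. Folder names in `$Targets` should be confirmed against the Chrome build actually deployed, since the on-disk layout has changed between versions.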
profanitystar@reddit
https://support.google.com/chrome/a/answer/16188563?hl=en#zippy=
echo_thev0id@reddit
Thanks for the link! However, those are only ISO and SOC compliance certs though, not PCI DSS 4.0, HIPAA, SOX, NIST 800-53, which is where most of the strict data-clearing requirements around secure data (credit card numbers, health records, financial data, etc) come from.
Trick-Requirement948@reddit (OP)
I do not want to contradict you, but I am pretty sure a logoff script alone cannot reliably delete all of Chrome's persisted data. The fact remains, Chrome doesn't expose a full clear-on-exit control. Firefox and Edge do. That's just a fact. Chrome engineers have even said so. As I said before, if your compensating controls passed QSA that is great.
But it does not change the reality of the situation: Chrome doesn't meet the requirement to clear session data on exit unless you add compensating controls. It is simply the way they have built it and they do not want to change it. My intent was to let people know that.
Vexser@reddit
As if google would ever delete any data..... ha ha ha
MyLegsX2CantFeelThem@reddit
Which is why we are yanking it from our new GCC-high enclave. Vendor slapped it on our cloud device image, so now I get to do the uninstall.
Trick-Requirement948@reddit (OP)
I understand. Because if you complain to Chromium - their only response will be -- Works as intended!
Ferretau@reddit
I'd assume edge and others being based on the chrome code base would also be in the same boat.
Trick-Requirement948@reddit (OP)
Ferretau - Edge is Chromium based - BUT -- Microsoft has added their own clear-browser-cache-on-exit control. They built this themselves. So they are not in the same boat. And here's the thing - Microsoft do not do this just to be nice. Chrome has chosen NOT to expose this control.
Ferretau@reddit
Interesting - I wonder if they are hooking into existing Chrome code or have to write code to support it. If it is the latter then I suspect in future releases it will stop working when the underlying code is removed as "cruft" which is what Google does with code they don't like. My other comment outlines my feelings on the why. https://www.reddit.com/r/sysadmin/comments/1t4rzmw/comment/ok5n10u/
Trick-Requirement948@reddit (OP)
Guys (and gals) — look. I’m not saying Chrome is ‘bad.’ I’m saying that Chrome, by design, cannot clear all cache on exit. They have deliberately chosen not to expose that control. Period.
Firefox and Edge expose it. They didn’t add that option to be nice — they added it because compliance frameworks expect session‑end clearing.
Chromium does not provide that capability, and they don’t want to. It is inherent in their design NOT TO. That’s the entire point.
Ferretau@reddit
It makes sense they don't want to add it when you take into account that it is only a way for them to gain access to you as the end user to be a marketable product for their advertising revenue. Being secure is only done by them when it suits them and doesn't affect their bottom line advertising dollar - over the years they have proved this by the changes in standards and the browser itself to prevent extensions etc. which blocked their ability to use data collected for advertising revenue.
Trick-Requirement948@reddit (OP)
Can I upvote you 100 times, please and thank you!
finalpolish808@reddit
OP I truly appreciate this post, as I see people use the presented features to attempt kiosk-like utility without the assumed security. Use OS session clearing, folks!
Trick-Requirement948@reddit (OP)
“BINGO! Thank you — exactly what I was getting at.”
GeraldMander@reddit
Are you quoting yourself?
Trick-Requirement948@reddit (OP)
Nope! I am finally acknowledging someone who gets "it"
Sensitive-Guess-1425@reddit
Wrong. https://support.google.com/chrome/a/answer/10686330?hl=en#zippy=%2Cwindows-group-policy
suivethefirst@reddit
Mods, this post is LLM slop and so is every reply by OP. Absolute muck.
Trick-Requirement948@reddit (OP)
Really? OK -- If you think the post is wrong, point out what’s wrong. If you think the facts are incorrect, fix them. Calling it ‘LLM slop’ isn’t a rebuttal — it’s just avoiding the technical point.
Objective-Bear-423@reddit
This is rather interesting. With Chrome holding on to stale session tokens, I wonder if that could contribute to bad passwords... I know my help desk follows the clear cache creds KB to a T. But if Chrome is behaving this way it could make their life harder..
-GenlyAI-@reddit
HIPAA is risk based. It doesn't mandate this. Our risk register has controls that we deem good enough. So they are good for HIPAA and the OCR. Yes we use Chrome.
r4x@reddit
Great, because I absolutely NEED another fucking CTO!