From ff379446b229057f38c87e3ff4cab8963258a003 Mon Sep 17 00:00:00 2001 From: tcecyk Date: Mon, 13 Oct 2025 12:27:23 +0200 Subject: [PATCH] fix direct and any reverse dependencies of default preferences Modify-default-preferences.patch relies on add-browser-policy.patch to enact default options set to false, otherwise they'd be toothless. A second order effect is reverse dependencies from add-browser-policy.patch itself, thus adding Keep-Side-Panel-Companion-disabled.patch. One pitfall of cromites patch method is: they aren't sliced per-feature, dependencies aren't obvious. issue was found as SafeBrowsing is in a broken state, closes https://gitlab.e.foundation/e/backlog/-/issues/8921
---
 .../Keep-Side-Panel-Companion-disabled.patch | 22 + .../cromite_patches/add-browser-policy.patch | 1079 +++++++++++++++++ build/cromite_patches_list.txt | 2 + 3 files changed, 1103 insertions(+) create mode 100644 build/cromite_patches/Keep-Side-Panel-Companion-disabled.patch create mode 100644 build/cromite_patches/add-browser-policy.patch
diff --git a/build/cromite_patches/Keep-Side-Panel-Companion-disabled.patch b/build/cromite_patches/Keep-Side-Panel-Companion-disabled.patch
new file mode 100644
index 00000000..c81499c0
--- /dev/null
+++ b/build/cromite_patches/Keep-Side-Panel-Companion-disabled.patch
@@ -0,0 +1,22 @@
+From: uazo
+Date: Mon, 17 Jul 2023 15:24:16 +0000
+Subject: Keep Side Panel Companion disabled
+
+License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
+---
+ chrome/browser/ui/side_search/side_search_prefs.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/chrome/browser/ui/side_search/side_search_prefs.cc b/chrome/browser/ui/side_search/side_search_prefs.cc
+--- a/chrome/browser/ui/side_search/side_search_prefs.cc
++++ b/chrome/browser/ui/side_search/side_search_prefs.cc
+@@ -14,7 +14,7 @@ namespace side_search_prefs {
+ const char kSideSearchEnabled[] = "side_search.enabled";
+
+ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) {
+- registry->RegisterBooleanPref(kSideSearchEnabled, true);
++ registry->RegisterBooleanPref(kSideSearchEnabled, false);
+ }
+
+ } // namespace side_search_prefs
+--
diff --git a/build/cromite_patches/add-browser-policy.patch b/build/cromite_patches/add-browser-policy.patch
new file mode 100644
index 00000000..10161400
--- /dev/null
+++ b/build/cromite_patches/add-browser-policy.patch
@@ -0,0 +1,1079 @@ +From: uazo +Date: Tue, 22 Nov 2022 16:49:58 +0000 +Subject: Add browser policy + +License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html +--- + base/win/win_util.cc | 68 +-------- + chrome/android/java/AndroidManifest.xml | 4 - + .../privacy_preferences_manager_impl.cc | 5 + + .../metrics/chrome_feature_list_creator.cc | 12 ++ + .../search_engine_preconnector.cc | 1 + + .../policy/chrome_browser_policy_connector.cc | 3 - + ...nfiguration_policy_handler_list_factory.cc | 11 +- + .../account_consistency_mode_manager.cc | 7 +- + ...ccount_consistency_mode_manager_factory.cc | 2 +- + .../throttled_gaia_auth_fetcher.cc | 5 + + chrome/browser/signin/chrome_signin_client.cc | 7 +- + .../browser/signin/dice_response_handler.cc | 4 +- + .../ui/webui/policy/policy_ui_handler.cc | 104 ++++++++++++- + .../ui/webui/policy/policy_ui_handler.h | 2 + + .../strings/android/browser_ui_strings.grd | 2 +- + .../commerce/core/commerce_feature_list.cc | 61 +------- + .../core/browser/browser_policy_connector.cc | 3 + + .../common/command_line_policy_provider.cc | 3 + + .../core/common/policy_loader_command_line.cc | 138 ++++++++++++++++-- + .../policy/core/common/policy_pref_names.cc | 3 + + .../policy/core/common/policy_pref_names.h | 1 + + .../policy/core/common/policy_service_impl.cc | 3 + + .../policy/core/common/policy_switches.cc | 2 + + .../policy/core/common/policy_switches.h | 1 + + .../ExtensionManifestV2Availability.yaml | 5 +- + .../Miscellaneous/SyncDisabled.yaml | 2 +- + .../policy/resources/webui/policy_row.html | 1 + + .../policy/resources/webui/policy_row.ts | 12 ++ + components/policy_strings.grdp | 4 +- + components/search/ntp_features.cc | 1 + + components/signin/features.gni | 2 +- + .../gaia_cookie_manager_service.cc | 4 + + extensions/common/extension_features.cc | 1 + + google_apis/gaia/gaia_auth_fetcher.cc | 1 + + net/socket/ssl_client_socket_impl.cc | 3 + + 35 files changed, 326 insertions(+), 162 deletions(-) + +diff 
--git a/base/win/win_util.cc b/base/win/win_util.cc +--- a/base/win/win_util.cc ++++ b/base/win/win_util.cc +@@ -157,80 +157,18 @@ bool EnablePerMonitorV2() { + } + + bool* GetDomainEnrollmentStateStorage() { +- static bool state = IsOS(OS_DOMAINMEMBER); ++ static bool state = false; + return &state; + } + + bool* GetRegisteredWithManagementStateStorage() { +- static bool state = [] { +- // Mitigate the issues caused by loading DLLs on a background thread +- // (http://crbug/973868). +- SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY(); +- +- ScopedNativeLibrary library( +- FilePath(FILE_PATH_LITERAL("MDMRegistration.dll"))); +- if (!library.is_valid()) { +- return false; +- } +- +- using IsDeviceRegisteredWithManagementFunction = +- decltype(&::IsDeviceRegisteredWithManagement); +- IsDeviceRegisteredWithManagementFunction +- is_device_registered_with_management_function = +- reinterpret_cast( +- library.GetFunctionPointer("IsDeviceRegisteredWithManagement")); +- if (!is_device_registered_with_management_function) { +- return false; +- } +- +- BOOL is_managed = FALSE; +- HRESULT hr = +- is_device_registered_with_management_function(&is_managed, 0, nullptr); +- return SUCCEEDED(hr) && is_managed; +- }(); +- ++ static bool state = false; + return &state; + } + + // TODO (crbug/1300219): return a DSREG_JOIN_TYPE* instead of bool*. + bool* GetAzureADJoinStateStorage() { +- static bool state = [] { +- base::ElapsedTimer timer; +- +- // Mitigate the issues caused by loading DLLs on a background thread +- // (http://crbug/973868). 
+- SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY(); +- +- ScopedNativeLibrary netapi32( +- base::LoadSystemLibrary(FILE_PATH_LITERAL("netapi32.dll"))); +- if (!netapi32.is_valid()) { +- return false; +- } +- +- const auto net_get_aad_join_information_function = +- reinterpret_cast( +- netapi32.GetFunctionPointer("NetGetAadJoinInformation")); +- if (!net_get_aad_join_information_function) { +- return false; +- } +- +- const auto net_free_aad_join_information_function = +- reinterpret_cast( +- netapi32.GetFunctionPointer("NetFreeAadJoinInformation")); +- DPCHECK(net_free_aad_join_information_function); +- +- DSREG_JOIN_INFO* join_info = nullptr; +- HRESULT hr = net_get_aad_join_information_function(/*pcszTenantId=*/nullptr, +- &join_info); +- const bool is_aad_joined = SUCCEEDED(hr) && join_info; +- if (join_info) { +- net_free_aad_join_information_function(join_info); +- } +- +- base::UmaHistogramTimes("EnterpriseCheck.AzureADJoinStatusCheckTime", +- timer.Elapsed()); +- return is_aad_joined; +- }(); ++ static bool state = false; + return &state; + } + +diff --git a/chrome/android/java/AndroidManifest.xml b/chrome/android/java/AndroidManifest.xml +--- a/chrome/android/java/AndroidManifest.xml ++++ b/chrome/android/java/AndroidManifest.xml +@@ -82,9 +82,7 @@ by a child template that "extends" this file. + + + +- + +- + + + +@@ -101,7 +99,6 @@ by a child template that "extends" this file. + resizeTo, moveBy}|). + --> + +- + + + +@@ -148,7 +145,6 @@ by a child template that "extends" this file. 
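Review bot: The three `static bool state = false;` replacements in `GetDomainEnrollmentStateStorage`, `GetRegisteredWithManagementStateStorage` and `GetAzureADJoinStateStorage` carry no comment saying that the result is now fixed on purpose. Anything that consults these values will treat every Windows install as unmanaged, including machines that really are domain-joined or MDM-enrolled; the callers are outside this hunk, so which features and policy sources that affects should be confirmed. I would add one line above the first function, `// Cromite: management state is always reported as false; the OS is never queried.`, so that a later rebase does not restore the probes by accident.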
+ + + +- + + {% block extra_uses_permissions %} + {% endblock %} +diff --git a/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc b/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc +--- a/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc ++++ b/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc +@@ -58,6 +58,11 @@ static jboolean + JNI_PrivacyPreferencesManagerImpl_IsMetricsReportingDisabledByPolicy( + JNIEnv* env) { + const PrefService* local_state = g_browser_process->local_state(); ++ // this point (policy with 'future') gave me false, false ++ // LOG(INFO) << "---IsMetricsReportingDisabledByPolicy " ++ // << local_state->IsManagedPreference(metrics::prefs::kMetricsReportingEnabled) ++ // << " " ++ // << local_state->GetBoolean(metrics::prefs::kMetricsReportingEnabled); + return local_state->IsManagedPreference( + metrics::prefs::kMetricsReportingEnabled) && + !local_state->GetBoolean(metrics::prefs::kMetricsReportingEnabled); +diff --git a/chrome/browser/metrics/chrome_feature_list_creator.cc b/chrome/browser/metrics/chrome_feature_list_creator.cc +--- a/chrome/browser/metrics/chrome_feature_list_creator.cc ++++ b/chrome/browser/metrics/chrome_feature_list_creator.cc +@@ -57,6 +57,8 @@ + #include "content/public/common/content_switches.h" + #include "services/network/public/cpp/network_switches.h" + #include "ui/base/resource/resource_bundle.h" ++#include "components/policy/core/common/policy_pref_names.h" ++#include "components/policy/core/common/policy_switches.h" + + #if BUILDFLAG(IS_CHROMEOS) + #include "chrome/browser/ash/policy/core/browser_policy_connector_ash.h" +@@ -199,6 +201,16 @@ void ChromeFeatureListCreator::CreatePrefService() { + // ManagementService's cache. 
+ if (local_state_pref_store->ReadPrefs() == + JsonPrefStore::PREF_READ_ERROR_NONE) { ++ // add list of user disabled policies to command line ++ base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); ++ const base::Value* stored_value = nullptr; ++ if (local_state_pref_store->GetValue(policy::policy_prefs::kDisabledDefaultPoliciesList, &stored_value) && ++ stored_value->is_string()) { ++ std::string disabled_policies = stored_value->GetString(); ++ if (!disabled_policies.empty()) { ++ command_line->AppendSwitchASCII(policy::switches::kForceDisabledPolicies, disabled_policies); ++ } ++ } + auto* platform_management_service = + policy::ManagementServiceFactory::GetForPlatform(); + platform_management_service->UsePrefStoreAsCache(local_state_pref_store); +diff --git a/chrome/browser/navigation_predictor/search_engine_preconnector.cc b/chrome/browser/navigation_predictor/search_engine_preconnector.cc +--- a/chrome/browser/navigation_predictor/search_engine_preconnector.cc ++++ b/chrome/browser/navigation_predictor/search_engine_preconnector.cc +@@ -52,6 +52,7 @@ namespace features { + + BASE_FEATURE(kPreconnectFromKeyedService, base::FEATURE_DISABLED_BY_DEFAULT); + BASE_FEATURE(kPreconnectToSearch, base::FEATURE_ENABLED_BY_DEFAULT); ++SET_CROMITE_FEATURE_DISABLED(kPreconnectToSearch); + } // namespace features + + WebContentVisibilityManager::WebContentVisibilityManager() +diff --git a/chrome/browser/policy/chrome_browser_policy_connector.cc b/chrome/browser/policy/chrome_browser_policy_connector.cc +--- a/chrome/browser/policy/chrome_browser_policy_connector.cc ++++ b/chrome/browser/policy/chrome_browser_policy_connector.cc +@@ -134,9 +134,6 @@ bool ChromeBrowserPolicyConnector::HasMachineLevelPolicies() { + return true; + } + #endif // !BUILDFLAG(IS_CHROMEOS) +- if (ProviderHasPolicies(command_line_provider_)) { +- return true; +- } + return false; + } + +diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc 
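Review bot: The string read from `kDisabledDefaultPoliciesList` is passed to `AppendSwitchASCII` with no check of its contents, and Local State is a file that any process running as the user can modify. Because this list decides which enforced defaults are skipped at startup, it is worth filtering it against the known policy names before it reaches the command line, or at least logging what was applied. The two readers of the value also disagree on whitespace: the policy UI handler splits it with `base::TRIM_WHITESPACE` while the loader splits the switch with `base::KEEP_WHITESPACE`, so a hand-edited `A, B` shows as disabled in the UI but is still enforced; using `base::TRIM_WHITESPACE` in both places removes the mismatch. `CreatePrefService` continues outside the hunk.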
b/chrome/browser/policy/configuration_policy_handler_list_factory.cc +--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc ++++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc +@@ -2488,9 +2488,9 @@ bool AreFuturePoliciesEnabledByDefault() { + if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kTestType)) { + return true; + } +- version_info::Channel channel = chrome::GetChannel(); +- return channel != version_info::Channel::STABLE && +- channel != version_info::Channel::BETA; ++ // Future policies are allowed but not active without ++ // kEnableExperimentalPolicies policy ++ return true; + } + + } // namespace +@@ -3320,7 +3320,10 @@ std::unique_ptr BuildHandlerList( + key::kExtensionInstallCloudPolicyChecksEnabled, + extensions::pref_names::kExtensionInstallCloudPolicyChecksEnabled, + base::Value::Type::BOOLEAN)); +- ++ handlers->AddHandler(std::make_unique( ++ key::kExtensionManifestV2Availability, ++ extensions::pref_names::kManifestV2Availability, /*min=*/0, /*max=*/3, ++ /*clamp=*/false)); + #endif // BUILDFLAG(ENABLE_EXTENSIONS) + + #if BUILDFLAG(ENABLE_PRINT_PREVIEW) +diff --git a/chrome/browser/signin/account_consistency_mode_manager.cc b/chrome/browser/signin/account_consistency_mode_manager.cc +--- a/chrome/browser/signin/account_consistency_mode_manager.cc ++++ b/chrome/browser/signin/account_consistency_mode_manager.cc +@@ -170,7 +170,7 @@ void AccountConsistencyModeManager::SetIgnoreMissingOAuthClientForTesting() { + // static + bool AccountConsistencyModeManager::ShouldBuildServiceForProfile( + Profile* profile) { +- return profile->IsRegularProfile(); ++ return false; + } + + AccountConsistencyMethod +@@ -201,7 +201,8 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod( + #endif + + #if BUILDFLAG(ENABLE_MIRROR) +- return AccountConsistencyMethod::kMirror; ++ // always disabled ++ return AccountConsistencyMethod::kDisabled; + #elif BUILDFLAG(ENABLE_DICE_SUPPORT) + if 
(!profile->GetPrefs()->GetBoolean(prefs::kSigninAllowed)) { + VLOG(1) << "Desktop Identity Consistency disabled as sign-in to Chrome " +@@ -209,7 +210,7 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod( + return AccountConsistencyMethod::kDisabled; + } + +- return AccountConsistencyMethod::kDice; ++ return AccountConsistencyMethod::kDisabled; + #else + NOTREACHED(); + #endif +diff --git a/chrome/browser/signin/account_consistency_mode_manager_factory.cc b/chrome/browser/signin/account_consistency_mode_manager_factory.cc +--- a/chrome/browser/signin/account_consistency_mode_manager_factory.cc ++++ b/chrome/browser/signin/account_consistency_mode_manager_factory.cc +@@ -52,5 +52,5 @@ void AccountConsistencyModeManagerFactory::RegisterProfilePrefs( + + bool AccountConsistencyModeManagerFactory::ServiceIsCreatedWithBrowserContext() + const { +- return true; ++ return false; + } +diff --git a/chrome/browser/signin/bound_session_credentials/throttled_gaia_auth_fetcher.cc b/chrome/browser/signin/bound_session_credentials/throttled_gaia_auth_fetcher.cc +--- a/chrome/browser/signin/bound_session_credentials/throttled_gaia_auth_fetcher.cc ++++ b/chrome/browser/signin/bound_session_credentials/throttled_gaia_auth_fetcher.cc +@@ -15,6 +15,7 @@ + #include "net/cookies/cookie_util.h" + #include "services/network/public/cpp/shared_url_loader_factory.h" + #include "services/network/public/mojom/fetch_api.mojom-shared.h" ++#include "build/build_config.h" + + ThrottledGaiaAuthFetcher::ThrottledGaiaAuthFetcher( + GaiaAuthConsumer* consumer, +@@ -41,6 +42,7 @@ void ThrottledGaiaAuthFetcher::CreateAndStartGaiaFetcher( + const GURL& gaia_gurl, + network::mojom::CredentialsMode credentials_mode, + const net::NetworkTrafficAnnotationTag& traffic_annotation) { ++#if BUILDFLAG(ENABLE_BOUND_SESSION_CREDENTIALS) + if ((IsListAccountsUrl(gaia_gurl) || IsMultiloginUrl(gaia_gurl)) && + credentials_mode == network::mojom::CredentialsMode::kInclude && + 
GoogleURLLoaderThrottle::GetRequestBoundSessionStatus( +@@ -59,6 +61,7 @@ void ThrottledGaiaAuthFetcher::CreateAndStartGaiaFetcher( + GaiaAuthFetcher::CreateAndStartGaiaFetcher(body, body_content_type, headers, + gaia_gurl, credentials_mode, + traffic_annotation); ++#endif + } + + void ThrottledGaiaAuthFetcher::OnGaiaFetcherResumedOrCancelled( +@@ -70,6 +73,7 @@ void ThrottledGaiaAuthFetcher::OnGaiaFetcherResumedOrCancelled( + const net::NetworkTrafficAnnotationTag& traffic_annotation, + BoundSessionRequestThrottledHandler::UnblockAction unblock_action, + chrome::mojom::ResumeBlockedRequestsTrigger resume_trigger) { ++#if BUILDFLAG(ENABLE_BOUND_SESSION_CREDENTIALS) + switch (unblock_action) { + case BoundSessionRequestThrottledHandler::UnblockAction::kResume: + GaiaAuthFetcher::CreateAndStartGaiaFetcher( +@@ -81,4 +85,5 @@ void ThrottledGaiaAuthFetcher::OnGaiaFetcherResumedOrCancelled( + /*response_code=*/0); + break; + } ++#endif + } +diff --git a/chrome/browser/signin/chrome_signin_client.cc b/chrome/browser/signin/chrome_signin_client.cc +--- a/chrome/browser/signin/chrome_signin_client.cc ++++ b/chrome/browser/signin/chrome_signin_client.cc +@@ -265,7 +265,9 @@ void ChromeSigninClient::DoFinalInit() { + bool ChromeSigninClient::ProfileAllowsSigninCookies(Profile* profile) { + scoped_refptr cookie_settings = + CookieSettingsFactory::GetForProfile(profile); +- return signin::SettingsAllowSigninCookies(cookie_settings.get()); ++ // Make ChromeSigninClient compliant to SigninAllowed policy ++ bool cookiesAllowed = signin::SettingsAllowSigninCookies(cookie_settings.get()); ++ return cookiesAllowed && profile->GetPrefs()->GetBoolean(prefs::kSigninAllowed); + } + + PrefService* ChromeSigninClient::GetPrefs() { +@@ -386,6 +388,9 @@ bool ChromeSigninClient::AreNetworkCallsDelayed() { + } + + void ChromeSigninClient::DelayNetworkCall(base::OnceClosure callback) { ++ // Make ChromeSigninClient compliant to SigninAllowed policy ++ if (!AreSigninCookiesAllowed()) return; ++ 
+ wait_for_network_callback_helper_->DelayNetworkCall(std::move(callback)); + } + +diff --git a/chrome/browser/signin/dice_response_handler.cc b/chrome/browser/signin/dice_response_handler.cc +--- a/chrome/browser/signin/dice_response_handler.cc ++++ b/chrome/browser/signin/dice_response_handler.cc +@@ -53,7 +53,7 @@ namespace { + // The UMA histograms that logs events related to Dice responses. + const char kDiceResponseHeaderHistogram[] = "Signin.DiceResponseHeader"; + const char kDiceTokenFetchResultHistogram[] = "Signin.DiceTokenFetchResult"; +-const char kDiceTokenBindingOutcomeHistogram[] = ++[[maybe_unused]] const char kDiceTokenBindingOutcomeHistogram[] = + "Signin.DiceTokenBindingOutcome"; + + // Used for UMA. Do not reorder, append new values at the end. +@@ -387,8 +387,10 @@ void DiceResponseHandler::ProcessDiceSignoutHeader( + // - If there is a policy restriction on removing the primary account. + bool invalidate_only_primary_account = + identity_manager_->HasPrimaryAccount(signin::ConsentLevel::kSync) || ++#if BUILDFLAG(ENABLE_BOUND_SESSION_CREDENTIALS) + !signin::IsImplicitBrowserSigninOrExplicitDisabled( + identity_manager_, signin_client_->GetPrefs()) || ++#endif + !signin_client_->IsClearPrimaryAccountAllowed(); + + CoreAccountId primary_account = +diff --git a/chrome/browser/ui/webui/policy/policy_ui_handler.cc b/chrome/browser/ui/webui/policy/policy_ui_handler.cc +--- a/chrome/browser/ui/webui/policy/policy_ui_handler.cc ++++ b/chrome/browser/ui/webui/policy/policy_ui_handler.cc +@@ -26,6 +26,7 @@ + #include "base/memory/weak_ptr.h" + #include "base/metrics/histogram_functions.h" + #include "base/notreached.h" ++#include "base/strings/string_split.h" + #include "base/strings/utf_string_conversions.h" + #include "base/task/task_traits.h" + #include "base/task/thread_pool.h" +@@ -72,6 +73,7 @@ + #include "components/policy/core/common/policy_details.h" + #include "components/policy/core/common/policy_logger.h" + #include 
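Review bot: The early `return` added to `DelayNetworkCall` destroys `callback` without running it whenever `AreSigninCookiesAllowed()` is false. A caller that relies on that closure to finish or clean up a pending operation will never be notified; the callers are not visible here, so this needs checking. If dropping the call is intended, the comment should say so, for example `// Sign-in disabled: drop the request; |callback| is intentionally never run.`. The existing comment names the SigninAllowed policy while the condition tests the cookie setting, which presumably reaches `kSigninAllowed` only through the `ProfileAllowsSigninCookies` change in the previous hunk.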
"components/policy/core/common/policy_pref_names.h" ++#include "components/policy/core/common/policy_pref_names.h" + #include "components/policy/core/common/policy_scheduler.h" + #include "components/policy/core/common/policy_types.h" + #include "components/policy/core/common/policy_utils.h" +@@ -215,6 +217,10 @@ void PolicyUIHandler::RegisterMessages() { + "exportPoliciesJSON", + base::BindRepeating(&PolicyUIHandler::HandleExportPoliciesJson, + base::Unretained(this))); ++ web_ui()->RegisterMessageCallback( ++ "setEnabledPolicy", ++ base::BindRepeating(&PolicyUIHandler::HandleSetEnabledPolicy, ++ base::Unretained(this))); + web_ui()->RegisterMessageCallback( + "listenPoliciesUpdates", + base::BindRepeating(&PolicyUIHandler::HandleListenPoliciesUpdates, +@@ -505,8 +511,102 @@ void PolicyUIHandler::SendPolicies() { + "policies-updated", + base::Value( + policy_value_and_status_aggregator_->GetAggregatedPolicyNames()), +- base::Value( +- policy_value_and_status_aggregator_->GetAggregatedPolicyValues())); ++ base::Value(GetPolicyValues())); ++} ++ ++base::Value::Dict PolicyUIHandler::GetPolicyValues() { ++ base::Value::Dict policy = ++ policy_value_and_status_aggregator_->GetAggregatedPolicyValues(); ++ base::Value::Dict* policy_values = ++ policy.FindDict(policy::kPolicyValuesKey); ++ DCHECK(policy_values); ++ ++ PrefService* local_state = g_browser_process->local_state(); ++ DCHECK(local_state); ++ ++ // get user disabled list from local state ++ std::string disabled_policies_pref = ++ local_state->GetString(policy::policy_prefs::kDisabledDefaultPoliciesList); ++ std::vector disabled_policies = ++ base::SplitString(disabled_policies_pref, ",", ++ base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); ++ ++ auto* root = policy_values->FindDict(policy::kChromePoliciesId); ++ if (root) { ++ auto* list = root->FindDict(policy::kPoliciesKey); ++ if (list) { ++ // for each policy check if is disabled by the user ++ for (const auto name : *list) { ++ bool disabled = 
base::Contains(disabled_policies, name.first); ++ name.second.GetDict().Set("disabled", base::Value(disabled)); ++ } ++ ++ // add disabled policies so user can enable them ++ for (const std::string& name : disabled_policies) { ++ base::Value::Dict value; ++ value.Set("disabled", base::Value(true)); ++ ++ // set with some value (only for the ui) ++ // see components/policy/core/browser/policy_conversions_client.cc ++ value.Set("value", base::Value(false)); ++ value.Set("scope", base::Value("machine")); ++ value.Set("level", base::Value("mandatory")); ++ value.Set("source", base::Value("sourceDefault")); ++ list->Set(name, std::move(value)); ++ } ++ } ++ } ++ return policy; ++} ++ ++void PolicyUIHandler::HandleSetEnabledPolicy( ++ const base::Value::List& args) { ++ CHECK_EQ(2u, args.size()); ++ const std::string policy_name = args[0].GetString(); ++ bool enabled = args[1].GetBool(); ++ ++ // Check if policy exists ++ base::Value::Dict policy = ++ policy_value_and_status_aggregator_->GetAggregatedPolicyValues(); ++ base::Value::Dict* policy_values = ++ policy.FindDict(policy::kPolicyValuesKey); ++ DCHECK(policy_values); ++ ++ bool exists = false; ++ auto* root = policy_values->FindDict(policy::kChromePoliciesId); ++ if (root && g_browser_process) { ++ auto* list = root->FindDict(policy::kPoliciesKey); ++ if (list) { ++ for (const auto name : *list) { ++ if (name.first == policy_name) { ++ exists = true; ++ break; ++ } ++ } ++ } ++ } ++ ++ PrefService* local_state = g_browser_process->local_state(); ++ DCHECK(local_state); ++ ++ // get user disabled list from local state ++ std::string disabled_policies_pref = ++ local_state->GetString(policy::policy_prefs::kDisabledDefaultPoliciesList); ++ std::vector disabled_policies = ++ base::SplitString(disabled_policies_pref, ",", ++ base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); ++ ++ // remove policy ++ std::erase_if(disabled_policies, ++ [policy_name](const std::string& name) { return name == policy_name; }); ++ ++ // 
readd if exists and enabled ++ if (exists && !enabled) ++ disabled_policies.push_back(policy_name); ++ ++ // save current user disabled policy in local state ++ local_state->SetString(policy::policy_prefs::kDisabledDefaultPoliciesList, ++ base::JoinString(disabled_policies, ",")); + } + + void PolicyUIHandler::SendStatus() { +diff --git a/chrome/browser/ui/webui/policy/policy_ui_handler.h b/chrome/browser/ui/webui/policy/policy_ui_handler.h +--- a/chrome/browser/ui/webui/policy/policy_ui_handler.h ++++ b/chrome/browser/ui/webui/policy/policy_ui_handler.h +@@ -81,6 +81,8 @@ class PolicyUIHandler : public content::WebUIMessageHandler, + + private: + void HandleExportPoliciesJson(const base::Value::List& args); ++ void HandleSetEnabledPolicy(const base::Value::List& args); ++ base::Value::Dict GetPolicyValues(); + void HandleListenPoliciesUpdates(const base::Value::List& args); + void HandleReloadPolicies(const base::Value::List& args); + void HandleCopyPoliciesJson(const base::Value::List& args); +diff --git a/components/browser_ui/strings/android/browser_ui_strings.grd b/components/browser_ui/strings/android/browser_ui_strings.grd +--- a/components/browser_ui/strings/android/browser_ui_strings.grd ++++ b/components/browser_ui/strings/android/browser_ui_strings.grd +@@ -383,7 +383,7 @@ + + + +- Managed by your organization ++ This setting is enforced by Cromite. + + + Managed by your parents +diff --git a/components/commerce/core/commerce_feature_list.cc b/components/commerce/core/commerce_feature_list.cc +--- a/components/commerce/core/commerce_feature_list.cc ++++ b/components/commerce/core/commerce_feature_list.cc +@@ -67,56 +67,6 @@ const CountryLocaleMap& GetAllowedCountryToLocaleMap() { + return *allowed_map; + } + +-constexpr base::FeatureParam kRulePartnerMerchantPattern{ +- &ntp_features::kNtpChromeCartModule, "partner-merchant-pattern", +- // This regex does not match anything. 
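Review bot: `HandleSetEnabledPolicy` null-checks `g_browser_process` in `if (root && g_browser_process)` and then calls `g_browser_process->local_state()` unconditionally a few lines later, and both new functions dereference `policy_values` after only a `DCHECK`, which is compiled out of release builds. Either these pointers cannot be null and the partial check should go, or the function should return early with `if (!policy_values || !g_browser_process) return;`. The existence loop can be reduced to `const bool exists = list && list->contains(policy_name);`. The stored list is only applied at the next start, where `CreatePrefService` turns it into a switch, and nothing in this hunk says so; a comment above the `SetString` call stating that would help.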
+- "\\b\\B"}; +- +-constexpr base::FeatureParam kCouponPartnerMerchantPattern{ +- &commerce::kRetailCoupons, "coupon-partner-merchant-pattern", +- // This regex does not match anything. +- "\\b\\B"}; +- +-const re2::RE2& GetRulePartnerMerchantPattern() { +-#if !BUILDFLAG(IS_ANDROID) +- auto* pattern_from_component = +- commerce_heuristics::CommerceHeuristicsData::GetInstance() +- .GetRuleDiscountPartnerMerchantPattern(); +- if (pattern_from_component && kRulePartnerMerchantPattern.Get() == +- kRulePartnerMerchantPattern.default_value) { +- CommerceHeuristicsDataMetricsHelper::RecordPartnerMerchantPatternSource( +- CommerceHeuristicsDataMetricsHelper::HeuristicsSource::FROM_COMPONENT); +- return *pattern_from_component; +- } +-#endif // !BUILDFLAG(IS_ANDROID) +- re2::RE2::Options options; +- options.set_case_sensitive(false); +- static base::NoDestructor instance( +- kRulePartnerMerchantPattern.Get(), options); +- CommerceHeuristicsDataMetricsHelper::RecordPartnerMerchantPatternSource( +- CommerceHeuristicsDataMetricsHelper::HeuristicsSource:: +- FROM_FEATURE_PARAMETER); +- return *instance; +-} +- +-const re2::RE2& GetCouponPartnerMerchantPattern() { +-#if !BUILDFLAG(IS_ANDROID) +- auto* pattern_from_component = +- commerce_heuristics::CommerceHeuristicsData::GetInstance() +- .GetCouponDiscountPartnerMerchantPattern(); +- if (pattern_from_component && +- kCouponPartnerMerchantPattern.Get() == +- kCouponPartnerMerchantPattern.default_value) { +- return *pattern_from_component; +- } +-#endif // !BUILDFLAG(IS_ANDROID) +- re2::RE2::Options options; +- options.set_case_sensitive(false); +- static base::NoDestructor instance( +- kCouponPartnerMerchantPattern.Get(), options); +- return *instance; +-} +- + } // namespace + + BASE_FEATURE(kCommerceAllowLocalImages, base::FEATURE_DISABLED_BY_DEFAULT); +@@ -293,16 +243,15 @@ const base::FeatureParam kRevertIconOnFailure{ + &kShoppingList, kRevertIconOnFailureParam, false}; + + bool IsPartnerMerchant(const GURL& url) { +- 
return commerce::IsCouponDiscountPartnerMerchant(url) || +- IsRuleDiscountPartnerMerchant(url); ++ return false; + } + + bool IsRuleDiscountPartnerMerchant(const GURL& url) { +- return RE2::PartialMatch(url.spec(), GetRulePartnerMerchantPattern()); ++ return false; + } + + bool IsCouponDiscountPartnerMerchant(const GURL& url) { +- return RE2::PartialMatch(url.spec(), GetCouponPartnerMerchantPattern()); ++ return false; + } + + bool IsCartDiscountFeatureEnabled() { +@@ -354,6 +303,7 @@ bool IsEnabledForCountryAndLocale(const base::Feature& feature, + bool IsRegionLockedFeatureEnabled(const base::Feature& feature, + const std::string& country_code, + const std::string& locale) { ++ if ((true)) return false; + auto* feature_list = base::FeatureList::GetInstance(); + + // If the feature has a server-side config, this check will ensure that +@@ -386,6 +336,7 @@ base::TimeDelta GetDiscountFetchDelay() { + } + + bool IsNoDiscountMerchant(const GURL& url) { ++ if ((true)) return true; + auto* pattern_from_component = + commerce_heuristics::CommerceHeuristicsData::GetInstance() + .GetNoDiscountMerchantPattern(); +@@ -397,4 +348,6 @@ bool IsNoDiscountMerchant(const GURL& url) { + return RE2::PartialMatch(url.host_piece(), *pattern_from_component); + } + #endif ++ ++SET_CROMITE_FEATURE_DISABLED(kEnableDiscountInfoApi); + } // namespace commerce +diff --git a/components/policy/core/browser/browser_policy_connector.cc b/components/policy/core/browser/browser_policy_connector.cc +--- a/components/policy/core/browser/browser_policy_connector.cc ++++ b/components/policy/core/browser/browser_policy_connector.cc +@@ -155,6 +155,9 @@ void BrowserPolicyConnector::RegisterPrefs(PrefRegistrySimple* registry) { + CloudPolicyRefreshScheduler::kDefaultRefreshDelayMs); + registry->RegisterBooleanPref( + policy_prefs::kCloudManagementEnrollmentMandatory, false); ++ // register the pref for user disabled policies ++ registry->RegisterStringPref( ++ policy_prefs::kDisabledDefaultPoliciesList, 
std::string()); + } + + } // namespace policy +diff --git a/components/policy/core/common/command_line_policy_provider.cc b/components/policy/core/common/command_line_policy_provider.cc +--- a/components/policy/core/common/command_line_policy_provider.cc ++++ b/components/policy/core/common/command_line_policy_provider.cc +@@ -21,6 +21,9 @@ std::unique_ptr + CommandLinePolicyProvider::CreateIfAllowed( + const base::CommandLine& command_line, + version_info::Channel channel) { ++ if ((true)) ++ return base::WrapUnique(new CommandLinePolicyProvider(command_line)); ++ + #if BUILDFLAG(IS_ANDROID) + if (channel == version_info::Channel::STABLE || + channel == version_info::Channel::BETA) { +diff --git a/components/policy/core/common/policy_loader_command_line.cc b/components/policy/core/common/policy_loader_command_line.cc +--- a/components/policy/core/common/policy_loader_command_line.cc ++++ b/components/policy/core/common/policy_loader_command_line.cc +@@ -11,6 +11,31 @@ + #include "components/policy/core/common/policy_bundle.h" + #include "components/policy/core/common/policy_switches.h" + #include "components/policy/core/common/policy_types.h" ++#include "base/strings/string_split.h" ++#include "components/policy/core/common/policy_map.h" ++#include "components/policy/core/common/policy_namespace.h" ++#include "components/policy/policy_constants.h" ++ ++#include "chrome/browser/preloading/preloading_prefs.h" ++#include "chrome/browser/policy/browser_signin_policy_handler.h" ++ ++namespace { ++ // adds the policy if the user has allowed it ++ void AddPolicy( ++ const std::vector& disabled_policies, ++ policy::PolicyMap& policy_map, ++ const std::string& policy_name, ++ base::Value value) { ++ ++ if (std::find(disabled_policies.begin(), disabled_policies.end(), policy_name) ++ == disabled_policies.end()) { ++ policy_map.Set(policy_name, ++ policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE, ++ policy::POLICY_SOURCE_COMMAND_LINE, ++ std::move(value), 
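Review bot: `if ((true)) return base::WrapUnique(new CommandLinePolicyProvider(command_line));` in `CreateIfAllowed` makes the channel and Android checks below it unreachable, so the provider now exists on every build and channel. Those checks are what normally keep command-line policy off release builds, so the loader must not also accept arbitrary policy from the command line; the visible part of the `Load()` hunk later on this page removes the `kChromePolicy` JSON parsing, but that hunk runs past the end of what is shown, so this should be confirmed. A comment on the new line recording the assumption, for example `// Cromite: provider only serves built-in defaults; kChromePolicy is not parsed.`, would make the intent reviewable. The rest of `CreateIfAllowed` is outside the hunk.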
nullptr); ++ } ++ } ++} + + namespace policy { + +@@ -21,25 +46,106 @@ PolicyLoaderCommandLine::~PolicyLoaderCommandLine() = default; + + PolicyBundle PolicyLoaderCommandLine::Load() { + PolicyBundle bundle; +- if (!command_line_->HasSwitch(switches::kChromePolicy)) +- return bundle; + +- auto policies = base::JSONReader::ReadAndReturnValueWithError( +- command_line_->GetSwitchValueASCII(switches::kChromePolicy), +- base::JSONParserOptions::JSON_ALLOW_TRAILING_COMMAS); ++ PolicyMap& policy_map = ++ bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); + +- if (!policies.has_value()) { +- VLOG(1) << "Command line policy error: " << policies.error().message; +- return bundle; +- } +- if (!policies->is_dict()) { +- VLOG(1) << "Command line policy is not a dictionary"; +- return bundle; +- } ++ // get disabled policies ++ std::string disabled_policies = ++ command_line_->GetSwitchValueASCII(switches::kForceDisabledPolicies); ++ std::vector disabled_policies_list = ++ base::SplitString(disabled_policies, ",", ++ base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY); ++ ++ // whitelist a future policy. 
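Review bot: The added includes `chrome/browser/preloading/preloading_prefs.h` and `chrome/browser/policy/browser_signin_policy_handler.h` make a file under `components/policy/core/common` depend on `chrome/browser`, which inverts the usual components-to-chrome layering. From the part of `Load()` that is visible they appear to be needed only for two enumerators (`prefetch::NetworkPredictionOptions::kDisabled` and `policy::BrowserSigninMode::kDisabled`); passing the integer value with a comment naming the enumerator would avoid the dependency. In `AddPolicy`, `std::find` is used without `<algorithm>` being added; `base::Contains(disabled_policies, policy_name)` with `base/containers/contains.h` is shorter and matches what the policy UI handler does.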
++ base::Value::List enabled_future_policies; ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kSafeBrowsingEnabled, base::Value(false)); ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kSafeBrowsingExtendedReportingEnabled, base::Value(false)); ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kScrollToTextFragmentEnabled, base::Value(false)); ++ ++#if BUILDFLAG(IS_ANDROID) ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kContextualSearchEnabled, base::Value(false)); ++#endif ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kEnableMediaRouter, base::Value(false)); ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kUrlKeyedAnonymizedDataCollectionEnabled, base::Value(false)); ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kTranslateEnabled, base::Value(false)); ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kNetworkPredictionOptions, ++ base::Value(static_cast( ++ prefetch::NetworkPredictionOptions::kDisabled))); ++ ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kBrowserSignin, ++ base::Value(static_cast( ++ policy::BrowserSigninMode::kDisabled))); ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kSigninAllowed, base::Value(false)); ++ ++ // SyncDisabled need a change in policy_templates.json ++ // because is unofficially supported ++ // 1) remove future_on ++ // 2) add android supported_on ++ // and need some changes in code ++ // see https://bugs.chromium.org/p/chromium/issues/detail?id=1141797 ++ enabled_future_policies.Append(policy::key::kSyncDisabled); ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kSyncDisabled, base::Value(true)); ++ ++ // MetricsReportingEnabled need a change in policy_templates.json ++ // because is unofficially supported ++ // 1) remove future_on ++ // 2) add android supported_on ++ // and need some changes in code ++ // set metrics::prefs::kMetricsReportingEnabled to 
false ++ // same of "Disable various metrics" patch ++ // and deactivate the ui under IsManagedPreference() ++ enabled_future_policies.Append(policy::key::kMetricsReportingEnabled); ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kMetricsReportingEnabled, base::Value(false)); ++ ++ // Disable shopping list ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kShoppingListEnabled, base::Value(false)); ++ ++#if !BUILDFLAG(IS_ANDROID) ++ // Disable Google Search Side Panel ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kGoogleSearchSidePanelEnabled, base::Value(false)); ++#endif ++ ++ // Disable automatic https upgrade ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kHttpsUpgradesEnabled, base::Value(false)); ++ ++#if !BUILDFLAG(IS_ANDROID) ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kSideSearchEnabled, base::Value(false)); ++#endif ++ ++#if BUILDFLAG(IS_WIN) ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kExtensionManifestV2Availability, base::Value(/*Enabled*/ 2)); ++ //kExtensionUnpublishedAvailability ++ AddPolicy(disabled_policies_list, policy_map, policy::key::kDynamicCodeSettings, base::Value(/*DisabledForBrowser*/ 1)); ++#endif ++ ++ // kFirstPartySetsEnabled ++ // kLensCameraAssistedSearchEnabled ++ // kPasswordLeakDetectionEnabled ++ // kPasswordManagerEnabled ++ // kPromptForDownloadLocation ++ ++ // kAssistantWebEnabled ++ // BrowsingDataLifetime ?? 
++ // ClickToCallEnabled ++ // UrlParamFilterEnabled ++ // kSSLErrorOverrideAllowed ++ // kAdvancedProtectionAllowed ++ // kUserFeedbackAllowed ++ // DesktopSharingHubEnabled ++ // kSigninInterceptionEnabled ++ ++ policy_map.Set(policy::key::kEnableExperimentalPolicies, ++ policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE, ++ policy::POLICY_SOURCE_COMMAND_LINE, ++ base::Value(enabled_future_policies.Clone()), nullptr); + +- bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())) +- .LoadFrom(policies->GetDict(), POLICY_LEVEL_MANDATORY, +- POLICY_SCOPE_MACHINE, POLICY_SOURCE_COMMAND_LINE); + return bundle; + } + +diff --git a/components/policy/core/common/policy_pref_names.cc b/components/policy/core/common/policy_pref_names.cc +--- a/components/policy/core/common/policy_pref_names.cc ++++ b/components/policy/core/common/policy_pref_names.cc +@@ -95,6 +95,9 @@ const char kBackForwardCacheEnabled[] = "policy.back_forward_cache_enabled"; + const char kReadAloudEnabled[] = "policy.read_aloud_enabled"; + #endif // BUILDFLAG(IS_ANDROID) + ++const char kDisabledDefaultPoliciesList[] = ++ "policy.disabled_default_policies_list"; ++ + #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_IOS) + // Last time that a check for cloud policy management was done. 
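Review bot: In `PolicyLoaderCommandLine::Load()`, splitting the `kForceDisabledPolicies` value with `base::KEEP_WHITESPACE` means an entry written as `A, B` yields ` B`, which never equals a policy key in `AddPolicy`, so that opt-out is silently ignored; `base::TRIM_WHITESPACE` avoids this. Names that match no policy are dropped without a log line, which makes a mistyped value hard to diagnose. Several forced values change security-relevant behaviour (`kSafeBrowsingEnabled` and `kHttpsUpgradesEnabled` set to `false`) and carry at most a what-comment; a one-line rationale beside each would let the next reviewer judge them. The removed branch also means the `kChromePolicy` switch is now ignored without notice, which is worth a comment at the top of the function.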
This time is + // recorded on Android and iOS so that retries aren't attempted on every +diff --git a/components/policy/core/common/policy_pref_names.h b/components/policy/core/common/policy_pref_names.h +--- a/components/policy/core/common/policy_pref_names.h ++++ b/components/policy/core/common/policy_pref_names.h +@@ -65,6 +65,7 @@ extern const char kIncognitoModeBlocklist[]; + extern const char kIncognitoModeAllowlist[]; + extern const char kUserPolicyRefreshRate[]; + extern const char kIntensiveWakeUpThrottlingEnabled[]; ++extern const char kDisabledDefaultPoliciesList[]; + #if BUILDFLAG(IS_ANDROID) + extern const char kBackForwardCacheEnabled[]; + extern const char kReadAloudEnabled[]; +diff --git a/components/policy/core/common/policy_service_impl.cc b/components/policy/core/common/policy_service_impl.cc +--- a/components/policy/core/common/policy_service_impl.cc ++++ b/components/policy/core/common/policy_service_impl.cc +@@ -52,6 +52,9 @@ namespace { + // Metrics should not be enforced so if this policy is set as mandatory + // downgrade it to a recommended level policy. + void DowngradeMetricsReportingToRecommendedPolicy(PolicyMap* policies) { ++ // skip the change to 'Recommended' if the MetricsReportingEnabled ++ // policy is 'Mandatory'. ++ if ((true)) return; + // Capture both the Chrome-only and device-level policies on Chrome OS. + const std::vector metrics_keys = { + #if BUILDFLAG(IS_CHROMEOS) +diff --git a/components/policy/core/common/policy_switches.cc b/components/policy/core/common/policy_switches.cc +--- a/components/policy/core/common/policy_switches.cc ++++ b/components/policy/core/common/policy_switches.cc +@@ -28,6 +28,8 @@ const char kFileStorageServerUploadUrl[] = "file-storage-server-upload-url"; + // line flag. Can be used only for unit tests or browser tests. 
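Review bot: The comment added in `DowngradeMetricsReportingToRecommendedPolicy` describes a condition ("if the MetricsReportingEnabled policy is 'Mandatory'"), but the `if ((true)) return;` under it is unconditional and leaves the rest of the body dead. A comment that matches the code, such as `// Cromite: never downgrade; MetricsReportingEnabled=false must stay mandatory.`, would save a reader from looking for the check. The function body continues outside the hunk.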
+ const char kPolicyVerificationKey[] = "policy-verification-key"; + ++const char kForceDisabledPolicies[] = "force-disable-policies"; ++ + #if BUILDFLAG(IS_CHROMEOS) + // Disables the verification of policy signing keys. It just works on Chrome OS + // test images and crashes otherwise. +diff --git a/components/policy/core/common/policy_switches.h b/components/policy/core/common/policy_switches.h +--- a/components/policy/core/common/policy_switches.h ++++ b/components/policy/core/common/policy_switches.h +@@ -19,6 +19,7 @@ extern const char kChromePolicy[]; + extern const char kSecureConnectApiUrl[]; + extern const char kFileStorageServerUploadUrl[]; + extern const char kPolicyVerificationKey[]; ++extern const char kForceDisabledPolicies[]; + #if BUILDFLAG(IS_CHROMEOS) + extern const char kDisablePolicyKeyVerification[]; + #endif // BUILDFLAG(IS_CHROMEOS) +diff --git a/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml b/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml +--- a/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml ++++ b/components/policy/resources/templates/policy_definitions/Extensions/ExtensionManifestV2Availability.yaml +@@ -17,9 +17,8 @@ desc: |- + + Extensions availability are still controlled by other policies. 
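Review bot: `kForceDisabledPolicies` is the only switch in this hunk of `policy_switches.cc` without a describing comment, and its constant name (`ForceDisabled`) does not match its flag text (`force-disable-policies`). Suggested comment: `// Comma-separated list of policy names whose built-in default value should not be applied.` That format is taken from how `PolicyLoaderCommandLine::Load()` splits the value elsewhere in this patch.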
+ supported_on: +-- chrome.*:110-138 +-- chrome_os:110-138 +-deprecated: true ++- chrome.*:110- ++- chrome_os:110- + features: + dynamic_refresh: true + per_profile: true +diff --git a/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml b/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml +--- a/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml ++++ b/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml +@@ -14,7 +14,6 @@ features: + dynamic_refresh: true + per_profile: true + future_on: +-- android + - fuchsia + items: + - caption: Disable Chrome Sync +@@ -31,6 +30,7 @@ supported_on: + - chrome.*:8- + - chrome_os:11- + - ios:96- ++- android:8- + tags: + - filtering + - google-sharing +diff --git a/components/policy/resources/webui/policy_row.html b/components/policy/resources/webui/policy_row.html +--- a/components/policy/resources/webui/policy_row.html ++++ b/components/policy/resources/webui/policy_row.html +@@ -163,6 +163,7 @@ a { +
+
+ ++ + + + +diff --git a/components/policy/resources/webui/policy_row.ts b/components/policy/resources/webui/policy_row.ts +--- a/components/policy/resources/webui/policy_row.ts ++++ b/components/policy/resources/webui/policy_row.ts +@@ -15,6 +15,7 @@ import {getTemplate} from './policy_row.html.js'; + export interface Policy { + ignored?: boolean; + name: string; ++ disabled: boolean; + level: string; + link?: string; + scope: string; +@@ -57,6 +58,9 @@ export class PolicyRowElement extends CustomElement { + const copy = this.shadowRoot!.querySelector('.copy-value'); + copy!.addEventListener('click', () => this.copyValue_()); + ++ const enabledBox = this.shadowRoot!.querySelector('.enabled_box'); ++ enabledBox!.addEventListener('change', () => this.enabledChanged_()); ++ + this.setAttribute('role', 'rowgroup'); + this.classList.add('policy-data'); + } +@@ -94,6 +98,9 @@ export class PolicyRowElement extends CustomElement { + this.toggleAttribute('no-help-link', true); + } + ++ const enabledBox = this.shadowRoot!.querySelector('.enabled_box'); ++ enabledBox.checked = !policy.disabled; ++ + // Populate the remaining columns with policy scope, level and value if a + // value has been set. Otherwise, leave them blank. + if (!this.unset_) { +@@ -227,6 +234,11 @@ export class PolicyRowElement extends CustomElement { + } + } + ++ enabledChanged_() { ++ const enabledBox = this.shadowRoot!.querySelector('.enabled_box'); ++ chrome.send('setEnabledPolicy', [this.policy.name, enabledBox.checked]); ++ } ++ + // Copies the policy's value to the clipboard. 
+ private copyValue_() { + const policyValueDisplay = +diff --git a/components/policy_strings.grdp b/components/policy_strings.grdp +--- a/components/policy_strings.grdp ++++ b/components/policy_strings.grdp +@@ -672,8 +672,8 @@ Additional details: + + Default + +- +- Command line ++ ++ Bromite default + + + Cloud +diff --git a/components/search/ntp_features.cc b/components/search/ntp_features.cc +--- a/components/search/ntp_features.cc ++++ b/components/search/ntp_features.cc +@@ -81,6 +81,7 @@ BASE_FEATURE(kNtpCalendarModule, base::FEATURE_ENABLED_BY_DEFAULT); + + // If enabled, chrome cart module will be shown. + BASE_FEATURE(kNtpChromeCartModule, base::FEATURE_ENABLED_BY_DEFAULT); ++SET_CROMITE_FEATURE_DISABLED(kNtpChromeCartModule); + + #if !defined(OFFICIAL_BUILD) + // If enabled, dummy modules will be shown. +diff --git a/components/signin/features.gni b/components/signin/features.gni +--- a/components/signin/features.gni ++++ b/components/signin/features.gni +@@ -6,7 +6,7 @@ import("//build/config/chrome_build.gni") + + declare_args() { + # Compile time flag for Bound Session Credentials. +- enable_bound_session_credentials = is_linux || is_mac || is_win ++ enable_bound_session_credentials = false + } + + # Dice is supported on the platform (but not necessarily enabled). 
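Review bot: `enabledChanged_()` in `policy_row.ts` passes `this.policy.name` to the browser process through `chrome.send('setEnabledPolicy', ...)`, and the handler for that message is not in this file, so it should be confirmed that the handler accepts only names of known policies before storing them. The method is declared without `private`, unlike `copyValue_()` directly below it; `private enabledChanged_() {` keeps the class surface consistent. The `.enabled_box` lookup is repeated in three hunks of this file and could be held in a field.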
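Review bot: Hard-coding `enable_bound_session_credentials = false` in `components/signin/features.gni` turns the feature off on Linux, macOS and Windows, where it was previously compiled in, and nothing in the hunk records why. Bound session credentials are a defence against reuse of stolen session cookies, so the rationale belongs next to the assignment, e.g. `# Cromite: disabled on all platforms because <reason>.` with the reason supplied by the author.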
+diff --git a/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc b/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc +--- a/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc ++++ b/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc +@@ -465,6 +465,8 @@ void GaiaCookieManagerService::RegisterPrefs(PrefRegistrySimple* registry) { + } + + void GaiaCookieManagerService::InitCookieListener() { ++ // Make GaiaCookieManagerService compliant to SigninAllowed policy ++ if (!signin_client_->AreSigninCookiesAllowed()) return; + DCHECK(!cookie_listener_receiver_.is_bound()); + + network::mojom::CookieManager* cookie_manager = +@@ -846,6 +848,8 @@ void GaiaCookieManagerService::OnSetAccountsFinished( + } + + void GaiaCookieManagerService::HandleNextRequest() { ++ // Make GaiaCookieManagerService compliant to SigninAllowed policy ++ if (!signin_client_->AreSigninCookiesAllowed()) requests_.clear(); + // Pop the completed request. 
+ requests_.pop_front(); + OptimizeListAccounts(); +diff --git a/extensions/common/extension_features.cc b/extensions/common/extension_features.cc +--- a/extensions/common/extension_features.cc ++++ b/extensions/common/extension_features.cc +@@ -45,6 +45,7 @@ BASE_FEATURE(kApiRuntimeGetPlatformInfoNaClArch, + + BASE_FEATURE(kAllowWithholdingExtensionPermissionsOnInstall, + base::FEATURE_DISABLED_BY_DEFAULT); ++SET_CROMITE_FEATURE_DISABLED(kExtensionsManifestV3Only); + + BASE_FEATURE(kCheckingNoExtensionIdInExtensionIpcs, + "EMF_NO_EXTENSION_ID_FOR_EXTENSION_SOURCE", +diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc +--- a/google_apis/gaia/gaia_auth_fetcher.cc ++++ b/google_apis/gaia/gaia_auth_fetcher.cc +@@ -469,6 +469,7 @@ void GaiaAuthFetcher::StartListAccounts() { + })"); + net::HttpRequestHeaders headers; + headers.SetHeader("Origin", "https://www.google.com"); ++ LOG(INFO) << "---CreateAndStartGaiaFetcher"; + CreateAndStartGaiaFetcher( + " ", // To force an HTTP POST. + kFormEncodedContentType, headers, +diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc +--- a/net/socket/ssl_client_socket_impl.cc ++++ b/net/socket/ssl_client_socket_impl.cc +@@ -794,6 +794,7 @@ int SSLClientSocketImpl::Init() { + return ERR_UNEXPECTED; + } + ++ // Disable Insecure Handshake Hashes + // Disable SHA-1 server signatures. + // TODO(crbug.com/boringssl/699): Once the default is flipped in BoringSSL, we + // no longer need to override it. +@@ -1216,6 +1217,8 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() { + + cert_verifier_request_.reset(); + ++ SSL_set_enforce_rsa_key_usage(ssl_.get(), true); ++ + // If the connection was good, check HPKP and CT status simultaneously, + // but prefer to treat the HPKP error as more serious, if there was one. + if (result == OK || result == ERR_CERTIFICATE_TRANSPARENCY_REQUIRED) { +-- 
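Review bot: In `GaiaCookieManagerService::HandleNextRequest`, the added `requests_.clear();` is followed directly by the existing `requests_.pop_front();`, so when sign-in cookies are not allowed the pop runs on an empty container. Assuming `requests_` is a deque-like container, that is undefined behaviour for a standard one and at best a failed check for a Chromium one. The guard needs to leave the function after clearing, for example `if (!signin_client_->AreSigninCookiesAllowed()) { requests_.clear(); return; }`; whether the code after `OptimizeListAccounts()` must still run in that case is not visible here. The function body continues outside the hunk.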
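Review bot: `SET_CROMITE_FEATURE_DISABLED(kExtensionsManifestV3Only);` in `extension_features.cc` is inserted after the definition of `kAllowWithholdingExtensionPermissionsOnInstall`, not next to the feature it changes. The other use in this patch (`kNtpChromeCartModule` in `ntp_features.cc`) puts the macro directly under the matching `BASE_FEATURE`. Doing the same here would make the override easy to find and would not rely on `kExtensionsManifestV3Only` already being defined at this point in the file, which the hunk does not show.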
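Review bot: `LOG(INFO) << "---CreateAndStartGaiaFetcher";` in `GaiaAuthFetcher::StartListAccounts` looks like leftover debugging output and would be written to the log on every call in release builds. Remove it, or use `VLOG(1) << "StartListAccounts: starting Gaia fetcher";` if the trace is still wanted. The function body continues outside the hunk.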
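Review bot: The added `SSL_set_enforce_rsa_key_usage(ssl_.get(), true);` in `SSLClientSocketImpl::HandleVerifyResult` has no comment, while the only comment this patch adds to the file (`// Disable Insecure Handshake Hashes` in `Init()`) sits above code the patch does not change. A line such as `// Cromite: always enforce the RSA keyUsage check, regardless of which root the chain ends in.` would record the intent. The last clause is my reading of the hard-coded `true` and should be confirmed by the author. The function body continues outside the hunk.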
diff --git a/build/cromite_patches_list.txt b/build/cromite_patches_list.txt index 7009ffd9..13624b91 100644 --- a/build/cromite_patches_list.txt +++ b/build/cromite_patches_list.txt @@ -181,6 +181,8 @@ Use-browser-navigation-handler.patch Compress-libchrome-to-free-up-some-space.patch Disable-Android-Tab-Declutter.patch Temp-disable-UseContextSnapshot.patch +add-browser-policy.patch +Keep-Side-Panel-Companion-disabled.patch eyeo-133.0.6943.49-base.patch eyeo-133.0.6943.49-chrome_integration.patch -- GitLab