Chromium Code Reviews Chromium Code Reviews
Issue 2087743002:
Add Enterprise Policy for whitelisting hosts as exempt from CT (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@symantec_ct| OLD | NEW |
|---|---|
| 1 { | 1 { |
| 2 # policy_templates.json - Metafile for policy templates | 2 # policy_templates.json - Metafile for policy templates |
| 3 # | 3 # |
| 4 # The content of this file is evaluated as a Python expression. | 4 # The content of this file is evaluated as a Python expression. |
| 5 # | 5 # |
| 6 # This file is used as input to generate the following policy templates: | 6 # This file is used as input to generate the following policy templates: |
| 7 # ADM, ADMX+ADML, MCX/plist and html documentation. | 7 # ADM, ADMX+ADML, MCX/plist and html documentation. |
| 8 # | 8 # |
| 9 # Policy templates are user interface definitions or documents about the | 9 # Policy templates are user interface definitions or documents about the |
| 10 # policies that can be used to configure Chrome. Each policy is a name-value | 10 # policies that can be used to configure Chrome. Each policy is a name-value |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 130 # templates and documentation. The policy definition list that Chrome sees | 130 # templates and documentation. The policy definition list that Chrome sees |
| 131 # will include policies marked with 'future'. If a WIP policy isn't meant to | 131 # will include policies marked with 'future'. If a WIP policy isn't meant to |
| 132 # be seen by the policy providers either, the 'supported_on' key should be set | 132 # be seen by the policy providers either, the 'supported_on' key should be set |
| 133 # to an empty list. | 133 # to an empty list. |
| 134 # | 134 # |
| 135 # IDs: | 135 # IDs: |
| 136 # Since a Protocol Buffer definition is generated from this file, unique and | 136 # Since a Protocol Buffer definition is generated from this file, unique and |
| 137 # persistent IDs for all fields (but not for groups!) are needed. These are | 137 # persistent IDs for all fields (but not for groups!) are needed. These are |
| 138 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, | 138 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, |
| 139 # because doing so would break the deployed wire format! | 139 # because doing so would break the deployed wire format! |
| 140 # For your editing convenience: highest ID currently used: 333 | 140 # For your editing convenience: highest ID currently used: 334 |
| 141 # | 141 # |
| 142 # Placeholders: | 142 # Placeholders: |
| 143 # The following placeholder strings are automatically substituted: | 143 # The following placeholder strings are automatically substituted: |
| 144 # $1 -> Google Chrome / Chromium | 144 # $1 -> Google Chrome / Chromium |
| 145 # $2 -> Google Chrome OS / Chromium OS | 145 # $2 -> Google Chrome OS / Chromium OS |
| 146 # $3 -> Google Chrome Frame / Chromium Frame | 146 # $3 -> Google Chrome Frame / Chromium Frame |
| 147 # $6 is reserved for doc_writer | 147 # $6 is reserved for doc_writer |
| 148 # | 148 # |
| 149 # Device Policy: | 149 # Device Policy: |
| 150 # An additional flag 'device_only' (optional, defaults to False) indicates | 150 # An additional flag 'device_only' (optional, defaults to False) indicates |
| (...skipping 7760 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7911 'tags': ['system-security'], | 7911 'tags': ['system-security'], |
| 7912 'desc': '''Warning: The TLS version fallback will be removed from <ph name ="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then. | 7912 'desc': '''Warning: The TLS version fallback will be removed from <ph name ="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September 2016) and this policy will stop working then. |
| 7913 | 7913 |
| 7914 When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</e x></ph> would previously retry the connection with a lesser version of TLS in or der to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't appl y. Regardless, the resulting connection must still comply with SSLVersionMin. | 7914 When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</e x></ph> would previously retry the connection with a lesser version of TLS in or der to work around bugs in HTTPS servers. This setting configures the version at which this fallback process will stop. If a server performs version negotiation correctly (i.e. without breaking the connection) then this setting doesn't appl y. Regardless, the resulting connection must still comply with SSLVersionMin. |
| 7915 | 7915 |
| 7916 If this policy is not configured or if it is set to "tls1.2" then <ph name ="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback. Note this does not disable support for older TLS versions, only whether <ph name ="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers whi ch cannot negotiate versions correctly. | 7916 If this policy is not configured or if it is set to "tls1.2" then <ph name ="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback. Note this does not disable support for older TLS versions, only whether <ph name ="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers whi ch cannot negotiate versions correctly. |
| 7917 | 7917 |
| 7918 Otherwise, if compatibility with a buggy server must be maintained, this p olicy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''', | 7918 Otherwise, if compatibility with a buggy server must be maintained, this p olicy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''', |
| 7919 }, | 7919 }, |
| 7920 { | 7920 { |
| 7921 'name': 'CertificateTransparencyEnforcementDisabledForUrls', | |
| 7922 'type': 'list', | |
| 7923 'schema': { | |
| 7924 'type': 'array', | |
| 7925 'items': { 'type': 'string' }, | |
| 7926 }, | |
| 7927 'supported_on': [ | |
| 7928 'chrome.*:53-', | |
| 7929 'chrome_os:53-', | |
| 7930 'android:53-', | |
| 7931 ], | |
| 7932 'features': { | |
| 7933 'dynamic_refresh': True, | |
| 7934 'per_profile': False, | |
| 7935 }, | |
| 7936 'example_value': ['example.com', '[.*].example.com'], | |
| 7937 'id': 334, | |
| 7938 'caption': '''Disable Certificate Transparency enforcement for a list of U RLs''', | |
| 7939 'tags': ['system-security'], | |
| 7940 'desc': '''Disables enforcing Certificate Transparency requirements to the listed URLs. | |
| 7941 | |
| 7942 This policy allows certificates for the hostnames in the specified URLs to not be disclosed via Certificate Transparency. This allows certificates that wo uld otherwise be untrusted, because they were not properly publicly disclosed, t o continue to be used, but makes it harder to detect misissued certificates for those hosts. | |
|
Andrew T Wilson (Slow)
2016/06/21 08:37:48
This is fine, but I'm curious why we need this pol
Ryan Sleevi
2016/06/21 17:01:01
That's our preferred/recommended path.
However, i
| |
| 7943 | |
| 7944 A URL pattern is formatted according to https://www.chromium.org/administr ators/url-blacklist-filter-format, but because certificates are valid for any po rt and path on the server, only the hostname will be considered. | |
|
Thiemo Nagel
2016/06/21 10:54:06
I think it's fair to re-use the blacklist filter f
Ryan Sleevi
2016/06/21 17:01:01
Correct - everything but the hostname is ignored.
| |
| 7945 | |
| 7946 If this policy is not set, any certificate that is required to be disclose d via Certificate Transparency will be treated as untrusted if it is not disclos ed.''', | |
| 7947 }, | |
| 7948 { | |
| 7921 'name': 'RC4Enabled', | 7949 'name': 'RC4Enabled', |
| 7922 'type': 'main', | 7950 'type': 'main', |
| 7923 'schema': { | 7951 'schema': { |
| 7924 'type': 'boolean', | 7952 'type': 'boolean', |
| 7925 }, | 7953 }, |
| 7926 'supported_on': [ | 7954 'supported_on': [ |
| 7927 'chrome.*:48-52', | 7955 'chrome.*:48-52', |
| 7928 'chrome_os:48-52', | 7956 'chrome_os:48-52', |
| 7929 'android:48-52', | 7957 'android:48-52', |
| 7930 'ios:48-52', | 7958 'ios:48-52', |
| (...skipping 823 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 8754 'desc': '''Text appended in parentheses next to the policies top-level con tainer to indicate that those policies are of the Recommended level''', | 8782 'desc': '''Text appended in parentheses next to the policies top-level con tainer to indicate that those policies are of the Recommended level''', |
| 8755 'text': 'Default Settings (users can override)', | 8783 'text': 'Default Settings (users can override)', |
| 8756 }, | 8784 }, |
| 8757 'doc_complex_policies_on_windows': { | 8785 'doc_complex_policies_on_windows': { |
| 8758 'desc': '''Text pointing the user to a help article for complex policies o n Windows''', | 8786 'desc': '''Text pointing the user to a help article for complex policies o n Windows''', |
| 8759 'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POL ICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<e x>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>' '', | 8787 'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POL ICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<e x>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>' '', |
| 8760 }, | 8788 }, |
| 8761 }, | 8789 }, |
| 8762 'placeholders': [], | 8790 'placeholders': [], |
| 8763 } | 8791 } |
| OLD | NEW |
