Index: components/policy/resources/policy_templates.json |
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json |
index 75582b6d87d6160d1c404b05780bd10a52548596..0b3d8e3400c4f9423616d7a5a78e40b55a5a0f52 100644 |
--- a/components/policy/resources/policy_templates.json |
+++ b/components/policy/resources/policy_templates.json |
@@ -137,7 +137,7 @@ |
# persistent IDs for all fields (but not for groups!) are needed. These are |
# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, |
# because doing so would break the deployed wire format! |
-# For your editing convenience: highest ID currently used: 333 |
+# For your editing convenience: highest ID currently used: 334 |
# |
# Placeholders: |
# The following placeholder strings are automatically substituted: |
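Review bot: The "highest ID currently used" line is only a convenience comment, so bumping it to 334 does not stop a concurrently landing policy from claiming the same number. The header above warns that IDs are the deployed wire format and must never change, so confirm at rebase time that 334 is still free and that this counter matches the 'id' of the entry added later in this file.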
@@ -7918,6 +7918,34 @@ |
Otherwise, if compatibility with a buggy server must be maintained, this policy may be set to "tls1.1". This is a stopgap measure and the server should be rapidly fixed.''', |
}, |
{ |
+ 'name': 'CertificateTransparencyEnforcementDisabledForUrls', |
+ 'type': 'list', |
+ 'schema': { |
+ 'type': 'array', |
+ 'items': { 'type': 'string' }, |
+ }, |
+ 'supported_on': [ |
+ 'chrome.*:53-', |
+ 'chrome_os:53-', |
+ 'android:53-', |
+ ], |
+ 'features': { |
+ 'dynamic_refresh': True, |
+ 'per_profile': False, |
+ }, |
+ 'example_value': ['example.com', '[.*].example.com'], |
+ 'id': 334, |
+ 'caption': '''Disable Certificate Transparency enforcement for a list of URLs''', |
+ 'tags': ['system-security'], |
+ 'desc': '''Disables enforcing Certificate Transparency requirements to the listed URLs. |
+ |
+ This policy allows certificates for the hostnames in the specified URLs to not be disclosed via Certificate Transparency. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used, but makes it harder to detect misissued certificates for those hosts. |
Andrew T Wilson (Slow)
2016/06/21 08:37:48
This is fine, but I'm curious why we need this pol
Ryan Sleevi
2016/06/21 17:01:01
That's our preferred/recommended path.
However, i
|
+ |
+ A URL pattern is formatted according to https://www.chromium.org/administrators/url-blacklist-filter-format, but because certificates are valid for any port and path on the server, only the hostname will be considered. |
Thiemo Nagel
2016/06/21 10:54:06
I think it's fair to re-use the blacklist filter f
Ryan Sleevi
2016/06/21 17:01:01
Correct - everything but the hostname is ignored.
|
+ |
+ If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed.''', |
+ }, |
+ { |
'name': 'RC4Enabled', |
'type': 'main', |
'schema': { |
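Review bot: In the new CertificateTransparencyEnforcementDisabledForUrls entry, 'example_value' gives '[.*].example.com' as its second item, which reads like notation for an optional part rather than a literal pattern an administrator could paste, and 'desc' never says whether listing example.com also exempts its subdomains. Each entry switches off Certificate Transparency enforcement for everything it matches, so the example should be a literal pattern in the linked filter format and 'desc' should state the subdomain behaviour. Because only the hostname is considered, it would also help to say outright that an entry carrying a scheme, port or path still exempts the whole host. Minor wording: "requirements to the listed URLs" should read "requirements for the listed URLs".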