| OLD | NEW |
|---|
| 1 { | 1 { |
| 2 # policy_templates.json - Metafile for policy templates | 2 # policy_templates.json - Metafile for policy templates |
| 3 # | 3 # |
| 4 # The content of this file is evaluated as a Python expression. | 4 # The content of this file is evaluated as a Python expression. |
| 5 # | 5 # |
| 6 # This file is used as input to generate the following policy templates: | 6 # This file is used as input to generate the following policy templates: |
| 7 # ADM, ADMX+ADML, MCX/plist and html documentation. | 7 # ADM, ADMX+ADML, MCX/plist and html documentation. |
| 8 # | 8 # |
| 9 # Policy templates are user interface definitions or documents about the | 9 # Policy templates are user interface definitions or documents about the |
| 10 # policies that can be used to configure Chrome. Each policy is a name-value | 10 # policies that can be used to configure Chrome. Each policy is a name-value |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 130 # templates and documentation. The policy definition list that Chrome sees | 130 # templates and documentation. The policy definition list that Chrome sees |
| 131 # will include policies marked with 'future'. If a WIP policy isn't meant to | 131 # will include policies marked with 'future'. If a WIP policy isn't meant to |
| 132 # be seen by the policy providers either, the 'supported_on' key should be set | 132 # be seen by the policy providers either, the 'supported_on' key should be set |
| 133 # to an empty list. | 133 # to an empty list. |
| 134 # | 134 # |
| 135 # IDs: | 135 # IDs: |
| 136 # Since a Protocol Buffer definition is generated from this file, unique and | 136 # Since a Protocol Buffer definition is generated from this file, unique and |
| 137 # persistent IDs for all fields (but not for groups!) are needed. These are | 137 # persistent IDs for all fields (but not for groups!) are needed. These are |
| 138 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, | 138 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, |
| 139 # because doing so would break the deployed wire format! | 139 # because doing so would break the deployed wire format! |
| 140 # For your editing convenience: highest ID currently used: 334 | 140 # For your editing convenience: highest ID currently used: 335 |
| 141 # | 141 # |
| 142 # Placeholders: | 142 # Placeholders: |
| 143 # The following placeholder strings are automatically substituted: | 143 # The following placeholder strings are automatically substituted: |
| 144 # $1 -> Google Chrome / Chromium | 144 # $1 -> Google Chrome / Chromium |
| 145 # $2 -> Google Chrome OS / Chromium OS | 145 # $2 -> Google Chrome OS / Chromium OS |
| 146 # $3 -> Google Chrome Frame / Chromium Frame | 146 # $3 -> Google Chrome Frame / Chromium Frame |
| 147 # $6 is reserved for doc_writer | 147 # $6 is reserved for doc_writer |
| 148 # | 148 # |
| 149 # Device Policy: | 149 # Device Policy: |
| 150 # An additional flag 'device_only' (optional, defaults to False) indicates | 150 # An additional flag 'device_only' (optional, defaults to False) indicates |
| (...skipping 7771 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7922 'tags': ['system-security'], | 7922 'tags': ['system-security'], |
| 7923 'desc': '''Warning: The TLS version fallback will be removed from <ph name
="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September
2016) and this policy will stop working then. | 7923 'desc': '''Warning: The TLS version fallback will be removed from <ph name
="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> after version 52 (around September
2016) and this policy will stop working then. |
| 7924 | 7924 |
| 7925 When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</e
x></ph> would previously retry the connection with a lesser version of TLS in or
der to work around bugs in HTTPS servers. This setting configures the version at
which this fallback process will stop. If a server performs version negotiation
correctly (i.e. without breaking the connection) then this setting doesn't appl
y. Regardless, the resulting connection must still comply with SSLVersionMin. | 7925 When a TLS handshake fails, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</e
x></ph> would previously retry the connection with a lesser version of TLS in or
der to work around bugs in HTTPS servers. This setting configures the version at
which this fallback process will stop. If a server performs version negotiation
correctly (i.e. without breaking the connection) then this setting doesn't appl
y. Regardless, the resulting connection must still comply with SSLVersionMin. |
| 7926 | 7926 |
| 7927 If this policy is not configured or if it is set to "tls1.2" then <ph name
="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback.
Note this does not disable support for older TLS versions, only whether <ph name
="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers whi
ch cannot negotiate versions correctly. | 7927 If this policy is not configured or if it is set to "tls1.2" then <ph name
="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> no longer performs this fallback.
Note this does not disable support for older TLS versions, only whether <ph name
="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will work around buggy servers whi
ch cannot negotiate versions correctly. |
| 7928 | 7928 |
| 7929 Otherwise, if compatibility with a buggy server must be maintained, this p
olicy may be set to "tls1.1". This is a stopgap measure and the server should be
rapidly fixed.''', | 7929 Otherwise, if compatibility with a buggy server must be maintained, this p
olicy may be set to "tls1.1". This is a stopgap measure and the server should be
rapidly fixed.''', |
| 7930 }, | 7930 }, |
| 7931 { | 7931 { |
| 7932 'name': 'CertificateTransparencyEnforcementDisabledForUrls', |
| 7933 'type': 'list', |
| 7934 'schema': { |
| 7935 'type': 'array', |
| 7936 'items': { 'type': 'string' }, |
| 7937 }, |
| 7938 'supported_on': [ |
| 7939 'chrome.*:53-', |
| 7940 'chrome_os:53-', |
| 7941 'android:53-', |
| 7942 ], |
| 7943 'features': { |
| 7944 'dynamic_refresh': True, |
| 7945 'per_profile': False, |
| 7946 }, |
| 7947 'example_value': ['example.com', '.example.com'], |
| 7948 'id': 335, |
| 7949 'caption': '''Disable Certificate Transparency enforcement for a list of U
RLs''', |
| 7950 'tags': ['system-security'], |
| 7951 'desc': '''Disables enforcing Certificate Transparency requirements to the
listed URLs. |
| 7952 |
| 7953 This policy allows certificates for the hostnames in the specified URLs to
not be disclosed via Certificate Transparency. This allows certificates that wo
uld otherwise be untrusted, because they were not properly publicly disclosed, t
o continue to be used, but makes it harder to detect misissued certificates for
those hosts. |
| 7954 |
| 7955 A URL pattern is formatted according to https://www.chromium.org/administr
ators/url-blacklist-filter-format. However, because certificates are valid for a
given hostname independent of the scheme, port, or path, only the hostname port
ion of the URL is considered. Wildcard hosts are not supported. |
| 7956 |
| 7957 If this policy is not set, any certificate that is required to be disclose
d via Certificate Transparency will be treated as untrusted if it is not disclos
ed according to the Certificate Transparency policy.''', |
| 7958 }, |
| 7959 { |
| 7932 'name': 'RC4Enabled', | 7960 'name': 'RC4Enabled', |
| 7933 'type': 'main', | 7961 'type': 'main', |
| 7934 'schema': { | 7962 'schema': { |
| 7935 'type': 'boolean', | 7963 'type': 'boolean', |
| 7936 }, | 7964 }, |
| 7937 'supported_on': [ | 7965 'supported_on': [ |
| 7938 'chrome.*:48-52', | 7966 'chrome.*:48-52', |
| 7939 'chrome_os:48-52', | 7967 'chrome_os:48-52', |
| 7940 'android:48-52', | 7968 'android:48-52', |
| 7941 'ios:48-52', | 7969 'ios:48-52', |
| (...skipping 849 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8791 'desc': '''Text appended in parentheses next to the policies top-level con
tainer to indicate that those policies are of the Recommended level''', | 8819 'desc': '''Text appended in parentheses next to the policies top-level con
tainer to indicate that those policies are of the Recommended level''', |
| 8792 'text': 'Default Settings (users can override)', | 8820 'text': 'Default Settings (users can override)', |
| 8793 }, | 8821 }, |
| 8794 'doc_complex_policies_on_windows': { | 8822 'doc_complex_policies_on_windows': { |
| 8795 'desc': '''Text pointing the user to a help article for complex policies o
n Windows''', | 8823 'desc': '''Text pointing the user to a help article for complex policies o
n Windows''', |
| 8796 'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POL
ICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<e
x>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>'
'', | 8824 'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POL
ICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<e
x>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>'
'', |
| 8797 }, | 8825 }, |
| 8798 }, | 8826 }, |
| 8799 'placeholders': [], | 8827 'placeholders': [], |
| 8800 } | 8828 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2102783003:
Add enterprise policy to exempt hosts from Certificate Transparency (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@enterprise_ct