Public Sessions whitelisting - removed privacy sensitive permissions

chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.h"
 
 #include <stddef.h>
 
 #include <cstddef>
 #include <string>
@@ skipping 419 matching lines @@
     // This is risky, but blocking extensions just because they declare
     // clipboardRead is unfortunate. Options: (1) Make clipboardRead return
     // empty string (2) confirmation dialog.
     // "clipboardRead",
 
     // Writing to clipboard is safe.
     "clipboardWrite",
 
     "contentSettings",
 
-    // Provides access to URLs.
-    "contextMenus",
+    // Privacy sensitive URL access.
+    // "contextMenus",
 
     // This would provie access to auth cookies, so needs to be blocked.
     // "cookies",
 
     // Provides access to the DOM, so block.
     // "debugger",
 
     // This is mostly fine, but has a RequestContentScript action that'd allow
     // access to page content, which we can't allow.
     // "declarativeContent",
@@ skipping 53 matching lines @@
     "gcm",
 
     // It's fair game for a kiosk device owner to locate their device. Could
     // just as well do this via IP-geolocation mechanism, so little difference.
     "geolocation",
 
     // Somewhat risky as this opens up the ability to intercept user input.
     // However, keyboards and mice are apparently not surfaced via this API.
     "hid",
 
-    // Just URLs and meta data.
-    "history",
+    // Privacy sensitive URL access.
+    // "history",
 
     // Not really useful as there's no signed-in user, so OK to allow.
     "identity",
 
     "identity.email",
 
     // Detection of idle state.
     "idle",
 
     // IME extensions see keystrokes. This might be useful though, might rely on
@@ skipping 64 matching lines @@
 
     // Looking at the code, this feature is declared but used nowhere.
     // "screensaver",
 
     // Access serial port.  It's hard to conceive a case in which private data
     // is stored on a serial device and being read without the user's consent.
     // Minor risk of intercepting input events from serial input devices - given
     // that serial input devices are exceedingly rare, OK to allow.
     "serial",
 
-    // Access to URLs.
-    "sessions",
+    // Privacy sensitive URL access.
+    // "sessions",
 
     "socket",
 
     // Per-app sandbox.  User cannot log into Public Session, thus storage
     // cannot be sync'ed to the cloud.
     "storage",
 
     // Not very useful since no signed-in user.
     "syncFileSystem",
 
     // Returns CPU parameters.
     "system.cpu",
 
     // Display parameters query/manipulation.
     "system.display",
 
     // Memory parameters access.
     "system.memory",
 
     // Enumerates network interfaces.
     "system.network",
 
     // Enumerates removable storage.
     "system.storage",
 
     // Provides access to screen contents, so block. Alternatively, (1) prompt
     // for user consent or (2) return blank capture.
     // "tabCapture",
 
-    // URLs and page titles.
-    "tabs",
+    // Privacy sensitive URL access.
+    // "tabs",
 
-    // URLs and page titles.
-    "topSites",
+    // Privacy sensitive URL access.
+    // "topSites",
 
     // Allows to generate TTS, but no content access. Just UX.
     "tts",
 
     // Might need this, but has content access. Manual whitelisting?
     // "ttsEngine",
 
     // Excessive resource usage is not a risk.
     "unlimitedStorage",
 
     // Plugging the USB device is sufficient as consent gesture.
     "usb",
 
     // Belongs to the USB API.
     "usbDevices",
 
     // Need to surface notification to the user. Check what existing UI we have
     // and whether that's sufficient for PS.
     // "videoCapture",
 
     // Admin controls network config anyways.
     "vpnProvider",
 
     // Just UX.
     "wallpaper",
 
-    // Access to URLs.
-    "webNavigation",
+    // Privacy sensitive URL access.
+    // "webNavigation",
 
     // Provides access to cookies and form upload data. Options: (1) block,
     // (2) strip all content in events.
     // "webRequest",
 
     // Fine once webRequest is adjusted.
     // "webRequestBlocking",
 
     // This allows content scripts and capturing. However, the webview runs
     // within a separate storage partition, i.e. doesn't share cookies and other
@@ skipping 252 matching lines @@
   if (error) {
     *error = l10n_util::GetStringFUTF16(
           IDS_EXTENSION_CANT_INSTALL_IN_DEVICE_LOCAL_ACCOUNT,
           base::UTF8ToUTF16(extension->name()),
           base::UTF8ToUTF16(extension->id()));
   }
   return false;
 }
 
 }  // namespace chromeos