Adding a DownloadRestrictions group policy.

components/policy/resources/policy_templates.json

Index: components/policy/resources/policy_templates.json
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index 9dda903feb39723a2ca50d8d0a239f65a80e40f1..6f6d1c40b791bca847819c887468fe721886d729 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -143,7 +143,7 @@
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 370
+#   For your editing convenience: highest ID currently used: 371
 #   And don't forget to also update the EnterprisePolicies enum of
 #   histograms.xml (run 'python tools/metrics/histograms/update_policies.py').
 #
@@ -1712,6 +1712,60 @@
       'label': '''Set media disk cache size''',
     },
     {
+      'name': 'DownloadRestrictions',
+      'type': 'int-enum',
+      'schema': {
+        'type': 'integer',
+        'enum': [ 0, 1, 2, 3 ],
+      },
+      'items': [
+        {
+          'name': 'AllowDownloads',
+          'value': 0,
+          'caption': '''No restrictions''',
+        },
+        {
+          'name': 'DisableBlockedFiles',
+          'value': 1,
+          'caption': '''Disable blocked files''',
+        },
+        {
+          'name': 'DisableBlockedAndDangerousFiles',
+          'value': 2,
+          'caption': '''Disable blocked and dangerous files''',
+        },
+        {
+          'name': 'DisableDownloads',
+          'value': 3,
+          'caption': '''No downloads allowed''',
+        },
+      ],

[asanka, 2017/06/06 03:00:36]

The policy value names and their descriptions should probably be run by UI
folks. In particular, the term "blocked" may be confusing since "blocked"
implies that the download can't proceed with or without the policy.

One way to phrase it would be to consider what the user is allowed or not
allowed to do. In the case of "DisableBlockedFiles", the user is not allowed to
bypass the SafeBrowsing warning. And with "DisableBlockedAndDangerousFiles", the
user is not allowed to bypass any download warning.

Also, I'd suggest sticking to Alllow/Disallow for consistency.

FTR: there are three download warning types -- in decreasing order of severity:
* Malicious downloads : Flagged by SB due to file content, file source or
something else.
* Potentially unwanted : Flagged by SB.
* Uncommon : SB doesn't have sufficient data to consider this file safe. Should
be considered more dangerous than 'Potentially dangerous'
* Potentially dangerous : Flagged simply because of the file type.

As enterprise use cases go, it's worth looking at how an enterprise might deploy
their custom binaries and installers as downloads. Also most MS Office file
types are in the "dangerous files" bucket, which may be an obstacle if folks are
expected to pass around documents over email etc... As currently laid out, such
use cases currently cannot be accommodated without opening the floodgates and
allowing all dangerous file types.

[MAD, 2017/06/06 18:00:28]

OK, I'll check with UX and Chrome Enterprise PM for the namings.

As for the floodgate, I have another CL I just started to add another policy to
complement this one, which will allow whitelisting certain downloads.

+      'supported_on': ['chrome.*:58-', 'chrome_os:58-'],
+      'features': {
+        'can_be_recommended': True,
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': 2,
+      'id': 371,
+      'caption': '''Allow download restrictions''',
+      'tags': ['local-data-access'],
+      'desc': '''Configures the type of downloads that <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will allow.
+
+      If you set this policy, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will prevent certain types of downloads.
+
+      When the 'Disabled blocked files' option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings.
+
+      When the 'Disable blocked and dangerous files' option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings or are of potentially dangerous filetypes.
+
+      When the 'No downloads allowed' option is chosen, download functionality is completely disabled.
+
+      Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option.
+
+      But these restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options.''',
+      'label': '''Download restrictions''',
+    },
+    {
       'name': 'DownloadDirectory',
       'type': 'string',
       'schema': { 'type': 'string' },