components/policy/resources/policy_templates.json - Issue 2735733003: Disable commonName matching for certificates

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: components/policy/resources/policy_templates.json

Issue 2735733003: Disable commonName matching for certificates (Closed)

Patch Set: Created 3 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: components/policy/resources/policy_templates.json

diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json

index 3b5378a626607dc41dd10fdfa47c661dc144f3fa..96cc3f46dd8dec62918065bf5ddfe85d050e8070 100644

--- a/components/policy/resources/policy_templates.json

+++ b/components/policy/resources/policy_templates.json

@@ -139,7 +139,7 @@

# persistent IDs for all fields (but not for groups!) are needed. These are

# specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,

# because doing so would break the deployed wire format!

-# For your editing convenience: highest ID currently used: 365

+# For your editing convenience: highest ID currently used: 366

# And don't forget to also update the EnterprisePolicies enum of

# histograms.xml (run tools/metrics/histograms/update_policies.py).

@@ -4850,6 +4850,25 @@

If this policy is not set, or it is set to false, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> follows the publicly announced SHA-1 deprecation schedule.''',

{

+ 'name': 'EnableCommonNameFallbackForLocalAnchors',

+ 'type': 'main',

+ 'schema': { 'type': 'boolean' },

+ 'supported_on': ['chrome.*:58-65', 'chrome_os:58-65', 'android:58-65'],

+ 'features': {

+ 'dynamic_refresh': True,

+ 'per_profile': False,

+ },

+ 'example_value': False,

+ 'id': 366,

+ 'caption': '''Whether to allow certificates issued by local trust anchors that are missing the subjectAlternativeName extension''',

+ 'tags': ['system-security'],

+ 'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificates.

+ Note that this is not recommended, as this may allow bypassing the nameConstraints extension that restricts the hostnames that a given certificate can be authorized for.

+ If this policy is not set, or is set to false, server certificates that lack a subjectAlternativeName extension containing either a DNS name or IP address will not be trusted.''',

+ },

+ {

'name': 'ForceEphemeralProfiles',

'type': 'main',

'schema': { 'type': 'boolean' },

« no previous file with comments | « chrome/test/data/policy/policy_test_cases.json ('k') | components/ssl_config/ssl_config_prefs.h » ('j') | no next file with comments »