Add policy controlled permission block list for extensions

components/policy/resources/policy_templates.json

Index: components/policy/resources/policy_templates.json
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index f9c8c865fd8a28192955f9adccd8c5ef72e85c5d..25de2fb0cd562f5f294dbfa0ac685779da6d5ae2 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -1747,8 +1747,19 @@
                     'enum': ['blocked', 'allowed', 'force_installed', 'normal_installed']
                   },
                   'update_url': { 'type': 'string' },
-                }
-              }
+                  'blocked_permissions': {
+                    'type': 'array',
+                    'items': {
+                      'type': 'string',
+                      'pattern': '^[a-z][a-zA-Z.]*$',
+                    },
+                    'id': 'ListOfPermissions',
+                  },
+                  'allowed_permissions': {
+                    '$ref': 'ListOfPermissions',
+                  },
+                },
+              },
             },
             'properties': {
               '*': {
@@ -1758,15 +1769,18 @@
                     'type': 'string',
                     'enum': ['blocked', 'allowed']
                   },
+                  'blocked_permissions': {
+                    '$ref': 'ListOfPermissions',
+                  },
                   'install_sources': {
                     '$ref': 'ExtensionInstallSources',
                   },
                   'allowed_types': {
                     '$ref': 'ExtensionAllowedTypes',
                   },
-                }
-              }
-            }
+                },
+              },
+            },
           },
           'future': True,
           'supported_on': ['chrome.*:40-', 'chrome_os:40-'],
@@ -1777,13 +1791,16 @@
           'example_value': {
             'abcdefghijklmnopabcdefghijklmnop' : {
               'installation_mode': 'allowed',
+              'blocked_permissions': ['history'],
             },
             'bcdefghijklmnopabcdefghijklmnopa' : {
               'installation_mode': 'force_installed',
               'update_url': 'http://example.com/update_url',
+              'allowed_permissions': ['downloads'],
             },
             '*': {
               'installation_mode': 'blocked',
+              'blocked_permissions': ['downloads', 'bookmarks'],
               'install_sources': ['http://company-intranet/chromeapps'],
               'allowed_types': ['hosted_app'],
             },
@@ -1806,6 +1823,10 @@
 
           If the mode is set to "force_installed" or "normal_installed" then an "update_url" must be configured too. The update URL should point to an Update Manifest XML document as described at <ph name="LINK_TO_EXTENSION_DOC1">https://developer.chrome.com/extensions/autoupdate</ph>. Note that the update URL set in this policy is only used for the initial installation; subsequent updates of the extension will use the update URL indicated in the extension's manifest.
 
+          "blocked_permissions": maps to a list of strings indicating the blocked API permissions for the extension. The permissions names are same as the permission strings declared in manifest of extension as described at <ph name="LINK_TO_EXTENSION_DOC3">https://developer.chrome.com/extensions/declare_permissions</ph>. This setting also can be configured for "*" extension. If the extension requires a permission which is on the blocklist, it will not be allowed to be loaded. If it contains a blocked permission as optional requirement, it will be handled in normal way, but requests of conflicting permissions will be declined automatically at runtime.

[Finnur, 2014/10/30 14:16:59]

s/to be/to load/
s/normal way/the normal way/
s/requests of/requesting/

[binjin, 2014/10/30 16:41:12]

Done.

+
+          "allowed_permissions": similar to "blocked_permissions", but instead explicitly allow some permissions which might be blocked by global blocked permission list, thus can not be configured for "*" extension. Note that this setting doesn't give granted permissions to extensions automatically.
+
           The following settings can be used only for the default "*" configuration:
 
           "install_sources": Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e.  the referrer) must be allowed by these patterns.