| Index: components/policy/resources/policy_templates.json
|
| diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
|
| index 3d12b3bdf6cab3fdd8ce75b034c841f05f3fef0b..f5eb5b1885321a012a96417c4d92b24de1056e81 100644
|
| --- a/components/policy/resources/policy_templates.json
|
| +++ b/components/policy/resources/policy_templates.json
|
| @@ -1747,8 +1747,19 @@
|
| 'enum': ['blocked', 'allowed', 'force_installed', 'normal_installed']
|
| },
|
| 'update_url': { 'type': 'string' },
|
| - }
|
| - }
|
| + 'blocked_permissions': {
|
| + 'type': 'array',
|
| + 'items': {
|
| + 'type': 'string',
|
| + 'pattern': '^[a-z][a-zA-Z.]*$',
|
| + },
|
| + 'id': 'ListOfPermissions',
|
| + },
|
| + 'allowed_permissions': {
|
| + '$ref': 'ListOfPermissions',
|
| + },
|
| + },
|
| + },
|
| },
|
| 'properties': {
|
| '*': {
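Review bot: The item `pattern` on `ListOfPermissions`, `'^[a-z][a-zA-Z.]*$'`, accepts only letters and dots, so a permission name containing a digit or underscore, and any host permission or match pattern, fails schema validation and cannot be listed. If restricting both lists to API permission names is intended, check the pattern against the full set of permission strings the policy handler recognises; should any contain a digit, the class would need to be `[a-zA-Z0-9.]`. The schema also lets the same name appear in both `blocked_permissions` and `allowed_permissions` of one extension, so the handler has to define which wins, and the safer default for a restriction policy is that the block wins. The enclosing schema object starts before this hunk.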
|
| @@ -1758,15 +1769,18 @@
|
| 'type': 'string',
|
| 'enum': ['blocked', 'allowed']
|
| },
|
| + 'blocked_permissions': {
|
| + '$ref': 'ListOfPermissions',
|
| + },
|
| 'install_sources': {
|
| '$ref': 'ExtensionInstallSources',
|
| },
|
| 'allowed_types': {
|
| '$ref': 'ExtensionAllowedTypes',
|
| },
|
| - }
|
| - }
|
| - }
|
| + },
|
| + },
|
| + },
|
| },
|
| 'future': True,
|
| 'supported_on': ['chrome.*:40-', 'chrome_os:40-'],
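Review bot: The `'*'` entry gains only `blocked_permissions`, so the rule that `allowed_permissions` cannot be configured for `'*'` is enforced by omission alone. Whether a stray `'allowed_permissions'` under `'*'` is reported as a validation error or silently dropped depends on how this object treats unknown properties, which is not visible in the hunk. An explicit error is preferable, so that an administrator who puts the key at the wrong scope learns that the setting had no effect. The `'*'` object starts before this hunk.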
|
| @@ -1777,13 +1791,16 @@
|
| 'example_value': {
|
| 'abcdefghijklmnopabcdefghijklmnop' : {
|
| 'installation_mode': 'allowed',
|
| + 'blocked_permissions': ['history'],
|
| },
|
| 'bcdefghijklmnopabcdefghijklmnopa' : {
|
| 'installation_mode': 'force_installed',
|
| 'update_url': 'http://example.com/update_url',
|
| + 'allowed_permissions': ['downloads'],
|
| },
|
| '*': {
|
| 'installation_mode': 'blocked',
|
| + 'blocked_permissions': ['downloads', 'bookmarks'],
|
| 'install_sources': ['http://company-intranet/chromeapps'],
|
| 'allowed_types': ['hosted_app'],
|
| },
|
| @@ -1806,6 +1823,10 @@
|
|
|
| If the mode is set to "force_installed" or "normal_installed" then an "update_url" must be configured too. The update URL should point to an Update Manifest XML document as described at <ph name="LINK_TO_EXTENSION_DOC1">https://developer.chrome.com/extensions/autoupdate</ph>. Note that the update URL set in this policy is only used for the initial installation; subsequent updates of the extension will use the update URL indicated in the extension's manifest.
|
|
|
| + "blocked_permissions": maps to a list of strings indicating the blocked API permissions for the extension. The permissions names are same as the permission strings declared in manifest of extension as described at <ph name="LINK_TO_EXTENSION_DOC3">https://developer.chrome.com/extensions/declare_permissions</ph>. This setting also can be configured for "*" extension. If the extension requires a permission which is on the blocklist, it will not be allowed to load. If it contains a blocked permission as optional requirement, it will be handled in the normal way, but requesting conflicting permissions will be declined automatically at runtime.
|
| +
|
| + "allowed_permissions": similar to "blocked_permissions", but instead explicitly allow some permissions which might be blocked by global blocked permission list, thus can not be configured for "*" extension. Note that this setting doesn't give granted permissions to extensions automatically.
|
| +
|
| The following settings can be used only for the default "*" configuration:
|
|
|
| "install_sources": Each item in this list is an extension-style match pattern (see https://developer.chrome.com/extensions/match_patterns). Users will be able to easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (i.e. the referrer) must be allowed by these patterns.
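Review bot: The two added paragraphs do not say how the lists combine, which is what an administrator needs in order to work out the effective restriction. The `blocked_permissions` text should state whether an extension's own list is added to the `*` list or replaces it, and the `allowed_permissions` text should state which list wins when one permission appears in both lists for the same extension. It would also help to say that only API permission names are accepted, so host permissions and match patterns are not restricted by this setting; the schema pattern in the first hunk suggests this, but the description does not say it. Wording: `The permissions names are same as` reads better as `The permission names are the same as`, and `can not` as `cannot`.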
|
|
|