serial: Move serial policy from profile to local state

This patch makes the experimental SerialAllowAllPortsForUrls and
SerialAllowUsbDevicesForUrls policies no longer apply on a per-profile
basis. Mechanically this means that the policy is read from the global
"local state" preference store associated with the Chrome browser
process instead of the profile-specific preference store.

The reason for this change is to mitigate a privacy concern where an
administrator can grant a site permission to access a serial device on
a machine which they do not own as long as the user is signed into an
account managed by an organization the administrator controls. Because
this policy is no longer per-profile, it must be applied by an
administrator who already has authority over the entire machine.

Bug: 1001242
Change-Id: I5087ff0c60df59e16da27eda87103f7c0e4bf070
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2914194
Commit-Queue: Reilly Grant <[email protected]>
Reviewed-by: Julian Pastarmov <[email protected]>
Reviewed-by: Marc Treib <[email protected]>
Cr-Commit-Position: refs/heads/master@{#888676}
diff --git a/chrome/browser/prefs/browser_prefs.cc b/chrome/browser/prefs/browser_prefs.cc
index c66bf99..2c0f20c 100644
--- a/chrome/browser/prefs/browser_prefs.cc
+++ b/chrome/browser/prefs/browser_prefs.cc
@@ -719,6 +719,13 @@
 #endif  // BUILDFLAG(IS_CHROMEOS_ASH)
 
   registry->RegisterListPref(kSpellCheckBlacklistedDictionaries);
+
+#if !defined(OS_ANDROID)
+  registry->RegisterListPref(
+      prefs::kManagedProfileSerialAllowAllPortsForUrlsDeprecated);
+  registry->RegisterListPref(
+      prefs::kManagedProfileSerialAllowUsbDevicesForUrlsDeprecated);
+#endif
 }
 
 }  // namespace
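Review bot: The two `RegisterListPref` calls for the `...Deprecated` serial prefs carry no comment saying they exist only so the `ClearPref` calls in the 05/2021 migration hunk can run, so a reader cannot tell that registration and cleanup have to be removed together. I would add a line above the `#if` such as `// Deprecated 05/2021: registered only so the obsolete-pref migration can clear them; remove together with the ClearPref calls.` The `// Added 05/2021` comment on the `ClearPref` calls could likewise name the reason (policy moved to local state, crbug.com/1001242). The enclosing function starts outside the hunk.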
@@ -759,6 +766,9 @@
   RegisterScreenshotPrefs(registry);
   safe_browsing::RegisterLocalStatePrefs(registry);
   secure_origin_allowlist::RegisterPrefs(registry);
+#if !defined(OS_ANDROID)
+  SerialPolicyAllowedPorts::RegisterPrefs(registry);
+#endif
   sessions::SessionIdGenerator::RegisterPrefs(registry);
   SSLConfigServiceManager::RegisterPrefs(registry);
   subresource_filter::IndexedRulesetVersion::RegisterPrefs(registry);
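Review bot: The line `SerialPolicyAllowedPorts::RegisterPrefs(registry);` is what the privacy fix in the commit message rests on, yet nothing here records that it is in the local-state list on purpose, so a later refactor could move it back to the profile list without anyone noticing the regression. A short comment would pin the intent, for example `// Local state on purpose: these policies must come from a machine-level admin, not a managed account (crbug.com/1001242).` Whether the policy definitions and a test that a profile-level policy no longer grants serial access were updated to match is not visible in this file's hunks, so that is worth confirming alongside. The enclosing function starts and ends outside the hunk.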
@@ -1007,9 +1017,6 @@
       registry);
   security_interstitials::InsecureFormBlockingPage::RegisterProfilePrefs(
       registry);
-#if !defined(OS_ANDROID)
-  SerialPolicyAllowedPorts::RegisterProfilePrefs(registry);
-#endif
   SessionStartupPref::RegisterProfilePrefs(registry);
   SharingSyncPreference::RegisterProfilePrefs(registry);
   site_engagement::SiteEngagementService::RegisterProfilePrefs(registry);
@@ -1446,6 +1453,14 @@
   // Added 05/2021
   profile_prefs->ClearPref(kSpellCheckBlacklistedDictionaries);
 
+#if !defined(OS_ANDROID)
+  // Added 05/2021
+  profile_prefs->ClearPref(
+      prefs::kManagedProfileSerialAllowAllPortsForUrlsDeprecated);
+  profile_prefs->ClearPref(
+      prefs::kManagedProfileSerialAllowUsbDevicesForUrlsDeprecated);
+#endif
+
   // Please don't delete the following line. It is used by PRESUBMIT.py.
   // END_MIGRATE_OBSOLETE_PROFILE_PREFS
 }