Default the PacHttpsUrlStrippingEnabled policy to False for Chrome OS enterprise users.

(The plan is to control rollout from the server side, out of concern over compatibility.)

BUG=616396

Review-Url: https://codereview.chromium.org/2036983004
Cr-Commit-Position: refs/heads/master@{#398797}
(cherry picked from commit 2073364)

Review URL: https://codereview.chromium.org/2059673002 .

Cr-Commit-Position: refs/branch-heads/2743@{crosswalk-project#310}
Cr-Branched-From: 2b3ae3b-refs/heads/master@{#394939}
Eric Roman committed Jun 10, 2016
1 parent 4874cac commit b2b73fb
Showing 2 changed files with 24 additions and 2 deletions.
6 changes: 6 additions & 0 deletions chrome/browser/policy/cloud/cloud_policy_browsertest.cc
Expand Up @@ -167,6 +167,9 @@ void GetExpectedDefaultPolicy(PolicyMap* policy_map) {
policy_map->Set(key::kArcEnabled, POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
POLICY_SOURCE_ENTERPRISE_DEFAULT,
base::WrapUnique(new base::FundamentalValue(false)), nullptr);
policy_map->Set(key::kPacHttpsUrlStrippingEnabled, POLICY_LEVEL_MANDATORY,
POLICY_SCOPE_USER, POLICY_SOURCE_ENTERPRISE_DEFAULT,
base::WrapUnique(new base::FundamentalValue(false)), nullptr);
#endif
}
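Review bot: the new key::kPacHttpsUrlStrippingEnabled entry in GetExpectedDefaultPolicy pins the expected default to false with no comment saying that this is a temporary override that turns a security feature off. A one-line comment above the Set call pointing at BUG=616396 would make it clear that this expectation should be deleted together with the override, rather than read as the intended steady state. The entry also sits just before an #endif whose opening condition is outside the visible lines, so it is worth confirming that the guard limits it to Chrome OS, matching the commit title.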

Expand Down Expand Up @@ -206,6 +209,9 @@ void GetExpectedTestPolicy(PolicyMap* expected, const char* homepage) {
expected->Set(key::kArcEnabled, POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
POLICY_SOURCE_ENTERPRISE_DEFAULT,
base::WrapUnique(new base::FundamentalValue(false)), nullptr);
expected->Set(key::kPacHttpsUrlStrippingEnabled, POLICY_LEVEL_MANDATORY,
POLICY_SCOPE_USER, POLICY_SOURCE_ENTERPRISE_DEFAULT,
base::WrapUnique(new base::FundamentalValue(false)), nullptr);
#endif
}
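Review bot: GetExpectedTestPolicy repeats the same three-line Set(key::kPacHttpsUrlStrippingEnabled, ...) block that GetExpectedDefaultPolicy gains in the previous hunk, so the temporary override is now hard-coded in two places next to the existing kArcEnabled pair. Consider a small shared helper that adds the enterprise defaults to a PolicyMap, so that removing the override later is a single-line change and the two expectations cannot drift apart. Both hunks only assert the defaulted false value; a case where the policy is explicitly set to true would show that an administrator's choice wins over POLICY_SOURCE_ENTERPRISE_DEFAULT.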

20 changes: 18 additions & 2 deletions components/policy/resources/policy_templates.json
Expand Up @@ -8577,13 +8577,29 @@
},
'example_value': False,
'id': 332,
'default_for_enterprise_users': False,
'caption': '''Enable PAC URL stripping (for https://)''',
'tags': ['system-security'],
'desc': '''Strips privacy and security sensitive parts of https:// URLs before passing them on to PAC scripts (Proxy Auto Config) used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> during proxy resolution.

When not set (or set to true) the default behavior is to strip https:// URLs before submitting them to a PAC script. In this manner the PAC script is not able to view data that is ordinarily protected by an encrypted channel (like the path and query).
When True, the security feature is enabled, and https:// URLs are
stripped before submitting them to a PAC script. In this manner the PAC
script is not able to view data that is ordinarily protected by an
encrypted channel (such as the URL's path and query).

When False, the security feature is disabled, and PAC scripts are
implicitly granted the ability to view all components of an https://
URL. This applies to all PAC scripts regardless of origin (including
those fetched over an insecure transport, or discovered insecurely
through WPAD).

This defaults to True (security feature enabled), except for Chrome OS
enterprise users for which this currently defaults to False.

It is recommended that this be set to True. The only reason to set it to
False is if it causes a compatibility problem with existing PAC scripts.

When the policy is set to false, this security feature is disabled, and PAC scripts are granted the ability to view the full URL. This setting applies to all PAC scripts regardless of origin. For instance it applies to PAC scripts obtained through WPAD as well as those fetched over an insecure transport.''',
The desire is to remove this override in the future.''',
},
],
'messages': {
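Review bot: the closing sentence of 'desc', "The desire is to remove this override in the future.", does not tell a Chrome OS enterprise administrator what to do in the meantime, even though 'default_for_enterprise_users': False leaves a 'system-security' feature off for them unless they act. Suggest saying outright that these administrators need to set the policy to True to get https:// URL stripping, since the text above already notes that False exposes full URLs to PAC scripts fetched over an insecure transport or discovered through WPAD. Separately, 'example_value': False sits next to "It is recommended that this be set to True"; an example value that matches the recommendation would avoid administrators copying the insecure setting from the documentation.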