Update all sensitive policies descriptions
Make all sensitive policies have same descriptions except two for
extension force installed which only covered non-CWS extensions.

The statement is also added into `description_guidelines.md` for
future usage.

Remove sensitive policies description for the `URLAllowlist` policy
because there is no such check for it.

Also
 * Create default value field for some policies.
 * Fix indent for all policies that are modified here.

Bug: 1446691
Change-Id: Iee4d73c7b84d36813e186d85cadf4b4adb24fea7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4585045
Commit-Queue: Owen Min <zmin@chromium.org>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Reviewed-by: Anqing Zhao <anqing@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1153815}
Owen Min authored and Chromium LUCI CQ committed Jun 6, 2023
1 parent 48a96cb commit 5350ed1
Showing 21 changed files with 127 additions and 83 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,11 @@ default: null
desc: |-
Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar. The Disabled value is not supported by the <ph name="GOOGLE_ADMIN_CONSOLE_PRODUCT_NAME">Google Admin console</ph>.
If you set the policy, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, the default search provider is on, and users can set the search provider list.
If you set the policy, users can't change it in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>. If not set, the default search provider is on, and users can set the search provider list.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this policy is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, joined to <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
On <ph name="MAC_OS_NAME">macOS</ph>, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
example_value: true
features:
can_be_recommended: true
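
Review bot: The replacement availability sentences change the stated requirement, not only the wording. The old Windows sentence listed "running on Windows 10 Pro" as a qualifying condition; the new one drops it and adds Microsoft Azure Active Directory, and the new macOS sentence adds Chrome Browser Cloud Management enrollment. The commit message describes this as making the descriptions the same, so please confirm the new list matches what the browser actually checks for this policy and mention the change of conditions in the commit message, since admins use this text to decide whether an instance will honour the policy.
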
Expand Up @@ -4,19 +4,19 @@ caption: Configure the list of force-installed apps and extensions
desc: |-
Setting the policy specifies a list of apps and extensions that install silently, without user interaction, and which users can't uninstall or turn off. Permissions are granted implicitly, including for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These 2 APIs aren't available to apps and extensions that aren't force-installed.)
Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
This policy supersedes <ph name="EXTENSION_INSTALL_BLOCKLIST_POLICY_NAME">ExtensionInstallBlocklist</ph> policy. If a previously force-installed app or extension is removed from this list, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> automatically uninstalls it.
This policy supersedes <ph name="EXTENSION_INSTALL_BLOCKLIST_POLICY_NAME">ExtensionInstallBlocklist</ph> policy. If a previously force-installed app or extension is removed from this list, <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> automatically uninstalls it.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the <ph name="DEVELOPER_TOOLS_DISABLED_POLICY_NAME">DeveloperToolsDisabled</ph> policy.
On <ph name="MAC_OS_NAME">macOS</ph> instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`
Each list item of the policy is a string that contains an extension ID and, optionally, an update URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the update URL should point to an Update Manifest XML document ( https://developer.chrome.com/extensions/autoupdate ). The update URL should use one of the following schemes: <ph name="HTTP_SCHEME">http</ph>, <ph name="HTTPS_SCHEME">https</ph> or <ph name="FILE_SCHEME">file</ph>. By default, the Chrome Web Store's update URL is used. The update URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest. The update url for subsequent updates can be overridden using the <ph name="EXTENSION_SETTINGS_POLICY_NAME">ExtensionSettings</ph> policy, see http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy.
The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the <ph name="DEVELOPER_TOOLS_DISABLED_POLICY_NAME">DeveloperToolsDisabled</ph> policy.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, joined to <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
Each list item of the policy is a string that contains an extension ID and, optionally, an update URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the update URL should point to an Update Manifest XML document ( https://developer.chrome.com/extensions/autoupdate ). The update URL should use one of the following schemes: <ph name="HTTP_SCHEME">http</ph>, <ph name="HTTPS_SCHEME">https</ph> or <ph name="FILE_SCHEME">file</ph>. By default, the Chrome Web Store's update URL is used. The update URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest. The update url for subsequent updates can be overridden using the <ph name="EXTENSION_SETTINGS_POLICY_NAME">ExtensionSettings</ph> policy, see http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy.
On <ph name="MAC_OS_NAME">macOS</ph> instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).
Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).
example_value:
- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx
- abcdefghijklmnopabcdefghijklmnop
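
Review bot: The rewritten Windows sentence still says "can only be forced installed" while the macOS sentence says "can only be force installed". Both lines are being replaced in this hunk, so this is the place to make them agree; "force-installed" would match the caption ("Configure the list of force-installed apps and extensions") and the first paragraph ("aren't force-installed").
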
Expand Up @@ -2,9 +2,11 @@ caption: Extension management settings
desc: |-
Setting the policy controls extension management settings for <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, including any controlled by existing extension-related policies. The policy supersedes any legacy policies that might be set.
This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID <ph name="DEFAULT_SCOPE">"*"</ph>, which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph> policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.
This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID <ph name="DEFAULT_SCOPE">"*"</ph>, which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( http://support.google.com/chrome/a?p=Configure_ExtensionSettings_policy ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the <ph name="EXTENSION_INSTALL_FORCELIST_POLICY_NAME">ExtensionInstallForcelist</ph> policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.
Note: For <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> instances not joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain and <ph name="MAC_OS_NAME">macOS</ph> instances not managed via MDM or joined to a domain via MCX, forced installation is limited to apps and extensions listed in the Chrome Web Store.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph> instances, apps and extensions from outside the Chrome Web Store can only be forced installed if the instance is joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, joined to <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
On <ph name="MAC_OS_NAME">macOS</ph> instances, apps and extensions from outside the Chrome Web Store can only be force installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
example_value:
'*':
allowed_types:
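
Review bot: The two sentences added in place of the old "Note:" line contain literal backticks: one directly after the closing </ph> of the MS_AAD_NAME placeholder and a pair wrapping the CHROME_BROWSER_CLOUD_MANAGEMENT_NAME placeholder. The line they replace had none, and nothing else in this description uses Markdown, so they will most likely appear verbatim in the text shown to administrators. Please drop them so the sentence reads "... Active Directory or enrolled in Chrome Browser Cloud Management."
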
Expand Up @@ -3,36 +3,38 @@ default: {}
desc: |-
This policy provides a way to override the list of sets the browser uses for First-Party Sets features.
Each set in the browser's list of First-Party Sets must meet the requirements of a First-Party Set.
A First-Party Set must contain a primary site and one or more member sites.
A set can also contain a list of service sites that it owns, as well as a map from a site to all of its ccTLD variants.
See https: //github.com/WICG/first-party-sets for more information on First-Party Sets are used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
Each set in the browser's list of First-Party Sets must meet the requirements of a First-Party Set.
A First-Party Set must contain a primary site and one or more member sites.
A set can also contain a list of service sites that it owns, as well as a map from a site to all of its ccTLD variants.
See https: //github.com/WICG/first-party-sets for more information on First-Party Sets are used by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>.
All sites in a First-Party Set must be a registrable domain served over HTTPS. Each site in a First-Party Set must also be unique,
meaning a site cannot be listed more than once in a First-Party Set.
All sites in a First-Party Set must be a registrable domain served over HTTPS. Each site in a First-Party Set must also be unique,
meaning a site cannot be listed more than once in a First-Party Set.
When this policy is given an empty dictionary, the browser uses the public list of First-Party Sets.
When this policy is given an empty dictionary, the browser uses the public list of First-Party Sets.
For all sites in a First-Party Set from the <ph name="REPLACEMENTS">replacements</ph> list, if a site is also present
on a First-Party Set in the browser's list, then that site will be removed from the browser's First-Party Set.
After this, the policy's First-Party Set will be added to the browser's list of First-Party Sets.
For all sites in a First-Party Set from the <ph name="REPLACEMENTS">replacements</ph> list, if a site is also present
on a First-Party Set in the browser's list, then that site will be removed from the browser's First-Party Set.
After this, the policy's First-Party Set will be added to the browser's list of First-Party Sets.
For all sites in a First-Party Set from the <ph name="ADDITIONS">additions</ph> list, if a site is also present
on a First-Party Set in the browser's list, then the browser's First-Party Set will be updated so that the
new First-Party Set can be added to the browser's list. After the browser's list has been updated,
the policy's First-Party Set will be added to the browser's list of First-Party Sets.
For all sites in a First-Party Set from the <ph name="ADDITIONS">additions</ph> list, if a site is also present
on a First-Party Set in the browser's list, then the browser's First-Party Set will be updated so that the
new First-Party Set can be added to the browser's list. After the browser's list has been updated,
the policy's First-Party Set will be added to the browser's list of First-Party Sets.
The browser's list of First-Party Sets requires that for all sites in its list, no site is in
more than one set. This is also required for both the <ph name="REPLACEMENTS">replacements</ph> list
and the <ph name="ADDITIONS">additions</ph> list. Similarly, a site cannot be in both the
<ph name="REPLACEMENTS">replacements</ph> list and the <ph name="ADDITIONS">additions</ph> list.
The browser's list of First-Party Sets requires that for all sites in its list, no site is in
more than one set. This is also required for both the <ph name="REPLACEMENTS">replacements</ph> list
and the <ph name="ADDITIONS">additions</ph> list. Similarly, a site cannot be in both the
<ph name="REPLACEMENTS">replacements</ph> list and the <ph name="ADDITIONS">additions</ph> list.
Wildcards (*) are not supported as a policy value, nor within any First-Party Set in these lists.
Wildcards (*) are not supported as a policy value, nor within any First-Party Set in these lists.
All sets provided by to policy must be valid First-Party Sets, if they aren't then an
appropriate error will be outputted.
All sets provided by to policy must be valid First-Party Sets, if they aren't then an
appropriate error will be outputted.
This policy is available only on Windows instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain or Windows 10 Pro or Enterprise instances that are enrolled for device management, and macOS instances that are managed via MDM or joined to a domain via MCX.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this policy is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, joined to <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
On <ph name="MAC_OS_NAME">macOS</ph>, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
example_value:
additions:
- associatedSites:
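
Review bot: Several of the paragraphs re-indented in this hunk carry text defects that are worth fixing while the lines are being touched. As shown here, "See https: //github.com/WICG/first-party-sets" has a space inside the URL, the same sentence reads "for more information on First-Party Sets are used by" (a word such as "how" appears to be missing), and "All sets provided by to policy must be valid First-Party Sets" has a stray "to". Since the commit already rewrites these lines for indentation, correcting the wording in the same change avoids a second pass over the file.
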
Expand Up @@ -2,11 +2,11 @@ caption: List of file types that should be automatically opened on download
desc: |-
List of file types that should be automatically opened on download. The leading separator should not be included when listing the file type, so list "txt" instead of ".txt".
Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.
Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.
If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.
If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management. On <ph name="MAC_OS_NAME">macOS</ph>, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this policy is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, joined to <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
example_value:
- exe
- txt
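
Review bot: The macOS availability sentence is dropped in the last paragraph of this description without a replacement. The old paragraph ended with "On macOS, this functionality is only available on instances that are managed via MDM, or joined to a domain via MCX.", but only a Windows sentence is added, whereas the other descriptions in this change that had a macOS condition keep one. If automatic opening is still restricted on unmanaged macOS instances, add the macOS sentence here as well; if the restriction is Windows-only, say so in the commit message, because this policy decides whether downloaded files such as the "exe" example are opened without user action.
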
@@ -1,10 +1,11 @@
caption: Enable Chrome Cleanup on Windows
default: true
desc: |-
Setting the policy to Enabled or leaving it unset means Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is allowed.
Setting the policy to Disabled means Chrome Cleanup won't periodically scan and manual triggering is disabled.
Setting the policy to Disabled means Chrome Cleanup won't periodically scan and manual triggering is disabled.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this functionality is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, running on Windows 10 Pro, or enrolled in Chrome Browser Cloud Management.
On <ph name="MS_WIN_NAME">Microsoft® Windows®</ph>, this policy is only available on instances that are joined to a <ph name="MS_AD_NAME">Microsoft® Active Directory®</ph> domain, joined to <ph name="MS_AAD_NAME">Microsoft® Azure® Active Directory®</ph>` or enrolled in `<ph name="CHROME_BROWSER_CLOUD_MANAGEMENT_NAME">Chrome Browser Cloud Management</ph>`.
example_value: true
features:
dynamic_refresh: false