secureblue · RoyalOughtness · Nov 27, 2024 · Nov 23, 2024 · Nov 23, 2024 · Nov 23, 2024
@@ -0,0 +1,13 @@
+diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
+index bfbdf8fcc8fa0..fac996b413b3f 100644
+--- a/chrome/browser/chrome_content_browser_client.cc
++++ b/chrome/browser/chrome_content_browser_client.cc
+@@ -1581,7 +1581,7 @@ void ChromeContentBrowserClient::RegisterLocalStatePrefs(
+ // static
+ void ChromeContentBrowserClient::RegisterProfilePrefs(
+     user_prefs::PrefRegistrySyncable* registry) {
+-  registry->RegisterBooleanPref(prefs::kDisable3DAPIs, false);
++  registry->RegisterBooleanPref(prefs::kDisable3DAPIs, true);
+   registry->RegisterBooleanPref(prefs::kEnableHyperlinkAuditing, false);
+   // Register user prefs for mapping SitePerProcess and IsolateOrigins in
+   // user policy in addition to the same named ones in Local State (which are
@@ -2,22 +2,12 @@ diff --git a/chrome/browser/profiles/profile.cc b/chrome/browser/profiles/profil
 index 89254771117da..411ef3dfa5908 100644
 --- a/chrome/browser/profiles/profile.cc
 +++ b/chrome/browser/profiles/profile.cc
-@@ -42,6 +42,7 @@
- #include "content/public/browser/web_contents.h"
- #include "content/public/browser/web_ui.h"
- #include "extensions/buildflags/buildflags.h"
-+#include "base/command_line.h"
-
- #if BUILDFLAG(IS_CHROMEOS)
- #include "ash/constants/ash_switches.h"
-@@ -321,7 +322,9 @@ void Profile::RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) {
+@@ -321,7 +321,7 @@ void Profile::RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) {
    registry->RegisterIntegerPref(prefs::kContextualSearchPromoCardShownCount, 0);
  #endif  // BUILDFLAG(IS_ANDROID)
    registry->RegisterStringPref(prefs::kSessionExitType, std::string());
 -  registry->RegisterBooleanPref(prefs::kDisableExtensions, false);
-+  registry->RegisterBooleanPref(prefs::kDisableExtensions, !(base::CommandLine::
-+                                ForCurrentProcess()->HasSwitch(
-+                                                     "enable-extensions")));
++  registry->RegisterBooleanPref(prefs::kDisableExtensions, true);
  #if BUILDFLAG(ENABLE_EXTENSIONS)
    registry->RegisterBooleanPref(extensions::pref_names::kAlertsInitialized,
                                  false);
@@ -2,18 +2,18 @@ diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
 index 9d0181f447a1a..8e10017c678f9 100644
 --- a/chrome/browser/about_flags.cc
 +++ b/chrome/browser/about_flags.cc
-@@ -4220,6 +4220,39 @@ const FeatureEntry kFeatureEntries[] = {
+@@ -4220,6 +4220,36 @@ const FeatureEntry kFeatureEntries[] = {
  // //tools/flags/generate_unexpire_flags.py.
  #include "build/chromeos_buildflags.h"
  #include "chrome/browser/unexpire_flags_gen.inc"
-+    {"disable-internal-page-jit", "Disable Internal Page Jit",
-+     "Disable JIT for JavaScript and WASM on internal pages. Enabled by "
-+     "default. This feature is provided by hardened-chromium.",
-+     kOsAll, FEATURE_VALUE_TYPE(features::kDisableInternalPageJit)},
 +    {"incognito-launch", "Incognito Launch",
 +     "Launch external links and open new sessions in Incognito. Disabled by "
 +     "default. This feature is provided by hardened-chromium.",
 +     kOsAll, FEATURE_VALUE_TYPE(features::kIncognitoLaunch)},
++    {"show-punycode-domains", "Show punycode for IDN domains",
++     "Shows punycode for IDN domains to mitigate IDN homograph attacks. "
++     "Defaults to disabled. This feature is provided by hardened-chromium.",
++     kOsAll, FEATURE_VALUE_TYPE(url::kShowPunycodeDomains)},
 +    {"disable-cross-origin-referrers", "Clear cross-origin referrers",
 +     "Clears referrers when navigating across origins. Defaults to disabled. "
 +     "This feature is provided by hardened-chromium.", kOsAll,
@@ -27,13 +27,10 @@ index 9d0181f447a1a..8e10017c678f9 100644
 +     "Hides the profile icon in the toolbar in regular profiles. Defaults "
 +     "to enabled. This feature is provided by hardened-chromium." , kOsAll,
 +     FEATURE_VALUE_TYPE(features::kHideProfileIcon)},
-+    {"show-punycode-domains", "Show punycode for IDN domains",
-+     "Shows punycode for IDN domains to mitigate IDN homograph attacks. "
-+     "Defaults to disabled. This feature is provided by hardened-chromium.",
-+     kOsAll, FEATURE_VALUE_TYPE(url::kShowPunycodeDomains)},
-+    {"extensions-support", "Extensions Support",
-+     "Toggle extensions support. This switch is provided by hardened-chromium.",
-+     kOsAll, SINGLE_VALUE_TYPE("enable-extensions")},
++    {"disable-internal-page-jit", "Disable Internal Page Jit",
++     "Disable JIT for JavaScript and WASM on internal pages & extensions. "
++     "Enabled by default. This feature is provided by hardened-chromium.",
++     kOsAll, FEATURE_VALUE_TYPE(features::kDisableInternalPageJit)},
 +    {"enable-gssapi", "Enable GSSAPI Authentication",
 +     "Enables GSSAPI for authentication. WARNING! This can cause the "
 +     "network service sandbox to become persistently disabled, enable only "

@@ -0,0 +1,103 @@
+diff --git a/chrome/browser/extensions/api/settings_private/prefs_util.cc b/chrome/browser/extensions/api/settings_private/prefs_util.cc
+index 9be2589cac759..be53fe96dd397 100644
+--- a/chrome/browser/extensions/api/settings_private/prefs_util.cc
++++ b/chrome/browser/extensions/api/settings_private/prefs_util.cc
+@@ -172,6 +172,16 @@ const PrefsUtil::TypedPrefMap& PrefsUtil::GetAllowlistedKeys() {
+   }
+   s_allowlist = new PrefsUtil::TypedPrefMap();
+
++  // hardened-chromium
++  (*s_allowlist)[::prefs::kWebRTCIPHandlingPolicy] =
++      settings_api::PrefType::kString;
++  (*s_allowlist)[::prefs::kDisable3DAPIs] =
++      settings_api::PrefType::kBoolean;
++  (*s_allowlist)[::prefs::kWebKitForceDarkModeEnabled] =
++      settings_api::PrefType::kBoolean;
++  (*s_allowlist)[::prefs::kDisableExtensions] =
++      settings_api::PrefType::kBoolean;
++
+   // Miscellaneous
+   (*s_allowlist)[::embedder_support::kAlternateErrorPagesEnabled] =
+       settings_api::PrefType::kBoolean;
+diff --git a/chrome/browser/resources/settings/appearance_page/appearance_page.html b/chrome/browser/resources/settings/appearance_page/appearance_page.html
+index 47120511edffd..53f2330898dd9 100644
+--- a/chrome/browser/resources/settings/appearance_page/appearance_page.html
++++ b/chrome/browser/resources/settings/appearance_page/appearance_page.html
+@@ -119,6 +119,11 @@
+             </template>
+           </select>
+         </div>
++        <div class="hr"></div>
++        <settings-toggle-button
++            pref="{{prefs.webkit.webprefs.force_dark_mode_enabled}}"
++            label="Website Dark Mode">
++        </settings-toggle-button>
+         <div
+             class="hr"
+             hidden="[[!showHr_(
+diff --git a/chrome/browser/resources/settings/privacy_page/security_page.html b/chrome/browser/resources/settings/privacy_page/security_page.html
+index d54888d0e712f..2dbeb7b8b444b 100644
+--- a/chrome/browser/resources/settings/privacy_page/security_page.html
++++ b/chrome/browser/resources/settings/privacy_page/security_page.html
+@@ -7,6 +7,9 @@
+         padding: 0 var(--cr-section-padding);
+       }
+
++      #webrtcLabel {
++        flex: 1;
++      }
+
+       .bullet-line {
+         align-items: center;
+@@ -227,3 +230,27 @@
+           on-click="onChromeCertificatesClick_">
+       </cr-link-row>
+ </if>
++
++    <div id="hardeningSection">
++      <div class="cr-row first"><h2 class="cr-title-text">Hardening</h2></div>
++      <settings-toggle-button class="cr-row first"
++        pref="{{prefs.disable_3d_apis}}"
++        label="Disable 3D APIs"
++        sub-label="Disable features like WebGL and Pepper 3D">
++      </settings-toggle-button>
++      <div class="cr-row">
++        <div id="webrtcLabel" class="flex cr-padded-text" aria-hidden="true">
++          WebRTC Handling Policy
++        </div>
++        <settings-dropdown-menu
++          label="WebRTC Handling Policy"
++          pref="{{prefs.webrtc.ip_handling_policy}}"
++          menu-options="[[webrtcHandlingPolicyOptions_]]">
++        </settings-dropdown-menu>
++      </div>
++      <settings-toggle-button class="cr-row"
++        pref="{{prefs.extensions.disabled}}"
++        label="Disable Extensions">
++        sub-label="Changes to this setting requires a restart">
++      </settings-toggle-button>
++    </div>
+diff --git a/chrome/browser/resources/settings/privacy_page/security_page.ts b/chrome/browser/resources/settings/privacy_page/security_page.ts
+index b0371a95c7dbe..60857ef0ee296 100644
+--- a/chrome/browser/resources/settings/privacy_page/security_page.ts
++++ b/chrome/browser/resources/settings/privacy_page/security_page.ts
+@@ -111,6 +111,19 @@ export class SettingsSecurityPageElement extends
+       },
+       // </if>
+
++      webrtcHandlingPolicyOptions_: {
++        readOnly: true,
++        type: Array,
++        value() {
++          return [
++            {value: "default", name: "Default"},
++            {value: "default_public_and_private_interfaces", name: "Default Public and Private Interfaces"},
++            {value: "default_public_interface_only", name: "Default Public Interface Only"},
++            {value: "disable_non_proxied_udp", name: "Disable Non-Proxied UDP"},
++          ];
++        },
++      },
++
+       /**
+        * Whether the secure DNS setting should be displayed.
+        */