Disable TPCD bypasses

hardening.patch

@@ -32,11 +32,11 @@ index 931b9c0..451591e 100644
 +Name:	hardened-chromium%{chromium_channel}
  Version: 126.0.6478.182
 -Release: 1%{?dist}
-+Release: 3%{?dist}
++Release: 4%{?dist}
  Summary: A WebKit (Blink) powered web browser that Google doesn't want you to use
  Url: http://www.chromium.org/Home
  License: BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only)
-@@ -563,6 +563,82 @@ Patch413: fix-unknown-warning-option-messages.diff
+@@ -563,6 +563,83 @@ Patch413: fix-unknown-warning-option-messages.diff
  # 64kpage support on el8
  Patch500: chromium-124-el8-support-64kpage.patch
 
@@ -115,11 +115,12 @@ index 931b9c0..451591e 100644
 +Patch2077: disable-infobar-for-builds-without-api-key.patch
 +Patch2078: disable-printing-by-default.patch
 +Patch2079: enable-visited-link-database-partitioning.patch
++Patch2080: disable-tpcd-bypasses.patch
 +
  # Use chromium-latest.py to generate clean tarball from released build tarballs, found here:
  # http://build.chromium.org/buildbot/official/
  # For Chromium Fedora use chromium-latest.py --stable --ffmpegclean --ffmpegarm
-@@ -928,7 +1004,7 @@ Requires: libcanberra-gtk3%{_isa}
+@@ -928,7 +1005,7 @@ Requires: libcanberra-gtk3%{_isa}
  Requires: u2f-hidraw-policy
  %endif
 
@@ -128,7 +129,7 @@ index 931b9c0..451591e 100644
 
  # rhel 7: x86_64
  # rhel 8 or newer: x86_64, aarch64
-@@ -1098,7 +1174,7 @@ Requires(preun): systemd
+@@ -1098,7 +1175,7 @@ Requires(preun): systemd
  Requires(postun): systemd
  Requires: xorg-x11-server-Xvfb
  Requires: python3-psutil
@@ -137,7 +138,7 @@ index 931b9c0..451591e 100644
  Summary: Remote desktop support for google-chrome & chromium
 
  %description -n chrome-remote-desktop
-@@ -1107,7 +1183,7 @@ Remote desktop support for google-chrome & chromium.
+@@ -1107,7 +1184,7 @@ Remote desktop support for google-chrome & chromium.
 
  %package -n chromedriver
  Summary: WebDriver for Google Chrome/Chromium
@@ -146,7 +147,7 @@ index 931b9c0..451591e 100644
 
  %description -n chromedriver
  WebDriver is an open source tool for automated testing of webapps across many
-@@ -1118,7 +1194,7 @@ members of the Chromium and WebDriver teams.
+@@ -1118,7 +1195,7 @@ members of the Chromium and WebDriver teams.
 
  %package headless
  Summary:	A minimal headless shell built from Chromium
@@ -155,7 +156,7 @@ index 931b9c0..451591e 100644
 
  %description headless
  A minimal headless client built from Chromium. headless_shell is built
-@@ -1127,14 +1203,14 @@ udev.
+@@ -1127,14 +1204,14 @@ udev.
 
  %package qt5-ui
  Summary: Qt5 UI built from Chromium
@@ -172,7 +173,7 @@ index 931b9c0..451591e 100644
 
  %description qt6-ui
  Qt6 UI for chromium.
-@@ -1341,6 +1417,79 @@ cp /opt/rh/%{toolset}-%{dts_version}/root/usr/include/c++/%{dts_version}/optiona
+@@ -1341,6 +1418,80 @@ cp /opt/rh/%{toolset}-%{dts_version}/root/usr/include/c++/%{dts_version}/optiona
  %endif
  %endif
 
@@ -249,10 +250,11 @@ index 931b9c0..451591e 100644
 +%patch -P2077 -p1 -b .disable-infobar-for-builds-without-api-key
 +%patch -P2078 -p1 -b .disable-printing-by-default
 +%patch -P2079 -p1 -b .enable-visited-link-database-partitioning
++%patch -P2080 -p1 -b .disable-tpcd-bypasses
  # Change shebang in all relevant files in this directory and all subdirectories
  # See `man find` for how the `-exec command {} +` syntax works
  find -type f \( -iname "*.py" \) -exec sed -i '1s=^#! */usr/bin/\(python\|env python\)[23]\?=#!%{chromium_pybin}=' {} +
-@@ -1393,7 +1542,7 @@ cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h
+@@ -1393,7 +1544,7 @@ cp -a %{_includedir}/libusb-1.0/libusb.h third_party/libusb/src/libusb/libusb.h
  %endif
 
  # Hard code extra version
@@ -261,7 +263,7 @@ index 931b9c0..451591e 100644
 
  # Fix hardcoded path in remoting code
  sed -i 's|/opt/google/chrome-remote-desktop|%{crd_path}|g' remoting/host/setup/daemon_controller_delegate_linux.cc
-@@ -1494,9 +1643,11 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene
+@@ -1494,9 +1645,11 @@ sed -i 's|OFFICIAL_BUILD|GOOGLE_CHROME_BUILD|g' tools/generate_shim_headers/gene
 
  CHROMIUM_CORE_GN_DEFINES+=' chrome_pgo_phase=0'
 
@@ -276,7 +278,7 @@ index 931b9c0..451591e 100644
 
  %if %{useapikey}
  CHROMIUM_CORE_GN_DEFINES+=' google_api_key="%{api_key}"'
-@@ -1547,6 +1698,9 @@ CHROMIUM_CORE_GN_DEFINES+=' use_custom_libcxx=false'
+@@ -1547,6 +1700,9 @@ CHROMIUM_CORE_GN_DEFINES+=' use_custom_libcxx=false'
  %endif
  CHROMIUM_CORE_GN_DEFINES+=' enable_iterator_debugging=false'
  CHROMIUM_CORE_GN_DEFINES+=' enable_vr=false'
@@ -286,7 +288,7 @@ index 931b9c0..451591e 100644
  CHROMIUM_CORE_GN_DEFINES+=' build_dawn_tests=false enable_perfetto_unittests=false'
  CHROMIUM_CORE_GN_DEFINES+=' disable_fieldtrial_testing_config=true'
  CHROMIUM_CORE_GN_DEFINES+=' symbol_level=%{debug_level} blink_symbol_level=%{debug_level}'
-@@ -1586,8 +1740,8 @@ CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false'
+@@ -1586,8 +1742,8 @@ CHROMIUM_BROWSER_GN_DEFINES+=' use_qt6=false'
  %endif
 
  CHROMIUM_BROWSER_GN_DEFINES+=' use_gio=true use_pulseaudio=true'
@@ -297,7 +299,7 @@ index 931b9c0..451591e 100644
 
  %if %{use_vaapi}
  CHROMIUM_BROWSER_GN_DEFINES+=' use_vaapi=true'
-@@ -1784,15 +1938,15 @@ rm -rf %{buildroot}
+@@ -1784,15 +1940,15 @@ rm -rf %{buildroot}
 
  mkdir -p %{buildroot}%{_bindir} \
           %{buildroot}%{chromium_path}/locales \
@@ -316,7 +318,7 @@ index 931b9c0..451591e 100644
  %endif
 
  export BUILD_TARGET=`cat /etc/redhat-release`
-@@ -1953,7 +2107,7 @@ mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
+@@ -1953,7 +2109,7 @@ mkdir -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
  cp -a chrome/app/theme/chromium/product_logo_24.png %{buildroot}%{_datadir}/icons/hicolor/24x24/apps/%{chromium_browser_channel}.png
 
  # Install the master_preferences file
@@ -325,7 +327,7 @@ index 931b9c0..451591e 100644
 
  mkdir -p %{buildroot}%{_datadir}/applications/
  desktop-file-install --dir %{buildroot}%{_datadir}/applications %{SOURCE4}
-@@ -2005,11 +2159,11 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
+@@ -2005,11 +2161,11 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
  %doc AUTHORS README.fedora
  %doc chrome_policy_list.html *.json
  %license LICENSE

patches/disable-tpcd-bypasses.patch

@@ -0,0 +1,26 @@
+diff --git a/components/content_settings/core/common/features.cc b/components/content_settings/core/common/features.cc
+index c1340623701ba..07ef347995154 100644
+--- a/components/content_settings/core/common/features.cc
++++ b/components/content_settings/core/common/features.cc
+@@ -100,7 +100,7 @@ const char kTpcdReadHeuristicsGrantsName[] = "TpcdReadHeuristicsGrants";
+
+ BASE_FEATURE(kTpcdHeuristicsGrants,
+              "TpcdHeuristicsGrants",
+-             base::FEATURE_ENABLED_BY_DEFAULT);
++             base::FEATURE_DISABLED_BY_DEFAULT);
+
+ const base::FeatureParam<bool> kTpcdReadHeuristicsGrants{
+     &kTpcdHeuristicsGrants, kTpcdReadHeuristicsGrantsName, true};
+diff --git a/net/base/features.cc b/net/base/features.cc
+index 387c7f01e1f5e..106176e8d4265 100644
+--- a/net/base/features.cc
++++ b/net/base/features.cc
+@@ -257,7 +257,7 @@ BASE_FEATURE(kTopLevelTpcdTrialSettings,
+
+ BASE_FEATURE(kTpcdMetadataGrants,
+              "TpcdMetadataGrants",
+-             base::FEATURE_ENABLED_BY_DEFAULT);
++             base::FEATURE_DISABLED_BY_DEFAULT);
+
+ BASE_FEATURE(kTpcdMetadataStageControl,
+              "TpcdMetadataStageControl",