secureblue · RoyalOughtness · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025
@@ -11,32 +11,31 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e
 See the License for the specific language governing permissions and limitations under the License.
 ---
 diff --git a/net/base/features.cc b/net/base/features.cc
-index 302f1a22d7d7e..4821492c651e1 100644
+index 58aa8a22e7..4d4d1689d7 100644
 --- a/net/base/features.cc
 +++ b/net/base/features.cc
-@@ -19,9 +19,13 @@ BASE_FEATURE(kAvoidH2Reprioritization,
-              "AvoidH2Reprioritization",
+@@ -24,9 +24,12 @@ BASE_FEATURE(AlpsForHttp2, base::FEATURE_ENABLED_BY_DEFAULT);
+
+ BASE_FEATURE(AvoidH2Reprioritization, base::FEATURE_DISABLED_BY_DEFAULT);
+
+-BASE_FEATURE(CapReferrerToOriginOnCrossOrigin,
++BASE_FEATURE(DisableCrossOriginReferrers,
               base::FEATURE_DISABLED_BY_DEFAULT);
-
-+BASE_FEATURE(kDisableCrossOriginReferrers,
-+             "DisableCrossOriginReferrers",
-+             base::FEATURE_DISABLED_BY_DEFAULT);
-+
- BASE_FEATURE(kCapReferrerToOriginOnCrossOrigin,
-              "CapReferrerToOriginOnCrossOrigin",
--             base::FEATURE_DISABLED_BY_DEFAULT);
+
++BASE_FEATURE(CapReferrerToOriginOnCrossOrigin,
 +             base::FEATURE_ENABLED_BY_DEFAULT);
-
- BASE_FEATURE(kAsyncDns,
-              "AsyncDns",
++
+ BASE_FEATURE(AsyncDns,
+ #if BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_ANDROID) || \
+     BUILDFLAG(IS_WIN) || BUILDFLAG(IS_LINUX)
 diff --git a/net/base/features.h b/net/base/features.h
-index ffa3f6ced770b..d1f430814ca7e 100644
+index 8d1d6e3beb..fed8be738f 100644
 --- a/net/base/features.h
 +++ b/net/base/features.h
-@@ -26,6 +26,9 @@ NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2);
+@@ -29,6 +29,9 @@ NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2);
  // Disable H2 reprioritization, in order to measure its impact.
  NET_EXPORT BASE_DECLARE_FEATURE(kAvoidH2Reprioritization);
- 
+
 +// Disables referrers when navigating across origins.
 +NET_EXPORT BASE_DECLARE_FEATURE(kDisableCrossOriginReferrers);
 +

@@ -71,27 +71,25 @@ index 2e5e7c71a5..228d8795f8 100644
 
    if (DisallowV8FeatureFlagOverrides()) {
 diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc
-index cb7c7263bd..fad9831c58 100644
+index f087a28da0..5cf9a313fd 100644
 --- a/content/public/common/content_features.cc
 +++ b/content/public/common/content_features.cc
-@@ -19,6 +19,10 @@ namespace features {
- 
+@@ -19,6 +19,8 @@ namespace features {
+
  // All features in alphabetical order.
-
-+BASE_FEATURE(kEnableDrumbrake,
-+             "JitlessWasmInterpreter",
-+             base::FEATURE_ENABLED_BY_DEFAULT);
+
++BASE_FEATURE(EnableDrumbrake, base::FEATURE_ENABLED_BY_DEFAULT);
 +
  // Kill switch to guard additional security checks performed by the browser
  // process on opaque origins, such as when verifying source origins for
  // postMessage. See https://crbug.com/40109437.
-@@ -1209,7 +1213,7 @@ BASE_FEATURE(kDisableProcessReuse,
+@@ -1010,7 +1012,7 @@ BASE_FEATURE(DisableProcessReuse, base::FEATURE_DISABLED_BY_DEFAULT);
+ // Controls whether SpareRenderProcessHostManager tries to always have a warm
+ // spare renderer process around for the most recently requested BrowserContext.
  // This feature is only consulted in site-per-process mode.
- BASE_FEATURE(kSpareRendererForSitePerProcess,
-              "SpareRendererForSitePerProcess",
--             base::FEATURE_ENABLED_BY_DEFAULT);
-+             base::FEATURE_DISABLED_BY_DEFAULT);
-
+-BASE_FEATURE(SpareRendererForSitePerProcess, base::FEATURE_ENABLED_BY_DEFAULT);
++BASE_FEATURE(SpareRendererForSitePerProcess, base::FEATURE_DISABLED_BY_DEFAULT);
+
  // Controls whether site isolation should use origins instead of scheme and
  // eTLD+1.
 diff --git a/content/public/common/content_features.h b/content/public/common/content_features.h

@@ -190,41 +190,32 @@ index 0496c9046b553..f8113cc56c33c 100644
              learn-more-url="$i18n{safeBrowsingHelpCenterURL}">
            <template is="dom-if" if="[[!enableBundledSecuritySettings_]]">
 diff --git a/chrome/browser/resources/settings/privacy_page/privacy_page.ts b/chrome/browser/resources/settings/privacy_page/privacy_page.ts
-index 218a1933cd5e7..75ae2f8376369 100644
+index b45a26e611..a7218cfa6d 100644
 --- a/chrome/browser/resources/settings/privacy_page/privacy_page.ts
 +++ b/chrome/browser/resources/settings/privacy_page/privacy_page.ts
-@@ -290,7 +290,7 @@ export class SettingsPrivacyPageElement extends SettingsPrivacyPageElementBase {
-       shouldShowSafetyHub_: {
-         type: Boolean,
-         value() {
--          return !loadTimeData.getBoolean('isGuest');
-+          return false;
-         },
-       },
-
-@@ -561,8 +561,7 @@ export class SettingsPrivacyPageElement extends SettingsPrivacyPageElementBase {
+@@ -483,8 +483,7 @@ export class SettingsPrivacyPageElement extends SettingsPrivacyPageElementBase {
    }
- 
+
    private shouldShowAdPrivacy_(): boolean {
 -    return !this.isPrivacySandboxRestricted_ ||
 -        this.isPrivacySandboxRestrictedNoticeEnabled_;
 +    return false;
    }
- 
+
    private onBrowsingDataDeleted_(
 diff --git a/chrome/browser/resources/settings/privacy_page/privacy_page_index.html b/chrome/browser/resources/settings/privacy_page/privacy_page_index.html
-index 7e056817e5a11..f136baedcd768 100644
+index fb981e1f71..7443b4508e 100644
 --- a/chrome/browser/resources/settings/privacy_page/privacy_page_index.html
 +++ b/chrome/browser/resources/settings/privacy_page/privacy_page_index.html
-@@ -25,7 +25,7 @@
-   <template is="dom-if" if="[[showPage_(pageVisibility_.safetyHub)]]">
+@@ -22,7 +22,7 @@
+     </settings-section>
+   </template>
+
+-  <template is="dom-if" if="[[showPage_(pageVisibility_.safetyHub)]]">
++  <template style="display:none" is="dom-if" if="[[showPage_(pageVisibility_.safetyHub)]]">
      <template is="dom-if" if="[[renderView_(
          routes_.PRIVACY, currentRoute, inSearchMode)]]">
--      <settings-section slot="view" id="safetyHubEntryPoint"
-+      <settings-section style="display:none" slot="view" id="safetyHubEntryPoint"
-           page-title="$i18n{safetyHub}">
-         <settings-safety-hub-entry-point></settings-safety-hub-entry-point>
-       </settings-section>
+       <settings-safety-hub-entry-point slot="view" id="safetyHubEntryPoint">
 diff --git a/chrome/browser/resources/settings/privacy_page/security_page.html b/chrome/browser/resources/settings/privacy_page/security_page.html
 index ae93043d94ddc..4b87309d91176 100644
 --- a/chrome/browser/resources/settings/privacy_page/security_page.html
@@ -548,19 +539,6 @@ index 1c28609bdd978..2cc609c23786c 100644
 
    html_source->AddBoolean("enableHandTrackingContentSetting",
  #if BUILDFLAG(ENABLE_VR)
-diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
-index c01a0881828c8..4d19ddc95b79c 100644
---- a/chrome/common/chrome_features.cc
-+++ b/chrome/common/chrome_features.cc
-@@ -1336,7 +1336,7 @@ BASE_FEATURE(kSafetyHubExtensionsOffStoreTrigger,
- #endif
-
- // Enables Safety Hub feature.
--BASE_FEATURE(kSafetyHub, "SafetyHub", base::FEATURE_ENABLED_BY_DEFAULT);
-+BASE_FEATURE(kSafetyHub, "SafetyHub", base::FEATURE_DISABLED_BY_DEFAULT);
-
- BASE_FEATURE(kSafetyHubThreeDotDetails,
-              "SafetyHubThreeDotDetails",
 diff --git a/components/security_interstitials/core/browser/resources/interstitial_large.js b/components/security_interstitials/core/browser/resources/interstitial_large.js
 index 2d453febf6ecf..b4ef0632ad5c3 100644
 --- a/components/security_interstitials/core/browser/resources/interstitial_large.js

@@ -11,39 +11,37 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e
 See the License for the specific language governing permissions and limitations under the License.
 ---
 diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
-index 0c04c90368..75e2814d69 100644
+index 516f7d85fc..60afef1891 100644
 --- a/build/config/compiler/BUILD.gn
 +++ b/build/config/compiler/BUILD.gn
-@@ -383,14 +383,25 @@ config("compiler") {
+@@ -413,14 +413,23 @@ config("compiler") {
        # On Aarch64, SCS requires the x18 register to be unused because it will hold
        # a pointer to the shadow stack. For Android we know that Clang doesn't use
        # x18 by default. On other OSs adding "-ffixed-x18" might be required.
 -      assert(is_android)
 +      assert(is_linux && target_cpu == "arm64")
- 
+
        scs_parameters = [
          "-fsanitize=shadow-call-stack",
 -        "-fno-stack-protector",
 +        "-fstack-protector-strong",
        ]
-+
 +      rs_scs_params = [
-+        "-Zsanitizer=shadow-call-stack",
++        #"-Zsanitizer=shadow-call-stack",
 +        "-Zstack-protector=strong",
 +      ]
-+
-+      if (is_linux) {
++      if (!is_android) {
 +        scs_parameters += [ "-ffixed-x18" ]
-+        rs_scs_params += [ "-Zfixed-x18" ]
++        #rs_scs_params += [ "-Zfixed-x18" ]
 +      }
        cflags += scs_parameters
        ldflags += scs_parameters
 +      rustflags += rs_scs_params
      } else {
        if (is_apple) {
          # The strong variant of the stack protector significantly increases
-@@ -405,11 +416,19 @@ config("compiler") {
-       } else if ((is_posix && !is_nacl) || is_fuchsia) {
+@@ -435,11 +444,19 @@ config("compiler") {
+       } else if (is_posix || is_fuchsia) {
          if (current_os != "aix") {
            # Not available on aix.
 -          cflags += [ "-fstack-protector" ]
@@ -52,7 +50,7 @@ index 0c04c90368..75e2814d69 100644
          }
        }
      }
- 
+
 +    if (is_linux) {
 +      cflags += [
 +        "-fstack-clash-protection",
@@ -63,18 +61,18 @@ index 0c04c90368..75e2814d69 100644
      if (use_lld) {
        ldflags += [ "-fuse-ld=lld" ]
        if (lld_path != "") {
-@@ -2299,7 +2318,7 @@ config("chromium_code") {
+@@ -2305,7 +2322,7 @@ config("chromium_code") {
        # Non-chromium code is not guaranteed to compile cleanly with
        # _FORTIFY_SOURCE. Also, fortified build may fail when optimizations are
        # disabled, so only do that for Release build.
 -      fortify_level = "2"
 +      fortify_level = "3"
- 
+
        # ChromeOS's toolchain supports a high-quality _FORTIFY_SOURCE=3
        # implementation with a few custom glibc patches. Use that if it's
-@@ -3389,8 +3408,14 @@ buildflag_header("compiler_buildflags") {
+@@ -3331,8 +3348,14 @@ buildflag_header("compiler_buildflags") {
  }
- 
+
  config("cet_shadow_stack") {
 -  if (enable_cet_shadow_stack && is_win) {
 +  if (enable_cet_shadow_stack) {

@@ -11,18 +11,18 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e
 See the License for the specific language governing permissions and limitations under the License.
 ---
 diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc
-index a0ac946fc64b4..bb3ba83bf77a9 100644
+index f087a28da0..c2d81c423f 100644
 --- a/content/public/common/content_features.cc
 +++ b/content/public/common/content_features.cc
-@@ -192,7 +192,7 @@ BASE_FEATURE(kCdmStorageDatabaseMigration,
+@@ -202,7 +202,7 @@ BASE_FEATURE(CapturedSurfaceControlKillswitch,
+ // Clear the window.name property for the top-level cross-site navigations that
  // swap BrowsingContextGroups(BrowsingInstances).
- BASE_FEATURE(kClearCrossSiteCrossBrowsingContextGroupWindowName,
-              "ClearCrossSiteCrossBrowsingContextGroupWindowName",
+ BASE_FEATURE(ClearCrossSiteCrossBrowsingContextGroupWindowName,
 -             base::FEATURE_DISABLED_BY_DEFAULT);
 +             base::FEATURE_ENABLED_BY_DEFAULT);
+
+ BASE_FEATURE(CompositeBGColorAnimation, base::FEATURE_DISABLED_BY_DEFAULT);
 
- BASE_FEATURE(kCompositeBGColorAnimation,
-              "CompositeBGColorAnimation",
 diff --git a/third_party/blink/renderer/core/loader/document_loader.cc b/third_party/blink/renderer/core/loader/document_loader.cc
 index 85c4d912e2fdb..d03099ab283f0 100644
 --- a/third_party/blink/renderer/core/loader/document_loader.cc

@@ -68,18 +68,18 @@ index d016286d9cb7a..89ac48fb06cd8 100644
 
  #if BUILDFLAG(IS_CHROMEOS)
 diff --git a/components/omnibox/browser/aim_eligibility_service.cc b/components/omnibox/browser/aim_eligibility_service.cc
-index 88bf166cbcff5..f10dcacc03f70 100644
+index ffedbe6af7..990c311482 100644
 --- a/components/omnibox/browser/aim_eligibility_service.cc
 +++ b/components/omnibox/browser/aim_eligibility_service.cc
-@@ -62,7 +62,7 @@ static constexpr char kRequestPath[] = "/async/folae";
- static constexpr char kRequestQuery[] = "async=_fmt:pb";
-
- // The default value for the AIM policy pref; 0 = allowed, 1 = disallowed.
--constexpr int kAIModeAllowedDefault = 0;
-+constexpr int kAIModeAllowedDefault = 1;
- 
- // Returns the request URL or an empty GURL if a valid URL cannot be created;
- // e.g., Google is not the default search provider.
+@@ -59,7 +59,7 @@ static constexpr char kRequestQuery[] = "async=_fmt:pb";
+ // `GenAiDefaultSettings` policy if `AIModeSettings` isn't set, or the default
+ // pref value (0) if neither policy is set. Do not change this value without
+ // migrating the existing prefs and the policy's prefs mapping.
+-constexpr int kAiModeAllowedDefault = 0;
++constexpr int kAiModeAllowedDefault = 1;
+
+ // The pref name used for storing the eligibility response proto.
+ constexpr char kResponsePrefName[] =
 diff --git a/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc b/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc
 index d2163e7eef014..8090c19e5ab09 100644
 --- a/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc

@@ -11,10 +11,10 @@ distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, e
 See the License for the specific language governing permissions and limitations under the License.
 ---
 diff --git a/components/autofill/core/common/autofill_prefs.cc b/components/autofill/core/common/autofill_prefs.cc
-index 08699c4ee2..dbbb017115 100644
+index 9919d52a43..3f0b8a4d9f 100644
 --- a/components/autofill/core/common/autofill_prefs.cc
 +++ b/components/autofill/core/common/autofill_prefs.cc
-@@ -29,7 +29,7 @@ constexpr char kAutofillRanQuasiDuplicateExtraDeduplication[] =
+@@ -31,7 +31,7 @@ constexpr char kAutofillRanQuasiDuplicateExtraDeduplication[] =
  void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) {
    // Synced prefs. Used for cross-device choices, e.g., credit card Autofill.
    registry->RegisterBooleanPref(
@@ -23,7 +23,7 @@ index 08699c4ee2..dbbb017115 100644
        user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
    registry->RegisterIntegerPref(
        kAutofillLastVersionDeduped, 0,
-@@ -38,13 +38,13 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) {
+@@ -40,13 +40,13 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) {
        kAutofillHasSeenIban, false,
        user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
    registry->RegisterBooleanPref(
@@ -38,5 +38,5 @@ index 08699c4ee2..dbbb017115 100644
 -      kAutofillPaymentCardBenefits, true,
 +      kAutofillPaymentCardBenefits, false,
        user_prefs::PrefRegistrySyncable::SYNCABLE_PREF);
- 
-   // Non-synced prefs. Used for per-device choices, e.g., signin promo.
+
+   registry->RegisterStringPref(kAutofillNameAndEmailProfileSignature, "",
@@ -10,14 +10,14 @@ Unless required by applicable law or agreed to in writing, software distributed
 distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
 ---
-diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc
-index 75b2720edef81..2763ad5a33c7d 100644
+iff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc
+index f087a28da0..d170478965 100644
 --- a/content/public/common/content_features.cc
 +++ b/content/public/common/content_features.cc
-@@ -47,7 +47,7 @@ BASE_FEATURE(kAudioServiceOutOfProcess,
+@@ -112,7 +112,7 @@ BASE_FEATURE(AudioServiceOutOfProcess,
+ // Enables the audio-service sandbox. This feature has an effect only when the
  // kAudioServiceOutOfProcess feature is enabled.
- BASE_FEATURE(kAudioServiceSandbox,
-              "AudioServiceSandbox",
+ BASE_FEATURE(AudioServiceSandbox,
 -#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_FUCHSIA)
 +#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX)
               base::FEATURE_ENABLED_BY_DEFAULT