Update policy templates and examples for HTTP-Bad

This tweaks the policy templates and examples to be clearer about affects on the "Not Secure" UI and how wildcard hostname patterns work. Bug: 844885 Change-Id: I49eba85762272a0bfedb4163cecad1b8e6df513a Reviewed-on: https://chromium-review.googlesource.com/1166247Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org> Commit-Queue: Christopher Thompson <cthomp@chromium.org> Cr-Commit-Position: refs/heads/master@{#582260}

Update policy templates and examples for HTTP-Bad
This tweaks the policy templates and examples to be clearer about affects on the "Not Secure" UI and how wildcard hostname patterns work. Bug: 844885 Change-Id: I49eba85762272a0bfedb4163cecad1b8e6df513a Reviewed-on: https://chromium-review.googlesource.com/1166247Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org> Commit-Queue: Christopher Thompson <cthomp@chromium.org> Cr-Commit-Position: refs/heads/master@{#582260}
1ac9b351 · Christopher Thompson · Commit Bot · 11811235 · 1ac9b351 · 1ac9b351
Commit 1ac9b351 authored Aug 10, 2018 by Christopher Thompson Committed by Commit Bot Aug 10, 2018
Showing with 55 additions and 15 deletions

chrome/test/data/policy/policy_test_cases.json chrome/test/data/policy/policy_test_cases.json +3 -3

components/policy/resources/policy_templates.json components/policy/resources/policy_templates.json +52 -12

No files found.
--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -43,15 +43,15 @@
  },
  "OverrideSecurityRestrictionsOnInsecureOrigin": {
-    "os": ["win", "linux", "mac"],
+    "os": ["win", "linux", "mac", "android", "chromeos"],
-    "test_policy": { "OverrideSecurityRestrictionsOnInsecureOrigin": ["http://example.com/"] },
+    "test_policy": { "OverrideSecurityRestrictionsOnInsecureOrigin": ["http://example.com/","*.example.com"] },
    "pref_mappings": [ { "pref": "unsafely_treat_insecure_origin_as_secure" } ]
  },
  "UnsafelyTreatInsecureOriginAsSecure": {
    "note": "This policy is deprecated.",
    "os": ["win", "linux", "mac"],
-    "test_policy": { "UnsafelyTreatInsecureOriginAsSecure": ["http://example.com/"] },
+    "test_policy": { "UnsafelyTreatInsecureOriginAsSecure": ["http://example.com/","*.example.com"] },
    "pref_mappings": [ { "pref": "unsafely_treat_insecure_origin_as_secure" } ]
  },

--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -11445,15 +11445,37 @@
        'dynamic_refresh': False,
        'per_profile': True,
      },
-      'example_value': ['http://testserver.example.com/'],
+      'example_value': ['http://testserver.example.com/','*.example.org'],
      'id': 400,
-      'caption': '''Origins to be treated as secure context.''',
+      'caption': '''Origins or hostname patterns for which restrictions on
+      insecure origins should not apply''',
      'tags': ['system-security'],
-      'desc': '''Deprecated in M69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.
+      'desc': '''Deprecated in M69. Use
+      OverrideSecurityRestrictionsOnInsecureOrigin instead.
-      The policy specifies a list of origins (URLs) to be treated as secure context. The intent is to allow organizations to set up a staging server for internal web development, so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server.
-      Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.
+      The policy specifies a list of origins (URLs) or hostname patterns (such
-      For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/
+      as "*.example.com") for which security restrictions on insecure origins
+      will not apply.
+      The intent is to allow organizations to whitelist origins for legacy
+      applications that cannot deploy TLS, or to set up a staging server for
+      internal web development so that their developers can test out features
+      requiring secure contexts without having to deploy TLS on the staging
+      server. This policy will also prevent the origin from being labeled
+      "Not Secure" in the omnibox.
+      Setting a list of URLs in this policy has the same effect as setting the
+      command-line flag '--unsafely-treat-insecure-origin-as-secure' to a
+      comma-separated list of the same URLs. If the policy is set, it will
+      override the command-line flag.
+      This policy is deprecated in M69 in favor of
+      OverrideSecurityRestrictionsOnInsecureOrigin. If both policies are
+      present, OverrideSecurityRestrictionsOnInsecureOrigin will override this
+      policy.
+      For more information on secure contexts, see
+      https://www.w3.org/TR/secure-contexts/
      '''
    },
    {
@@ -12518,14 +12540,32 @@
        'dynamic_refresh': False,
        'per_profile': True,
      },
-      'example_value': ['http://testserver.example.com/'],
+      'example_value': ['http://testserver.example.com/','*.example.org'],
      'id': 457,
-      'caption': '''Origins or hostname patterns to be treated as secure context.''',
+      'caption': '''Origins or hostname patterns for which restrictions on
+      insecure origins should not apply''',
      'tags': ['system-security'],
      'desc': '''
-      The policy specifies a list of origins (URLs) or hostname patterns (such as "*.example.com") to be treated as secure contexts. The intent is to allow organizations to set up a staging server for internal web development, so that their developers can test out features requiring secure contexts without having to deploy TLS on the staging server.
+      The policy specifies a list of origins (URLs) or hostname patterns (such
-      Setting a list of URLs in this policy has the same effect as setting the command-line flag '--unsafely-treat-insecure-origin-as-secure' to a comma-separated list of the same URLs. If the policy is set, it will override the command-line flag.
+      as "*.example.com") for which security restrictions on insecure origins
-      For more information on secure contexts, see https://www.w3.org/TR/secure-contexts/
+      will not apply.
+      The intent is to allow organizations to set whitelist origins for legacy
+      applications that cannot deploy TLS, or to set up a staging server for
+      internal web development so that their developers can test out features
+      requiring secure contexts without having to deploy TLS on the staging
+      server. This policy will also prevent the origin from being labeled
+      "Not Secure" in the omnibox.
+      Setting a list of URLs in this policy has the same effect as setting the
+      command-line flag '--unsafely-treat-insecure-origin-as-secure' to a
+      comma-separated list of the same URLs. If the policy is set, it will
+      override the command-line flag.
+      This policy will override UnsafelyTreatInsecureOriginAsSecure, if present.
+      For more information on secure contexts, see
+      https://www.w3.org/TR/secure-contexts/.
      '''
    },
    {