[NativeFS] Add enterprise policies.

This adds enterprise policies to enable auto-denying access to the file system via the native file system API to certain URLs. No policy yet for auto-granting, as that seems more dangerous, and also probably would be better in the form of granting access to specific paths rather than blanket access. Bug: 977764 Change-Id: Ie6d9f8c6cdef84ce922a7b110ab1424499157820 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2321240Reviewed-by: Owen Min <zmin@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Commit-Queue: Marijn Kruisselbrink <mek@chromium.org> Cr-Commit-Position: refs/heads/master@{#798381}

[NativeFS] Add enterprise policies.
This adds enterprise policies to enable auto-denying access to the file system via the native file system API to certain URLs. No policy yet for auto-granting, as that seems more dangerous, and also probably would be better in the form of granting access to specific paths rather than blanket access. Bug: 977764 Change-Id: Ie6d9f8c6cdef84ce922a7b110ab1424499157820 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2321240Reviewed-by: Owen Min <zmin@chromium.org> Reviewed-by: Balazs Engedy <engedy@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Commit-Queue: Marijn Kruisselbrink <mek@chromium.org> Cr-Commit-Position: refs/heads/master@{#798381}
2283f6d8 · Marijn Kruisselbrink · Commit Bot · bc330327 · 2283f6d8 · 2283f6d8
Commit 2283f6d8 authored Aug 15, 2020 by Marijn Kruisselbrink Committed by Commit Bot Aug 15, 2020
8 changed files
--- a/chrome/browser/native_file_system/chrome_native_file_system_permission_context_unittest.cc
+++ b/chrome/browser/native_file_system/chrome_native_file_system_permission_context_unittest.cc
@@ -10,6 +10,7 @@
 #include "base/base_paths.h"
 #include "base/files/file_path.h"
 #include "base/files/scoped_temp_dir.h"
+#include "base/json/json_reader.h"
 #include "base/run_loop.h"
 #include "base/test/bind_test_util.h"
 #include "base/test/scoped_path_override.h"
@@ -19,6 +20,8 @@
 #include "chrome/common/chrome_paths.h"
 #include "chrome/test/base/testing_profile.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
+#include "components/content_settings/core/common/pref_names.h"
+#include "components/sync_preferences/testing_pref_service_syncable.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/test/browser_task_environment.h"
 #include "content/public/test/test_renderer_host.h"
@@ -128,6 +131,7 @@ class ChromeNativeFileSystemPermissionContextTest : public testing::Test {
    return permission_context_.get();
  }
  BrowserContext* browser_context() { return &profile_; }
+  TestingProfile* profile() { return &profile_; }

 protected:
  const url::Origin kTestOrigin =
@@ -339,4 +343,67 @@ TEST_F(ChromeNativeFileSystemPermissionContextTest,
  EXPECT_TRUE(permission_context()->CanObtainWritePermission(kChromeOrigin));
 }

+TEST_F(ChromeNativeFileSystemPermissionContextTest, PolicyReadGuardPermission) {
+  auto* prefs = profile()->GetTestingPrefService();
+  prefs->SetManagedPref(prefs::kManagedDefaultFileSystemReadGuardSetting,
+                        std::make_unique<base::Value>(CONTENT_SETTING_BLOCK));
+
+  EXPECT_FALSE(permission_context()->CanObtainReadPermission(kTestOrigin));
+}
+
+TEST_F(ChromeNativeFileSystemPermissionContextTest,
+       PolicyWriteGuardPermission) {
+  auto* prefs = profile()->GetTestingPrefService();
+  prefs->SetManagedPref(prefs::kManagedDefaultFileSystemWriteGuardSetting,
+                        std::make_unique<base::Value>(CONTENT_SETTING_BLOCK));
+
+  EXPECT_FALSE(permission_context()->CanObtainWritePermission(kTestOrigin));
+}
+
+TEST_F(ChromeNativeFileSystemPermissionContextTest, PolicyReadAskForUrls) {
+  // Set the default to "block" so that the policy being tested overrides it.
+  auto* prefs = profile()->GetTestingPrefService();
+  prefs->SetManagedPref(prefs::kManagedDefaultFileSystemReadGuardSetting,
+                        std::make_unique<base::Value>(CONTENT_SETTING_BLOCK));
+  prefs->SetManagedPref(prefs::kManagedFileSystemReadAskForUrls,
+                        base::JSONReader::ReadDeprecated(
+                            "[\"" + kTestOrigin.Serialize() + "\"]"));
+
+  EXPECT_TRUE(permission_context()->CanObtainReadPermission(kTestOrigin));
+  EXPECT_FALSE(permission_context()->CanObtainReadPermission(kTestOrigin2));
+}
+
+TEST_F(ChromeNativeFileSystemPermissionContextTest, PolicyReadBlockedForUrls) {
+  auto* prefs = profile()->GetTestingPrefService();
+  prefs->SetManagedPref(prefs::kManagedFileSystemReadBlockedForUrls,
+                        base::JSONReader::ReadDeprecated(
+                            "[\"" + kTestOrigin.Serialize() + "\"]"));
+
+  EXPECT_FALSE(permission_context()->CanObtainReadPermission(kTestOrigin));
+  EXPECT_TRUE(permission_context()->CanObtainReadPermission(kTestOrigin2));
+}
+
+TEST_F(ChromeNativeFileSystemPermissionContextTest, PolicyWriteAskForUrls) {
+  // Set the default to "block" so that the policy being tested overrides it.
+  auto* prefs = profile()->GetTestingPrefService();
+  prefs->SetManagedPref(prefs::kManagedDefaultFileSystemWriteGuardSetting,
+                        std::make_unique<base::Value>(CONTENT_SETTING_BLOCK));
+  prefs->SetManagedPref(prefs::kManagedFileSystemWriteAskForUrls,
+                        base::JSONReader::ReadDeprecated(
+                            "[\"" + kTestOrigin.Serialize() + "\"]"));
+
+  EXPECT_TRUE(permission_context()->CanObtainWritePermission(kTestOrigin));
+  EXPECT_FALSE(permission_context()->CanObtainWritePermission(kTestOrigin2));
+}
+
+TEST_F(ChromeNativeFileSystemPermissionContextTest, PolicyWriteBlockedForUrls) {
+  auto* prefs = profile()->GetTestingPrefService();
+  prefs->SetManagedPref(prefs::kManagedFileSystemWriteBlockedForUrls,
+                        base::JSONReader::ReadDeprecated(
+                            "[\"" + kTestOrigin.Serialize() + "\"]"));
+
+  EXPECT_FALSE(permission_context()->CanObtainWritePermission(kTestOrigin));
+  EXPECT_TRUE(permission_context()->CanObtainWritePermission(kTestOrigin2));
+}
+
 #endif  // !defined(OS_ANDROID)
--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -567,6 +567,24 @@ const PolicyToPreferenceMapEntry kSimplePolicyMap[] = {
  { key::kSerialBlockedForUrls,
    prefs::kManagedSerialBlockedForUrls,
    base::Value::Type::LIST },
+  { key::kDefaultFileSystemReadGuardSetting,
+    prefs::kManagedDefaultFileSystemReadGuardSetting,
+    base::Value::Type::INTEGER },
+  { key::kFileSystemReadAskForUrls,
+    prefs::kManagedFileSystemReadAskForUrls,
+    base::Value::Type::LIST },
+  { key::kFileSystemReadBlockedForUrls,
+    prefs::kManagedFileSystemReadBlockedForUrls,
+    base::Value::Type::LIST },
+  { key::kDefaultFileSystemWriteGuardSetting,
+    prefs::kManagedDefaultFileSystemWriteGuardSetting,
+    base::Value::Type::INTEGER },
+  { key::kFileSystemWriteAskForUrls,
+    prefs::kManagedFileSystemWriteAskForUrls,
+    base::Value::Type::LIST },
+  { key::kFileSystemWriteBlockedForUrls,
+    prefs::kManagedFileSystemWriteBlockedForUrls,
+    base::Value::Type::LIST },
  { key::kTabFreezingEnabled,
    prefs::kTabFreezingEnabled,
    base::Value::Type::BOOLEAN },

--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -8084,5 +8084,63 @@
        "prefs": { "policy.cct_tos_dialog_enabled": { "local_state": true } }
      }
    ]
+  },
+  "DefaultFileSystemReadGuardSetting": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "policy_pref_mapping_test": [
+      {
+        "policies": { "DefaultFileSystemReadGuardSetting": 2 },
+        "prefs": { "profile.managed_default_content_settings.file_system_read_guard": {} }
+      }
+    ]
+  },
+  "DefaultFileSystemWriteGuardSetting": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "policy_pref_mapping_test": [
+      {
+        "policies": { "DefaultFileSystemWriteGuardSetting": 2 },
+        "prefs": { "profile.managed_default_content_settings.file_system_write_guard": {} }
+      }
+    ]
+  },
+  "FileSystemReadAskForUrls": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "policy_pref_mapping_test": [
+      {
+        "policies": {"FileSystemReadAskForUrls": ["[*.].com"]},
+        "prefs": { "profile.managed_file_system_read_ask_for_urls": {}},
+        "note": "TODO(mek): Add indicator tests. TODO(bartfab): Flag this with can_be_recommended when http://crbug.com/106682 is fixed."
+      }
+    ]
+  },
+  "FileSystemReadBlockedForUrls": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "policy_pref_mapping_test": [
+      {
+        "policies": {"FileSystemReadBlockedForUrls": ["[*.]google.com"]},
+        "prefs": { "profile.managed_file_system_read_blocked_for_urls": {} },
+        "note": "TODO(mek): Add indicator tests. TODO(bartfab): Flag this with can_be_recommended when http://crbug.com/106682 is fixed."
+      }
+    ]
+  },
+  "FileSystemWriteAskForUrls": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "policy_pref_mapping_test": [
+      {
+        "policies": {"FileSystemWriteAskForUrls": ["[*.].com"]},
+        "prefs": { "profile.managed_file_system_write_ask_for_urls": {}},
+        "note": "TODO(mek): Add indicator tests. TODO(bartfab): Flag this with can_be_recommended when http://crbug.com/106682 is fixed."
+      }
+    ]
+  },
+  "FileSystemWriteBlockedForUrls": {
+    "os": ["win", "linux", "mac", "chromeos"],
+    "policy_pref_mapping_test": [
+      {
+        "policies": {"FileSystemWriteBlockedForUrls": ["[*.]google.com"]},
+        "prefs": { "profile.managed_file_system_write_blocked_for_urls": {} },
+        "note": "TODO(mek): Add indicator tests. TODO(bartfab): Flag this with can_be_recommended when http://crbug.com/106682 is fixed."
+      }
+    ]
  }
 }
--- a/components/content_settings/core/browser/content_settings_policy_provider.cc
+++ b/components/content_settings/core/browser/content_settings_policy_provider.cc
@@ -75,6 +75,14 @@ const PrefsForManagedContentSettingsMapEntry
         CONTENT_SETTING_ASK},
        {prefs::kManagedWebUsbBlockedForUrls, ContentSettingsType::USB_GUARD,
         CONTENT_SETTING_BLOCK},
+        {prefs::kManagedFileSystemReadAskForUrls,
+         ContentSettingsType::FILE_SYSTEM_READ_GUARD, CONTENT_SETTING_ASK},
+        {prefs::kManagedFileSystemReadBlockedForUrls,
+         ContentSettingsType::FILE_SYSTEM_READ_GUARD, CONTENT_SETTING_BLOCK},
+        {prefs::kManagedFileSystemWriteAskForUrls,
+         ContentSettingsType::FILE_SYSTEM_WRITE_GUARD, CONTENT_SETTING_ASK},
+        {prefs::kManagedFileSystemWriteBlockedForUrls,
+         ContentSettingsType::FILE_SYSTEM_WRITE_GUARD, CONTENT_SETTING_BLOCK},
        {prefs::kManagedLegacyCookieAccessAllowedForDomains,
         ContentSettingsType::LEGACY_COOKIE_ACCESS, CONTENT_SETTING_ALLOW},
        {prefs::kManagedSerialAskForUrls, ContentSettingsType::SERIAL_GUARD,
@@ -145,6 +153,10 @@ const PolicyProvider::PrefsForManagedDefaultMapEntry
         prefs::kManagedDefaultWebBluetoothGuardSetting},
        {ContentSettingsType::USB_GUARD,
         prefs::kManagedDefaultWebUsbGuardSetting},
+        {ContentSettingsType::FILE_SYSTEM_READ_GUARD,
+         prefs::kManagedDefaultFileSystemReadGuardSetting},
+        {ContentSettingsType::FILE_SYSTEM_WRITE_GUARD,
+         prefs::kManagedDefaultFileSystemWriteGuardSetting},
        {ContentSettingsType::LEGACY_COOKIE_ACCESS,
         prefs::kManagedDefaultLegacyCookieAccessSetting},
        {ContentSettingsType::SERIAL_GUARD,
@@ -176,6 +188,10 @@ void PolicyProvider::RegisterProfilePrefs(
  registry->RegisterListPref(prefs::kManagedWebUsbAllowDevicesForUrls);
  registry->RegisterListPref(prefs::kManagedWebUsbAskForUrls);
  registry->RegisterListPref(prefs::kManagedWebUsbBlockedForUrls);
+  registry->RegisterListPref(prefs::kManagedFileSystemReadAskForUrls);
+  registry->RegisterListPref(prefs::kManagedFileSystemReadBlockedForUrls);
+  registry->RegisterListPref(prefs::kManagedFileSystemWriteAskForUrls);
+  registry->RegisterListPref(prefs::kManagedFileSystemWriteBlockedForUrls);
  registry->RegisterListPref(
      prefs::kManagedLegacyCookieAccessAllowedForDomains);
  registry->RegisterListPref(prefs::kManagedSerialAskForUrls);
@@ -211,6 +227,12 @@ void PolicyProvider::RegisterProfilePrefs(
                                CONTENT_SETTING_DEFAULT);
  registry->RegisterIntegerPref(prefs::kManagedDefaultWebUsbGuardSetting,
                                CONTENT_SETTING_DEFAULT);
+  registry->RegisterIntegerPref(
+      prefs::kManagedDefaultFileSystemReadGuardSetting,
+      CONTENT_SETTING_DEFAULT);
+  registry->RegisterIntegerPref(
+      prefs::kManagedDefaultFileSystemWriteGuardSetting,
+      CONTENT_SETTING_DEFAULT);
  registry->RegisterIntegerPref(prefs::kManagedDefaultLegacyCookieAccessSetting,
                                CONTENT_SETTING_DEFAULT);
  registry->RegisterIntegerPref(prefs::kManagedDefaultSerialGuardSetting,
@@ -253,6 +275,13 @@ PolicyProvider::PolicyProvider(PrefService* prefs) : prefs_(prefs) {
  pref_change_registrar_.Add(prefs::kManagedPopupsBlockedForUrls, callback);
  pref_change_registrar_.Add(prefs::kManagedWebUsbAskForUrls, callback);
  pref_change_registrar_.Add(prefs::kManagedWebUsbBlockedForUrls, callback);
+  pref_change_registrar_.Add(prefs::kManagedFileSystemReadAskForUrls, callback);
+  pref_change_registrar_.Add(prefs::kManagedFileSystemReadBlockedForUrls,
+                             callback);
+  pref_change_registrar_.Add(prefs::kManagedFileSystemWriteAskForUrls,
+                             callback);
+  pref_change_registrar_.Add(prefs::kManagedFileSystemWriteBlockedForUrls,
+                             callback);
  pref_change_registrar_.Add(prefs::kManagedLegacyCookieAccessAllowedForDomains,
                             callback);
  pref_change_registrar_.Add(prefs::kManagedSerialAskForUrls, callback);
@@ -287,6 +316,10 @@ PolicyProvider::PolicyProvider(PrefService* prefs) : prefs_(prefs) {
                             callback);
  pref_change_registrar_.Add(prefs::kManagedDefaultWebUsbGuardSetting,
                             callback);
+  pref_change_registrar_.Add(prefs::kManagedDefaultFileSystemReadGuardSetting,
+                             callback);
+  pref_change_registrar_.Add(prefs::kManagedDefaultFileSystemWriteGuardSetting,
+                             callback);
  pref_change_registrar_.Add(prefs::kManagedDefaultLegacyCookieAccessSetting,
                             callback);
  pref_change_registrar_.Add(prefs::kManagedDefaultSerialGuardSetting,
@@ -580,6 +613,10 @@ void PolicyProvider::OnPreferenceChanged(const std::string& name) {
      name == prefs::kManagedCookiesAllowedForUrls ||
      name == prefs::kManagedCookiesBlockedForUrls ||
      name == prefs::kManagedCookiesSessionOnlyForUrls ||
+      name == prefs::kManagedFileSystemReadAskForUrls ||
+      name == prefs::kManagedFileSystemReadBlockedForUrls ||
+      name == prefs::kManagedFileSystemWriteAskForUrls ||
+      name == prefs::kManagedFileSystemWriteBlockedForUrls ||
      name == prefs::kManagedImagesAllowedForUrls ||
      name == prefs::kManagedImagesBlockedForUrls ||
      name == prefs::kManagedInsecureContentAllowedForUrls ||

--- a/components/content_settings/core/common/pref_names.cc
+++ b/components/content_settings/core/common/pref_names.cc
@@ -51,6 +51,10 @@ const char kManagedDefaultWebBluetoothGuardSetting[] =
    "profile.managed_default_content_settings.web_bluetooth_guard";
 const char kManagedDefaultWebUsbGuardSetting[] =
    "profile.managed_default_content_settings.web_usb_guard";
+const char kManagedDefaultFileSystemReadGuardSetting[] =
+    "profile.managed_default_content_settings.file_system_read_guard";
+const char kManagedDefaultFileSystemWriteGuardSetting[] =
+    "profile.managed_default_content_settings.file_system_write_guard";
 const char kManagedDefaultLegacyCookieAccessSetting[] =
    "profile.managed_default_content_settings.legacy_cookie_access";
 const char kManagedDefaultSerialGuardSetting[] =
@@ -101,6 +105,14 @@ const char kManagedWebUsbAllowDevicesForUrls[] =
 const char kManagedWebUsbAskForUrls[] = "profile.managed_web_usb_ask_for_urls";
 const char kManagedWebUsbBlockedForUrls[] =
    "profile.managed_web_usb_blocked_for_urls";
+const char kManagedFileSystemReadAskForUrls[] =
+    "profile.managed_file_system_read_ask_for_urls";
+const char kManagedFileSystemReadBlockedForUrls[] =
+    "profile.managed_file_system_read_blocked_for_urls";
+const char kManagedFileSystemWriteAskForUrls[] =
+    "profile.managed_file_system_write_ask_for_urls";
+const char kManagedFileSystemWriteBlockedForUrls[] =
+    "profile.managed_file_system_write_blocked_for_urls";
 const char kManagedLegacyCookieAccessAllowedForDomains[] =
    "profile.managed_legacy_cookie_access_allowed_for_domains";
 const char kManagedSerialAskForUrls[] = "profile.managed_serial_ask_for_urls";

--- a/components/content_settings/core/common/pref_names.h
+++ b/components/content_settings/core/common/pref_names.h
@@ -34,6 +34,8 @@ extern const char kManagedDefaultMediaStreamSetting[];
 extern const char kManagedDefaultSensorsSetting[];
 extern const char kManagedDefaultWebBluetoothGuardSetting[];
 extern const char kManagedDefaultWebUsbGuardSetting[];
+extern const char kManagedDefaultFileSystemReadGuardSetting[];
+extern const char kManagedDefaultFileSystemWriteGuardSetting[];
 extern const char kManagedDefaultLegacyCookieAccessSetting[];
 extern const char kManagedDefaultSerialGuardSetting[];
 extern const char kManagedDefaultInsecurePrivateNetworkSetting[];
@@ -59,6 +61,10 @@ extern const char kManagedAutoSelectCertificateForUrls[];
 extern const char kManagedWebUsbAllowDevicesForUrls[];
 extern const char kManagedWebUsbAskForUrls[];
 extern const char kManagedWebUsbBlockedForUrls[];
+extern const char kManagedFileSystemReadAskForUrls[];
+extern const char kManagedFileSystemReadBlockedForUrls[];
+extern const char kManagedFileSystemWriteAskForUrls[];
+extern const char kManagedFileSystemWriteBlockedForUrls[];
 extern const char kManagedLegacyCookieAccessAllowedForDomains[];
 extern const char kManagedSerialAskForUrls[];
 extern const char kManagedSerialBlockedForUrls[];

--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -499,6 +499,8 @@
      'desc': '''Content settings allow you to specify how contents of a specific type (for example Cookies, Images or JavaScript) is handled.''',
      'policies': [
        'DefaultCookiesSetting',
+        'DefaultFileSystemReadGuardSetting',
+        'DefaultFileSystemWriteGuardSetting',
        'DefaultImagesSetting',
        'DefaultInsecureContentSetting',
        'DefaultJavaScriptSetting',
@@ -516,6 +518,10 @@
        'CookiesAllowedForUrls',
        'CookiesBlockedForUrls',
        'CookiesSessionOnlyForUrls',
+        'FileSystemReadAskForUrls',
+        'FileSystemReadBlockedForUrls',
+        'FileSystemWriteAskForUrls',
+        'FileSystemWriteBlockedForUrls',
        'ImagesAllowedForUrls',
        'ImagesBlockedForUrls',
        'InsecureContentAllowedForUrls',
@@ -5992,7 +5998,174 @@
      URL patterns can't conflict with <ph name="SERIAL_ASK_FOR_URLS_POLICY_NAME">SerialAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.

      For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
-    },{
+    },
+    {
+      'name': 'DefaultFileSystemReadGuardSetting',
+      'owners': ['mek@chromium.org', 'file://content/browser/native_file_system/OWNERS'],
+      'type': 'int-enum',
+      'schema': {
+        'type': 'integer',
+        'enum': [ 2, 3 ],
+      },
+      'items': [
+        {
+          'name': 'BlockFileSystemRead',
+          'value': 2,
+          'caption': '''Do not allow any site to request read access to files and directories via the File System API''',
+        },
+        {
+          'name': 'AskFileSystemRead',
+          'value': 3,
+          'caption': '''Allow sites to ask the user to grant read access to files and directories via the File System API''',
+        },
+      ],
+      'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': 2,
+      'id': 773,
+      'caption': '''Control use of the File System API for reading''',
+      'tags': ['website-sharing'],
+      'desc': '''Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.
+
+      Leaving it unset lets websites ask for access, but users can change this setting.''',
+    },
+    {
+      'name': 'DefaultFileSystemWriteGuardSetting',
+      'owners': ['mek@chromium.org', 'file://content/browser/native_file_system/OWNERS'],
+      'type': 'int-enum',
+      'schema': {
+        'type': 'integer',
+        'enum': [ 2, 3 ],
+      },
+      'items': [
+        {
+          'name': 'BlockFileSystemWrite',
+          'value': 2,
+          'caption': '''Do not allow any site to request write access to files and directories''',
+        },
+        {
+          'name': 'AskFileSystemWrite',
+          'value': 3,
+          'caption': '''Allow sites to ask the user to grant write access to files and directories''',
+        },
+      ],
+      'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': 2,
+      'id': 774,
+      'caption': '''Control use of the File System API for writing''',
+      'tags': ['website-sharing'],
+      'desc': '''Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.
+
+      Leaving it unset lets websites ask for access, but users can change this setting.''',
+    },
+    {
+      'name': 'FileSystemReadAskForUrls',
+      'owners': ['mek@chromium.org', 'file://content/browser/native_file_system/OWNERS'],
+      'type': 'list',
+      'schema': {
+        'type': 'array',
+        'items': { 'type': 'string' },
+      },
+      'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': ['https://www.example.com', '[*.]example.edu'],
+      'id': 775,
+      'caption': '''Allow read access via the File System API on these sites''',
+      'tags': ['website-sharing'],
+      'desc': '''Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
+
+      Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_READ_GUARD_SETTING_POLICY_NAME">DefaultFileSystemReadGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
+
+      URL patterns must not conflict with <ph name="FILE_SYSTEM_READ_BLOCKED_FOR_URLS_POLICY_NAME">FileSystemReadBlockedForUrls</ph>. Neither policy takes precedence if a URL matches with both.
+
+      For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
+    },
+    {
+      'name': 'FileSystemReadBlockedForUrls',
+      'owners': ['mek@chromium.org', 'file://content/browser/native_file_system/OWNERS'],
+      'type': 'list',
+      'schema': {
+        'type': 'array',
+        'items': { 'type': 'string' },
+      },
+      'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': ['https://www.example.com', '[*.]example.edu'],
+      'id': 776,
+      'caption': '''Block read access via the File System API on these sites''',
+      'tags': [],
+      'desc': '''Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
+
+      Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_READ_GUARD_SETTING_POLICY_NAME">DefaultFileSystemReadGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
+
+      URL patterns can't conflict with <ph name="FILE_SYSTEM_READ_ASK_FOR_URLS_POLICY_NAME">FileSystemReadAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
+
+      For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
+    },
+    {
+      'name': 'FileSystemWriteAskForUrls',
+      'owners': ['mek@chromium.org', 'file://content/browser/native_file_system/OWNERS'],
+      'type': 'list',
+      'schema': {
+        'type': 'array',
+        'items': { 'type': 'string' },
+      },
+      'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': ['https://www.example.com', '[*.]example.edu'],
+      'id': 777,
+      'caption': '''Allow write access to files and directories on these sites''',
+      'tags': ['website-sharing'],
+      'desc': '''Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.
+
+      Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_WRITE_GUARD_SETTING_POLICY_NAME">DefaultFileSystemWriteGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
+
+      URL patterns must not conflict with <ph name="FILE_SYSTEM_WRITE_BLOCKED_FOR_URLS_POLICY_NAME">FileSystemWriteBlockedForUrls</ph>. Neither policy takes precedence if a URL matches with both.
+
+      For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
+    },
+    {
+      'name': 'FileSystemWriteBlockedForUrls',
+      'owners': ['mek@chromium.org', 'file://content/browser/native_file_system/OWNERS'],
+      'type': 'list',
+      'schema': {
+        'type': 'array',
+        'items': { 'type': 'string' },
+      },
+      'supported_on': ['chrome_os:86-', 'chrome.*:86-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': ['https://www.example.com', '[*.]example.edu'],
+      'id': 778,
+      'caption': '''Block write access to files and directories on these sites''',
+      'tags': [],
+      'desc': '''Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.
+
+      Leaving the policy unset means <ph name="DEFAULT_FILE_SYSTEM_WRITE_GUARD_SETTING_POLICY_NAME">DefaultFileSystemWriteGuardSetting</ph> applies for all sites, if it's set. If not, users' personal settings apply.
+
+      URL patterns can't conflict with <ph name="FILE_SYSTEM_WRITE_ASK_FOR_URLS_POLICY_NAME">FileSystemWriteAskForUrls</ph>. Neither policy takes precedence if a URL matches with both.
+
+      For detailed information on valid <ph name="URL_LABEL">url</ph> patterns, please see https://cloud.google.com/docs/chrome-enterprise/policies/url-patterns.''',
+    },
+    {
      'name': 'AutoSelectCertificateForUrls',
      'owners': ['file://components/policy/resources/OWNERS'],
      'type': 'list',
@@ -23952,6 +24125,6 @@ The recommended way to configure policy on Windows is via GPO, although provisio
  ],
  'placeholders': [],
  'deleted_policy_ids': [412, 476, 546, 562, 569, 578],
-  'highest_id_currently_used': 772,
+  'highest_id_currently_used': 778,
  'highest_atomic_group_id_currently_used': 40
 }
--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -21425,6 +21425,12 @@ Called by update_document_policy_enum.py.-->
  <int value="770" label="PrintersBulkConfiguration"/>
  <int value="771" label="DeviceReleaseLtsTag"/>
  <int value="772" label="PrintersBulkAccessMode"/>
+  <int value="773" label="DefaultFileSystemReadGuardSetting"/>
+  <int value="774" label="DefaultFileSystemWriteGuardSetting"/>
+  <int value="775" label="FileSystemReadAskForUrls"/>
+  <int value="776" label="FileSystemReadBlockedForUrls"/>
+  <int value="777" label="FileSystemWriteAskForUrls"/>
+  <int value="778" label="FileSystemWriteBlockedForUrls"/>
 </enum>

 <enum name="EnterprisePolicyDeviceIdValidity">