Add domain joined check to managed device detection for DoH.

Some devices may be domain joined but not have any active policies. We should also disable DoH by default for that scenario. Bug: 955454 Change-Id: I50ad015e9e5d072dddcaa72524e5d39ffb2e005c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1773397Reviewed-by: Eric Orth <ericorth@chromium.org> Commit-Queue: Katharine Daly <dalyk@google.com> Cr-Commit-Position: refs/heads/master@{#690809}

Add domain joined check to managed device detection for DoH.
Some devices may be domain joined but not have any active policies. We should also disable DoH by default for that scenario. Bug: 955454 Change-Id: I50ad015e9e5d072dddcaa72524e5d39ffb2e005c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1773397Reviewed-by: Eric Orth <ericorth@chromium.org> Commit-Queue: Katharine Daly <dalyk@google.com> Cr-Commit-Position: refs/heads/master@{#690809}
a50dfe61 · dalyk · Commit Bot · 675d2fdc · a50dfe61 · a50dfe61
Commit a50dfe61 authored Aug 27, 2019 by dalyk Committed by Commit Bot Aug 27, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 7 deletions

chrome/browser/net/dns_util.cc chrome/browser/net/dns_util.cc +10 -2

chrome/browser/net/dns_util.h chrome/browser/net/dns_util.h +5 -5

No files found.
--- a/chrome/browser/net/dns_util.cc
+++ b/chrome/browser/net/dns_util.cc
@@ -10,6 +10,10 @@
 #include "net/third_party/uri_template/uri_template.h"
 #include "url/gurl.h"

+#if defined(OS_WIN)
+#include "base/enterprise_util.h"
+#endif
+
 bool IsValidDoHTemplate(const std::string& server_template,
                        std::string* server_method) {
  std::string url_string;
@@ -41,8 +45,12 @@ bool IsValidDoHTemplate(const std::string& server_template,

 bool ShouldDisableDohForManaged() {
 #if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
-  return g_browser_process->browser_policy_connector()
-      ->HasMachineLevelPolicies();
+  if (g_browser_process->browser_policy_connector()->HasMachineLevelPolicies())
+    return true;
+#endif
+#if defined(OS_WIN)
+  if (base::IsMachineExternallyManaged())
+    return true;
 #endif
  return false;
 }
--- a/chrome/browser/net/dns_util.h
+++ b/chrome/browser/net/dns_util.h
@@ -14,11 +14,11 @@
 bool IsValidDoHTemplate(const std::string& server_template,
                        std::string* server_method);

-// Returns true if any machine level policies. ChromeOS devices are already
-// handled by the default_for_enterprise_users field on the DoH policy. We don't
-// attempt enterprise detection on Android at this time. This special logic is
-// to prevent enterprises from having DoH enabled by default and is necessary
-// because default_for_enterprise_users only applies to ChromeOS.
+// Returns true if there are any active machine level policies or if the machine
+// is domain joined. This special logic is used to disable DoH by default for
+// Desktop platforms (the enterprise policy field default_for_enterprise_users
+// only applies to ChromeOS). We don't attempt enterprise detection on Android
+// at this time.
 bool ShouldDisableDohForManaged();

 const char kDnsOverHttpsModeOff[] = "off";