Clarify documentation for DeviceLoginScreen{IsolateOrigins,SitePerProcess} policies

Write out explicitly that these policies are intended to match the user policy values, and that if they don't match, a chrome process restart will be performed on user session start, leading to a delay. BUG=800117 TEST=none Change-Id: Ic458ac006d8ffe80460d3f021d0a8fb99837b63f Reviewed-on: https://chromium-review.googlesource.com/926129Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org> Commit-Queue: Pavol Marko <pmarko@chromium.org> Cr-Commit-Position: refs/heads/master@{#539108}

Clarify documentation for DeviceLoginScreen{IsolateOrigins,SitePerProcess} policies
Write out explicitly that these policies are intended to match the user policy values, and that if they don't match, a chrome process restart will be performed on user session start, leading to a delay. BUG=800117 TEST=none Change-Id: Ic458ac006d8ffe80460d3f021d0a8fb99837b63f Reviewed-on: https://chromium-review.googlesource.com/926129Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org> Commit-Queue: Pavol Marko <pmarko@chromium.org> Cr-Commit-Position: refs/heads/master@{#539108}
b07bcc5c · Pavol Marko · Commit Bot · f045ab7b · b07bcc5c · b07bcc5c
Commit b07bcc5c authored Feb 26, 2018 by Pavol Marko Committed by Commit Bot Feb 26, 2018
Showing with 10 additions and 2 deletions

components/policy/proto/chrome_device_policy.proto components/policy/proto/chrome_device_policy.proto +6 -0

components/policy/resources/policy_templates.json components/policy/resources/policy_templates.json +4 -2

No files found.
--- a/components/policy/proto/chrome_device_policy.proto
+++ b/components/policy/proto/chrome_device_policy.proto
@@ -993,12 +993,18 @@ message DeviceUserPolicyLoopbackProcessingModeProto {
 message DeviceLoginScreenIsolateOriginsProto {
  // A comma-separated list of the origins to be run in a separate process on
  // the sign-in screen.
+  // If the value of this policy does not match the value of the user policy
+  // IsolateOrigins, the chrome process will be restarted on user sign-in to
+  // apply the value specified by the user policy.
  optional string isolate_origins = 1;
 }
 // Specifies if each site should run in its own process on the sign-in screen.
 message DeviceLoginScreenSitePerProcessProto {
  // If true, each site will run in its own process on the sign-in screen.
+  // If the value of this policy does not match the value of the user policy
+  // SitePerProcess, the chrome process will be restarted on user sign-in to
+  // apply the value specified by the user policy.
  optional bool site_per_process = 1;
 }

--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -10893,6 +10893,7 @@
      https://example.com/ site.
      If the policy is disabled, the per-Site Isolation process management logic will take effect.
      If the policy is not configured, the user will be able to change this setting.
+      On <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>, it is recommended to also set the <ph name="DEVICE_LOGIN_SCREEN_ISOLATE_ORIGINS_POLICY_NAME">DeviceLoginScreenIsolateOrigins</ph> device policy to the same value. If the values specified by the two policies don't match, a delay may be incurred when entering a user session while the value specified by user policy is being applied.
      ''',
    },
    {
@@ -10918,6 +10919,7 @@
      If the policy is enabled, each site will run in its own process.
      If the policy is disabled, the per-Site Isolation process management logic will take effect.
      If the policy is not configured, the user will be able to change this setting.
+      On <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph>, it is recommended to also set the <ph name="DEVICE_LOGIN_SCREEN_SITE_PER_PROCESS_POLICY_NAME">DeviceLoginScreenSitePerProcess</ph> device policy to the same value. If the values specified by the two policies don't match, a delay may be incurred when entering a user session while the value specified by user policy is being applied.
      ''',
    },
    {
@@ -10936,7 +10938,7 @@
      'tags': ['system-security'],
      'desc': '''
      NOTE: This policy is experimental and may break functionality!
-      This policy applies to the sign-in screen. Please see also the 'IsolateOrigins' policy which applies to the user session. It is recommended to set both policies to the same value.
+      This policy applies to the sign-in screen. Please see also the <ph name="ISOLATE_ORIGINS_POLICY_NAME">IsolateOrigins</ph> policy which applies to the user session. It is recommended to set both policies to the same value. If the values don't match, a delay may be incurred when entering a user session while the value specified by user policy is being applied.
      If the policy is enabled, each of the named origins in a
      comma-separated list will run in its own process. This will also isolate
      origins named by subdomains; e.g. specifying https://example.com/ will
@@ -10962,7 +10964,7 @@
      'tags': ['system-security'],
      'desc': '''
      NOTE: This policy is experimental and may break functionality!
-      This policy applies to the sign-in screen. Please see also the 'SitePerProcess' policy which applies to the user session. It is recommended to set both policies to the same value.
+      This policy applies to the sign-in screen. Please see also the <ph name="SITE_PER_PROCESS_POLICY_NAME">SitePerProcess</ph> policy which applies to the user session. It is recommended to set both policies to the same value. If the values don't match, a delay may be incurred when entering a user session while the value specified by user policy is being applied.
      You might want to look at the IsolateOrigins policy setting to get the
      best of both worlds, isolation and limited impact for users, by using
      IsolateOrigins with a list of the sites you want to isolate. This setting,