Only allow protocol whitelisting on centrally managed Windows instances

Only trust the URLWhitelist policy for external protocol handlers if the
computer is part of an AD or AAD domain.

BUG=1052093

Change-Id: Ie0d3ecb24ae6117248ff4e00e875a9104255ef41
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2152585
Reviewed-by: Avi Drissman <[email protected]>
Commit-Queue: Julian Pastarmov <[email protected]>
Cr-Commit-Position: refs/heads/master@{#761000}
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
index 7b2707fc..859e67c 100644
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -358,6 +358,8 @@
 
 #if defined(OS_WIN)
 #include "base/strings/string_tokenizer.h"
+#include "base/win/win_util.h"
+#include "base/win/windows_version.h"
 #include "chrome/browser/chrome_browser_main_win.h"
 #include "chrome/install_static/install_util.h"
 #include "sandbox/win/src/sandbox_policy.h"
@@ -922,6 +924,23 @@
   return canceler;
 }
 
+// Encapculates logic to determine if enterprise policies should be honored.
+// This is a copy of the code in policy_loader_win.cc but it's ok to duplicate
+// as a new central class to replace those checks is in the making.
+bool ShouldHonorPolicies() {
+#if defined(OS_WIN)
+  bool is_enterprise_version =
+      base::win::OSInfo::GetInstance()->version_type() != base::win::SUITE_HOME;
+  return base::win::IsEnrolledToDomain() ||
+         (base::win::IsDeviceRegisteredWithManagement() &&
+          is_enterprise_version);
+#else   // defined(OS_WIN)
+  // TODO(pastarmovj): Replace this with check for MacOS and the new management
+  // service once it is ready.
+  return true;
+#endif  // defined(OS_WIN)
+}
+
 void LaunchURL(const GURL& url,
                content::WebContents::OnceGetter web_contents_getter,
                ui::PageTransition page_transition,
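Review bot: The comment above `ShouldHonorPolicies()` misspells "Encapsulates" and does not say why policies would ever be ignored, which is the security-relevant part of this helper. I would word it as `// Returns true if enterprise policies come from a trusted management source (domain-joined, or MDM-registered on a non-Home SKU); policy values on unmanaged machines are not trusted.` The rationale there is inferred from the commit message, so confirm it against the bug. The `#else` branch returns true unconditionally, so off Windows the URLWhitelist policy is still trusted without any management check; the TODO hints at this, but the comment should state that consequence outright. Because the body duplicates the check in policy_loader_win.cc, a cross-reference comment in both places would reduce the risk of the two copies drifting apart.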
@@ -954,7 +973,7 @@
   PolicyBlacklistService* service =
       PolicyBlacklistFactory::GetForBrowserContext(
           web_contents->GetBrowserContext());
-  if (service) {
+  if (ShouldHonorPolicies() && service) {
     const policy::URLBlacklist::URLBlacklistState url_state =
         service->GetURLBlacklistState(url);
     is_whitelisted =
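Review bot: The new condition `ShouldHonorPolicies() && service` has no comment at the call site, and the helper's general name hides that only the URLWhitelist lookup for external protocol handlers is gated here. A line such as `// Only trust URLWhitelist for external protocols on managed machines (BUG=1052093).` above the `if` would make the intent auditable. When the check fails the block is skipped and `is_whitelisted` keeps the value it had before the hunk, presumably false so the URL gets the normal external-protocol handling; that initialisation is outside the hunk and worth confirming. The policy is dropped silently, so a log line on that path would help an administrator see why a configured whitelist entry has no effect on an unjoined machine. The `is_whitelisted =` statement continues past the end of the hunk.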