From 38c331494ccfa7a07d44871509623a4022f14089 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Fri, 17 May 2024 16:15:34 +0300 Subject: [PATCH] chromium/managed: merge enable-ech-ocsp.json into https-everywhere.json This will not appear on my blog post. ECH is enough offtopic and OCSP would only bring argument on whether it's useful and is that usefulness more important than privacy leakage to non-ocsp-stapling websites. --- etc/opt/chromium/policies/managed/README.md | 20 ++++++++----------- .../policies/managed/enable-ech-ocsp.json | 4 ---- .../policies/managed/https-everywhere.json | 2 ++ 3 files changed, 10 insertions(+), 16 deletions(-) delete mode 100644 etc/opt/chromium/policies/managed/enable-ech-ocsp.json diff --git a/etc/opt/chromium/policies/managed/README.md b/etc/opt/chromium/policies/managed/README.md index d65e4a41..bb48ae96 100644 --- a/etc/opt/chromium/policies/managed/README.md +++ b/etc/opt/chromium/policies/managed/README.md @@ -42,7 +42,6 @@ - [`edge-newtabapps.json`](#edge-newtabappsjson) - [`edge-screenshots.json`](#edge-screenshotsjson) - [`enable-chromecast.json`](#enable-chromecastjson) -- [`enable-ech-ocsp.json`](#enable-ech-ocspjson) - [`enable-labs.json`](#enable-labsjson) - [`enable-passwordleakdetection.json`](#enable-passwordleakdetectionjson) - [`enable-tab-suspend.json`](#enable-tab-suspendjson) @@ -265,16 +264,6 @@ Explicitly enables screenshotting- Explicitly enables Chromecast support. -## `enable-ech-ocsp.json` - -Enables encrypted client hello (ECH) and Online Certificate Status Protocol -(OCSP)/Certificate Revocation List (CRL) checks. - -However ECH requires `"DnsOverHttpsMode": "secure"` which will break things -(and thus my files don't enable it), -or it will occassionally get disabled (I hope they implement it with system -resolver soon). - ## `enable-labs.json` Enables the beaker button "Experiments" for easier management than `about:flags`. 
@@ -304,7 +293,14 @@ back to Google about them.
 ## `https-everywhere.json`
-Enforces https and attempts to upgrade http to https.
+This file evolved to merge another one, so now it:
+
+- Online Certificate Status Protocol (OCSP), and Certivicate Revokation List
+ (CRL) checks.
+- Enables Encrypted Client-Hello (ECH), which however requires DNS-Over-HTTPS
+ to be used.
+- Forces HTTPS-only mode to be enabled.
+- Attempts to upgrade `http://` queries to `https://`
 ## `README.md`
diff --git a/etc/opt/chromium/policies/managed/enable-ech-ocsp.json b/etc/opt/chromium/policies/managed/enable-ech-ocsp.json
deleted file mode 100644
index 410cdc2e..00000000
--- a/etc/opt/chromium/policies/managed/enable-ech-ocsp.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "EnableOnlineRevocationChecks": true,
- "EncryptedClientHelloEnabled": true
-}
diff --git a/etc/opt/chromium/policies/managed/https-everywhere.json b/etc/opt/chromium/policies/managed/https-everywhere.json
index 9bb6caf4..2c610d1f 100644
--- a/etc/opt/chromium/policies/managed/https-everywhere.json
+++ b/etc/opt/chromium/policies/managed/https-everywhere.json
@@ -1,4 +1,6 @@
 {
+ "EnableOnlineRevocationChecks": true,
+ "EncryptedClientHelloEnabled": true,
 "HttpsOnlyMode": "force_enabled",
 "HttpsUpgradesEnabled": true
 }
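Review bot: The two keys added to `https-everywhere.json` opt a user into more than HTTPS enforcement, which the file name no longer signals. `"EnableOnlineRevocationChecks": true` makes the browser query the issuing CA's OCSP/CRL endpoints, which tells the CA which certificate is being visited on sites that do not staple (the commit message acknowledges this leak), and Chromium's policy documentation describes these checks as soft-fail, so an on-path party that blocks the responder is not stopped by them. `"EncryptedClientHelloEnabled": true` only takes effect with secure DNS, which, according to the README text this commit removes, these policy files do not turn on. Consider keeping the revocation key in its own opt-in file, or, since JSON cannot carry comments, stating the trade-off in the README section, e.g. `Online revocation checks are soft-fail and reveal the visited certificate to the CA; drop EnableOnlineRevocationChecks if that leak matters more to you.`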