From 39f2eb4f0f9c979176feb4ed6d9ef48feeace76e Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen <suomalainen+git@mikaela.info>
Date: Fri, 19 Apr 2024 08:24:29 +0300
Subject: [PATCH] chromium: add doh-cloudflare-secure.json, ECH notes

---
 etc/opt/chromium/policies/managed/README.md              | 9 +++++++++
 .../chromium/policies/managed/doh-cloudflare-secure.json | 3 +++
 2 files changed, 12 insertions(+)
 create mode 100644 etc/opt/chromium/policies/managed/doh-cloudflare-secure.json

diff --git a/etc/opt/chromium/policies/managed/README.md b/etc/opt/chromium/policies/managed/README.md
index 0f6005bf..c978ef3a 100644
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@@ -34,6 +34,7 @@
 - [`disable-brave-vpn.json`](#disable-brave-vpnjson)
 - [`disable-floc.json`](#disable-flocjson)
 - [`disable-incognito.json`](#disable-incognitojson)
+- [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
 - [`doh-allowed.json`](#doh-allowedjson)
 - [`doh-dns0.json`](#doh-dns0json)
 - [`doh-forced.json`](#doh-forcedjson)
@@ -233,6 +234,10 @@ Disables floc or ad topics that are against privacy.
 
 Disables incognito mode. I don't recommend this.
 
+## `doh-cloudflare-secure.json`
+
+Sets Cloudflare with malware protection as the DNS-over-HTTPS server.
+
 ## `doh-allowed.json`
 
 If no DNS over HTTPS policy is used, this unlocks the setting while still allowing downgrade to system DNS
@@ -240,6 +245,8 @@ If no DNS over HTTPS policy is used, this unlocks the setting while still allowi
 
 Incompatible with `doh-forced.json`. This must be used together with any other `doh-*.json` file, but only one of them.
 
+**_No ECH._**
+
 ## `doh-dns0.json`
 
 Simply enables DNS-over-HTTPS with DNS0.eu.
@@ -250,6 +257,8 @@ Enforces use of DNS-over-HTTPS disabling the downgrade.
 
 Incompatible with `doh-allowed.json`. Use this together with any other `doh-*.json` file, but only one of them.
 
+**_Required for ECH._**
+
 ## `doh-mullvad-base.json`
 
 Enables DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
diff --git a/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json b/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
new file mode 100644
index 00000000..989e19d7
--- /dev/null
+++ b/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
@@ -0,0 +1,3 @@
+{
+  "DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
+}