shell-things/etc/opt/chromium/policies/managed/README.md

# Chromium policies

- https://chromeenterprise.google/policies/

<!-- editorconfig-checker-disable -->
<!-- prettier-ignore-start -->

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [`aminda-extensions.json`](#aminda-extensionsjson)
  - [Silk - Privacy Pass Client for the browser](#silk---privacy-pass-client-for-the-browser)
  - [NoScript](#noscript)
  - [OpenDyslexic](#opendyslexic)
  - [IPvFoo](#ipvfoo)
  - [Dark Reader](#dark-reader)
  - [Indiewiki Buddy](#indiewiki-buddy)
  - [Floccus bookmarks sync](#floccus-bookmarks-sync)
  - [Wayback Machine](#wayback-machine)
  - [Privacy Manager](#privacy-manager)
  - [Terms of Service; Didn't Read](#terms-of-service-didnt-read)
  - [Fedora User Agent](#fedora-user-agent)
  - [IPvFooBar](#ipvfoobar)
  - [Chrome Remote Desktop](#chrome-remote-desktop)
  - [Bias Finder](#bias-finder)
  - [Snowflake](#snowflake)
  - [AdNauseam](#adnauseam)
  - [IPFS Companion](#ipfs-companion)
  - [Bitwarden](#bitwarden)
  - [UpdateSWH](#updateswh)
  - [Privacy Badger](#privacy-badger)
  - [TODO/Inconsistencies](#todoinconsistencies)
- [`brave-shields-disabled.json`](#brave-shields-disabledjson)
- [`disable-brave-rewards-wallet.json`](#disable-brave-rewards-walletjson)
- [`disable-brave-tor.json`](#disable-brave-torjson)
- [`disable-brave-vpn.json`](#disable-brave-vpnjson)
- [`disable-floc.json`](#disable-flocjson)
- [`disable-incognito.json`](#disable-incognitojson)
- [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
- [`doh-unlocked-unset.json`](#doh-unlocked-unsetjson)
- [`doh-dns0.json`](#doh-dns0json)
- [`doh-mullvad-base.json`](#doh-mullvad-basejson)
- [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
- [`doh-quad9-insecure-ecs.json`](#doh-quad9-insecure-ecsjson)
- [`doh-quad9-insecure.json`](#doh-quad9-insecurejson)
- [`doh-quad9.json`](#doh-quad9json)
- [`enable-ech-ocsp.json`](#enable-ech-ocspjson)
- [`enable-labs.json`](#enable-labsjson)
- [`fix-edge-search.json`](#fix-edge-searchjson)
- [`force-incognito.json`](#force-incognitojson)
- [`https-everywhere.json`](#https-everywherejson)
- [`README.md`](#readmemd)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

<!-- prettier-ignore-end -->
<!-- editorconfig-checker-enable -->

## `aminda-extensions.json`

As I cannot separate the keys to multiple files I am forced to keep them in
one and separate by what the file does, `aminda-extensions.json` is unlikely
to overlap with someone else.

Changing `normal_installed` to `force_installed` would also prevent
uninstallation.

This does contain some bloat or something not necessary in all situations or
even overlapping extensions, but there is an important side goal of _teaching
users to disable extraneous extensions they don't need_ (unless I decide they
do need something and thus it's `force_installed`.

### [Silk - Privacy Pass Client for the browser](https://chrome.google.com/webstore/detail/ajhmfdgkijocedmfjonnpjfojldioehi)

- `ajhmfdgkijocedmfjonnpjfojldioehi`

Silk or Privacy Pass has a chance of decreasing the amount of captchas
especially from Cloudflare when "suspicious" traffic is detected.

To intentionally trigger it and what should be allowed in NoScript:

- https://captcha.website
- https://issuance.privacypass.cloudflare.com

### [NoScript](https://chrome.google.com/webstore/detail/doojmbjmlfjjnbmnoijecmcbfeoakpjm)

- `doojmbjmlfjjnbmnoijecmcbfeoakpjm`

**_Not actually installed by `aminda-extensions.json` anymore due to
self-reflection and deciding it's a bit much to push on unsuspecting family
members._**

Appears to make the internet much more pleasant and less distracting in 2024
eliminating the cookie banners and all, while not trusting lists generated by
other people.

### [OpenDyslexic](https://chrome.google.com/webstore/detail/cdnapgfjopgaggbmfgbiinmmbdcglnam)

- `cdnapgfjopgaggbmfgbiinmmbdcglnam`

OpenDyslexic font + highlighting for currently pointed paragraph. Improves my
reading especially with more busy articles, even without dyslexia.

### [IPvFoo](https://chromewebstore.google.com/detail/ipvfoo/ecanpcehffngcegjmadlcijfolapggal)

- `ecanpcehffngcegjmadlcijfolapggal`

### [Dark Reader](https://chrome.google.com/webstore/detail/eimadpbcbfnmbkopoojfekhnkhdbieeh)

- `eimadpbcbfnmbkopoojfekhnkhdbieeh`

As playing around with these policies and constantly removing the profile directory doesn't help my migraine.

### [Indiewiki Buddy](https://chrome.google.com/webstore/detail/fkagelmloambgokoeokbpihmgpkbgbfm)

- `fkagelmloambgokoeokbpihmgpkbgbfm`

I am spoilt by how nice Breezewiki is to use and wikis existing outside of
Fandom is good to be reminded about occassionally. And I just happened to stay
in not so hardened Chromium for a bit due to hardened Firefox being too much
for my task and there is no reason occassionally needed Chromium shouldn't be
tolerable for a few minutes.

### [Floccus bookmarks sync](https://chromewebstore.google.com/detail/floccus-bookmarks-sync/fnaicdffflnofjppbagibeoednhnbjhg)

- `fnaicdffflnofjppbagibeoednhnbjhg`

Bookmarks sync either through selfhosted webdav or Google Drive working even
across different web browsers.

### [Wayback Machine](https://chrome.google.com/webstore/detail/fpnmgdkabkmnadcjpehmlllkndpkmiak)

- `fpnmgdkabkmnadcjpehmlllkndpkmiak`

[web.archive.org](https://web.archive.org) saving and discovering.

### [Privacy Manager](https://chrome.google.com/webstore/detail/giccehglhacakcfemddmfhdkahamfcmd)

- `giccehglhacakcfemddmfhdkahamfcmd`

Quick browser options and data removal on _startup_. Maybe beneficial if
incognito is disabled (which again is not great idea for quick guest access?)

### [Terms of Service; Didn't Read](https://chrome.google.com/webstore/detail/hjdoplcnndgiblooccencgcggcoihigg)

- `hjdoplcnndgiblooccencgcggcoihigg`

### [Fedora User Agent](https://chrome.google.com/webstore/detail/hojggiaghnldpcknpbciehjcaoafceil)

- `hojggiaghnldpcknpbciehjcaoafceil`

Communicates websites that Ubuntu isn't the only Linux distribution and makes
some offer rpm packages directly.

### [IPvFooBar](https://chromewebstore.google.com/detail/ipvfoobar/iimpkhokkfekbpmoamlmcndclohnehhk)

- `iimpkhokkfekbpmoamlmcndclohnehhk`

### [Chrome Remote Desktop](https://chrome.google.com/webstore/detail/inomeogfingihgjfjlpeplalcfajhgai)

- `inomeogfingihgjfjlpeplalcfajhgai`

Remote support integrated to Chrome.

The additional component is:

- Debian: `https://dl.google.com/linux/direct/chrome-remote-desktop_current_amd64.deb`
- Others: _unsupported_

### [Bias Finder](https://chromewebstore.google.com/detail/jojjlkfeofgcjeanbpghcapjcccbakop)

Political bias of English language media sites powered by allsides.com

### [Snowflake](https://chrome.google.com/webstore/detail/mafpmfcccpbjnhfhjnllmmalhifmlcie)

- `mafpmfcccpbjnhfhjnllmmalhifmlcie`

Helps bridge traffic to Tor by looking like WebRTC call.

### [AdNauseam](https://microsoftedge.microsoft.com/addons/detail/adnauseam/mlojlfildnehdpnlmpkeiiglhhkofhpb)

- `mlojlfildnehdpnlmpkeiiglhhkofhpb`

Complementing PrivacyBadger with an adblocker so first profile runs have at
least something to block Malvertising now that I no longer enable NoScript out
of the box.

### [IPFS Companion](https://chromewebstore.google.com/detail/nibjojkomfdiaoajekhjakgkdhaomnch?pli=1)

- `nibjojkomfdiaoajekhjakgkdhaomnch`

IPFS integration for web browsers.

### [Bitwarden](https://chrome.google.com/webstore/detail/nngceckbapebfimnlniiiahkandclblb)

- `nngceckbapebfimnlniiiahkandclblb`

The password manager of my choice.

### [UpdateSWH](palihjnakafgffnompkdfgbgdbcagbko)

- `palihjnakafgffnompkdfgbgdbcagbko`

Adds a floating coloured button to source code forges reflecting the status
of it being in Software Heritage Archive and allows quick archiving requests
to be made.

### [Privacy Badger](https://chrome.google.com/webstore/detail/pkehgijcmpdhfbdbbnkijodmdjhbjlgp)

- `pkehgijcmpdhfbdbbnkijodmdjhbjlgp`

Configured to learn locally and also in incognito as opposed to only relying
on vendor list. Also not display the "Welcome to Privacy Badger screen".

See also:

- https://github.com/EFForg/privacybadger/blob/master/doc/admin-deployment.md
- https://github.com/EFForg/privacybadger/blob/master/src/data/schema.json

### TODO/Inconsistencies

- I am not aware of any _New Tab Suspender_ equivalents, but it might be an
  integrated feature on some Chromiums.
- [Peertubeify doesn't support Chromium yet.](https://codeberg.org/Booteille/peertube-companion/issues/15)

## `brave-shields-disabled.json`

Allowlist for sites where I think Brave Shields may be breaking things. Similar is also in
`aminda-extensions.json` for Privacy Badger.

## `disable-brave-rewards-wallet.json`

Disables Brave rewards and wallet.

## `disable-brave-tor.json`

Disables Tor in Brave as I recommend using Tor Browser instead.

## `disable-brave-vpn.json`

Disables Brave VPN, which is the most annoying feature that has group policy
that I can see.

## `disable-floc.json`

Disables floc or ad topics that are against privacy.

- https://start.duckduckgo.com/?q=google+floc+privacy+topics

## `disable-incognito.json`

Disables incognito mode. I don't recommend this.

## `doh-cloudflare-secure.json`

Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.

## `doh-unlocked-unset.json`

If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.

Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.

**_This also causes there to not be ECH._**

## `doh-dns0.json`

Simply forces DNS-over-HTTPS with DNS0.eu.

## `doh-mullvad-base.json`

Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.

- https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications

## `doh-quad9-ecs.json`

Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
their alternative port.

## `doh-quad9-insecure-ecs.json`

Forces DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
their alternative port. **No DNSSEC either.**

## `doh-quad9-insecure.json`

Forces DNS over HTTPS with Quad9 unfiltered server and also contains
their alternative port. **No DNSSEC either.**

## `doh-quad9.json`

Forces DNS over HTTPS with Quad9 threat-blocking server and also contains
their alternative port.

## `enable-ech-ocsp.json`

Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.

However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.

## `enable-labs.json`

Enables the beaker button "Experiments" for easier management than `about:flags`.

## `fix-edge-search.json`

Tells Microsoft Edge to redirect queries from new tab search box to URL bar
effectively forcing it to respect user configured search engine instead of
stealthily sending those queries to Bing.

## `force-incognito.json`

Forces incognito mode. I don't recommend this.

## `https-everywhere.json`

Enforces https and attempts to upgrade http to https.

## `README.md`

You are reading this file, are you not?