Create group policy options for Shields

[spylogsster]

Description

Add group policy support for Shields (up/down). This will support individual URLs and patterns

• Added BraveShieldsDisabledForUrls to disable shields urls
• Added BraveShieldsEnabledForUrls to enable shields urls

For the design, see Figma:
https://www.figma.com/file/3A6F6VrxVahiZFxLr7j7FO/Desktop-Shields?node-id=2695%3A49651

Behavior notes

This is an overview of what the user should expect when the policy is set.

Behavior when DISABLED

When the site being visited matches the URL or the pattern:

• shields should be DISABLED
• when clicking shields (to open advanced panel), person should see shields disabled
• shields itself should NOT be toggleable
• the other settings will never show up because shields are down

Behavior when ENABLED

When the site being visited matches the URL or the pattern:

• shields should be ENABLED
• when clicking shields (to open advanced panel), person should see shields enabled
• shields itself should NOT be toggleable (should be grayed out)
• none of the sub-values (block ads, https upgrade, block script, block fingerprint, block cookie) should be toggleable. It should be grayed out.

Example of how to add the group policy (Windows)

1. Open regedit.exe
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
3. Create the key (folders) BraveSoftware\Brave\ if they don't already exist

How to add the shields DISABLE policy

1. Create a new key (folder) BraveShieldsDisabledForUrls inside the root (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\)
2. You can now add REG_SZ (string value) for any sites you wish to mark as disabled.

The entries need to created in a numbered fashion. Let's say you want to add two values. You would create:

• REG_SZ value 1 set to https://www.example.com
• REG_SZ value 2 set to [*.]brave.com

This would DISABLE shields on brave.com and all subdomains. It would also DISABLE shields on https://www.example.com - but NOT on other subdomains (or if you leave www. out for example).

How to add the shields ENABLE policy

1. Create a new key (folder) BraveShieldsEnabledForUrls inside the root (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\)
2. You can now add REG_SZ (string value) for any sites you wish to mark as enabled.

The entries need to created in a numbered fashion. Let's say you want to add two values. You would create:

• REG_SZ value 1 set to [*.]twitter.com
• REG_SZ value 2 set to https://www.example.com

This would ENABLE shields on brave.com and all subdomains. It would also ENABLE shields on https://www.example.com - but NOT on other subdomains (or if you leave www. out for example).

Adding using a .reg file (also on Windows)

1. Create a new empty file called shields-policy.reg
2. Open it in Notepad and put this for the content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\BraveShieldsEnabledForUrls]
"1"="[*.]twitter.com"
"2"="https://www.example.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\BraveShieldsDisabledForUrls]
"1"="https://www.example.com"
"2"="[*.]brave.com"

3. Save the file and close it
4. Double click the shields-policy.reg file
5. You can use regedit.exe to confirm it was added

Test plan

Go through above - download/run the registry key.
Verify that

• install is showing as managed (in hamburger menu)
• behavior matches expected behavior above

[bridiver]

what should actually display in the shields popup when shields is enabled/disabled by policy? How are we displaying to the user that shields is managed and cannot be changed there? This ticket needs more detail for review and QA

[spylogsster]

@bridiver there is follow up (with picture) to add a tooltip for this case #26187

[LaurenWags]

@spylogsster @bsclifton

Is this only for Windows, or is this applicable to macOS and Linux as well? Only Windows is mentioned in #25394 (comment).

If this is only for Windows, please add OS/Windows label.

If this is applicable for macOS and Linux as well, please add instructions on how to enable on those OSes also.

Labelling as QA/Blocked until the above is sorted out.

cc @kjozwiak @rebron

[bsclifton]

This is available on macOS and Linux - but I'm not sure offhand how to test actually. Let me dig in on that and then I'll share an update

[bsclifton]

Example of how to add the group policy (macOS)

You can set via the command line. Here's a general example for EnableSha1ForLocalAnchors in Chrome:
defaults write com.google.Chrome EnableSha1ForLocalAnchors -bool true

• For Brave, you'd use a bundle ID of com.brave.Browser, com.brave.Browser.beta, or com.brave.Browser.nightly (depending on your channel.
• The key names are BraveShieldsDisabledForUrls and BraveShieldsEnabledForUrls which are array types
• The value would be an array of strings (example using XML; actual syntax is different)

    <array>
      <string>[*.]twitter.com</string>
      <string>https://www.example.com</string>
    </array>

Example of how to enable shields for a list of origins

1. Run the following from command line:

   defaults write com.brave.Browser BraveShieldsEnabledForUrls -array "[*.]twitter.com" "https://www.example.com"
   

2. Load Brave; verify it shows under brave://policy/

Example of how to disable shields for a list of origins

1. Run the following from command line:

   defaults write com.brave.Browser BraveShieldsDisabledForUrls -array "https://www.example.com/" "[*.]brave.com"
   

2. Load Brave; verify it shows under brave://policy/

[bsclifton]

Example of how to add the group policy (Linux)

You can set the options via /etc/brave/policies/managed

Basically, you will make a file with JSON matching the keys/values you'd like to set. Full overview here:
https://source.chromium.org/chromium/chromium/src/+/main:docs/website/site/administrators/linux-quick-start/index.md

Example of how to enable shields for a list of origins

1. create a file

   vim /etc/brave/policies/managed/shields_enabled_policy.json

2. paste in:

   {
       "BraveShieldsEnabledForUrls": [
           "[*.]twitter.com",
           "https://www.example.com"
       ]
   }

3. Save the file and exit (escape; :wq, enter)

4. Load Brave; verify it shows under brave://policy/

5. Delete the file after testing is complete

Example of how to disable shields for a list of origins

1. create a file

   vim /etc/brave/policies/managed/shields_disabled_policy.json

2. paste in:

   {
       "BraveShieldsDisabledForUrls": [
           "https://www.example.com",
           "[*.]brave.com"
       ]
   }

3. Save the file and exit (escape; :wq, enter)

4. Load Brave; verify it shows under brave://policy/

5. Delete the file after testing is complete

[LaurenWags]

thanks @bsclifton!

[btlechowski]

Verification passed on

Brave	1.47.115 Chromium: 108.0.5359.94 (Official Build) beta (64-bit)
Revision	713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS	Windows 10 Version 21H2 (Build 19044.2251)

Verified test plan from the description

DISABLE policy

Verified Brave is shown as managed in hamburger menu

Verified Brave Shields are disabled by default for the disabled page

Verified unable to enable Brave Shields for disabled page

ENABLE policy

Verified Brave is shown as managed in hamburger menu

Verified Brave Shields are enabled by default for the enabled page

Verified unable to disable Brave Shields for enabled page

ENABLE & DISABLE policy for the same domain

Verified the policies have 'OK' status

Verified Brave Shields enabled policy takes precedent over disabled policy

Wildcard policy

Policy used:

Verified policy was applied to https://www.example.com

Verified policy was applied to https://example.com

[btlechowski]

Verification passed on

Brave	1.47.115 Chromium: 108.0.5359.94 (Official Build) beta (64-bit)
Revision	713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS	Ubuntu 18.04 LTS

Verified test plan from the description

DISABLE policy

Verified Brave is shown as managed in hamburger menu

Verified Brave Shields are disabled by default for the disabled page

Verified unable to enable Brave Shields for disabled page

ENABLE policy

Verified Brave is shown as managed in hamburger menu

Verified Brave Shields are enabled by default for the enabled page

Verified unable to disable Brave Shields for enabled page

ENABLE & DISABLE policy for the same domain

Verified the policies have 'OK' status

Verified Brave Shields enabled policy takes precedent over disabled policy

Wildcard policy

Policy used:

Verified policy was applied to https://www.example.com

Verified policy was applied to https://example.com

[stephendonner]

Verification IN-PROGRESS using

Brave	1.47.136 Chromium: 108.0.5359.128 (Official Build) beta (x86_64)
Revision	1cd27afdb8e5d057070c0961e04c490d2aca1aa0-refs/branch-heads/5359@{#1185}
OS	macOS Version 11.7.2 (Build 20G1020)

NOTE: Ran the following in-between tests, to clean up the keys:

defaults delete com.brave.Browser

Case 1: Disable policy - PASSED

1. installed 1.47.136
2. ran the following snippets from the commandline/Terminal window:

defaults write com.brave.Browser BraveShieldsDisabledForUrls -array "https://www.example.com/" "https://brave.com"

3. launched Brave
4. clicked on the "hamburger" menu
5. confirmed This browser is managed by your organization message on the bottom
6. opened brave://policy
7. confirmed BraveShieldsDisabledForUrls entry with correct domains
8. loaded https://www.example.com
9. confirmed Shields were disabled by default
10. loaded brave.com
11. confirmed Shields were disabled by default

steps 5 + 7	step 8+9	steps 10 + 11

Case 2: Enable policy - PASSED

1. installed 1.47.136
2. launched Brave
3. loaded https://twitter.com
4. disabled Shields via the toggle
5. loaded https://www.example.com
6. disabled Shields via the toggle
7. quit Brave
8. ran the following from the commandline:

defaults write com.brave.Browser BraveShieldsEnabledForUrls -array "https://twitter.com" "https://www.example.com"

9. relaunched Brave
10. loaded https://twitter.com
11. confirmed Shields were enabled
12. loaded https://www.example.com
13. confirmed Shields were enabled
14. confirmed entry in brave://policy

step 4	step 6	step 8	step 11	step 13	step 14

Case 3: Enable & disable policy for the same domain - PASSED

1. installed 1.47.136
2. launched Brave
3. ran:

defaults write com.brave.Browser BraveShieldsEnabledForUrls -array "https://twitter.com" "https://www.example.com"

4. ran:

defaults write com.brave.Browser BraveShieldsDisabledForUrls -array "https://twitter.com" "https://www.example.com"

6. opened brave://policy
7. loaded https://twitter.com
8. confirmed Shields were still set to enabled
9. loaded https://www.example.com
10. confirmed Shields were still set to enabled

steps 3-4	step 6	step 8	step 10

Case 4: Wildcard policy - FAILED

1. installed 1.47.136
2. ran:

defaults write com.brave.Browser BraveShieldsDisabledForUrls -array "https://www.example.com/" "[*.]brave.com"

Encountered:

• Brave shields toggler is not locked on macos #27691