Rather relying on domain administrators to decide which extensions are trusted, we're now proposing whitelisting only our own extensions, making this a private API.
managed-devices will be the owner rather than chromeos-team-tok.
I also fleshed out the Google Forms use case, as that's particularly high priority right now.
I look forward to your timely review.
Thanks,
Jimmy
Devlin Cronin
unread,
Sep 21, 2017, 5:54:52 PM9/21/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Jimmy Hastings, apps-dev, Steven Bennetts, mnis...@chromium.org, Akshat Sharma, Dan Ferrara, Min Zhong, Max Kirsch
As a private API, this seems reasonable enough to me.
Jimmy Hastings
unread,
Sep 21, 2017, 6:56:48 PM9/21/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to apps-dev, security-enamel, Devlin Cronin, Steven Bennetts, mnis...@chromium.org, Akshat Sharma, Dan Ferrara, Min Zhong, Max Kirsch
Sweet! +security-enamel for approval from that side.
Steven Bennetts
unread,
Sep 21, 2017, 7:06:50 PM9/21/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Jimmy Hastings, apps-dev, security-enamel, Devlin Cronin, Mattias Nissler, Akshat Sharma, Dan Ferrara, Min Zhong, Max Kirsch
Proposal lgtm
Jimmy Hastings
unread,
Sep 21, 2017, 7:32:03 PM9/21/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to isa...@chromium.org, apps-dev, security-enamel, Devlin Cronin, Mattias Nissler, Akshat Sharma, Dan Ferrara, Min Zhong, Max Kirsch, Steven Bennetts
+isandrk, who will be implementing
Jimmy Hastings
unread,
Oct 2, 2017, 3:17:37 PM10/2/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to isa...@chromium.org, atwi...@chromium.org, apps-dev, security-enamel, Devlin Cronin, Steven Bennetts, Mattias Nissler, Akshat Sharma, Dan Ferrara, Min Zhong, Max Kirsch, Eric Lawrence
+isandrk, +atwilson
On Mon, Oct 2, 2017 at 11:26 AM, Eric Lawrence <elaw...@google.com> wrote:
This LGTM for security-enamel, with the caveat that we wouldn't consider a circumvention of this feature (e.g. student finds a way to exit the locked mode) as a security vulnerability.
I left some non-security questions in the document.