With reference to: https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#will-the-chrome-certificate-verifier-consider-local-trust-decisions
>>Will the Chrome Certificate Verifier consider local trust decisions?
>>On Windows, the Chrome Certificate Verifier will automatically consume certificates added to the following certificate stores:
…
>>On macOS, the Chrome Certificate Verifier will automatically consume certificates added to the following certificate stores:
…
It would be useful to have a way to turn off this default/automatic consumption of certificates from the local store.
For devices where users control the local trust store, this creates a potential security issue.
Having the ability to turn the local trust consumption off can help secure the browser. An example use case is where the browser is corporate-managed and therefore end users will not be able to turn the setting back to default.
This will go a long way in protecting the user from attacks using untrusted certificates.
Even otherwise, having the setting turned off by default and making local store consumption opt-in will help prevent attacks.
Would love to hear thoughts/advice regarding this.