Policy Reload (UI vs AsyncPolicyLoader)

[Mohamed Morsy]

Greetings,

I've been working on an extension where the goal is to programmatically update policies by navigating to chrome://policy page then execute chrome.send('reloadPolicies'); as javascript code.

The purpose is to initially block all websites and then allow specific websites by appending to URLAllowlist in the policy file during runtime.

After some research, I've managed to get the code execution part working, but if I try to open the web URL immediately after reloading the policies, it still throws the error ERR_BLOCKED_BY_ADMINISTRATOR and then only after a delay the page will work (between 3 and 5 seconds).

I looked into the source code and found that AsyncPolicyLoader actually reloads the policy every 5 seconds.

So my question here is: Is the chrome://policy reload functionality only for UI display purposes and the only real reload occurs in the async job?

Thanks

[PhistucK]

Note that executing JavaScript on chrome:// URLs via Chrome extensions is not supposed to be possible by default, can you file a security bug on crbug.com for this with the details? You might get a reward if this is reproducible.

Thank you.

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

[Julian Pastarmov]

Hello,

I guess you run Chrome with "--extensions-on-chrome-urls" to enable your extension to access any chrome:// origin. If this is the case then fine otherwise I second PhistucK's comment that you should file this as a bug with a description how do you achieve it.

As for the reload button it is actually reloading policy from disk asap potentially withholding the 5s cool-off time to avoid too much file IO. Otherwise policy is not reloaded every 5seconds all the time but rather immediately when there is a change to the files but at most once every 5 seconds. If there is no change then the files are still re-read once every 15min to avoid the risk of missing a failed notification for a file change for too long.

Best,

Julian

[Mohamed Morsy]

@PhistucK It's not by default. I had to enable "Extensions on chrome:// URLs" flag as Julian mentioned.

@Julian Thanks. I'm asking because instantly visiting a newly added URL in the URLAllowlist policy entry after reloading policies from the policy page fails.

There is a time window before applied policy is in effect regardless of whether policies are reloaded manually or waited to be reloaded through the background job. Which makes me think that attempting to reload policies programmatically is redundant and I'd have to wait for the background job to update it anyway.