├── .codacy.yml ├── .gitattributes ├── .github ├── CODEOWNERS ├── semantic.yml └── workflows │ ├── build.yml │ └── pr_approvals.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── DONATE.md ├── LICENSE ├── LICENSE.Apache-2.0-note ├── LICENSE.FTL-note ├── LICENSE.GPL-2.0 ├── LICENSE.Webview-note ├── README.md ├── build ├── LICENSE ├── master_preferences ├── trivalent.appdata.xml ├── trivalent.conf ├── trivalent.desktop ├── trivalent.sh ├── trivalent.spec ├── trivalent.xml ├── trivalent128.png ├── trivalent16.png ├── trivalent22.png ├── trivalent24.png ├── trivalent256.png ├── trivalent32.png ├── trivalent44.png ├── trivalent48.png └── trivalent64.png ├── copr_script.sh ├── fedora_patches ├── LICENSE ├── chromium-123-screen-ai-service.patch ├── chromium-124-qt6.patch └── chromium-disable-font-tests.patch ├── patches ├── LICENSE ├── add-cross-origin-referrer-clearing-feature.patch ├── add-feature-to-disable-pdf-javascript.patch ├── add-feature-to-show-puny-code.patch ├── add-feature-to-toggle-middlemouse-copypaste.patch ├── add-incognito-launch-pref.patch ├── add-license-info.patch ├── block-external-extensions.patch ├── build-hardening.patch ├── clear-windowname-property-across-contexts.patch ├── default-disable-3d-apis.patch ├── disable-autofill-by-default.patch ├── disable-background-mode-by-default.patch ├── disable-disk-cache.patch ├── disable-extensions-by-default.patch ├── disable-gen-ai-features-and-logging-by-default.patch ├── disable-global-shortcuts-portal.patch ├── disable-gssapi-to-enable-network-service-sandbox.patch ├── disable-infobar-for-builds-without-api-key.patch ├── disable-jit-for-internal-pages.patch ├── disable-lens.patch ├── disable-metrics-reporting.patch ├── disable-password-manager-prompt-by-default.patch ├── disable-printing-by-default.patch ├── disable-promotions-by-default.patch ├── disable-protected-content.patch ├── disable-remote-access-by-default.patch ├── disable-search-suggest-by-default.patch ├── disable-secondary-browser-features-by-default.patch ├── disable-sync-by-default.patch ├── disable-variations.patch ├── disable-various-content-settings-by-default.patch ├── dns-providers.patch ├── enable-audio-service-sandbox.patch ├── enable-backforward-swipe-navigation.patch ├── enable-network-service-sandbox.patch ├── enable-private-network-access-restriction.patch ├── enable-vaapi-hwva.patch ├── enable-visited-link-database-partitioning.patch ├── expose-flags.patch ├── force-disable-safe-browsing.patch ├── hide-profile-icon-feature.patch ├── linux-gpu-sandbox.patch ├── prefer-startpage-search.patch ├── remove-undefined-ffmpeg-identifier.patch ├── remove-unused-preferences.patch ├── restrict-default-supported-http-auth-schemes.patch ├── revert-130-optimizer-jit-change.patch ├── revert-upstream-Revert-clearing-javascript-JIT-site-settings.patch ├── search-selection.patch ├── set-browser-defaults.patch ├── set-default-extension-content-verification-enforce-strict.patch ├── set-default-extension-install-verification-enforce-strict.patch ├── set-default-secure-dns-mode-automatic.patch ├── set-mv3-only-by-default.patch ├── set-ozone-platform-hint-auto-by-default.patch ├── show-full-urls-by-default.patch ├── strict-popup-blocking.patch ├── trivalent-code-references.patch ├── trivalent-data-dir.patch ├── trivalent-etc-dir.patch ├── trivalent-help-url.patch └── user-preferences.patch ├── trivalent.png ├── trivalent.svg ├── update-remote-patches.sh └── vanadium_patches ├── 0008-switch-to-fstack-protector-strong.patch ├── 0009-enable-fwrapv-in-Clang-for-non-UBSan-builds.patch ├── 0010-enable-ftrivial-auto-var-init-zero.patch ├── 0015-disable-seed-based-field-trials.patch ├── 0019-disable-navigation-error-correction-by-default.patch ├── 0021-disable-network-prediction-by-default.patch ├── 0023-disable-hyperlink-auditing-by-default.patch ├── 0024-disable-showing-popular-sites-by-default.patch ├── 0025-disable-article-suggestions-feature-by-default.patch ├── 0026-disable-content-feed-suggestions-by-default.patch ├── 0027-disable-sensors-access-by-default.patch ├── 0028-block-playing-protected-media-by-default.patch ├── 0029-disable-third-party-cookies-by-default.patch ├── 0030-disable-background-sync-by-default.patch ├── 0031-disable-payment-support-by-default.patch ├── 0032-disable-media-router-media-remoting-by-default.patch ├── 0033-disable-media-router-by-default.patch ├── 0035-disable-browser-sign-in-feature-by-default.patch ├── 0036-disable-safe-browsing-reporting-opt-in-by-default.patch ├── 0037-disable-unused-safe-browsing-option-by-default.patch ├── 0038-disable-media-DRM-preprovisioning-by-default.patch ├── 0039-disable-autofill-server-communication-by-default.patch ├── 0040-disable-component-updater-pings-by-default.patch ├── 0042-disable-trivial-subdomain-hiding.patch ├── 0045-disable-GaiaAuthFetcher-code-due-to-upstream-bug.patch ├── 0047-Disable-newer-privacy-sandbox-features-by-default.patch ├── 0049-Disable-top-toolbar-button-Translate-option-by-defau.patch ├── 0050-always-use-local-new-tab-page.patch ├── 0051-mark-non-secure-origins-as-dangerous.patch ├── 0053-stub-out-the-battery-status-API.patch ├── 0056-disable-trials-of-privacy-aware-analytics-advertisin.patch ├── 0058-disable-appending-variations-header.patch ├── 0059-Disable-detailed-language-settings-by-default.patch ├── 0060-disable-fetching-optimization-guides-by-default.patch ├── 0062-disable-fetching-optimization-hints-by-default.patch ├── 0063-disable-more-optimization-guides-features-by-default.patch ├── 0068-require-HTTPS-for-component-updates.patch ├── 0073-enable-prefetch-privacy-changes-by-default.patch ├── 0074-enable-split-cache-by-default.patch ├── 0075-enable-partitioning-connections-by-default.patch ├── 0076-enable-dubious-Do-Not-Track-feature-by-default.patch ├── 0078-Enable-strict-origin-isolation-by-default.patch ├── 0079-Enable-reduce-accept-language-header-by-default.patch ├── 0080-use-Google-Chrome-branding-for-client-hints.patch ├── 0087-temporary-Always-partition-third-party-storage.patch ├── 0120-Derive-high-entropy-client-hints-with-reduced-user-a.patch ├── 0126-Use-local-list-of-supported-languages-for-Language-s.patch ├── 0159-enable-subresource-filter-on-all-sites.patch ├── 0165-Enable-content-settings-partitioning-by-default.patch ├── 0180-Isolate-sandboxed-iframes-per-site-by-default.patch ├── 0186-Support-restriction-of-dynamic-code.patch ├── 0187-Restriction-of-dynamic-code-execution-via-seccomp-bp.patch ├── 0193-Enable-HSTS-upgrades-for-top-level-navigation-only-b.patch ├── 0209-Further-disable-password-leak-detection-checks.patch ├── 0211-enable-certificate-transparency-feature-by-default-f.patch ├── LICENSE ├── LICENSE.Apache-2.0-note ├── LICENSE.FTL-note ├── LICENSE.GPL-2.0 └── LICENSE.WebView-note /.codacy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | include_paths: 3 | - "**/*" 4 | - "**/**" 5 | - "build/**" 6 | - ".github/workflows/**" 7 | - ".github/**" 8 | - "vanadium_patches/**" 9 | - "fedora_patches/**" 10 | - "patches/**" 11 | - "*" -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.yml linguist-detectable=true 2 | *.yml linguist-language=YAML 3 | 4 | *.yaml linguist-detectable=true 5 | *.yaml linguist-language=YAML 6 | 7 | *.just linguist-detectable=true 8 | *.just linguist-documentation=false 9 | *.just linguist-language=Just 10 | 11 | *.json linguist-detectable=true 12 | *.json linguist-documentation=false 13 | *.json linguist-language=JSON 14 | 15 | *.patch linguist-detectable=true 16 | *.patch linguist-language=diff -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @RoyalOughtness 2 | -------------------------------------------------------------------------------- /.github/semantic.yml: -------------------------------------------------------------------------------- 1 | enabled: true 2 | titleOnly: true 3 | -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | on: 2 | workflow_dispatch: 3 | 4 | name: Create RPM Release 5 | 6 | permissions: read-all 7 | 8 | jobs: 9 | buildsrpm: 10 | name: Build SRPM 11 | if: github.triggering_actor == 'royaloughtness' 12 | runs-on: ubuntu-24.04 13 | container: 14 | image: fedora:42 15 | steps: 16 | - name: Build SRPM 17 | shell: bash 18 | id: srpm_build 19 | run: | 20 | dnf copr enable secureblue/trivalent -y 21 | dnf update -y 22 | dnf install git wget rpmbuild yum-utils rpm-sign trivalent-chromium-clean-source -y 23 | git clone https://github.com/secureblue/Trivalent.git 24 | bash ./Trivalent/copr_script.sh 25 | rpmbuild -bs -v --define "_sourcedir $PWD" --define "_rpmdir $PWD" --define "_builddir $PWD" --define "_specdir $PWD" --define "_srcrpmdir $PWD" trivalent.spec 26 | 27 | - name: Save SRPM 28 | uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 29 | with: 30 | name: srpm-artifact 31 | path: "*.rpm" 32 | compression-level: 0 33 | retention-days: 30 34 | 35 | buildrpm: 36 | name: Build RPM 37 | if: github.triggering_actor == 'royaloughtness' 38 | runs-on: self-hosted 39 | timeout-minutes: 1800 40 | needs: buildsrpm 41 | steps: 42 | - name: Retrieve SRPM 43 | uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 44 | with: 45 | name: srpm-artifact 46 | - name: Build RPM 47 | shell: bash 48 | id: rpm_build 49 | run: | 50 | sudo dnf config-manager --set-enabled crb -y 51 | sudo dnf install https://dl.fedoraproject.org/pub/epel/epel{,-next}-release-latest-9.noarch.rpm -y 52 | sudo dnf install mock rclone -y 53 | sudo usermod -aG mock $(whoami) 54 | mock --resultdir=. -r fedora-42-x86_64 --rebuild trivalent-*.src.rpm 55 | 56 | - name: Prepare for upload 57 | shell: bash 58 | run: | 59 | rm trivalent-*.src.rpm 60 | 61 | - name: Save RPM 62 | uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 63 | with: 64 | name: rpm-artifact 65 | path: "*.rpm" 66 | compression-level: 0 67 | retention-days: 7 68 | 69 | pushrpm: 70 | name: Push RPM 71 | if: github.triggering_actor == 'royaloughtness' 72 | runs-on: ubuntu-latest 73 | container: 74 | image: fedora:42 75 | needs: buildrpm 76 | steps: 77 | - name: Retrieve RPM 78 | uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 79 | with: 80 | name: rpm-artifact 81 | 82 | - name: Setup 83 | shell: bash 84 | run: | 85 | dnf install reposync rpm-sign createrepo rclone -y 86 | curl -o /etc/yum.repos.d/secureblue.repo https://repo.secureblue.dev/secureblue.repo 87 | dnf update --refresh -y 88 | echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --import 89 | echo " 90 | %_signature gpg 91 | %_gpg_name 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41 92 | " > ~/.rpmmacros 93 | 94 | - name: Sign 95 | shell: bash 96 | run: | 97 | rpm --addsign *.rpm 98 | reposync --repo secureblue -y 99 | mv *.rpm secureblue/Packages 100 | cd secureblue 101 | rm -rf repodata 102 | createrepo . 103 | gpg --detach-sign --local-user 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41 --armor repodata/repomd.xml 104 | 105 | - name: Upload RPM and logs to R2 to trivalent Bucket 106 | shell: bash 107 | env: 108 | RCLONE_CONFIG_R2_TYPE: s3 109 | RCLONE_CONFIG_R2_PROVIDER: Cloudflare 110 | RCLONE_CONFIG_R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }} 111 | RCLONE_CONFIG_R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }} 112 | RCLONE_CONFIG_R2_REGION: auto 113 | RCLONE_CONFIG_R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }} 114 | SOURCE_DIR: . 115 | run: | 116 | rclone copy ./secureblue/ R2:/ 117 | 118 | -------------------------------------------------------------------------------- /.github/workflows/pr_approvals.yml: -------------------------------------------------------------------------------- 1 | name: PR Approvals 2 | 3 | on: 4 | pull_request: 5 | 6 | permissions: read-all 7 | 8 | jobs: 9 | pr-approvals: 10 | name: PR Approvals 11 | runs-on: ubuntu-24.04 12 | env: 13 | approvers: 14 | steps: 15 | - uses: secureblue/approvals-action@ce28f64903343583dd92c84bffedba124d3a6c95 # v0.1.0 16 | id: approvers 17 | with: 18 | token: ${{ secrets.GITHUB_TOKEN }} 19 | min-required: 1 20 | approvers: | 21 | RoyalOughtness 22 | RKNF404 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # build artifacts 2 | dist 3 | *.rpm -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in our 6 | community a harassment-free experience for everyone, regardless of age, body 7 | size, visible or invisible disability, ethnicity, sex characteristics, gender 8 | identity and expression, level of experience, education, socio-economic status, 9 | nationality, personal appearance, race, religion, or sexual identity 10 | and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at 63 | secureblueadmin@proton.me. 64 | All complaints will be reviewed and investigated promptly and fairly. 65 | 66 | All community leaders are obligated to respect the privacy and security of the 67 | reporter of any incident. 68 | 69 | ## Enforcement Guidelines 70 | 71 | Community leaders will follow these Community Impact Guidelines in determining 72 | the consequences for any action they deem in violation of this Code of Conduct: 73 | 74 | ### 1. Correction 75 | 76 | **Community Impact**: Use of inappropriate language or other behavior deemed 77 | unprofessional or unwelcome in the community. 78 | 79 | **Consequence**: A private, written warning from community leaders, providing 80 | clarity around the nature of the violation and an explanation of why the 81 | behavior was inappropriate. A public apology may be requested. 82 | 83 | ### 2. Warning 84 | 85 | **Community Impact**: A violation through a single incident or series 86 | of actions. 87 | 88 | **Consequence**: A warning with consequences for continued behavior. No 89 | interaction with the people involved, including unsolicited interaction with 90 | those enforcing the Code of Conduct, for a specified period of time. This 91 | includes avoiding interactions in community spaces as well as external channels 92 | like social media. Violating these terms may lead to a temporary or 93 | permanent ban. 94 | 95 | ### 3. Temporary Ban 96 | 97 | **Community Impact**: A serious violation of community standards, including 98 | sustained inappropriate behavior. 99 | 100 | **Consequence**: A temporary ban from any sort of interaction or public 101 | communication with the community for a specified period of time. No public or 102 | private interaction with the people involved, including unsolicited interaction 103 | with those enforcing the Code of Conduct, is allowed during this period. 104 | Violating these terms may lead to a permanent ban. 105 | 106 | ### 4. Permanent Ban 107 | 108 | **Community Impact**: Demonstrating a pattern of violation of community 109 | standards, including sustained inappropriate behavior, harassment of an 110 | individual, or aggression toward or disparagement of classes of individuals. 111 | 112 | **Consequence**: A permanent ban from any sort of public interaction within 113 | the community. 114 | 115 | ## Attribution 116 | 117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 118 | version 2.0, available at 119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 120 | 121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 122 | enforcement ladder](https://github.com/mozilla/diversity). 123 | 124 | [homepage]: https://www.contributor-covenant.org 125 | 126 | For answers to common questions about this code of conduct, see the FAQ at 127 | https://www.contributor-covenant.org/faq. Translations are available at 128 | https://www.contributor-covenant.org/translations. -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | # Contributing to Trivalent 3 | 4 | 5 | ## Table of Contents 6 | 7 | - [Code of Conduct](#code-of-conduct) 8 | - [I Have a Question](#i-have-a-question) 9 | - [I Want To Contribute](#i-want-to-contribute) 10 | - [Building locally](#building-locally) 11 | - [Pull Requests](#pull-requests) 12 | 13 | ## Code of Conduct 14 | 15 | This project and everyone participating in it is governed by the 16 | [Code of Conduct](./CODE_OF_CONDUCT.md). 17 | By participating, you are expected to uphold this code. Please report unacceptable behavior 18 | to . 19 | 20 | ## I Have a Question 21 | 22 | Before you ask a question, it is best to search for existing [Issues](https://github.com/secureblue/Trivalent/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first. 23 | 24 | If you then still feel the need to ask a question and need clarification, we recommend the following: 25 | 26 | - Open an [Issue](https://github.com/secureblue/Trivalent/issues/new). 27 | - Provide as much context as you can about what you're running into. 28 | - Provide project and platform versions (nodejs, npm, etc), depending on what seems relevant. 29 | 30 | We will then take care of the issue as soon as possible. 31 | 32 | ## I Want To Contribute 33 | 34 | 35 | > ### Legal Notice 36 | > When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license. 37 | 38 | ### Building locally 39 | 40 | > [!NOTE] 41 | > These steps can also be done in a distrobox (or any other container software) if preferred 42 | 43 | #### Setup 44 | 45 | Enable the COPR repository (as root): 46 | 47 | `dnf copr enable secureblue/trivalent` 48 | 49 | Install the `trivalent-chromium-clean-source` package (as root): 50 | 51 | `dnf install trivalent-chromium-clean-source` 52 | 53 | > This command can take a while especially on a slow network, the package is over 3 gigabytes 54 | 55 | Clone the repository: 56 | 57 | `git clone https://github.com/secureblue/trivalent.git` 58 | 59 | Then run the COPR script: 60 | 61 | `/bin/bash ./trivalent/copr_script.sh` 62 | 63 | #### Build RPM 64 | 65 | Build the patched chromium source from the spec file: 66 | 67 | `rpmbuild -bs -v --define "_sourcedir $PWD" --define "_rpmdir $PWD" --define "_builddir $PWD" --define "_specdir $PWD" --define "_srcrpmdir $PWD" trivalent.spec` 68 | 69 | Rebuild the source for your system: 70 | 71 | `mock --resultdir=dist -r %{distro}-%{version}-%{arch} --rebuild trivalent-%{version}.%{distro}.src.rpm` 72 | 73 | Install the built rpm... 74 | 75 | ### Pull Requests 76 | 77 | #### Before Submitting a Pull Request 78 | 79 | A good pull request should be ready for review before it is even created. For all pull requests, ensure: 80 | 81 | - Your changes passes all checks 82 | - Your commits are signed 83 | - You have no unnecessary changes, including whitespace changes 84 | - For substantive changes, you include evidence of proper functionality in the pull request in addition to the build results. 85 | -------------------------------------------------------------------------------- /DONATE.md: -------------------------------------------------------------------------------- 1 | For donations, please visit https://secureblue.dev/donate. 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright © 2024-2025 The Trivalent Authors 2 | 3 | Trivalent is available under the terms of the GNU General Public 4 | License version 2 only, according to LICENSE.GPL-2.0. Also see 5 | LICENSE.Apache-2.0-note, LICENSE.FTL-note, and LICENSE.Webview-note 6 | for exceptions to the GPLv2 terms. 7 | 8 | In order for us to contribute upstream, contributors to Trivalent 9 | give permission to the secureblue project to submit their changes to the 10 | Chromium project or a future replacement upstream base under the preferred 11 | choice of licensing for that project. Only the code accepted by upstream 12 | will then be made available under upstream's preferred license. 13 | -------------------------------------------------------------------------------- /LICENSE.Apache-2.0-note: -------------------------------------------------------------------------------- 1 | The Trivalent code may be used as part of a work containing code under the 2 | Apache 2 license. An exception is made for the specific patent clause of the 3 | Apache 2 license. This exception does not permit using our code in a project 4 | containing GPLv3 code which has additional restrictions. -------------------------------------------------------------------------------- /LICENSE.FTL-note: -------------------------------------------------------------------------------- 1 | The Trivalent code may be used as part of a work containing code under the 2 | FreeType License (FTL). An exception is made for the specific credit clause of 3 | the FTL license. -------------------------------------------------------------------------------- /LICENSE.Webview-note: -------------------------------------------------------------------------------- 1 | Applications using Trivalent through the WebView library including our changes 2 | and extensions to the API are not considered derivative works of Trivalent for 3 | the terms of the GPL-2.0 license. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | Trivalent logo 4 | 5 |

6 | 7 |

Trivalent

8 | 9 | A hardened chromium for desktop Linux inspired by [Vanadium](https://github.com/GrapheneOS/Vanadium), using [Fedora's Chromium](https://src.fedoraproject.org/rpms/chromium) as a base. Intended for use in [secureblue](https://github.com/secureblue/secureblue). 10 | 11 | ## Scope 12 | 13 | ### In scope 14 | 15 | * Desktop-relevant patches from Vanadium (located in vanadium_patches) 16 | * Changes that increase hardening against known and unknown vulnerabilities 17 | * Changes that make secondary browser features opt-in instead of opt-out (for example, making the password manager and search suggestions opt-in) 18 | * Changes that disable opt-in metrics and data collection, so long as they have no security implications 19 | 20 | ### Out of scope 21 | 22 | * Any changes that sacrifice security for "privacy" (for example, enabling MV2) [why?](https://developer.chrome.com/docs/extensions/develop/migrate/improve-security) 23 | * Any novel functionality that is unrelated to security 24 | 25 | ## Installation 26 | 27 | Official support is only provided via [secureblue](https://github.com/secureblue/secureblue/). Unsupported installation is also possible [via our repo](https://repo.secureblue.dev/secureblue.repo). In addition to being unsupported, use of Trivalent outside of secureblue lacks [SELinux confinement](https://github.com/secureblue/secureblue/tree/live/files/scripts/selinux/trivalent). 28 | 29 | ## Post-install 30 | 31 | Some additional preferences are added to `chrome://settings/security`, these provide additional security and privacy controls should they be needed. An example of one toggle is the `Network Service Sandbox`, which is known to occasionally clear cookies on exit, disabling the sandbox may help. 32 | \ 33 | There is also a Website Dark Mode preference added to `chrome://settings/appearance`. 34 | \ 35 | \ 36 | Additionally, the following flags are available that provide extra hardening but may cause breakage or usability issues: 37 | 38 | * `chrome://flags/#show-punycode-domains` 39 | * `chrome://flags/#clear-cross-origin-referrers` 40 | 41 | Other flags are also provided for compatibility should you experience an issue related to some of the hardening enabled by default. For example, the default pop-up blocker is very strict, it may optionally be disabled `chrome://flags/#strict-popup-blocking` to improve usability. 42 | 43 | ## Contributing 44 | 45 | Follow the [contributing documentation](CONTRIBUTING.md), and make sure to respect the [CoC](CODE_OF_CONDUCT.md). 46 | -------------------------------------------------------------------------------- /build/master_preferences: -------------------------------------------------------------------------------- 1 | { 2 | "homepage_is_newtabpage": true, 3 | "distribution": { 4 | "alternate_shortcut_text": false, 5 | "oem_bubble": true, 6 | "chrome_shortcut_icon_index": 0, 7 | "create_all_shortcuts": true, 8 | "show_welcome_page": true, 9 | "system_level": false, 10 | "verbose_logging": false, 11 | }, 12 | } 13 | -------------------------------------------------------------------------------- /build/trivalent.appdata.xml: -------------------------------------------------------------------------------- 1 | 14 | 15 | 16 | trivalent.desktop 17 | 18 | GPL-2.0 license 19 | BSD-3-Clause AND LGPL-2.1-or-later AND Apache-2.0 AND IJG AND MIT AND GPL-2.0-or-later AND ISC AND OpenSSL AND (MPL-1.1 OR GPL-2.0-only OR LGPL-2.0-only) 20 | The Trivalent Authors 21 | Trivalent 22 | A security hardened Chromium for desktop Linux 23 | 24 |

25 | Trivalent is a Linux desktop web browser built on the Chromium open source project with the 26 | goal of improving security. 27 |

28 | 29 | https://github.com/secureblue/Trivalent 30 | https://github.com/secureblue/Trivalent/issues 31 | 32 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /build/trivalent.conf: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2025 The Trivalent Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software distributed under the License is 12 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and limitations under the License. 14 | 15 | ARCH="$(arch)" 16 | CHROMIUM_FLAGS="" 17 | FEATURES="" 18 | 19 | # ENABLE_GPU_SANDBOX=[true|false] 20 | ENABLE_GPU_SANDBOX="false" 21 | 22 | # USE_WAYLAND=[true|false] 23 | # shellcheck disable=SC2269 24 | USE_WAYLAND="${USE_WAYLAND}" 25 | if [ "$USE_WAYLAND" == "false" ]; then 26 | CHROMIUM_FLAGS+=" --ozone-platform-hint=x11" 27 | elif [ "$USE_WAYLAND" == "true" ] && [ "$XDG_SESSION_TYPE" != "x11" ]; then 28 | CHROMIUM_FLAGS+=" --ozone-platform-hint=wayland" 29 | elif command -v nvidia-smi && [ -n "$DISPLAY" ]; then 30 | echo "Nvidia on X11 detected" 31 | 32 | # Nvidia may or may not use Wayland when Xwayland is available 33 | # We don't want to do anything specific to either Wayland or X11 in this case 34 | USE_WAYLAND="unknown" 35 | # This includes disabling the GPU sandbox 36 | ENABLE_GPU_SANDBOX="false" 37 | else 38 | if [ "$USE_WAYLAND" == "true" ]; then 39 | echo "Wayland is not supported on X11 sessions" 40 | else 41 | echo "Value provided by 'USE_WAYLAND' empty or invalid, defaulting to '$XDG_SESSION_TYPE'" 42 | fi 43 | case "$XDG_SESSION_TYPE" in 44 | wayland) 45 | USE_WAYLAND="true" 46 | ;; 47 | x11) 48 | USE_WAYLAND="false" 49 | ;; 50 | *) 51 | USE_WAYLAND="unknown" 52 | ;; 53 | esac 54 | fi 55 | 56 | # ENABLE_VULKAN=[true|false] 57 | ENABLE_VULKAN="false" 58 | 59 | # Other architectures are not tested for and should not be included yet 60 | if [ "$ARCH" == "x86_64" ] ; then 61 | if [ "$USE_WAYLAND" == "false" ]; then 62 | CHROMIUM_FLAGS+=" --enable-native-gpu-memory-buffers" 63 | CHROMIUM_FLAGS+=" --enable-gpu-memory-buffer-video-frames" 64 | CHROMIUM_FLAGS+=" --enable-zero-copy" 65 | CHROMIUM_FLAGS+=" --ignore-gpu-blocklist" 66 | CHROMIUM_FLAGS+=" --disable-gpu-driver-bug-workaround" 67 | 68 | # Enable Vulkan 69 | # (Vulkan is not supported on Wayland, it is also experimental) 70 | ENABLE_VULKAN="true" 71 | 72 | # Disable GPU Sandbox 73 | # (Even if it is off, we don't want crash loops on x11) 74 | ENABLE_GPU_SANDBOX="false" 75 | fi 76 | 77 | if [ "$ENABLE_VULKAN" == "true" ]; then 78 | CHROMIUM_FLAGS+=" --use-angle=vulkan --use-vulkan" 79 | FEATURES+="Vulkan,DefaultANGLEVulkan,VulkanFromANGLE,VaapiIgnoreDriverChecks" 80 | 81 | # (Vulkan is not supported in the sandbox, at least currently it is not) 82 | ENABLE_GPU_SANDBOX="false" 83 | fi 84 | 85 | if [ "$ENABLE_GPU_SANDBOX" == "true" ]; then 86 | CHROMIUM_FLAGS+=" --gpu-sandbox-start-early" 87 | fi 88 | fi 89 | 90 | # Disable crash reporting, no simple way to patch it in 91 | CHROMIUM_FLAGS+=" --disable-breakpad" 92 | 93 | CHROMIUM_FLAGS+=" --enable-features=$FEATURES" 94 | -------------------------------------------------------------------------------- /build/trivalent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2025 The Trivalent Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software distributed under the License is 12 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and limitations under the License. 14 | 15 | # Sanitize & protect risky variables 16 | declare -rx LD_PRELOAD="" 17 | declare -rx LD_LIBRARY_PATH="" 18 | declare -rx LD_AUDIT="" 19 | declare -rx LD_PROFILE="" 20 | declare -rx PATH="/usr/bin:/bin" 21 | declare -rx HOME="$HOME" 22 | declare -rx XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR" 23 | declare -rx XAUTHORITY="$XAUTHORITY" 24 | declare -rx DISPLAY="$DISPLAY" 25 | 26 | # unify branding 27 | declare -r CHROMIUM_NAME="@@CHROMIUM_NAME@@" 28 | 29 | declare -rx CHROME_VERSION_EXTRA="Built from source for @@BUILD_TARGET@@" 30 | 31 | # We don't want bug-buddy intercepting our crashes. http://crbug.com/24120 32 | declare -rx GNOME_DISABLE_CRASH_DIALOG=SET_BY_GOOGLE_CHROME 33 | 34 | # Let the wrapped binary know that it has been run through the wrapper. 35 | CHROME_WRAPPER=$(readlink -f "$0") 36 | declare -rx CHROME_WRAPPER 37 | HERE=$(dirname "$CHROME_WRAPPER") 38 | declare -r HERE 39 | 40 | # obtain chromium flags from system file 41 | # shellcheck source=build/trivalent.conf 42 | [[ -f "/etc/$CHROMIUM_NAME/$CHROMIUM_NAME.conf" ]] && . "/etc/$CHROMIUM_NAME/$CHROMIUM_NAME.conf" 43 | declare -r CHROMIUM_FLAGS="$CHROMIUM_FLAGS" 44 | 45 | # desktop integration 46 | declare -r xdg_app_dir="${XDG_DATA_HOME:-$HOME/.local/share/applications}" 47 | mkdir -p "$xdg_app_dir" 48 | [[ -f "$xdg_app_dir/mimeapps.list" ]] || touch "$xdg_app_dir/mimeapps.list" 49 | 50 | # Check if Trivalent's subresource filter is installed, 51 | # if so runs the installer 52 | [[ -f "/usr/lib64/trivalent/install_filter.sh" ]] && /bin/bash /usr/lib64/trivalent/install_filter.sh 53 | 54 | PROCESSES=$(ps aux) 55 | echo "$PROCESSES" | grep "$CHROMIUM_NAME --type=zygote" | grep -v "grep" > /dev/null 56 | IS_BROWSER_RUNNING=$? 57 | 58 | # Fix Singleton process locking if the browser isn't running and the singleton files are present 59 | if [[ $IS_BROWSER_RUNNING -eq 1 ]] && compgen -G "$HOME/.config/$CHROMIUM_NAME/Singleton*" > /dev/null; then 60 | echo "Ruh roh! This shouldn't be here..." 61 | rm "$HOME/.config/$CHROMIUM_NAME/Singleton"* 62 | else 63 | echo "A process is already open in this directory or Singleton process files are not present." 64 | fi 65 | 66 | BWRAP_ARGS="--dev-bind / /" 67 | [[ -f "/etc/ld.so.preload" ]] && BWRAP_ARGS+=" --ro-bind /dev/null /etc/ld.so.preload" 68 | 69 | # Sanitize std{in,out,err} because they'll be shared with untrusted child 70 | # processes (http://crbug.com/376567). 71 | exec < /dev/null 72 | exec > >(exec cat) 73 | exec 2> >(exec cat >&2) 74 | 75 | # shellcheck disable=SC2086 76 | exec bwrap $BWRAP_ARGS "$HERE/$CHROMIUM_NAME" $CHROMIUM_FLAGS "$@" 77 | -------------------------------------------------------------------------------- /build/trivalent.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Trivalent 7 | trivalent 8 | /usr/bin/trivalent %s 9 | trivalent 10 | false 11 | false 12 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /build/trivalent128.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent128.png -------------------------------------------------------------------------------- /build/trivalent16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent16.png -------------------------------------------------------------------------------- /build/trivalent22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent22.png -------------------------------------------------------------------------------- /build/trivalent24.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent24.png -------------------------------------------------------------------------------- /build/trivalent256.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent256.png -------------------------------------------------------------------------------- /build/trivalent32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent32.png -------------------------------------------------------------------------------- /build/trivalent44.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent44.png -------------------------------------------------------------------------------- /build/trivalent48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent48.png -------------------------------------------------------------------------------- /build/trivalent64.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/build/trivalent64.png -------------------------------------------------------------------------------- /copr_script.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash -x 2 | 3 | # Copyright 2025 The Trivalent Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software distributed under the License is 12 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and limitations under the License. 14 | 15 | set -oue pipefail 16 | 17 | wget https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/stable/versions/all/releases?filter=endtime=none -O chromium-version.json 18 | grep \"version\" chromium-version.json | grep -oh "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" > chromium-version.txt 19 | 20 | cd Trivalent 21 | 22 | # copy Fedora patches to the build dir 23 | cd fedora_patches/ 24 | patches=(*.patch) 25 | for ((i=0; i<${#patches[@]}; i++)); do 26 | cp "${patches[i]}" "../build/fedora-$((i+1000)).patch" 27 | done 28 | cd .. 29 | 30 | # copy Vanadium patches to the build dir 31 | cd vanadium_patches/ 32 | patches=(*.patch) 33 | for ((i=0; i<${#patches[@]}; i++)); do 34 | cp "${patches[i]}" "../build/vanadium-$((i+2000)).patch" 35 | done 36 | cd .. 37 | 38 | # copy hardened-chromium patches to the build dir 39 | cd patches/ 40 | patches=(*.patch) 41 | for ((i=0; i<${#patches[@]}; i++)); do 42 | cp "${patches[i]}" "../build/trivalent-$((i+3000)).patch" 43 | done 44 | cd .. 45 | 46 | # Move all the source files into the parent directory for the COPR build system to find them 47 | cp /usr/src/chromium/chromium-*-clean.tar.xz ../ 48 | mv ./build/* ../ 49 | -------------------------------------------------------------------------------- /fedora_patches/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Fedora Project Authors. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /fedora_patches/chromium-123-screen-ai-service.patch: -------------------------------------------------------------------------------- 1 | diff -up chromium-123.0.6312.58/chrome/browser/component_updater/screen_ai_component_installer.cc.me chromium-123.0.6312.58/chrome/browser/component_updater/screen_ai_component_installer.cc 2 | --- chromium-123.0.6312.58/chrome/browser/component_updater/screen_ai_component_installer.cc.me 2024-03-24 10:58:43.033885904 +0100 3 | +++ chromium-123.0.6312.58/chrome/browser/component_updater/screen_ai_component_installer.cc 2024-03-24 11:00:38.861979740 +0100 4 | @@ -143,8 +143,7 @@ void ScreenAIComponentInstallerPolicy::D 5 | void ManageScreenAIComponentRegistration(ComponentUpdateService* cus, 6 | PrefService* local_state) { 7 | if (screen_ai::ScreenAIInstallState::ShouldInstall(local_state)) { 8 | - RegisterScreenAIComponent(cus); 9 | - return; 10 | + // don't register the screenn ai service 11 | } 12 | 13 | // Clean up. 14 | -------------------------------------------------------------------------------- /fedora_patches/chromium-124-qt6.patch: -------------------------------------------------------------------------------- 1 | diff -up chromium-124.0.6367.155/ui/qt/BUILD.gn.me chromium-124.0.6367.155/ui/qt/BUILD.gn 2 | --- chromium-124.0.6367.155/ui/qt/BUILD.gn.me 2024-05-08 18:15:34.178627040 +0200 3 | +++ chromium-124.0.6367.155/ui/qt/BUILD.gn 2024-05-08 18:29:31.162513709 +0200 4 | @@ -61,6 +61,7 @@ template("qt_shim") { 5 | packages = [ 6 | "Qt" + invoker.qt_version + "Core", 7 | "Qt" + invoker.qt_version + "Widgets", 8 | + "Qt" + invoker.qt_version + "Gui", 9 | ] 10 | } 11 | 12 | -------------------------------------------------------------------------------- /fedora_patches/chromium-disable-font-tests.patch: -------------------------------------------------------------------------------- 1 | description: disable building font tests 2 | author: Michael Gilbert 3 | 4 | --- a/skia/BUILD.gn 5 | +++ b/skia/BUILD.gn 6 | @@ -860,7 +860,7 @@ group("test_fonts_resources") { 7 | if (is_apple) { 8 | deps += [ ":test_fonts_bundle_data" ] 9 | data_deps += [ ":test_fonts_bundle_data" ] 10 | - } else { 11 | + } else if (false) { 12 | deps += [ "//third_party/test_fonts" ] 13 | data_deps += [ "//third_party/test_fonts" ] 14 | } 15 | --- a/third_party/test_fonts/fontconfig/BUILD.gn 16 | +++ b/third_party/test_fonts/fontconfig/BUILD.gn 17 | @@ -8,9 +8,7 @@ if (is_linux || is_chromeos) { 18 | group("test_support") { 19 | testonly = true 20 | public_deps = [ ":fontconfig_util_linux" ] 21 | - data_deps = [ "//third_party/test_fonts" ] 22 | if (current_toolchain == host_toolchain) { 23 | - data_deps += [ ":do_generate_fontconfig_caches" ] 24 | } 25 | } 26 | 27 | -------------------------------------------------------------------------------- /patches/add-cross-origin-referrer-clearing-feature.patch: -------------------------------------------------------------------------------- 1 | diff --git a/net/base/features.cc b/net/base/features.cc 2 | index 302f1a22d7d7e..4821492c651e1 100644 3 | --- a/net/base/features.cc 4 | +++ b/net/base/features.cc 5 | @@ -19,9 +19,13 @@ BASE_FEATURE(kAvoidH2Reprioritization, 6 | "AvoidH2Reprioritization", 7 | base::FEATURE_DISABLED_BY_DEFAULT); 8 | 9 | +BASE_FEATURE(kDisableCrossOriginReferrers, 10 | + "DisableCrossOriginReferrers", 11 | + base::FEATURE_DISABLED_BY_DEFAULT); 12 | + 13 | BASE_FEATURE(kCapReferrerToOriginOnCrossOrigin, 14 | "CapReferrerToOriginOnCrossOrigin", 15 | - base::FEATURE_DISABLED_BY_DEFAULT); 16 | + base::FEATURE_ENABLED_BY_DEFAULT); 17 | 18 | BASE_FEATURE(kAsyncDns, 19 | "AsyncDns", 20 | diff --git a/net/base/features.h b/net/base/features.h 21 | index ffa3f6ced770b..d1f430814ca7e 100644 22 | --- a/net/base/features.h 23 | +++ b/net/base/features.h 24 | @@ -26,6 +26,9 @@ NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2); 25 | // Disable H2 reprioritization, in order to measure its impact. 26 | NET_EXPORT BASE_DECLARE_FEATURE(kAvoidH2Reprioritization); 27 | 28 | +// Disables referrers when navigating across origins. 29 | +NET_EXPORT BASE_DECLARE_FEATURE(kDisableCrossOriginReferrers); 30 | + 31 | // When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross- 32 | // origin requests are restricted to contain at most the source origin. 33 | NET_EXPORT BASE_DECLARE_FEATURE(kCapReferrerToOriginOnCrossOrigin); 34 | diff --git a/net/url_request/url_request_job.cc b/net/url_request/url_request_job.cc 35 | index a3d565a410685..8c7b19dd8515d 100644 36 | --- a/net/url_request/url_request_job.cc 37 | +++ b/net/url_request/url_request_job.cc 38 | @@ -327,6 +327,16 @@ GURL URLRequestJob::ComputeReferrerForPolicy( 39 | if (same_origin_out_for_metrics) 40 | *same_origin_out_for_metrics = same_origin; 41 | 42 | + if (base::FeatureList::IsEnabled( 43 | + features::kDisableCrossOriginReferrers) && 44 | + !same_origin) { 45 | + // Return an empty URL if cross-origin and the feature is enabled. 46 | + // 47 | + // Returns here since the referrer policy doesn't matter if it is 48 | + // cross-origin (if it is same origin then this will never happen) 49 | + return GURL(); 50 | + } 51 | + 52 | // 7. The user agent MAY alter referrerURL or referrerOrigin at this point to 53 | // enforce arbitrary policy considerations in the interests of minimizing data 54 | // leakage. For example, the user agent could strip the URL down to an origin, 55 | diff --git a/services/network/network_service_network_delegate.cc b/services/network/network_service_network_delegate.cc 56 | index 24034fb3a78f7..c67fb7bde22eb 100644 57 | --- a/services/network/network_service_network_delegate.cc 58 | +++ b/services/network/network_service_network_delegate.cc 59 | @@ -60,9 +60,13 @@ void NetworkServiceNetworkDelegate::MaybeTruncateReferrer( 60 | return; 61 | } 62 | 63 | - if (base::FeatureList::IsEnabled( 64 | - net::features::kCapReferrerToOriginOnCrossOrigin)) { 65 | - if (!url::IsSameOriginWith(effective_url, GURL(request->referrer()))) { 66 | + // If the target URL isn't the same origin as the current URL 67 | + if (!url::IsSameOriginWith(effective_url, GURL(request->referrer()))) { 68 | + if (base::FeatureList::IsEnabled( 69 | + net::features::kDisableCrossOriginReferrers)) { 70 | + request->SetReferrer(std::string()); 71 | + } else if (base::FeatureList::IsEnabled( 72 | + net::features::kCapReferrerToOriginOnCrossOrigin)) { 73 | auto capped_referrer = url::Origin::Create(GURL(request->referrer())); 74 | request->SetReferrer(capped_referrer.GetURL().spec()); 75 | } 76 | -------------------------------------------------------------------------------- /patches/add-feature-to-disable-pdf-javascript.patch: -------------------------------------------------------------------------------- 1 | diff --git a/pdf/pdf_features.cc b/pdf/pdf_features.cc 2 | index e4dbc7d5b0834..973bc515cea96 100644 3 | --- a/pdf/pdf_features.cc 4 | +++ b/pdf/pdf_features.cc 5 | @@ -13,6 +13,10 @@ namespace { 6 | bool g_is_oopif_pdf_policy_enabled = true; 7 | } // namespace 8 | 9 | +// Trivalent 10 | +BASE_FEATURE(kPdfJavaScript, "PdfJavaScript", 11 | + base::FEATURE_DISABLED_BY_DEFAULT); 12 | + 13 | BASE_FEATURE(kAccessiblePDFForm, 14 | "AccessiblePDFForm", 15 | base::FEATURE_DISABLED_BY_DEFAULT); 16 | diff --git a/pdf/pdf_features.h b/pdf/pdf_features.h 17 | index d41a57843a..92ca24ed0e 100644 18 | --- a/pdf/pdf_features.h 19 | +++ b/pdf/pdf_features.h 20 | @@ -16,6 +16,9 @@ static_assert(BUILDFLAG(ENABLE_PDF), "ENABLE_PDF not set to true"); 21 | 22 | namespace chrome_pdf::features { 23 | 24 | +// Trivalent 25 | +BASE_DECLARE_FEATURE(kPdfJavaScript); 26 | + 27 | BASE_DECLARE_FEATURE(kAccessiblePDFForm); 28 | BASE_DECLARE_FEATURE(kPdfGetSaveDataInBlocks); 29 | BASE_DECLARE_FEATURE(kPdfIncrementalLoading); 30 | diff --git a/pdf/pdfium/pdfium_form_filler.cc b/pdf/pdfium/pdfium_form_filler.cc 31 | index f319c45d075e2..d1b311d76d1d3 100644 32 | --- a/pdf/pdfium/pdfium_form_filler.cc 33 | +++ b/pdf/pdfium/pdfium_form_filler.cc 34 | @@ -41,6 +41,8 @@ std::string WideStringToString(FPDF_WIDESTRING wide_string) { 35 | 36 | // static 37 | PDFiumFormFiller::ScriptOption PDFiumFormFiller::DefaultScriptOption() { 38 | + if (!base::FeatureList::IsEnabled(features::kPdfJavaScript)) 39 | + return PDFiumFormFiller::ScriptOption::kNoJavaScript; 40 | #if defined(PDF_ENABLE_XFA) 41 | if (base::FeatureList::IsEnabled(features::kPdfXfaSupport)) 42 | return PDFiumFormFiller::ScriptOption::kJavaScriptAndXFA; 43 | -------------------------------------------------------------------------------- /patches/add-feature-to-show-puny-code.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/url_formatter/url_formatter.cc b/components/url_formatter/url_formatter.cc 2 | index 63b6e1583a837..a0b8b8c588161 100644 3 | --- a/components/url_formatter/url_formatter.cc 4 | +++ b/components/url_formatter/url_formatter.cc 5 | @@ -26,6 +26,7 @@ 6 | #include "url/third_party/mozilla/url_parse.h" 7 | #include "url/url_constants.h" 8 | #include "url/url_util.h" 9 | +#include "url/url_features.h" 10 | 11 | namespace url_formatter { 12 | 13 | @@ -318,6 +319,10 @@ IDNConversionResult IDNToUnicodeWithAdjustmentsImpl( 14 | GetTopLevelDomain(host, &top_level_domain, &top_level_domain_unicode); 15 | 16 | IDNConversionResult result; 17 | + if (base::FeatureList::IsEnabled(url::kShowPunycodeDomains)) { 18 | + result.result = host16; 19 | + return result; 20 | + } 21 | // Do each component of the host separately, since we enforce script matching 22 | // on a per-component basis. 23 | std::u16string out16; 24 | diff --git a/url/url_features.cc b/url/url_features.cc 25 | index 584e93ac72bd1..b89fea48914d6 100644 26 | --- a/url/url_features.cc 27 | +++ b/url/url_features.cc 28 | @@ -7,6 +7,10 @@ 29 | 30 | namespace url { 31 | 32 | +BASE_FEATURE(kShowPunycodeDomains, 33 | + "ShowPunycodeDomains", 34 | + base::FEATURE_DISABLED_BY_DEFAULT); 35 | + 36 | BASE_FEATURE(kUseIDNA2008NonTransitional, 37 | "UseIDNA2008NonTransitional", 38 | base::FEATURE_ENABLED_BY_DEFAULT); 39 | diff --git a/url/url_features.h b/url/url_features.h 40 | index fa4493a12e9c1..70c5d811122fe 100644 41 | --- a/url/url_features.h 42 | +++ b/url/url_features.h 43 | @@ -10,6 +10,10 @@ 44 | 45 | namespace url { 46 | 47 | +// Forces IDN domains to be shown as punycode, this helps mitigate IDN homograph 48 | +// attacks which can be used for phishing 49 | +BASE_DECLARE_FEATURE(kShowPunycodeDomains); 50 | + 51 | // If you add or remove a feature related to URLs, you may need to 52 | // correspondingly update the EarlyAccess allow list in app shims 53 | // (chrome/app_shim/app_shim_controller.mm). See https://crbug.com/1520386 for 54 | -------------------------------------------------------------------------------- /patches/add-feature-to-toggle-middlemouse-copypaste.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/views/tabs/tab_strip.cc b/chrome/browser/ui/views/tabs/tab_strip.cc 2 | index 9b5b2834eb..40e7c7b6fa 100644 3 | --- a/chrome/browser/ui/views/tabs/tab_strip.cc 4 | +++ b/chrome/browser/ui/views/tabs/tab_strip.cc 5 | @@ -2,6 +2,9 @@ 6 | // Use of this source code is governed by a BSD-style license that can be 7 | // found in the LICENSE file. 8 | 9 | +#include "ui/views/views_features.h" 10 | +#include "third_party/blink/public/common/features_generated.h" 11 | + 12 | #include "chrome/browser/ui/views/tabs/tab_strip.h" 13 | 14 | #include 15 | @@ -2186,7 +2189,11 @@ void TabStrip::NewTabButtonPressed(const ui::Event& event) { 16 | const ui::MouseEvent& mouse = static_cast(event); 17 | if (mouse.IsOnlyMiddleMouseButton()) { 18 | if (ui::Clipboard::IsSupportedClipboardBuffer( 19 | - ui::ClipboardBuffer::kSelection)) { 20 | + ui::ClipboardBuffer::kSelection) && 21 | + !base::FeatureList::IsEnabled( 22 | + blink::features::kMiddleClickAutoscroll) && 23 | + base::FeatureList::IsEnabled( 24 | + views::features::kMiddleClickCopyPaste)) { 25 | ui::Clipboard* clipboard = ui::Clipboard::GetForCurrentThread(); 26 | CHECK(clipboard) 27 | << "Clipboard instance is not available, cannot proceed with " 28 | diff --git a/ui/views/selection_controller.h b/ui/views/selection_controller.h 29 | index dcc4d40592932..f9a9b002bd956 100644 30 | --- a/ui/views/selection_controller.h 31 | +++ b/ui/views/selection_controller.h 32 | @@ -5,6 +5,10 @@ 33 | #ifndef UI_VIEWS_SELECTION_CONTROLLER_H_ 34 | #define UI_VIEWS_SELECTION_CONTROLLER_H_ 35 | 36 | +// Needed features for middle click controls 37 | +#include "ui/views/views_features.h" 38 | +#include "third_party/blink/public/common/features_generated.h" 39 | + 40 | #include "base/memory/raw_ptr.h" 41 | #include "base/time/time.h" 42 | #include "base/timer/timer.h" 43 | @@ -61,7 +65,10 @@ class VIEWS_EXPORT SelectionController { 44 | // Sets whether the SelectionController should update or paste the 45 | // selection clipboard on middle-click. Default is false. 46 | void set_handles_selection_clipboard(bool value) { 47 | - handles_selection_clipboard_ = value; 48 | + handles_selection_clipboard_ = value && 49 | + !base::FeatureList::IsEnabled( 50 | + blink::features::kMiddleClickAutoscroll) && 51 | + base::FeatureList::IsEnabled(features::kMiddleClickCopyPaste); 52 | } 53 | 54 | // Offsets the double-clicked word's range. This is only used in the unusual 55 | diff --git a/ui/views/views_features.cc b/ui/views/views_features.cc 56 | index 4c6ae8ff79..e6f160160b 100644 57 | --- a/ui/views/views_features.cc 58 | +++ b/ui/views/views_features.cc 59 | @@ -44,4 +44,11 @@ BASE_FEATURE(kKeyboardAccessibleTooltipInViews, 60 | "KeyboardAccessibleTooltipInViews", 61 | base::FEATURE_ENABLED_BY_DEFAULT); 62 | 63 | +// Controls the behavior of middle-mouse copy and pasting. 64 | +// This may be overridden by the kMiddleClickAutoscroll 65 | +// blink feature. 66 | +BASE_FEATURE(kMiddleClickCopyPaste, 67 | + "MiddleClickCopyPaste", 68 | + base::FEATURE_ENABLED_BY_DEFAULT); 69 | + 70 | } // namespace views::features 71 | diff --git a/ui/views/views_features.h b/ui/views/views_features.h 72 | index d586436498..55ac42ee4a 100644 73 | --- a/ui/views/views_features.h 74 | +++ b/ui/views/views_features.h 75 | @@ -18,6 +18,8 @@ VIEWS_EXPORT BASE_DECLARE_FEATURE(kEnableTouchDragCursorSync); 76 | VIEWS_EXPORT BASE_DECLARE_FEATURE(kEnableTransparentHwndEnlargement); 77 | VIEWS_EXPORT BASE_DECLARE_FEATURE(kKeyboardAccessibleTooltipInViews); 78 | 79 | +VIEWS_EXPORT BASE_DECLARE_FEATURE(kMiddleClickCopyPaste); 80 | + 81 | } // namespace views::features 82 | 83 | #endif // UI_VIEWS_VIEWS_FEATURES_H_ 84 | diff --git a/third_party/blink/renderer/core/editing/selection_controller.cc b/third_party/blink/renderer/core/editing/selection_controller.cc 85 | index 8f129a1d5d..0ce49f8457 100644 86 | --- a/third_party/blink/renderer/core/editing/selection_controller.cc 87 | +++ b/third_party/blink/renderer/core/editing/selection_controller.cc 88 | @@ -63,6 +63,8 @@ 89 | #include "third_party/blink/renderer/platform/runtime_enabled_features.h" 90 | #include "ui/gfx/geometry/point_conversions.h" 91 | 92 | +#include "ui/views/views_features.h" 93 | + 94 | namespace blink { 95 | 96 | SelectionController::SelectionController(LocalFrame& frame) 97 | @@ -1260,7 +1262,9 @@ bool SelectionController::HandlePasteGlobalSelection( 98 | Frame* focus_frame = 99 | frame_->GetPage()->GetFocusController().FocusedOrMainFrame(); 100 | // Do not paste here if the focus was moved somewhere else. 101 | - if (frame_ == focus_frame) 102 | + if (frame_ == focus_frame && 103 | + !RuntimeEnabledFeatures::MiddleClickAutoscrollEnabled() && 104 | + base::FeatureList::IsEnabled(views::features::kMiddleClickCopyPaste)) 105 | return frame_->GetEditor().ExecuteCommand("PasteGlobalSelection"); 106 | 107 | return false; 108 | -------------------------------------------------------------------------------- /patches/add-incognito-launch-pref.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/prefs/incognito_mode_prefs.cc b/chrome/browser/prefs/incognito_mode_prefs.cc 2 | index ce5660ca65a4f..4cf8a3dbb1eaa 100644 3 | --- a/chrome/browser/prefs/incognito_mode_prefs.cc 4 | +++ b/chrome/browser/prefs/incognito_mode_prefs.cc 5 | @@ -162,6 +162,9 @@ bool IncognitoModePrefs::ShouldLaunchIncognitoInternal( 6 | } 7 | bool should_use_incognito = 8 | forced_by_switch || 9 | + (prefs->GetBoolean(prefs::kIncognitoLaunch) && !for_subsequent_browsers && 10 | + !command_line.HasSwitch(switches::kAppId) && 11 | + !command_line.HasSwitch(switches::kApp)) || 12 | GetAvailabilityInternal(prefs, DONT_CHECK_PARENTAL_CONTROLS) == 13 | IncognitoModeAvailability::kForced; 14 | return should_use_incognito && 15 | diff --git a/chrome/browser/profiles/profile.cc b/chrome/browser/profiles/profile.cc 16 | index a490fefce8c79..1b071f5c7c571 100644 17 | --- a/chrome/browser/profiles/profile.cc 18 | +++ b/chrome/browser/profiles/profile.cc 19 | @@ -316,6 +316,7 @@ const char Profile::kProfileKey[] = "__PROFILE__"; 20 | 21 | // static 22 | void Profile::RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 23 | + registry->RegisterBooleanPref(prefs::kIncognitoLaunch, false); 24 | registry->RegisterBooleanPref( 25 | prefs::kSearchSuggestEnabled, 26 | true, 27 | diff --git a/chrome/common/pref_names.h b/chrome/common/pref_names.h 28 | index 32141931a58d5..93cf4c2a33d54 100644 29 | --- a/chrome/common/pref_names.h 30 | +++ b/chrome/common/pref_names.h 31 | @@ -28,6 +28,9 @@ namespace prefs { 32 | // *************** PROFILE PREFS *************** 33 | // These are attached to the user profile 34 | 35 | +// Launch sessions and open external links in Incognito 36 | +inline constexpr char kIncognitoLaunch[] = "incognito.launch_mode"; 37 | + 38 | // A string property indicating whether default apps should be installed 39 | // in this profile. Use the value "install" to enable defaults apps, or 40 | // "noinstall" to disable them. This property is usually set in the 41 | -------------------------------------------------------------------------------- /patches/add-license-info.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/resources/settings/about_page/about_page.html b/chrome/browser/resources/settings/about_page/about_page.html 2 | index 6864d76343794..678a7c240d91e 100644 3 | --- a/chrome/browser/resources/settings/about_page/about_page.html 4 | +++ b/chrome/browser/resources/settings/about_page/about_page.html 5 | @@ -148,7 +148,68 @@ 6 | 7 |
8 |
9 | -
$i18n{aboutProductTitle}
10 | +
Trivalent
11 | +
Copyright 2024-2025 The Trivalent authors.
12 | +
Trivalent license: 13 | + 
14 | +Trivalent is available under the terms of the GNU General Public
15 | +License version 2 only, according to LICENSE.GPL-2.0. Also see
16 | +LICENSE.Apache-2.0-note, LICENSE.FTL-note, and LICENSE.Webview-note
17 | +for exceptions to the GPLv2 terms.
18 | +
19 | +
20 | +
The Trivalent source code is available on github.
21 | +
The Trivalent patches are licensed under the Apache License, Version 2.0.
22 | +
23 | +
24 | +
25 | +
This project contains code from Vanadium.
26 | +
Copyright © 2016-2025 GrapheneOS
27 | +
Vanadium patches license: 28 | + 
29 | +Vanadium patches are available under the terms of the GNU General Public
30 | +License version 2 only, according with LICENSE.GPL-2.0. Also see
31 | +LICENSE.WebView-note and LICENSE.Apache-2.0-note for exceptions from the GPLv2
32 | +terms.
33 | +
34 | +In order for us to continue to contribute upstream, contributors to Vanadium
35 | +give permission to the GrapheneOS project to submit their changes to the
36 | +Chromium project or a future replacement for the base Vanadium code based on
37 | +it under the preferred choice of licensing for that project. Only the code
38 | +accepted by them will be available under their choice of license.
39 | +
40 | +
41 | +
The Vanadium source code is available on github.
42 | +
43 | +
44 | +
45 | +
This project contains code from the Fedora Project.
46 | +
Copyright Fedora Project Authors
47 | +
Fedora Project license: 48 | + 
49 | +Permission is hereby granted, free of charge, to any person obtaining a copy
50 | +of this software and associated documentation files (the "Software"), to deal
51 | +in the Software without restriction, including without limitation the rights
52 | +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
53 | +copies of the Software, and to permit persons to whom the Software is
54 | +furnished to do so, subject to the following conditions:
55 | +
56 | +The above copyright notice and this permission notice shall be included in all
57 | +copies or substantial portions of the Software.
58 | +
59 | +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
60 | +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
61 | +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
62 | +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
63 | +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
64 | +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
65 | +SOFTWARE.
66 | +
67 | +
68 | +
69 | +
70 | +
71 | +
This project is based on the Chromium open source project.
72 |
$i18n{aboutProductCopyright}
73 |
74 | 75 | -------------------------------------------------------------------------------- /patches/block-external-extensions.patch: -------------------------------------------------------------------------------- 1 | diff --git a/extensions/browser/extension_prefs.cc b/extensions/browser/extension_prefs.cc 2 | index 8fa89d4bd502a..1a40bf5d285b6 100644 3 | --- a/extensions/browser/extension_prefs.cc 4 | +++ b/extensions/browser/extension_prefs.cc 5 | @@ -2297,7 +2297,7 @@ void ExtensionPrefs::RegisterProfilePrefs( 6 | registry->RegisterBooleanPref(pref_names::kAppFullscreenAllowed, true); 7 | #endif 8 | 9 | - registry->RegisterBooleanPref(pref_names::kBlockExternalExtensions, false); 10 | + registry->RegisterBooleanPref(pref_names::kBlockExternalExtensions, true); 11 | registry->RegisterIntegerPref(pref_names::kExtensionUnpublishedAvailability, 12 | 0); 13 | registry->RegisterListPref(pref_names::kExtensionInstallTypeBlocklist); 14 | -------------------------------------------------------------------------------- /patches/build-hardening.patch: -------------------------------------------------------------------------------- 1 | diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn 2 | index 5898b8c54bef2..d924cec372c1a 100644 3 | --- a/build/config/compiler/BUILD.gn 4 | +++ b/build/config/compiler/BUILD.gn 5 | @@ -371,6 +371,10 @@ config("compiler") { 6 | } 7 | } 8 | 9 | + if (is_linux) { 10 | + cflags += [ "-fstack-clash-protection" ] 11 | + } 12 | + 13 | if (use_lld) { 14 | ldflags += [ "-fuse-ld=lld" ] 15 | if (lld_path != "") { 16 | @@ -2059,7 +2063,7 @@ config("chromium_code") { 17 | # Non-chromium code is not guaranteed to compile cleanly with 18 | # _FORTIFY_SOURCE. Also, fortified build may fail when optimizations are 19 | # disabled, so only do that for Release build. 20 | - fortify_level = "2" 21 | + fortify_level = "3" 22 | 23 | # ChromeOS's toolchain supports a high-quality _FORTIFY_SOURCE=3 24 | # implementation with a few custom glibc patches. Use that if it's 25 | -------------------------------------------------------------------------------- /patches/clear-windowname-property-across-contexts.patch: -------------------------------------------------------------------------------- 1 | diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc 2 | index a0ac946fc64b4..bb3ba83bf77a9 100644 3 | --- a/content/public/common/content_features.cc 4 | +++ b/content/public/common/content_features.cc 5 | @@ -192,7 +192,7 @@ BASE_FEATURE(kCdmStorageDatabaseMigration, 6 | // swap BrowsingContextGroups(BrowsingInstances). 7 | BASE_FEATURE(kClearCrossSiteCrossBrowsingContextGroupWindowName, 8 | "ClearCrossSiteCrossBrowsingContextGroupWindowName", 9 | - base::FEATURE_DISABLED_BY_DEFAULT); 10 | + base::FEATURE_ENABLED_BY_DEFAULT); 11 | 12 | BASE_FEATURE(kCompositeBGColorAnimation, 13 | "CompositeBGColorAnimation", 14 | diff --git a/third_party/blink/renderer/core/loader/document_loader.cc b/third_party/blink/renderer/core/loader/document_loader.cc 15 | index 85c4d912e2fdb..d03099ab283f0 100644 16 | --- a/third_party/blink/renderer/core/loader/document_loader.cc 17 | +++ b/third_party/blink/renderer/core/loader/document_loader.cc 18 | @@ -2854,7 +2854,7 @@ void DocumentLoader::CommitNavigation() { 19 | // that the name would be nulled and if the name is accessed after we will 20 | // fire a UseCounter. If we decide to move forward with this change, we'd 21 | // actually clean the name here. 22 | - // frame_->tree().setName(g_null_atom); 23 | + frame_->Tree().SetName(g_null_atom); 24 | frame_->Tree().ExperimentalSetNulledName(); 25 | } 26 | 27 | @@ -2865,6 +2865,7 @@ void DocumentLoader::CommitNavigation() { 28 | // TODO(shuuran): CrossSiteCrossBrowsingContextGroupSetNulledName will just 29 | // record the fact that the name would be nulled and if the name is accessed 30 | // after we will fire a UseCounter. 31 | + frame_->Tree().SetName(g_null_atom); 32 | frame_->Tree().CrossSiteCrossBrowsingContextGroupSetNulledName(); 33 | } 34 | 35 | -------------------------------------------------------------------------------- /patches/default-disable-3d-apis.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc 2 | index 25b5c325f612d..b5d404abbca92 100644 3 | --- a/chrome/browser/chrome_content_browser_client.cc 4 | +++ b/chrome/browser/chrome_content_browser_client.cc 5 | @@ -1579,7 +1579,7 @@ void ChromeContentBrowserClient::RegisterLocalStatePrefs( 6 | // static 7 | void ChromeContentBrowserClient::RegisterProfilePrefs( 8 | user_prefs::PrefRegistrySyncable* registry) { 9 | - registry->RegisterBooleanPref(prefs::kDisable3DAPIs, false); 10 | + registry->RegisterBooleanPref(prefs::kDisable3DAPIs, true); 11 | registry->RegisterBooleanPref(prefs::kEnableHyperlinkAuditing, false); 12 | // Register user prefs for mapping SitePerProcess and IsolateOrigins in 13 | // user policy in addition to the same named ones in Local State (which are 14 | -------------------------------------------------------------------------------- /patches/disable-autofill-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/autofill/core/common/autofill_prefs.cc b/components/autofill/core/common/autofill_prefs.cc 2 | index 08699c4ee2..dbbb017115 100644 3 | --- a/components/autofill/core/common/autofill_prefs.cc 4 | +++ b/components/autofill/core/common/autofill_prefs.cc 5 | @@ -29,7 +29,7 @@ constexpr char kAutofillRanQuasiDuplicateExtraDeduplication[] = 6 | void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 7 | // Synced prefs. Used for cross-device choices, e.g., credit card Autofill. 8 | registry->RegisterBooleanPref( 9 | - kAutofillProfileEnabled, true, 10 | + kAutofillProfileEnabled, false, 11 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 12 | registry->RegisterIntegerPref( 13 | kAutofillLastVersionDeduped, 0, 14 | @@ -38,13 +38,13 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 15 | kAutofillHasSeenIban, false, 16 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 17 | registry->RegisterBooleanPref( 18 | - kAutofillCreditCardEnabled, true, 19 | + kAutofillCreditCardEnabled, false, 20 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 21 | registry->RegisterBooleanPref( 22 | - kAutofillPaymentCvcStorage, true, 23 | + kAutofillPaymentCvcStorage, false, 24 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 25 | registry->RegisterBooleanPref( 26 | - kAutofillPaymentCardBenefits, true, 27 | + kAutofillPaymentCardBenefits, false, 28 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 29 | 30 | // Non-synced prefs. Used for per-device choices, e.g., signin promo. 31 | -------------------------------------------------------------------------------- /patches/disable-background-mode-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/background/extensions/background_mode_manager.cc b/chrome/browser/background/extensions/background_mode_manager.cc 2 | index c7de82b5ee393..ee63ed0637067 100644 3 | --- a/chrome/browser/background/extensions/background_mode_manager.cc 4 | +++ b/chrome/browser/background/extensions/background_mode_manager.cc 5 | @@ -364,7 +364,7 @@ BackgroundModeManager::~BackgroundModeManager() { 6 | 7 | // static 8 | void BackgroundModeManager::RegisterPrefs(PrefRegistrySimple* registry) { 9 | - registry->RegisterBooleanPref(prefs::kBackgroundModeEnabled, true); 10 | + registry->RegisterBooleanPref(prefs::kBackgroundModeEnabled, false); 11 | } 12 | 13 | void BackgroundModeManager::RegisterProfile(Profile* profile) { 14 | -------------------------------------------------------------------------------- /patches/disable-disk-cache.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc 2 | index 7c3178793b3fb..4d347b8292142 100644 3 | --- a/chrome/browser/chrome_content_browser_client.cc 4 | +++ b/chrome/browser/chrome_content_browser_client.cc 5 | @@ -1529,7 +1529,7 @@ ChromeContentBrowserClient::~ChromeContentBrowserClient() { 6 | // static 7 | void ChromeContentBrowserClient::RegisterLocalStatePrefs( 8 | PrefRegistrySimple* registry) { 9 | - registry->RegisterFilePathPref(prefs::kDiskCacheDir, base::FilePath()); 10 | + registry->RegisterFilePathPref(prefs::kDiskCacheDir, base::FilePath("/dev/null")); 11 | registry->RegisterIntegerPref(prefs::kDiskCacheSize, 0); 12 | registry->RegisterStringPref(prefs::kIsolateOrigins, std::string()); 13 | registry->RegisterBooleanPref(prefs::kSitePerProcess, false); 14 | -------------------------------------------------------------------------------- /patches/disable-extensions-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/profiles/profile.cc b/chrome/browser/profiles/profile.cc 2 | index 363a7c4ac5..56ae736a88 100644 3 | --- a/chrome/browser/profiles/profile.cc 4 | +++ b/chrome/browser/profiles/profile.cc 5 | @@ -331,7 +331,7 @@ void Profile::RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 6 | registry->RegisterIntegerPref(prefs::kContextualSearchPromoCardShownCount, 0); 7 | #endif // BUILDFLAG(IS_ANDROID) 8 | registry->RegisterStringPref(prefs::kSessionExitType, std::string()); 9 | - registry->RegisterBooleanPref(prefs::kDisableExtensions, false); 10 | + registry->RegisterBooleanPref(prefs::kDisableExtensions, true); 11 | #if BUILDFLAG(ENABLE_EXTENSIONS_CORE) 12 | registry->RegisterBooleanPref(extensions::pref_names::kAlertsInitialized, 13 | false); 14 | -------------------------------------------------------------------------------- /patches/disable-gen-ai-features-and-logging-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/devtools/devtools_window.cc b/chrome/browser/devtools/devtools_window.cc 2 | index 9b388234f3dfe..5122dcfc5ea77 100644 3 | --- a/chrome/browser/devtools/devtools_window.cc 4 | +++ b/chrome/browser/devtools/devtools_window.cc 5 | @@ -533,7 +533,7 @@ void DevToolsWindow::RegisterProfilePrefs( 6 | prefs::kDevToolsSyncedPreferencesSyncDisabled); 7 | registry->RegisterIntegerPref( 8 | prefs::kDevToolsGenAiSettings, 9 | - static_cast(DevToolsGenAiEnterprisePolicyValue::kAllow)); 10 | + static_cast(DevToolsGenAiEnterprisePolicyValue::kDisable)); 11 | } 12 | 13 | // static 14 | diff --git a/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc b/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc 15 | index e5d92f8730357..31c60742976d5 100644 16 | --- a/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc 17 | +++ b/components/optimization_guide/core/feature_registry/enterprise_policy_registry.cc 18 | @@ -52,7 +52,7 @@ void EnterprisePolicyRegistry::RegisterProfilePrefs( 19 | registry->RegisterIntegerPref( 20 | policy.name(), 21 | static_cast(model_execution::prefs:: 22 | - ModelExecutionEnterprisePolicyValue::kAllow), 23 | + ModelExecutionEnterprisePolicyValue::kDisable), 24 | PrefRegistry::LOSSY_PREF); 25 | } 26 | // From that point on, it's too late to modify the registry as the prefs 27 | diff --git a/components/optimization_guide/core/model_execution/model_execution_prefs.cc b/components/optimization_guide/core/model_execution/model_execution_prefs.cc 28 | index 305df14ead0ff..eb8b1b25f1ea3 100644 29 | --- a/components/optimization_guide/core/model_execution/model_execution_prefs.cc 30 | +++ b/components/optimization_guide/core/model_execution/model_execution_prefs.cc 31 | @@ -130,7 +130,7 @@ void RegisterLocalStatePrefs(PrefRegistrySimple* registry) { 32 | registry->RegisterInt64Pref(localstate::kModelQualityLoggingClientId, 0, 33 | PrefRegistry::LOSSY_PREF); 34 | registry->RegisterIntegerPref( 35 | - localstate::kGenAILocalFoundationalModelEnterprisePolicySettings, 0); 36 | + localstate::kGenAILocalFoundationalModelEnterprisePolicySettings, 1); 37 | } 38 | 39 | void RegisterLegacyUsagePrefsForMigration(PrefRegistrySimple* registry) { 40 | diff --git a/chrome/browser/prefs/browser_prefs.cc b/chrome/browser/prefs/browser_prefs.cc 41 | index 9a00400829..91a9b429e3 100644 42 | --- a/chrome/browser/prefs/browser_prefs.cc 43 | +++ b/chrome/browser/prefs/browser_prefs.cc 44 | @@ -2319,7 +2319,7 @@ void RegisterScreenshotPrefs(PrefRegistrySimple* registry) { 45 | } 46 | 47 | void RegisterGeminiSettingsPrefs(user_prefs::PrefRegistrySyncable* registry) { 48 | - registry->RegisterIntegerPref(prefs::kGeminiSettings, 0); 49 | + registry->RegisterIntegerPref(prefs::kGeminiSettings, 1); 50 | } 51 | 52 | #if BUILDFLAG(IS_CHROMEOS) 53 | diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc 54 | index 3ebb85bbe3..1193f35958 100644 55 | --- a/chrome/browser/chrome_content_browser_client.cc 56 | +++ b/chrome/browser/chrome_content_browser_client.cc 57 | @@ -1666,7 +1666,7 @@ void ChromeContentBrowserClient::RegisterProfilePrefs( 58 | prefs::kServiceWorkerToControlSrcdocIframeEnabled, true); 59 | registry->RegisterBooleanPref(prefs::kReduceAcceptLanguageEnabled, true); 60 | registry->RegisterBooleanPref(policy::policy_prefs::kBuiltInAIAPIsEnabled, 61 | - true); 62 | + false); 63 | } 64 | 65 | // static 66 | -------------------------------------------------------------------------------- /patches/disable-global-shortcuts-portal.patch: -------------------------------------------------------------------------------- 1 | diff --git a/ui/base/accelerators/global_accelerator_listener/global_accelerator_listener_ozone.cc b/ui/base/accelerators/global_accelerator_listener/global_accelerator_listener_ozone.cc 2 | index c98ecc3600..e4a772c18a 100644 3 | --- a/ui/base/accelerators/global_accelerator_listener/global_accelerator_listener_ozone.cc 4 | +++ b/ui/base/accelerators/global_accelerator_listener/global_accelerator_listener_ozone.cc 5 | @@ -23,7 +23,7 @@ namespace { 6 | #if BUILDFLAG(IS_LINUX) && BUILDFLAG(USE_DBUS) 7 | BASE_FEATURE(kGlobalShortcutsPortal, 8 | "GlobalShortcutsPortal", 9 | - base::FEATURE_ENABLED_BY_DEFAULT); 10 | + base::FEATURE_DISABLED_BY_DEFAULT); 11 | #endif 12 | } // namespace 13 | 14 | -------------------------------------------------------------------------------- /patches/disable-gssapi-to-enable-network-service-sandbox.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc 2 | index 249ff5ecffa8d..c9c36e3226290 100644 3 | --- a/chrome/browser/net/system_network_context_manager.cc 4 | +++ b/chrome/browser/net/system_network_context_manager.cc 5 | @@ -533,8 +533,12 @@ void SystemNetworkContextManager::GssapiLibraryLoadObserver::Install( 6 | 7 | void SystemNetworkContextManager::GssapiLibraryLoadObserver:: 8 | OnBeforeGssapiLibraryLoad() { 9 | + // Keeping this enabled will disable the Network Service Sandbox when a 10 | + // website tries to use GSSAPI, not very secure. Flag can re-enable. 11 | owner_->local_state_->SetBoolean(prefs::kReceivedHttpAuthNegotiateHeader, 12 | - true); 13 | + base::CommandLine:: 14 | + ForCurrentProcess()->HasSwitch( 15 | + "enable-gssapi")); 16 | } 17 | #endif // BUILDFLAG(IS_LINUX) 18 | 19 | -------------------------------------------------------------------------------- /patches/disable-infobar-for-builds-without-api-key.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/startup/infobar_utils.cc b/chrome/browser/ui/startup/infobar_utils.cc 2 | index d3ad537ab2055..1fcf5da985d74 100644 3 | --- a/chrome/browser/ui/startup/infobar_utils.cc 4 | +++ b/chrome/browser/ui/startup/infobar_utils.cc 5 | @@ -154,10 +154,6 @@ void AddInfoBarsIfNecessary(Browser* browser, 6 | infobars::ContentInfoBarManager* infobar_manager = 7 | infobars::ContentInfoBarManager::FromWebContents(web_contents); 8 | 9 | - if (!google_apis::HasAPIKeyConfigured()) { 10 | - GoogleApiKeysInfoBarDelegate::Create(infobar_manager); 11 | - } 12 | - 13 | if (ObsoleteSystem::IsObsoleteNowOrSoon()) { 14 | PrefService* local_state = g_browser_process->local_state(); 15 | if (!local_state || 16 | -------------------------------------------------------------------------------- /patches/disable-jit-for-internal-pages.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc 2 | index e5ce608907f72..09159a4e83115 100644 3 | --- a/chrome/browser/chrome_content_browser_client.cc 4 | +++ b/chrome/browser/chrome_content_browser_client.cc 5 | @@ -8013,9 +8013,10 @@ bool ChromeContentBrowserClient::IsJitDisabledForSite( 6 | nullptr) == CONTENT_SETTING_BLOCK; 7 | } 8 | 9 | - // Only disable JIT for web schemes. 10 | - if (!site_url.SchemeIsHTTPOrHTTPS()) 11 | - return false; 12 | + // Only force disable JIT for pages that aren't web schemes, aren't file schemes, and aren't extensions 13 | + if (!site_url.SchemeIsHTTPOrHTTPS() && !site_url.SchemeIsFile() 14 | + && !site_url.SchemeIs("chrome-extension")) 15 | + return true; 16 | 17 | return (map && map->GetContentSetting(site_url, site_url, 18 | ContentSettingsType::JAVASCRIPT_JIT) == 19 | diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc 20 | index 2d95d5e1df911..e7a29a6687a07 100644 21 | --- a/content/public/common/content_features.cc 22 | +++ b/content/public/common/content_features.cc 23 | @@ -1067,7 +1067,7 @@ BASE_FEATURE(kDisableProcessReuse, 24 | // This feature is only consulted in site-per-process mode. 25 | BASE_FEATURE(kSpareRendererForSitePerProcess, 26 | "SpareRendererForSitePerProcess", 27 | - base::FEATURE_ENABLED_BY_DEFAULT); 28 | + base::FEATURE_DISABLED_BY_DEFAULT); 29 | 30 | // Controls whether site isolation should use origins instead of scheme and 31 | // eTLD+1. 32 | -------------------------------------------------------------------------------- /patches/disable-lens.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/lens/lens_features.cc b/components/lens/lens_features.cc 2 | index 12b0f931fa71d..cc5952d04b9ae 100644 3 | --- a/components/lens/lens_features.cc 4 | +++ b/components/lens/lens_features.cc 5 | @@ -16,16 +16,11 @@ namespace lens::features { 6 | 7 | BASE_FEATURE(kLensStandalone, 8 | "LensStandalone", 9 | - base::FEATURE_ENABLED_BY_DEFAULT); 10 | + base::FEATURE_DISABLED_BY_DEFAULT); 11 | 12 | BASE_FEATURE(kLensOverlay, 13 | "LensOverlay", 14 | -#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_IOS) 15 | - base::FEATURE_DISABLED_BY_DEFAULT 16 | -#else 17 | - base::FEATURE_ENABLED_BY_DEFAULT 18 | -#endif 19 | -); 20 | + base::FEATURE_DISABLED_BY_DEFAULT); 21 | 22 | BASE_FEATURE(kLensOverlayTranslateButton, 23 | "LensOverlayTranslateButton", 24 | diff --git a/components/lens/lens_overlay_permission_utils.cc b/components/lens/lens_overlay_permission_utils.cc 25 | index 5c54e349a6d27..1c3a00f4c0f67 100644 26 | --- a/components/lens/lens_overlay_permission_utils.cc 27 | +++ b/components/lens/lens_overlay_permission_utils.cc 28 | @@ -19,11 +19,11 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 29 | // policies are registered just in case. 30 | registry->RegisterIntegerPref( 31 | kLensOverlaySettings, 32 | - static_cast(LensOverlaySettingsPolicyValue::kEnabled)); 33 | + static_cast(LensOverlaySettingsPolicyValue::kDisabled)); 34 | 35 | registry->RegisterIntegerPref( 36 | kGenAiLensOverlaySettings, 37 | - static_cast(GenAiLensOverlaySettingsPolicyValue::kAllowed)); 38 | + static_cast(GenAiLensOverlaySettingsPolicyValue::kDisabled)); 39 | 40 | registry->RegisterBooleanPref(kLensSharingPageScreenshotEnabled, false); 41 | registry->RegisterBooleanPref(kLensSharingPageContentEnabled, false); 42 | -------------------------------------------------------------------------------- /patches/disable-metrics-reporting.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/browser_process_impl.cc b/chrome/browser/browser_process_impl.cc 2 | index d2e348767ab87..b7c7b27bb6ab8 100644 3 | --- a/chrome/browser/browser_process_impl.cc 4 | +++ b/chrome/browser/browser_process_impl.cc 5 | @@ -1130,7 +1130,7 @@ void BrowserProcessImpl::RegisterPrefs(PrefRegistrySimple* registry) { 6 | #endif // BUILDFLAG(IS_CHROMEOS) 7 | 8 | registry->RegisterBooleanPref(metrics::prefs::kMetricsReportingEnabled, 9 | - GoogleUpdateSettings::GetCollectStatsConsent()); 10 | + false); 11 | registry->RegisterBooleanPref(prefs::kDevToolsRemoteDebuggingAllowed, true); 12 | 13 | #if BUILDFLAG(IS_LINUX) 14 | -------------------------------------------------------------------------------- /patches/disable-password-manager-prompt-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/password_manager/core/browser/password_manager.cc b/components/password_manager/core/browser/password_manager.cc 2 | index aac3a2f63d8a2..ed26baf23170a 100644 3 | --- a/components/password_manager/core/browser/password_manager.cc 4 | +++ b/components/password_manager/core/browser/password_manager.cc 5 | @@ -319,7 +319,7 @@ bool HasManuallyFilledFields(const PasswordForm& form) { 6 | void PasswordManager::RegisterProfilePrefs( 7 | user_prefs::PrefRegistrySyncable* registry) { 8 | registry->RegisterBooleanPref( 9 | - prefs::kCredentialsEnableService, true, 10 | + prefs::kCredentialsEnableService, false, 11 | user_prefs::PrefRegistrySyncable::SYNCABLE_PRIORITY_PREF); 12 | #if BUILDFLAG(IS_IOS) 13 | // Deprecated pref in profile prefs. 14 | @@ -327,7 +327,7 @@ void PasswordManager::RegisterProfilePrefs( 15 | false); 16 | #endif // BUILDFLAG(IS_IOS) 17 | registry->RegisterBooleanPref( 18 | - prefs::kCredentialsEnableAutosignin, true, 19 | + prefs::kCredentialsEnableAutosignin, false, 20 | user_prefs::PrefRegistrySyncable::SYNCABLE_PRIORITY_PREF); 21 | registry->RegisterBooleanPref( 22 | prefs::kWasAutoSignInFirstRunExperienceShown, false, 23 | @@ -355,7 +355,7 @@ void PasswordManager::RegisterProfilePrefs( 24 | registry->RegisterListPref(prefs::kPasswordHashDataList, 25 | PrefRegistry::NO_REGISTRATION_FLAGS); 26 | registry->RegisterBooleanPref( 27 | - prefs::kPasswordLeakDetectionEnabled, true, 28 | + prefs::kPasswordLeakDetectionEnabled, false, 29 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 30 | registry->RegisterBooleanPref( 31 | prefs::kPasswordDismissCompromisedAlertEnabled, true, 32 | -------------------------------------------------------------------------------- /patches/disable-printing-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/profiles/profile_impl.cc b/chrome/browser/profiles/profile_impl.cc 2 | index a7d35836cb9da..ffc1b07878958 100644 3 | --- a/chrome/browser/profiles/profile_impl.cc 4 | +++ b/chrome/browser/profiles/profile_impl.cc 5 | @@ -401,7 +401,7 @@ void ProfileImpl::RegisterProfilePrefs( 6 | std::string()); 7 | 8 | #if BUILDFLAG(ENABLE_PRINTING) 9 | - registry->RegisterBooleanPref(prefs::kPrintingEnabled, true); 10 | + registry->RegisterBooleanPref(prefs::kPrintingEnabled, false); 11 | #endif // BUILDFLAG(ENABLE_PRINTING) 12 | #if BUILDFLAG(ENABLE_OOP_PRINTING) 13 | registry->RegisterBooleanPref(prefs::kOopPrintDriversAllowedByPolicy, true); 14 | -------------------------------------------------------------------------------- /patches/disable-promotions-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/startup/startup_browser_creator.cc b/chrome/browser/ui/startup/startup_browser_creator.cc 2 | index d26f0998c81fc..857eda407e3ab 100644 3 | --- a/chrome/browser/ui/startup/startup_browser_creator.cc 4 | +++ b/chrome/browser/ui/startup/startup_browser_creator.cc 5 | @@ -929,7 +929,7 @@ void StartupBrowserCreator::ClearLaunchedProfilesForTesting() { 6 | // static 7 | void StartupBrowserCreator::RegisterLocalStatePrefs( 8 | PrefRegistrySimple* registry) { 9 | - registry->RegisterBooleanPref(prefs::kPromotionsEnabled, true); 10 | + registry->RegisterBooleanPref(prefs::kPromotionsEnabled, false); 11 | #if !BUILDFLAG(IS_CHROMEOS) 12 | registry->RegisterBooleanPref(prefs::kCommandLineFlagSecurityWarningsEnabled, 13 | true); 14 | -------------------------------------------------------------------------------- /patches/disable-protected-content.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/prefs/prefs_tab_helper.cc b/chrome/browser/ui/prefs/prefs_tab_helper.cc 2 | index 791ef35fb7bb0..012e8a3f6ec5c 100644 3 | --- a/chrome/browser/ui/prefs/prefs_tab_helper.cc 4 | +++ b/chrome/browser/ui/prefs/prefs_tab_helper.cc 5 | @@ -375,7 +375,7 @@ void PrefsTabHelper::RegisterProfilePrefs( 6 | registry->RegisterBooleanPref( 7 | prefs::kEnableReferrers, 8 | !base::FeatureList::IsEnabled(features::kNoReferrers)); 9 | - registry->RegisterBooleanPref(prefs::kEnableEncryptedMedia, true); 10 | + registry->RegisterBooleanPref(prefs::kEnableEncryptedMedia, false); 11 | registry->RegisterBooleanPref(prefs::kScrollToTextFragmentEnabled, true); 12 | #if BUILDFLAG(IS_ANDROID) 13 | registry->RegisterDoublePref(browser_ui::prefs::kWebKitFontScaleFactor, 1.0); 14 | -------------------------------------------------------------------------------- /patches/disable-remote-access-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/remoting/host/policy_watcher.cc b/remoting/host/policy_watcher.cc 2 | index 694f832b5f047..ab220a2f5cb74 100644 3 | --- a/remoting/host/policy_watcher.cc 4 | +++ b/remoting/host/policy_watcher.cc 5 | @@ -166,13 +166,13 @@ base::Value::Dict PolicyWatcher::GetPlatformPolicies() { 6 | 7 | base::Value::Dict PolicyWatcher::GetDefaultPolicies() { 8 | base::Value::Dict result; 9 | - result.Set(key::kRemoteAccessHostFirewallTraversal, true); 10 | + result.Set(key::kRemoteAccessHostFirewallTraversal, false); 11 | result.Set(key::kRemoteAccessHostClientDomainList, base::Value::List()); 12 | result.Set(key::kRemoteAccessHostDomainList, base::Value::List()); 13 | result.Set(key::kRemoteAccessHostAllowRelayedConnection, true); 14 | result.Set(key::kRemoteAccessHostUdpPortRange, ""); 15 | result.Set(key::kRemoteAccessHostClipboardSizeBytes, -1); 16 | - result.Set(key::kRemoteAccessHostAllowRemoteSupportConnections, true); 17 | + result.Set(key::kRemoteAccessHostAllowRemoteSupportConnections, false); 18 | #if BUILDFLAG(IS_CHROMEOS) 19 | result.Set(key::kRemoteAccessHostAllowEnterpriseRemoteSupportConnections, 20 | true); 21 | @@ -188,7 +188,7 @@ base::Value::Dict PolicyWatcher::GetDefaultPolicies() { 22 | result.Set(key::kRemoteAccessHostAllowFileTransfer, true); 23 | result.Set(key::kRemoteAccessHostAllowUrlForwarding, true); 24 | result.Set(key::kRemoteAccessHostEnableUserInterface, true); 25 | - result.Set(key::kRemoteAccessHostAllowRemoteAccessConnections, true); 26 | + result.Set(key::kRemoteAccessHostAllowRemoteAccessConnections, false); 27 | result.Set(key::kRemoteAccessHostMaximumSessionDurationMinutes, 0); 28 | result.Set(key::kRemoteAccessHostAllowPinAuthentication, base::Value()); 29 | #endif 30 | -------------------------------------------------------------------------------- /patches/disable-search-suggest-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/profiles/profile.cc b/chrome/browser/profiles/profile.cc 2 | index cd4fd8104866c..757d919d6496d 100644 3 | --- a/chrome/browser/profiles/profile.cc 4 | +++ b/chrome/browser/profiles/profile.cc 5 | @@ -318,7 +318,7 @@ const char Profile::kProfileKey[] = "__PROFILE__"; 6 | registry->RegisterBooleanPref(prefs::kIncognitoLaunch, false); 7 | registry->RegisterBooleanPref( 8 | prefs::kSearchSuggestEnabled, 9 | - true, 10 | + false, 11 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 12 | #if BUILDFLAG(IS_ANDROID) 13 | registry->RegisterStringPref( 14 | -------------------------------------------------------------------------------- /patches/disable-secondary-browser-features-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/sharing_hub/sharing_hub_features.cc b/chrome/browser/sharing_hub/sharing_hub_features.cc 2 | index 2ddc318a2b738..6fd447d8e5ce1 100644 3 | --- a/chrome/browser/sharing_hub/sharing_hub_features.cc 4 | +++ b/chrome/browser/sharing_hub/sharing_hub_features.cc 5 | @@ -72,7 +72,7 @@ BASE_FEATURE(kDesktopScreenshots, 6 | 7 | #if !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_CHROMEOS) 8 | void RegisterProfilePrefs(PrefRegistrySimple* registry) { 9 | - registry->RegisterBooleanPref(prefs::kDesktopSharingHubEnabled, true); 10 | + registry->RegisterBooleanPref(prefs::kDesktopSharingHubEnabled, false); 11 | } 12 | #endif 13 | 14 | diff --git a/chrome/browser/ui/toolbar/chrome_labs/chrome_labs_prefs.cc b/chrome/browser/ui/toolbar/chrome_labs/chrome_labs_prefs.cc 15 | index 2e0e1e41c3c58..d4b7b33d8830d 100644 16 | --- a/chrome/browser/ui/toolbar/chrome_labs/chrome_labs_prefs.cc 17 | +++ b/chrome/browser/ui/toolbar/chrome_labs/chrome_labs_prefs.cc 18 | @@ -50,7 +50,7 @@ const int kChromeLabsActivationThresholdDefaultValue = -1; 19 | const int kChromeLabsNewExperimentPrefValue = -1; 20 | 21 | void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 22 | - registry->RegisterBooleanPref(kBrowserLabsEnabledEnterprisePolicy, true); 23 | + registry->RegisterBooleanPref(kBrowserLabsEnabledEnterprisePolicy, false); 24 | #if BUILDFLAG(IS_CHROMEOS) 25 | registry->RegisterDictionaryPref(kChromeLabsNewBadgeDictAshChrome); 26 | #endif 27 | diff --git a/chrome/browser/ui/ui_features.cc b/chrome/browser/ui/ui_features.cc 28 | index 7579ada331de3..abe60e0839fd8 100644 29 | --- a/chrome/browser/ui/ui_features.cc 30 | +++ b/chrome/browser/ui/ui_features.cc 31 | @@ -206,11 +206,7 @@ BASE_FEATURE(kTabGroupsCollapseFreezing, 32 | // https://crbug.com/928954 33 | BASE_FEATURE(kTabHoverCardImages, 34 | "TabHoverCardImages", 35 | -#if BUILDFLAG(IS_MAC) 36 | base::FEATURE_DISABLED_BY_DEFAULT 37 | -#else 38 | - base::FEATURE_ENABLED_BY_DEFAULT 39 | -#endif 40 | ); 41 | 42 | const char kTabHoverCardImagesNotReadyDelayParameterName[] = 43 | diff --git a/components/history_clusters/core/features.cc b/components/history_clusters/core/features.cc 44 | index a85534a986fc8..be4d151f7be66 100644 45 | --- a/components/history_clusters/core/features.cc 46 | +++ b/components/history_clusters/core/features.cc 47 | @@ -26,7 +26,7 @@ constexpr auto enabled_by_default_desktop_only = 48 | 49 | namespace internal { 50 | 51 | -BASE_FEATURE(kJourneys, "Journeys", enabled_by_default_desktop_only); 52 | +BASE_FEATURE(kJourneys, "Journeys", base::FEATURE_DISABLED_BY_DEFAULT); 53 | 54 | BASE_FEATURE(kJourneysImages, 55 | "JourneysImages", 56 | -------------------------------------------------------------------------------- /patches/disable-sync-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/sync/base/command_line_switches.cc b/components/sync/base/command_line_switches.cc 2 | index 064326ef5273c..0270572cd7c5d 100644 3 | --- a/components/sync/base/command_line_switches.cc 4 | +++ b/components/sync/base/command_line_switches.cc 5 | @@ -11,7 +11,7 @@ 6 | namespace syncer { 7 | 8 | bool IsSyncAllowedByFlag() { 9 | - return !base::CommandLine::ForCurrentProcess()->HasSwitch(kDisableSync); 10 | + return base::CommandLine::ForCurrentProcess()->HasSwitch(kEnableSync); 11 | } 12 | 13 | } // namespace syncer 14 | diff --git a/components/sync/base/command_line_switches.h b/components/sync/base/command_line_switches.h 15 | index 4a6a677e3a492..53caf7160a8bb 100644 16 | --- a/components/sync/base/command_line_switches.h 17 | +++ b/components/sync/base/command_line_switches.h 18 | @@ -10,6 +10,9 @@ namespace syncer { 19 | // Disables syncing browser data to a Google Account. 20 | inline constexpr char kDisableSync[] = "disable-sync"; 21 | 22 | +// Enables syncing browser data to a Google Account. 23 | +inline constexpr char kEnableSync[] = "enable-sync"; 24 | + 25 | // Allows overriding the deferred init fallback timeout. 26 | inline constexpr char kSyncDeferredStartupTimeoutSeconds[] = 27 | "sync-deferred-startup-timeout-seconds"; 28 | -------------------------------------------------------------------------------- /patches/disable-variations.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/variations/service/variations_service.cc b/components/variations/service/variations_service.cc 2 | index e4279de7ed..134a65a0e7 100644 3 | --- a/components/variations/service/variations_service.cc 4 | +++ b/components/variations/service/variations_service.cc 5 | @@ -224,22 +224,7 @@ bool GetInstanceManipulations(const net::HttpResponseHeaders* headers, 6 | // Variations seed fetching is only enabled in official Chrome builds, if a URL 7 | // is specified on the command line, and for testing. 8 | bool IsFetchingEnabled() { 9 | -#if BUILDFLAG(GOOGLE_CHROME_BRANDING) 10 | - if (base::CommandLine::ForCurrentProcess()->HasSwitch( 11 | - switches::kDisableVariationsSeedFetch)) { 12 | - return false; 13 | - } 14 | -#else 15 | - if (!base::CommandLine::ForCurrentProcess()->HasSwitch( 16 | - switches::kVariationsServerURL) && 17 | - !g_should_fetch_for_testing) { 18 | - DVLOG(1) 19 | - << "Not performing repeated fetching in unofficial build without --" 20 | - << switches::kVariationsServerURL << " specified."; 21 | - return false; 22 | - } 23 | -#endif // BUILDFLAG(GOOGLE_CHROME_BRANDING) 24 | - return true; 25 | + return false; 26 | } 27 | 28 | // Returns the already downloaded first run seed, and clear the seed from the 29 | @@ -566,10 +551,10 @@ void VariationsService::RegisterPrefs(PrefRegistrySimple* registry) { 30 | 31 | registry->RegisterIntegerPref( 32 | prefs::kDeviceVariationsRestrictionsByPolicy, 33 | - static_cast(RestrictionPolicy::NO_RESTRICTIONS)); 34 | + static_cast(RestrictionPolicy::ALL)); 35 | registry->RegisterDictionaryPref( 36 | prefs::kVariationsGoogleGroups, 37 | - static_cast(RestrictionPolicy::NO_RESTRICTIONS)); 38 | + static_cast(RestrictionPolicy::ALL)); 39 | // This preference keeps track of the country code used to filter 40 | // permanent-consistency studies. 41 | registry->RegisterListPref(prefs::kVariationsPermanentConsistencyCountry); 42 | @@ -581,7 +566,7 @@ void VariationsService::RegisterPrefs(PrefRegistrySimple* registry) { 43 | // allows the admin to restrict the set of variations applied. 44 | registry->RegisterIntegerPref( 45 | prefs::kVariationsRestrictionsByPolicy, 46 | - static_cast(RestrictionPolicy::NO_RESTRICTIONS)); 47 | + static_cast(RestrictionPolicy::ALL)); 48 | // This preference will only be written by the policy service, which will fill 49 | // it according to a value stored in the User Policy. 50 | registry->RegisterStringPref(prefs::kVariationsRestrictParameter, 51 | -------------------------------------------------------------------------------- /patches/disable-various-content-settings-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/content_settings/core/browser/content_settings_registry.cc b/components/content_settings/core/browser/content_settings_registry.cc 2 | index 229ac346cfc83..93416d6ab0332 100644 3 | --- a/components/content_settings/core/browser/content_settings_registry.cc 4 | +++ b/components/content_settings/core/browser/content_settings_registry.cc 5 | @@ -395,7 +395,7 @@ void ContentSettingsRegistry::Init() { 6 | ContentSettingsInfo::EXCEPTIONS_ON_SECURE_ORIGINS_ONLY); 7 | 8 | Register(ContentSettingsType::PAYMENT_HANDLER, "payment-handler", 9 | - CONTENT_SETTING_ALLOW, WebsiteSettingsInfo::UNSYNCABLE, 10 | + CONTENT_SETTING_BLOCK, WebsiteSettingsInfo::UNSYNCABLE, 11 | /*allowlisted_primary_schemes=*/{}, 12 | /*valid_settings=*/{CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK}, 13 | WebsiteSettingsInfo::TOP_ORIGIN_ONLY_SCOPE, 14 | @@ -588,7 +588,7 @@ void ContentSettingsRegistry::Init() { 15 | ContentSettingsInfo::EXCEPTIONS_ON_SECURE_ORIGINS_ONLY); 16 | 17 | Register(ContentSettingsType::JAVASCRIPT_JIT, "javascript-jit", 18 | - CONTENT_SETTING_ALLOW, WebsiteSettingsInfo::UNSYNCABLE, 19 | + CONTENT_SETTING_BLOCK, WebsiteSettingsInfo::UNSYNCABLE, 20 | /*allowlisted_primary_schemes=*/{}, 21 | /*valid_settings=*/{CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK}, 22 | WebsiteSettingsInfo::TOP_ORIGIN_ONLY_SCOPE, 23 | @@ -657,7 +657,7 @@ void ContentSettingsRegistry::Init() { 24 | ContentSettingsInfo::INHERIT_IN_INCOGNITO, 25 | ContentSettingsInfo::EXCEPTIONS_ON_SECURE_ORIGINS_ONLY); 26 | 27 | - Register(ContentSettingsType::ANTI_ABUSE, "anti-abuse", CONTENT_SETTING_ALLOW, 28 | + Register(ContentSettingsType::ANTI_ABUSE, "anti-abuse", CONTENT_SETTING_BLOCK, 29 | WebsiteSettingsInfo::SYNCABLE, 30 | /*allowlisted_primary_schemes=*/{}, 31 | /*valid_settings=*/{CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK}, 32 | -------------------------------------------------------------------------------- /patches/enable-audio-service-sandbox.patch: -------------------------------------------------------------------------------- 1 | diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc 2 | index 75b2720edef81..2763ad5a33c7d 100644 3 | --- a/content/public/common/content_features.cc 4 | +++ b/content/public/common/content_features.cc 5 | @@ -47,7 +47,7 @@ BASE_FEATURE(kAudioServiceOutOfProcess, 6 | // kAudioServiceOutOfProcess feature is enabled. 7 | BASE_FEATURE(kAudioServiceSandbox, 8 | "AudioServiceSandbox", 9 | -#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_FUCHSIA) 10 | +#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) 11 | base::FEATURE_ENABLED_BY_DEFAULT 12 | #else 13 | base::FEATURE_DISABLED_BY_DEFAULT 14 | -------------------------------------------------------------------------------- /patches/enable-backforward-swipe-navigation.patch: -------------------------------------------------------------------------------- 1 | diff --git a/content/common/features.cc b/content/common/features.cc 2 | index 5323e486d6e15..8eac47176a2dc 100644 3 | --- a/content/common/features.cc 4 | +++ b/content/common/features.cc 5 | @@ -431,7 +431,7 @@ const base::FeatureParam kTextInputClientIPCTimeout{ 6 | // only enabled by default on CrOS and Windows. 7 | BASE_FEATURE(kTouchpadOverscrollHistoryNavigation, 8 | "TouchpadOverscrollHistoryNavigation", 9 | -#if BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_WIN) 10 | +#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_WIN) 11 | base::FEATURE_ENABLED_BY_DEFAULT 12 | #else 13 | base::FEATURE_DISABLED_BY_DEFAULT 14 | -------------------------------------------------------------------------------- /patches/enable-network-service-sandbox.patch: -------------------------------------------------------------------------------- 1 | diff --git a/sandbox/policy/features.cc b/sandbox/policy/features.cc 2 | index ac60b806fe941..c52dad86ef6ec 100644 3 | --- a/sandbox/policy/features.cc 4 | +++ b/sandbox/policy/features.cc 5 | @@ -20,7 +20,7 @@ namespace sandbox::policy::features { 6 | // (Only causes an effect when feature kNetworkServiceInProcess is disabled.) 7 | BASE_FEATURE(kNetworkServiceSandbox, 8 | "NetworkServiceSandbox", 9 | - base::FEATURE_DISABLED_BY_DEFAULT); 10 | + base::FEATURE_ENABLED_BY_DEFAULT); 11 | 12 | #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS) 13 | // Enables a fine-grained seccomp-BPF syscall filter for the network service. 14 | -------------------------------------------------------------------------------- /patches/enable-private-network-access-restriction.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/prefs/browser_prefs.cc b/chrome/browser/prefs/browser_prefs.cc 2 | index 3e27913d47dc7..702054201581a 100644 3 | --- a/chrome/browser/prefs/browser_prefs.cc 4 | +++ b/chrome/browser/prefs/browser_prefs.cc 5 | @@ -2354,7 +2354,7 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry, 6 | #endif 7 | 8 | registry->RegisterBooleanPref( 9 | - prefs::kManagedPrivateNetworkAccessRestrictionsEnabled, false); 10 | + prefs::kManagedPrivateNetworkAccessRestrictionsEnabled, true); 11 | 12 | #if BUILDFLAG(ENTERPRISE_DATA_CONTROLS) 13 | data_controls::RegisterProfilePrefs(registry); 14 | -------------------------------------------------------------------------------- /patches/enable-vaapi-hwva.patch: -------------------------------------------------------------------------------- 1 | diff --git a/media/base/media_switches.cc b/media/base/media_switches.cc 2 | index f23a85d6ad174..c24041daf20ca 100644 3 | --- a/media/base/media_switches.cc 4 | +++ b/media/base/media_switches.cc 5 | @@ -688,11 +688,19 @@ BASE_FEATURE(kAcceleratedVideoDecodeLinux, 6 | 7 | BASE_FEATURE(kAcceleratedVideoDecodeLinuxGL, 8 | "AcceleratedVideoDecodeLinuxGL", 9 | +#if BUILDFLAG(USE_VAAPI) 10 | + base::FEATURE_ENABLED_BY_DEFAULT); 11 | +#else 12 | base::FEATURE_DISABLED_BY_DEFAULT); 13 | +#endif 14 | 15 | BASE_FEATURE(kAcceleratedVideoEncodeLinux, 16 | "AcceleratedVideoEncoder", 17 | +#if BUILDFLAG(USE_VAAPI) 18 | + base::FEATURE_ENABLED_BY_DEFAULT); 19 | +#else 20 | base::FEATURE_DISABLED_BY_DEFAULT); 21 | +#endif 22 | 23 | // Ignore the non-intel driver blacklist for VaapiVideoDecoder implementations. 24 | // Intended for manual usage only in order to gague the status of newer driver 25 | @@ -706,7 +714,7 @@ BASE_FEATURE(kVaapiIgnoreDriverChecks, 26 | // crashes, disable VA-API on NVIDIA GPUs by default. See crbug.com/1492880. 27 | BASE_FEATURE(kVaapiOnNvidiaGPUs, 28 | "VaapiOnNvidiaGPUs", 29 | - base::FEATURE_DISABLED_BY_DEFAULT); 30 | + base::FEATURE_ENABLED_BY_DEFAULT); 31 | 32 | // Enable VA-API hardware low power encoder for all codecs on intel Gen9x gpu. 33 | BASE_FEATURE(kVaapiLowPowerEncoderGen9x, 34 | diff --git a/media/mojo/services/gpu_mojo_media_client_linux.cc b/media/mojo/services/gpu_mojo_media_client_linux.cc 35 | index fe71234b32a1f..6b0c638f835de 100644 36 | --- a/media/mojo/services/gpu_mojo_media_client_linux.cc 37 | +++ b/media/mojo/services/gpu_mojo_media_client_linux.cc 38 | @@ -22,7 +22,11 @@ namespace { 39 | 40 | BASE_FEATURE(kAcceleratedVideoDecodeLinuxZeroCopyGL, 41 | "AcceleratedVideoDecodeLinuxZeroCopyGL", 42 | +#if BUILDFLAG(USE_VAAPI) 43 | + base::FEATURE_ENABLED_BY_DEFAULT); 44 | +#else 45 | base::FEATURE_DISABLED_BY_DEFAULT); 46 | +#endif 47 | 48 | VideoDecoderType GetPreferredLinuxDecoderImplementation() { 49 | // VaapiVideoDecoder flag is required for VaapiVideoDecoder. 50 | -------------------------------------------------------------------------------- /patches/enable-visited-link-database-partitioning.patch: -------------------------------------------------------------------------------- 1 | diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc 2 | index 18e5ae64bc200..c0e466ba9f807 100644 3 | --- a/third_party/blink/common/features.cc 4 | +++ b/third_party/blink/common/features.cc 5 | @@ -1859,7 +1859,7 @@ BASE_FEATURE_PARAM(bool, 6 | // 7 | BASE_FEATURE(kPartitionVisitedLinkDatabase, 8 | "PartitionVisitedLinkDatabase", 9 | - base::FEATURE_DISABLED_BY_DEFAULT); 10 | + base::FEATURE_ENABLED_BY_DEFAULT); 11 | 12 | // Enables the use of the PaintCache for Path2D objects that are rasterized 13 | // out of process. Has no effect when kCanvasOopRasterization is disabled. 14 | -------------------------------------------------------------------------------- /patches/expose-flags.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc 2 | index 7613006656aaa..ee707f847ccba 100644 3 | --- a/chrome/browser/about_flags.cc 4 | +++ b/chrome/browser/about_flags.cc 5 | @@ -4343,6 +4343,55 @@ const FeatureEntry kFeatureEntries[] = { 6 | // //tools/flags/generate_unexpire_flags.py. 7 | #include "build/chromeos_buildflags.h" 8 | #include "chrome/browser/unexpire_flags_gen.inc" 9 | + {"middle-click-autoscroll", "Autoscroll with Middleclick", 10 | + "Enables scroll with middleclick. Disabled by default. This feature " 11 | + "is exposed by Trivalent.", kOsLinux, 12 | + FEATURE_VALUE_TYPE(blink::features::kMiddleClickAutoscroll)}, 13 | + {"middle-click-copy-paste", "Copy and Paste with Middle Click", 14 | + "Controls copying and pasting with middle click. NOTE: Enabling " 15 | + "Autoscroll with Middleclick will force-disable this feature. " 16 | + "Enabled by default. This feature is provided by Trivalent.", 17 | + kOsLinux, 18 | + FEATURE_VALUE_TYPE(views::features::kMiddleClickCopyPaste)}, 19 | + {"show-punycode-domains", "Show punycode for IDN domains", 20 | + "Shows punycode for IDN domains to mitigate IDN homograph attacks. " 21 | + "Disabled by default. This feature is provided by Trivalent.", 22 | + kOsAll, FEATURE_VALUE_TYPE(url::kShowPunycodeDomains)}, 23 | + {"pdf-javascript", "PDF JavaScript", 24 | + "Toggle JavaScript for rendered PDFs (this also controls XFA Forms). " 25 | + "Disabled by default. This feature is provided by Trivalent.", 26 | + kOsAll, FEATURE_VALUE_TYPE(chrome_pdf::features::kPdfJavaScript)}, 27 | + {"clear-cross-origin-referrers", "Clear cross-origin referrers", 28 | + "Clears referrers when navigating across origins. Disabled by default. " 29 | + "This feature is provided by Trivalent.", kOsAll, 30 | + FEATURE_VALUE_TYPE(net::features::kDisableCrossOriginReferrers)}, 31 | + {"cross-origin-trim-referrer", "Cross-origin referrer trimming", 32 | + "Trims the referrer to just the origin on cross origin navigation. " 33 | + "Enabled by default. This feature is exposed by Trivalent.", 34 | + kOsAll, 35 | + FEATURE_VALUE_TYPE(net::features::kCapReferrerToOriginOnCrossOrigin)}, 36 | + {"strict-popup-blocking", "Strict Popup Blocking", 37 | + "Controls the strictness of the popup blocker. This switch is provided " 38 | + "by Trivalent.", kOsAll, 39 | + SINGLE_DISABLE_VALUE_TYPE("disable-strict-popup-blocking")}, 40 | + {"hide-profile-icon", "Hide profile icon in toolbar", 41 | + "Hides the profile icon in the toolbar in regular profiles. Enabled " 42 | + "by default. This feature is provided by Trivalent." , kOsAll, 43 | + FEATURE_VALUE_TYPE(features::kHideProfileIcon)}, 44 | + {"gssapi-support", "GSSAPI Authentication", 45 | + "Enables GSSAPI for authentication. WARNING! This can cause the " 46 | + "network service sandbox to become persistently disabled, enable only " 47 | + "if absolutely necessary. This switch is provided by Trivalent.", 48 | + kOsLinux, SINGLE_VALUE_TYPE("enable-gssapi")}, 49 | + {"gpu-sandbox-test", "Force GPU Sandbox For Testing", 50 | + "Enables the GPU sandbox. WARNING: This is HIGHLY experimental and " 51 | + "can disable hardware acceleration or cause crashes. It is for " 52 | + "testing only. To assist in testing, enable this flag, shutdown " 53 | + "the browser, run the browser via commandline and paste the error " 54 | + "output in an issue that will be present here: " 55 | + "https://github.com/secureblue/trivalent. This flag is exposed by " 56 | + "Trivalent.", kOsLinux, 57 | + SINGLE_VALUE_TYPE(switches::kGpuSandboxStartEarly)}, 58 | {variations::switches::kEnableBenchmarking, 59 | flag_descriptions::kEnableBenchmarkingName, 60 | flag_descriptions::kEnableBenchmarkingDescription, kOsAll, 61 | -------------------------------------------------------------------------------- /patches/force-disable-safe-browsing.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/download/download_ui_safe_browsing_util.cc b/chrome/browser/download/download_ui_safe_browsing_util.cc 2 | index dc88d1050019e..a0b6275adeb0d 100644 3 | --- a/chrome/browser/download/download_ui_safe_browsing_util.cc 4 | +++ b/chrome/browser/download/download_ui_safe_browsing_util.cc 5 | @@ -53,12 +53,7 @@ bool WasSafeBrowsingVerdictObtained(const download::DownloadItem* item) { 6 | } 7 | 8 | bool ShouldShowWarningForNoSafeBrowsing(Profile* profile) { 9 | -#if BUILDFLAG(SAFE_BROWSING_AVAILABLE) 10 | - return safe_browsing::GetSafeBrowsingState(*profile->GetPrefs()) == 11 | - safe_browsing::SafeBrowsingState::NO_SAFE_BROWSING; 12 | -#else 13 | - return true; 14 | -#endif 15 | + return false; // We do not have safe browsing 16 | } 17 | 18 | bool CanUserTurnOnSafeBrowsing(Profile* profile) { 19 | diff --git a/components/safe_browsing/core/common/safe_browsing_prefs.cc b/components/safe_browsing/core/common/safe_browsing_prefs.cc 20 | index 1f92a936e44f1..53d6a91ccc32c 100644 21 | --- a/components/safe_browsing/core/common/safe_browsing_prefs.cc 22 | +++ b/components/safe_browsing/core/common/safe_browsing_prefs.cc 23 | @@ -149,8 +149,7 @@ bool IsExtendedReportingPolicyManaged(const PrefService& prefs) { 24 | } 25 | 26 | bool IsSafeBrowsingPolicyManaged(const PrefService& prefs) { 27 | - return prefs.IsManagedPreference(prefs::kSafeBrowsingEnabled) || 28 | - prefs.IsManagedPreference(prefs::kSafeBrowsingEnhanced); 29 | + return true; // just assume Safe Browsing cannot be modified 30 | } 31 | 32 | bool IsSafeBrowsingExtensionControlled(const PrefService& prefs) { 33 | -------------------------------------------------------------------------------- /patches/hide-profile-icon-feature.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/ui_features.cc b/chrome/browser/ui/ui_features.cc 2 | index 703fc03b7e6cc..0623c0ed9ffab 100644 3 | --- a/chrome/browser/ui/ui_features.cc 4 | +++ b/chrome/browser/ui/ui_features.cc 5 | @@ -13,6 +13,10 @@ 6 | 7 | namespace features { 8 | 9 | +// Hides the toolbar profile icon in regular profiles 10 | +BASE_FEATURE(kHideProfileIcon, "HideProfileIcon", 11 | + base::FEATURE_ENABLED_BY_DEFAULT); 12 | + 13 | // Enables the tab dragging fallback when full window dragging is not supported 14 | // by the platform (e.g. Wayland). See https://crbug.com/896640 15 | BASE_FEATURE(kAllowWindowDragUsingSystemDragDrop, 16 | diff --git a/chrome/browser/ui/ui_features.h b/chrome/browser/ui/ui_features.h 17 | index 504a3419f1bb0..341667da5e703 100644 18 | --- a/chrome/browser/ui/ui_features.h 19 | +++ b/chrome/browser/ui/ui_features.h 20 | @@ -21,6 +21,8 @@ namespace features { 21 | // All features in alphabetical order. The features should be documented 22 | // alongside the definition of their values in the .cc file. 23 | 24 | +BASE_DECLARE_FEATURE(kHideProfileIcon); 25 | + 26 | // TODO(crbug.com/40598679): Remove this when the tab dragging 27 | // interactive_ui_tests pass on Wayland. 28 | BASE_DECLARE_FEATURE(kAllowWindowDragUsingSystemDragDrop); 29 | diff --git a/chrome/browser/ui/views/toolbar/toolbar_view.cc b/chrome/browser/ui/views/toolbar/toolbar_view.cc 30 | index d1519e7f3782a..548be223ca340 100644 31 | --- a/chrome/browser/ui/views/toolbar/toolbar_view.cc 32 | +++ b/chrome/browser/ui/views/toolbar/toolbar_view.cc 33 | @@ -481,7 +481,9 @@ void ToolbarView::Init() { 34 | // DevTools profiles are OffTheRecord, so hide it there. 35 | show_avatar_toolbar_button = browser_->profile()->IsIncognitoProfile() || 36 | browser_->profile()->IsGuestSession() || 37 | - browser_->profile()->IsRegularProfile(); 38 | + (browser_->profile()->IsRegularProfile() && 39 | + !base::FeatureList::IsEnabled( 40 | + features::kHideProfileIcon)); 41 | #endif 42 | avatar_->SetVisible(show_avatar_toolbar_button); 43 | 44 | -------------------------------------------------------------------------------- /patches/prefer-startpage-search.patch: -------------------------------------------------------------------------------- 1 | diff --git a/definitions/regional_settings.json b/definitions/regional_settings.json 2 | index ca7dc52..8690877 100644 3 | --- a/third_party/search_engines_data/resources/definitions/regional_settings.json 4 | +++ b/third_party/search_engines_data/resources/definitions/regional_settings.json 5 | @@ -165,6 +165,7 @@ 6 | "CA": { 7 | // Canada 8 | "search_engines": [ 9 | + "&startpage", 10 | "&google", 11 | "&bing", 12 | "&yahoo_ca", 13 | @@ -247,6 +248,7 @@ 14 | "DE": { 15 | // Germany 16 | "search_engines": [ 17 | + "&startpage", 18 | "&google", 19 | "&duckduckgo", 20 | "&ecosia", 21 | @@ -254,8 +256,7 @@ 22 | "&bing", 23 | 24 | "&yahoo_de", 25 | - "&qwant", 26 | - "&startpage" 27 | + "&qwant" 28 | ] 29 | }, 30 | "DK": { 31 | @@ -381,6 +382,7 @@ 32 | "GB": { 33 | // United Kingdom 34 | "search_engines": [ 35 | + "&startpage", 36 | "&google", 37 | "&bing", 38 | "&yahoo_uk", 39 | @@ -777,6 +779,7 @@ 40 | "NL": { 41 | // Netherlands 42 | "search_engines": [ 43 | + "&startpage", 44 | "&google", 45 | "&duckduckgo", 46 | "&brave", 47 | @@ -1113,6 +1116,7 @@ 48 | "US": { 49 | // United States 50 | "search_engines": [ 51 | + "&startpage", 52 | "&google", 53 | "&bing", 54 | "&yahoo", 55 | @@ -1174,7 +1178,7 @@ 56 | // See https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#ZZ 57 | "ZZ": { 58 | // Default 59 | - "search_engines": ["&google", "&bing", "&yahoo"] 60 | + "search_engines": ["&startpage", "&google", "&bing", "&yahoo"] 61 | } 62 | }, 63 | 64 | 65 | -------------------------------------------------------------------------------- /patches/remove-undefined-ffmpeg-identifier.patch: -------------------------------------------------------------------------------- 1 | diff --git a/media/filters/ffmpeg_glue.cc b/media/filters/ffmpeg_glue.cc 2 | index 26bb9e8b92614..05143a0130b22 100644 3 | --- a/media/filters/ffmpeg_glue.cc 4 | +++ b/media/filters/ffmpeg_glue.cc 5 | @@ -109,10 +109,6 @@ FFmpegGlue::FFmpegGlue(FFmpegURLProtocol* protocol) { 6 | // Enable fast, but inaccurate seeks for MP3. 7 | format_context_->flags |= AVFMT_FLAG_FAST_SEEK; 8 | 9 | - // We don't allow H.264 parsing during demuxing since we have our own parser 10 | - // and the ffmpeg one increases memory usage unnecessarily. 11 | - format_context_->flags |= AVFMT_FLAG_NOH264PARSE; 12 | - 13 | // Ensures format parsing errors will bail out. From an audit on 11/2017, all 14 | // instances were real failures. Solves bugs like http://crbug.com/710791. 15 | format_context_->error_recognition |= AV_EF_EXPLODE; 16 | -------------------------------------------------------------------------------- /patches/restrict-default-supported-http-auth-schemes.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc 2 | index d2acbdc28805c..bb1a23f1a77d9 100644 3 | --- a/chrome/browser/net/system_network_context_manager.cc 4 | +++ b/chrome/browser/net/system_network_context_manager.cc 5 | @@ -644,7 +644,7 @@ void SystemNetworkContextManager::RegisterPrefs(PrefRegistrySimple* registry) { 6 | 7 | // Static auth params 8 | registry->RegisterStringPref(prefs::kAuthSchemes, 9 | - "basic,digest,ntlm,negotiate"); 10 | + "ntlm,negotiate"); 11 | #if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_CHROMEOS) 12 | registry->RegisterStringPref(prefs::kGSSAPILibraryName, std::string()); 13 | #endif // BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_ANDROID) && 14 | -------------------------------------------------------------------------------- /patches/search-selection.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/search_engine_choice/search_engine_choice_dialog_service_factory.cc b/chrome/browser/search_engine_choice/search_engine_choice_dialog_service_factory.cc 2 | index e4d2eacf3f316..0dfdd8c0d365d 100644 3 | --- a/chrome/browser/search_engine_choice/search_engine_choice_dialog_service_factory.cc 4 | +++ b/chrome/browser/search_engine_choice/search_engine_choice_dialog_service_factory.cc 5 | @@ -129,10 +129,6 @@ SearchEngineChoiceDialogServiceFactory::BuildServiceInstanceForBrowserContext( 6 | 7 | base::CommandLine* const command_line = 8 | base::CommandLine::ForCurrentProcess(); 9 | - if (!g_is_chrome_build && 10 | - !command_line->HasSwitch(switches::kForceSearchEngineChoiceScreen)) { 11 | - return nullptr; 12 | - } 13 | 14 | if (command_line->HasSwitch(switches::kNoFirstRun) && 15 | !command_line->HasSwitch( 16 | diff --git a/components/regional_capabilities/regional_capabilities_utils.cc b/components/regional_capabilities/regional_capabilities_utils.cc 17 | index cbdceda6674e2..be04a19262c35 100644 18 | --- a/components/regional_capabilities/regional_capabilities_utils.cc 19 | +++ b/components/regional_capabilities/regional_capabilities_utils.cc 20 | @@ -21,9 +21,8 @@ bool IsEeaCountry(int country_id) { 21 | // the current profile country. 22 | // TODO(crbug.com/328040066): Move this check to 23 | // `RegionalCapabilitiesService::IsInEeaCountry()`. 24 | - return HasSearchEngineCountryListOverride() 25 | - ? true 26 | - : kEeaChoiceCountriesIds.contains(country_id); 27 | + // We want the search choice screen no matter what 28 | + return true; 29 | } 30 | 31 | std::optional GetSearchEngineCountryOverride() { 32 | -------------------------------------------------------------------------------- /patches/set-browser-defaults.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/browser_ui_prefs.cc b/chrome/browser/ui/browser_ui_prefs.cc 2 | index ee2364fc09eb4..f3f9300e3484a 100644 3 | --- a/chrome/browser/ui/browser_ui_prefs.cc 4 | +++ b/chrome/browser/ui/browser_ui_prefs.cc 5 | @@ -97,10 +97,10 @@ void RegisterBrowserUserPrefs(user_prefs::PrefRegistrySyncable* registry) { 6 | registry->RegisterBooleanPref(prefs::kWebAppCreateInAppsMenu, true); 7 | registry->RegisterBooleanPref(prefs::kWebAppCreateInQuickLaunchBar, true); 8 | registry->RegisterBooleanPref( 9 | - translate::prefs::kOfferTranslateEnabled, true, 10 | + translate::prefs::kOfferTranslateEnabled, false, 11 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 12 | registry->RegisterStringPref(prefs::kCloudPrintEmail, std::string()); 13 | - registry->RegisterBooleanPref(prefs::kCloudPrintProxyEnabled, true); 14 | + registry->RegisterBooleanPref(prefs::kCloudPrintProxyEnabled, false); 15 | registry->RegisterDictionaryPref(prefs::kBrowserWindowPlacement); 16 | registry->RegisterDictionaryPref(prefs::kBrowserWindowPlacementPopup); 17 | registry->RegisterDictionaryPref(prefs::kAppWindowPlacement); 18 | @@ -109,20 +109,20 @@ void RegisterBrowserUserPrefs(user_prefs::PrefRegistrySyncable* registry) { 19 | false); 20 | #endif 21 | registry->RegisterStringPref(prefs::kWebRTCIPHandlingPolicy, 22 | - blink::kWebRTCIPHandlingDefault); 23 | + blink::kWebRTCIPHandlingDisableNonProxiedUdp); 24 | registry->RegisterListPref(prefs::kWebRTCIPHandlingUrl, base::Value::List()); 25 | registry->RegisterStringPref(prefs::kWebRTCUDPPortRange, std::string()); 26 | registry->RegisterBooleanPref(prefs::kWebRtcEventLogCollectionAllowed, false); 27 | registry->RegisterListPref(prefs::kWebRtcLocalIpsAllowedUrls); 28 | - registry->RegisterBooleanPref(prefs::kWebRtcTextLogCollectionAllowed, true); 29 | + registry->RegisterBooleanPref(prefs::kWebRtcTextLogCollectionAllowed, false); 30 | 31 | // We need to register the type of these preferences in order to query 32 | // them even though they're only typically controlled via policy. 33 | registry->RegisterBooleanPref(policy::policy_prefs::kHideWebStoreIcon, false); 34 | - registry->RegisterBooleanPref(prefs::kSharedClipboardEnabled, true); 35 | + registry->RegisterBooleanPref(prefs::kSharedClipboardEnabled, false); 36 | 37 | #if BUILDFLAG(ENABLE_CLICK_TO_CALL) 38 | - registry->RegisterBooleanPref(prefs::kClickToCallEnabled, true); 39 | + registry->RegisterBooleanPref(prefs::kClickToCallEnabled, false); 40 | #endif // BUILDFLAG(ENABLE_CLICK_TO_CALL) 41 | 42 | #if BUILDFLAG(IS_MAC) 43 | @@ -171,7 +171,7 @@ void RegisterBrowserUserPrefs(user_prefs::PrefRegistrySyncable* registry) { 44 | #endif 45 | 46 | registry->RegisterBooleanPref( 47 | - prefs::kHttpsOnlyModeEnabled, false, 48 | + prefs::kHttpsOnlyModeEnabled, true, 49 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 50 | registry->RegisterBooleanPref( 51 | prefs::kHttpsFirstBalancedMode, false, 52 | -------------------------------------------------------------------------------- /patches/set-default-extension-content-verification-enforce-strict.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/extensions/chrome_content_verifier_delegate.cc b/chrome/browser/extensions/chrome_content_verifier_delegate.cc 2 | index 33c74c40b02fe..bdc4f9b9e2305 100644 3 | --- a/chrome/browser/extensions/chrome_content_verifier_delegate.cc 4 | +++ b/chrome/browser/extensions/chrome_content_verifier_delegate.cc 5 | @@ -130,7 +130,7 @@ ChromeContentVerifierDelegate::GetDefaultMode() { 6 | experiment_value = VerifyInfo::Mode::ENFORCE_STRICT; 7 | } 8 | 9 | - VerifyInfo::Mode cmdline_value = VerifyInfo::Mode::NONE; 10 | + VerifyInfo::Mode cmdline_value = VerifyInfo::Mode::ENFORCE_STRICT; 11 | if (command_line->HasSwitch(::switches::kExtensionContentVerification)) { 12 | std::string switch_value = command_line->GetSwitchValueASCII( 13 | ::switches::kExtensionContentVerification); 14 | -------------------------------------------------------------------------------- /patches/set-default-extension-install-verification-enforce-strict.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/extensions/install_verifier.cc b/chrome/browser/extensions/install_verifier.cc 2 | index 47af320d9cbf9..ee9c64d398ec9 100644 3 | --- a/chrome/browser/extensions/install_verifier.cc 4 | +++ b/chrome/browser/extensions/install_verifier.cc 5 | @@ -87,7 +87,7 @@ VerifyStatus GetCommandLineStatus() { 6 | return VerifyStatus::ENFORCE; 7 | } 8 | 9 | - return VerifyStatus::NONE; 10 | + return VerifyStatus::ENFORCE_STRICT; 11 | } 12 | 13 | VerifyStatus GetStatus() { 14 | -------------------------------------------------------------------------------- /patches/set-default-secure-dns-mode-automatic.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/net/secure_dns_policy_handler.cc b/chrome/browser/net/secure_dns_policy_handler.cc 2 | index 27526ac0c574b..0680d2912d381 100644 3 | --- a/chrome/browser/net/secure_dns_policy_handler.cc 4 | +++ b/chrome/browser/net/secure_dns_policy_handler.cc 5 | @@ -197,7 +197,7 @@ void SecureDnsPolicyHandler::ApplyPolicySettings(const PolicyMap& policies, 6 | prefs->SetString(prefs::kDnsOverHttpsMode, 7 | SecureDnsConfig::ParseMode(mode_str) 8 | ? std::string(mode_str) 9 | - : SecureDnsConfig::kModeOff); 10 | + : SecureDnsConfig::kModeAutomatic); 11 | } 12 | 13 | const base::Value* templates = 14 | -------------------------------------------------------------------------------- /patches/set-mv3-only-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/extensions/common/extension_features.cc b/extensions/common/extension_features.cc 2 | index b598c4723199a..2597912500296 100644 3 | --- a/extensions/common/extension_features.cc 4 | +++ b/extensions/common/extension_features.cc 5 | @@ -100,7 +100,7 @@ BASE_FEATURE(kExtensionWebFileHandlers, 6 | 7 | BASE_FEATURE(kExtensionsManifestV3Only, 8 | "ExtensionsManifestV3Only", 9 | - base::FEATURE_DISABLED_BY_DEFAULT); 10 | + base::FEATURE_ENABLED_BY_DEFAULT); 11 | 12 | BASE_FEATURE(kExtensionsMenuAccessControl, 13 | "ExtensionsMenuAccessControl", 14 | -------------------------------------------------------------------------------- /patches/set-ozone-platform-hint-auto-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/ui/base/ui_base_features.cc b/ui/base/ui_base_features.cc 2 | index fbaea143b6..3184d5bc05 100644 3 | --- a/ui/base/ui_base_features.cc 4 | +++ b/ui/base/ui_base_features.cc 5 | @@ -149,7 +149,7 @@ BASE_FEATURE(kWaylandSessionManagement, 6 | COMPONENT_EXPORT(UI_BASE_FEATURES) 7 | BASE_FEATURE(kOverrideDefaultOzonePlatformHintToAuto, 8 | "OverrideDefaultOzonePlatformHintToAuto", 9 | - base::FEATURE_DISABLED_BY_DEFAULT); 10 | + base::FEATURE_ENABLED_BY_DEFAULT); 11 | #endif // BUILDFLAG(IS_LINUX) 12 | 13 | // Chrome for Linux should eventually use XInput2 key events. 14 | -------------------------------------------------------------------------------- /patches/show-full-urls-by-default.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/ui/toolbar/chrome_location_bar_model_delegate.cc b/chrome/browser/ui/toolbar/chrome_location_bar_model_delegate.cc 2 | index fb1468965dd4a..cf85bee93ec94 100644 3 | --- a/chrome/browser/ui/toolbar/chrome_location_bar_model_delegate.cc 4 | +++ b/chrome/browser/ui/toolbar/chrome_location_bar_model_delegate.cc 5 | @@ -261,5 +261,5 @@ TemplateURLService* ChromeLocationBarModelDelegate::GetTemplateURLService() { 6 | // static 7 | void ChromeLocationBarModelDelegate::RegisterProfilePrefs( 8 | user_prefs::PrefRegistrySyncable* registry) { 9 | - registry->RegisterBooleanPref(omnibox::kPreventUrlElisionsInOmnibox, false); 10 | + registry->RegisterBooleanPref(omnibox::kPreventUrlElisionsInOmnibox, true); 11 | } 12 | -------------------------------------------------------------------------------- /patches/strict-popup-blocking.patch: -------------------------------------------------------------------------------- 1 | diff --git a/components/blocked_content/popup_blocker.cc b/components/blocked_content/popup_blocker.cc 2 | index 8b12c7dd441f3..9c13ac10a6f1a 100644 3 | --- a/components/blocked_content/popup_blocker.cc 4 | +++ b/components/blocked_content/popup_blocker.cc 5 | @@ -81,11 +81,8 @@ PopupBlockType ShouldBlockPopup(content::WebContents* web_contents, 6 | return PopupBlockType::kNotBlocked; 7 | } 8 | 9 | - auto* safe_browsing_blocker = 10 | - SafeBrowsingTriggeredPopupBlocker::FromWebContents(web_contents); 11 | - if (safe_browsing_blocker && 12 | - safe_browsing_blocker->ShouldApplyAbusivePopupBlocker( 13 | - GetSourcePageForPopup(open_url_params, web_contents))) { 14 | + if (!base::CommandLine::ForCurrentProcess()->HasSwitch( 15 | + "disable-strict-popup-blocking")) { 16 | return PopupBlockType::kAbusive; 17 | } 18 | return PopupBlockType::kNotBlocked; 19 | -------------------------------------------------------------------------------- /patches/trivalent-code-references.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/shell_integration_linux.cc b/chrome/browser/shell_integration_linux.cc 2 | index 29a9515238937..420799f254862 100644 3 | --- a/chrome/browser/shell_integration_linux.cc 4 | +++ b/chrome/browser/shell_integration_linux.cc 5 | @@ -488,7 +488,7 @@ std::string GetIconName() { 6 | #if BUILDFLAG(GOOGLE_CHROME_BRANDING) 7 | return "google-chrome"; 8 | #else // BUILDFLAG(CHROMIUM_BRANDING) 9 | - return "chromium-browser"; 10 | + return "trivalent"; 11 | #endif 12 | } 13 | 14 | diff --git a/chrome/common/channel_info_posix.cc b/chrome/common/channel_info_posix.cc 15 | index eb94a11e5c932..25c4e240eb919 100644 16 | --- a/chrome/common/channel_info_posix.cc 17 | +++ b/chrome/common/channel_info_posix.cc 18 | @@ -122,6 +122,7 @@ std::string GetChannelSuffixForExtraFlagsEnvVarName() { 19 | 20 | #if BUILDFLAG(IS_LINUX) 21 | std::string GetDesktopName(base::Environment* env) { 22 | + return "trivalent.desktop"; 23 | #if BUILDFLAG(GOOGLE_CHROME_BRANDING) 24 | // Google Chrome packaged as a snap is a special case: the application name 25 | // is always "google-chrome", regardless of the channel (channels are built 26 | diff --git a/media/audio/pulse/pulse_util.cc b/media/audio/pulse/pulse_util.cc 27 | index a3523a9bbb1d7..460fdbe273da2 100644 28 | --- a/media/audio/pulse/pulse_util.cc 29 | +++ b/media/audio/pulse/pulse_util.cc 30 | @@ -44,7 +44,7 @@ namespace { 31 | constexpr char kBrowserDisplayName[] = "google-chrome"; 32 | #define PRODUCT_STRING "Google Chrome" 33 | #else 34 | -constexpr char kBrowserDisplayName[] = "chromium-browser"; 35 | +constexpr char kBrowserDisplayName[] = "trivalent"; 36 | #define PRODUCT_STRING "Chromium" 37 | #endif 38 | 39 | diff --git a/base/files/file_util_posix.cc b/base/files/file_util_posix.cc 40 | index 84e81affcb..13d5c0f601 100644 41 | --- a/base/files/file_util_posix.cc 42 | +++ b/base/files/file_util_posix.cc 43 | @@ -870,7 +870,7 @@ FilePath FormatTemporaryFileName(FilePath::StringViewType identifier) { 44 | #elif BUILDFLAG(GOOGLE_CHROME_BRANDING) 45 | std::string_view prefix = "com.google.Chrome"; 46 | #else 47 | - std::string_view prefix = "org.chromium.Chromium"; 48 | + std::string_view prefix = "dev.secureblue.Trivalent"; 49 | #endif 50 | return FilePath(StrCat({".", prefix, ".", identifier})); 51 | } 52 | diff --git a/components/dbus/xdg/systemd.cc b/components/dbus/xdg/systemd.cc 53 | index 88a595c3eb..ac7f3cb675 100644 54 | --- a/components/dbus/xdg/systemd.cc 55 | +++ b/components/dbus/xdg/systemd.cc 56 | @@ -55,7 +55,7 @@ constexpr char kChannelEnvVar[] = "CHROME_VERSION_EXTRA"; 57 | #if BUILDFLAG(GOOGLE_CHROME_BRANDING) 58 | constexpr char kAppNamePrefix[] = "com.google.Chrome"; 59 | #else 60 | -constexpr char kAppNamePrefix[] = "org.chromium.Chromium"; 61 | +constexpr char kAppNamePrefix[] = "dev.secureblue.Trivalent"; 62 | #endif 63 | 64 | const char* GetAppNameSuffix(const std::string& channel) { 65 | -------------------------------------------------------------------------------- /patches/trivalent-data-dir.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/common/chrome_paths_linux.cc b/chrome/common/chrome_paths_linux.cc 2 | index 62da648c6acb0..d5d0678b96d7f 100644 3 | --- a/chrome/common/chrome_paths_linux.cc 4 | +++ b/chrome/common/chrome_paths_linux.cc 5 | @@ -94,9 +94,10 @@ bool GetDefaultUserDataDirectory(base::FilePath* result) { 6 | #elif BUILDFLAG(GOOGLE_CHROME_BRANDING) 7 | std::string data_dir_basename = "google-chrome"; 8 | #else 9 | - std::string data_dir_basename = "chromium"; 10 | + std::string data_dir_basename = "trivalent"; 11 | #endif 12 | - *result = config_dir.Append(data_dir_basename + GetChannelSuffixForDataDir()); 13 | + // We don't have channels 14 | + *result = config_dir.Append(data_dir_basename); 15 | return true; 16 | } 17 | 18 | -------------------------------------------------------------------------------- /patches/trivalent-etc-dir.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/browser/first_run/first_run_internal_linux.cc b/chrome/browser/first_run/first_run_internal_linux.cc 2 | index 33fd5790123ea..a778eb4471405 100644 3 | --- a/chrome/browser/first_run/first_run_internal_linux.cc 4 | +++ b/chrome/browser/first_run/first_run_internal_linux.cc 5 | @@ -20,10 +20,8 @@ bool IsOrganicFirstRun() { 6 | 7 | base::FilePath InitialPrefsPath() { 8 | // The standard location of the initial prefs is next to the chrome binary. 9 | - base::FilePath dir_exe; 10 | - if (!base::PathService::Get(base::DIR_EXE, &dir_exe)) { 11 | - return base::FilePath(); 12 | - } 13 | + // ... but we want to mimic Fedora and use our own directory 14 | + base::FilePath dir_exe = base::FilePath("/etc/trivalent"); 15 | 16 | return installer::InitialPreferences::Path(dir_exe); 17 | } 18 | diff --git a/chrome/common/chrome_paths.cc b/chrome/common/chrome_paths.cc 19 | index ec09803ffabcf..4475a3112326d 100644 20 | --- a/chrome/common/chrome_paths.cc 21 | +++ b/chrome/common/chrome_paths.cc 22 | @@ -609,7 +609,7 @@ bool PathProvider(int key, base::FilePath* result) { 23 | FILE_PATH_LITERAL("/etc/opt/chrome/native-messaging-hosts")); 24 | #else 25 | cur = base::FilePath( 26 | - FILE_PATH_LITERAL("/etc/chromium/native-messaging-hosts")); 27 | + FILE_PATH_LITERAL("/etc/trivalent/native-messaging-hosts")); 28 | #endif 29 | #endif // !BUILDFLAG(IS_MAC) 30 | break; 31 | diff --git a/components/policy/core/common/policy_paths.cc b/components/policy/core/common/policy_paths.cc 32 | index 7c15eeaa4f875..a1bc336139867 100644 33 | --- a/components/policy/core/common/policy_paths.cc 34 | +++ b/components/policy/core/common/policy_paths.cc 35 | @@ -18,7 +18,9 @@ const char kPolicyPath[] = "/etc/opt/chrome/policies"; 36 | #elif BUILDFLAG(GOOGLE_CHROME_FOR_TESTING_BRANDING) 37 | const char kPolicyPath[] = "/etc/opt/chrome_for_testing/policies"; 38 | #else 39 | -const char kPolicyPath[] = "/etc/chromium/policies"; 40 | +// we can try to account for policies in the main directory but that may be too dirty 41 | +// we just want new directories 42 | +const char kPolicyPath[] = "/etc/trivalent/policies"; 43 | #endif // BUILDFLAG(GOOGLE_CHROME_BRANDING) 44 | #endif // BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_MAC) 45 | 46 | -------------------------------------------------------------------------------- /patches/trivalent-help-url.patch: -------------------------------------------------------------------------------- 1 | diff --git a/chrome/common/url_constants.h b/chrome/common/url_constants.h 2 | index f16884e429de1..7e69337046e84 100644 3 | --- a/chrome/common/url_constants.h 4 | +++ b/chrome/common/url_constants.h 5 | @@ -135,7 +135,7 @@ inline constexpr char kChromeHelpViaMenuURL[] = 6 | #endif // BUILDFLAG(IS_CHROMEOS) 7 | 8 | inline constexpr char kChromeHelpViaWebUIURL[] = 9 | - "https://support.google.com/chrome?p=help&ctx=settings"; 10 | + "https://github.com/secureblue/Trivalent/issues"; 11 | #if BUILDFLAG(IS_CHROMEOS) 12 | inline constexpr char kChromeOsHelpViaWebUIURL[] = 13 | #if BUILDFLAG(GOOGLE_CHROME_BRANDING) 14 | -------------------------------------------------------------------------------- /trivalent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/secureblue/Trivalent/26f6c4e9671c70d145bf59d89dfb715e22470a28/trivalent.png -------------------------------------------------------------------------------- /update-remote-patches.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2025 The Trivalent Authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software distributed under the License is 12 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and limitations under the License. 14 | 15 | set -oue pipefail 16 | 17 | repo_directory=$(pwd) 18 | 19 | readonly vanadium_patches_path="./vanadium_patches/" 20 | readonly vanadium_git_url="https://github.com/GrapheneOS/Vanadium.git" 21 | current_vanadium_patches=() 22 | truncated_vanadium_patches=() 23 | remote_vanadium_patches=() 24 | truncated_remote_vanadium_patches=() 25 | 26 | readonly fedora_patches_path="./fedora_patches/" 27 | readonly fedora_git_url="https://src.fedoraproject.org/rpms/chromium.git" 28 | current_fedora_patches=() 29 | remote_fedora_patches=() 30 | 31 | get_remote_vanadium_patches() { 32 | cd vanadium-patches-tmp/ 33 | retry=0 34 | while true; do 35 | git clone "$vanadium_git_url" 36 | if [ ! -d Vanadium/patches/ ]; then 37 | rm -rf Vanadium/ 38 | echo "ERROR! git operation failed!" 39 | if [[ $retry -gt 0 ]]; then 40 | echo "Failed to clone $((retry+1)) times..." 41 | fi 42 | if [[ $retry == 2 ]]; then 43 | echo "Aborting!" 44 | cd "$repo_directory" 45 | rm -rf vanadium-patches-tmp/ 46 | exit 1 47 | fi 48 | echo "Retrying..." 49 | retry=$((retry+1)) 50 | else 51 | break 52 | fi 53 | done 54 | cd Vanadium/patches/ 55 | remote_vanadium_patches=(*.patch) 56 | for ((i=0; i<${#remote_vanadium_patches[@]}; i++)); do 57 | if [[ ${remote_vanadium_patches[$i]} =~ ^[0-9]{4}[\-] ]]; then 58 | truncated_remote_vanadium_patches[i]="${remote_vanadium_patches[$i]:4}" 59 | else 60 | echo "ERROR! Remote patch ${remote_vanadium_patches[$i]} does match expected naming scheme!" 61 | echo "Aborting!" 62 | cd "$repo_directory" 63 | rm -rf vanadium-patches-tmp/ 64 | exit 1 65 | fi 66 | done 67 | cd "$repo_directory" 68 | } 69 | 70 | update_vanadium_patches() { 71 | get_remote_vanadium_patches 72 | cd "$vanadium_patches_path" 73 | current_vanadium_patches=(*.patch) 74 | for ((i=0; i<${#current_vanadium_patches[@]}; i++)); do 75 | truncated_vanadium_patches[i]="${current_vanadium_patches[$i]:4}" 76 | done 77 | updated_counter=0 78 | removed_counter=0 79 | patch_not_found_counter=0 80 | for ((i=0; i<${#truncated_vanadium_patches[@]}; i++)); do 81 | for ((j=0; j<${#truncated_remote_vanadium_patches[@]}; j++)); do 82 | if [[ "${truncated_remote_vanadium_patches[$j]}" == "${truncated_vanadium_patches[$i]}" ]]; then 83 | if [[ "${remote_vanadium_patches[$j]}" == "${current_vanadium_patches[$i]}" ]]; then 84 | echo "Updating patch ${current_vanadium_patches[$i]}" 85 | echo " No name change" 86 | else 87 | echo "Updating patch ${current_vanadium_patches[$i]}" 88 | echo " Patch renamed to: ${remote_vanadium_patches[$j]}" 89 | fi 90 | rm "${current_vanadium_patches[$i]}" 91 | cp "$repo_directory/vanadium-patches-tmp/Vanadium/patches/${remote_vanadium_patches[$j]}" ./ 92 | updated_counter=$((updated_counter+1)) 93 | else 94 | patch_not_found_counter=$((patch_not_found_counter+1)) 95 | fi 96 | done 97 | # Assume, since the patch has not been found, the patch has been removed 98 | if [[ $patch_not_found_counter == "${#truncated_remote_vanadium_patches[@]}" ]]; then 99 | echo "Removing ${current_vanadium_patches[i]}" 100 | echo " Patch has been removed in Vanadium" 101 | rm "${current_vanadium_patches[$i]}" 102 | removed_counter=$((removed_counter+1)) 103 | fi 104 | patch_not_found_counter=0 105 | done 106 | echo "" 107 | echo "Updated $updated_counter patches." 108 | echo "Removed $removed_counter patches." 109 | cd "$repo_directory" 110 | } 111 | 112 | update_fedora_patches() { 113 | cd fedora-patches-tmp 114 | git clone "$fedora_git_url" 115 | cd chromium 116 | remote_fedora_patches=(*.patch) 117 | cd "$repo_directory/$fedora_patches_path" 118 | current_fedora_patches=(*.patch) 119 | updated_counter=0 120 | removed_counter=0 121 | patch_not_found_counter=0 122 | for ((i=0; i<${#current_fedora_patches[@]}; i++)); do 123 | for ((j=0; j<${#remote_fedora_patches[@]}; j++)); do 124 | if [[ "${remote_fedora_patches[$j]}" == "${current_fedora_patches[$i]}" ]]; then 125 | echo "Updating patch ${current_fedora_patches[$i]} from Fedora" 126 | rm "${current_fedora_patches[$i]}" 127 | cp "$repo_directory/fedora-patches-tmp/chromium/${remote_fedora_patches[$j]}" ./ 128 | updated_counter=$((updated_counter+1)) 129 | else 130 | patch_not_found_counter=$((patch_not_found_counter+1)) 131 | fi 132 | done 133 | if [[ $patch_not_found_counter == "${#remote_fedora_patches[@]}" ]]; then 134 | echo "Deleting removed patch ${current_fedora_patches[i]}" 135 | rm "${current_fedora_patches[$i]}" 136 | removed_counter=$((removed_counter+1)) 137 | fi 138 | patch_not_found_counter=0 139 | done 140 | echo "" 141 | echo "Updated $updated_counter patches." 142 | echo "Removed $removed_counter patches." 143 | cd "$repo_directory" 144 | } 145 | 146 | mkdir vanadium-patches-tmp/ # create a temporary directory for cloning the Vanadium patches 147 | update_vanadium_patches 148 | rm -rf vanadium-patches-tmp/ # cleanup 149 | 150 | mkdir fedora-patches-tmp/ # create a temporary directory for cloning the Fedora patches 151 | update_fedora_patches 152 | rm -rf fedora-patches-tmp/ # cleanup 153 | exit 0 154 | -------------------------------------------------------------------------------- /vanadium_patches/0008-switch-to-fstack-protector-strong.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Wed, 26 Dec 2018 10:20:24 -0500 4 | Subject: [PATCH] switch to -fstack-protector-strong 5 | 6 | --- 7 | build/config/compiler/BUILD.gn | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn 11 | index 97263593eac89..f07539c610d18 100644 12 | --- a/build/config/compiler/BUILD.gn 13 | +++ b/build/config/compiler/BUILD.gn 14 | @@ -383,7 +383,7 @@ config("compiler") { 15 | } else if ((is_posix && !is_nacl) || is_fuchsia) { 16 | if (current_os != "aix") { 17 | # Not available on aix. 18 | - cflags += [ "-fstack-protector" ] 19 | + cflags += [ "-fstack-protector-strong" ] 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /vanadium_patches/0009-enable-fwrapv-in-Clang-for-non-UBSan-builds.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 22 Dec 2016 07:15:34 -0500 4 | Subject: [PATCH] enable -fwrapv in Clang for non-UBSan builds 5 | 6 | --- 7 | build/config/compiler/BUILD.gn | 4 ++++ 8 | 1 file changed, 4 insertions(+) 9 | 10 | diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn 11 | index f07539c610d18..356773724c1b7 100644 12 | --- a/build/config/compiler/BUILD.gn 13 | +++ b/build/config/compiler/BUILD.gn 14 | @@ -399,6 +399,10 @@ config("compiler") { 15 | } 16 | } 17 | 18 | + if (is_clang && !is_ubsan && !is_ubsan_security) { 19 | + cflags += [ "-fwrapv" ] 20 | + } 21 | + 22 | # Linker warnings. 23 | if (fatal_linker_warnings && !is_apple && current_os != "aix" && 24 | current_os != "zos") { 25 | -------------------------------------------------------------------------------- /vanadium_patches/0010-enable-ftrivial-auto-var-init-zero.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Wed, 8 Apr 2020 20:48:17 -0400 4 | Subject: [PATCH] enable -ftrivial-auto-var-init=zero 5 | 6 | --- 7 | build/config/compiler/BUILD.gn | 4 ++++ 8 | 1 file changed, 4 insertions(+) 9 | 10 | diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn 11 | index 356773724c1b7..24101607a2ef9 100644 12 | --- a/build/config/compiler/BUILD.gn 13 | +++ b/build/config/compiler/BUILD.gn 14 | @@ -403,6 +403,10 @@ config("compiler") { 15 | cflags += [ "-fwrapv" ] 16 | } 17 | 18 | + if (is_clang) { 19 | + cflags += [ "-ftrivial-auto-var-init=zero" ] 20 | + } 21 | + 22 | # Linker warnings. 23 | if (fatal_linker_warnings && !is_apple && current_os != "aix" && 24 | current_os != "zos") { 25 | -------------------------------------------------------------------------------- /vanadium_patches/0015-disable-seed-based-field-trials.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 25 Dec 2018 16:19:51 -0500 4 | Subject: [PATCH] disable seed-based field trials 5 | 6 | --- 7 | .../service/variations_field_trial_creator_base.cc | 10 ++++++++++ 8 | components/variations/synthetic_trial_registry.cc | 2 ++ 9 | 2 files changed, 12 insertions(+) 10 | 11 | diff --git a/components/variations/service/variations_field_trial_creator_base.cc b/components/variations/service/variations_field_trial_creator_base.cc 12 | index 4d71cf267b23a..22f8a0b6b77fb 100644 13 | --- a/components/variations/service/variations_field_trial_creator_base.cc 14 | +++ b/components/variations/service/variations_field_trial_creator_base.cc 15 | @@ -268,8 +268,14 @@ bool VariationsFieldTrialCreatorBase::SetUpFieldTrials( 16 | } 17 | // Force the variation ids selected in chrome://flags and/or specified using 18 | // the command-line flag. 19 | +#if defined(FIELDTRIAL_SEED_ENABLED) 20 | auto result = http_header_provider->ForceVariationIds( 21 | variation_ids, command_line_variation_ids); 22 | +#else 23 | + // Pretend that it was successful without acutally forcing 24 | + // variation ids and command line variation ids 25 | + auto result = VariationsIdsProvider::ForceIdsResult::SUCCESS; 26 | +#endif // defined(FIELDTRIAL_SEED_ENABLED) 27 | 28 | switch (result) { 29 | case VariationsIdsProvider::ForceIdsResult::INVALID_SWITCH_ENTRY: 30 | @@ -334,13 +340,17 @@ bool VariationsFieldTrialCreatorBase::SetUpFieldTrials( 31 | 32 | bool used_seed = false; 33 | if (!used_testing_config && client_filterable_state) { 34 | +#if defined(FIELDTRIAL_SEED_ENABLED) 35 | used_seed = CreateTrialsFromSeed( 36 | entropy_providers, feature_list.get(), safe_seed_manager, 37 | synthetic_trial_registry, std::move(client_filterable_state)); 38 | +#endif 39 | } 40 | 41 | +#if defined(FIELDTRIAL_SEED_ENABLED) 42 | platform_field_trials->SetUpClientSideFieldTrials( 43 | used_seed, entropy_providers, feature_list.get()); 44 | +#endif 45 | 46 | platform_field_trials->RegisterFeatureOverrides(feature_list.get()); 47 | 48 | diff --git a/components/variations/synthetic_trial_registry.cc b/components/variations/synthetic_trial_registry.cc 49 | index cd3eac8828f2e..574153fb40bee 100644 50 | --- a/components/variations/synthetic_trial_registry.cc 51 | +++ b/components/variations/synthetic_trial_registry.cc 52 | @@ -122,6 +122,7 @@ SyntheticTrialRegistry::GetCurrentSyntheticFieldTrialsForTest() const { 53 | 54 | void SyntheticTrialRegistry::RegisterSyntheticFieldTrial( 55 | const SyntheticTrialGroup& trial) { 56 | +#if defined(FIELDTRIAL_SEED_ENABLED) 57 | for (auto& entry : synthetic_trial_groups_) { 58 | if (entry.id().name == trial.id().name) { 59 | if (entry.id().group != trial.id().group || 60 | @@ -139,6 +140,7 @@ void SyntheticTrialRegistry::RegisterSyntheticFieldTrial( 61 | trial_group.SetStartTime(base::TimeTicks::Now()); 62 | synthetic_trial_groups_.push_back(trial_group); 63 | NotifySyntheticTrialObservers({trial_group}, {}); 64 | +#endif // defined(FIELDTRIAL_SEED_ENABLED) 65 | } 66 | 67 | std::string_view SyntheticTrialRegistry::GetStudyNameForExpId( 68 | -------------------------------------------------------------------------------- /vanadium_patches/0019-disable-navigation-error-correction-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Wed, 23 Nov 2016 08:29:58 -0500 4 | Subject: [PATCH] disable navigation error correction by default 5 | 6 | --- 7 | chrome/browser/net/profile_network_context_service.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/chrome/browser/net/profile_network_context_service.cc b/chrome/browser/net/profile_network_context_service.cc 11 | index dcaee00297897..54eb41fb061da 100644 12 | --- a/chrome/browser/net/profile_network_context_service.cc 13 | +++ b/chrome/browser/net/profile_network_context_service.cc 14 | @@ -530,7 +530,7 @@ void ProfileNetworkContextService::ConfigureNetworkContextParams( 15 | void ProfileNetworkContextService::RegisterProfilePrefs( 16 | user_prefs::PrefRegistrySyncable* registry) { 17 | registry->RegisterBooleanPref(embedder_support::kAlternateErrorPagesEnabled, 18 | - true); 19 | + false); 20 | registry->RegisterBooleanPref(prefs::kQuicAllowed, true); 21 | registry->RegisterBooleanPref(prefs::kGloballyScopeHTTPAuthCacheEnabled, 22 | false); 23 | -------------------------------------------------------------------------------- /vanadium_patches/0021-disable-network-prediction-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Wed, 23 Nov 2016 08:31:44 -0500 4 | Subject: [PATCH] disable network prediction by default 5 | 6 | --- 7 | chrome/browser/preloading/preloading_prefs.h | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/chrome/browser/preloading/preloading_prefs.h b/chrome/browser/preloading/preloading_prefs.h 11 | index 20d7692b46deb..11632e3994c52 100644 12 | --- a/chrome/browser/preloading/preloading_prefs.h 13 | +++ b/chrome/browser/preloading/preloading_prefs.h 14 | @@ -23,7 +23,7 @@ enum class NetworkPredictionOptions { 15 | kWifiOnlyDeprecated = 1, 16 | kDisabled = 2, 17 | kExtended = 3, 18 | - kDefault = kWifiOnlyDeprecated, 19 | + kDefault = kDisabled, 20 | }; 21 | 22 | // Enum representing possible values of the Preload Pages opt-in state. These 23 | -------------------------------------------------------------------------------- /vanadium_patches/0023-disable-hyperlink-auditing-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Sat, 26 Nov 2016 14:57:22 -0500 4 | Subject: [PATCH] disable hyperlink auditing by default 5 | 6 | --- 7 | chrome/browser/chrome_content_browser_client.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc 11 | index 3ebb85bbe3c48..2dc19c66cd1a1 100644 12 | --- a/chrome/browser/chrome_content_browser_client.cc 13 | +++ b/chrome/browser/chrome_content_browser_client.cc 14 | @@ -1568,7 +1568,7 @@ void ChromeContentBrowserClient::RegisterLocalStatePrefs( 15 | void ChromeContentBrowserClient::RegisterProfilePrefs( 16 | user_prefs::PrefRegistrySyncable* registry) { 17 | registry->RegisterBooleanPref(prefs::kDisable3DAPIs, false); 18 | - registry->RegisterBooleanPref(prefs::kEnableHyperlinkAuditing, true); 19 | + registry->RegisterBooleanPref(prefs::kEnableHyperlinkAuditing, false); 20 | // Register user prefs for mapping SitePerProcess and IsolateOrigins in 21 | // user policy in addition to the same named ones in Local State (which are 22 | // used for mapping the command-line flags). 23 | -------------------------------------------------------------------------------- /vanadium_patches/0024-disable-showing-popular-sites-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 6 Mar 2018 00:27:41 -0500 4 | Subject: [PATCH] disable showing popular sites by default 5 | 6 | --- 7 | components/ntp_tiles/features.cc | 4 ++-- 8 | 1 file changed, 2 insertions(+), 2 deletions(-) 9 | 10 | diff --git a/components/ntp_tiles/features.cc b/components/ntp_tiles/features.cc 11 | index b7353c48a6923..158476da9a2e9 100644 12 | --- a/components/ntp_tiles/features.cc 13 | +++ b/components/ntp_tiles/features.cc 14 | @@ -15,7 +15,7 @@ const char kPopularSitesFieldTrialName[] = "NTPPopularSites"; 15 | 16 | BASE_FEATURE(kPopularSitesBakedInContentFeature, 17 | "NTPPopularSitesBakedInContent", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kNtpMostLikelyFaviconsFromServerFeature, 22 | "NTPMostLikelyFaviconsFromServer", 23 | @@ -23,6 +23,6 @@ BASE_FEATURE(kNtpMostLikelyFaviconsFromServerFeature, 24 | 25 | BASE_FEATURE(kUsePopularSitesSuggestions, 26 | "UsePopularSitesSuggestions", 27 | - base::FEATURE_ENABLED_BY_DEFAULT); 28 | + base::FEATURE_DISABLED_BY_DEFAULT); 29 | 30 | } // namespace ntp_tiles 31 | -------------------------------------------------------------------------------- /vanadium_patches/0025-disable-article-suggestions-feature-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 8 Mar 2018 22:43:12 -0500 4 | Subject: [PATCH] disable article suggestions feature by default 5 | 6 | --- 7 | components/feed/core/shared_prefs/pref_names.cc | 6 +++--- 8 | 1 file changed, 3 insertions(+), 3 deletions(-) 9 | 10 | diff --git a/components/feed/core/shared_prefs/pref_names.cc b/components/feed/core/shared_prefs/pref_names.cc 11 | index 50f880e715489..c80632a001c40 100644 12 | --- a/components/feed/core/shared_prefs/pref_names.cc 13 | +++ b/components/feed/core/shared_prefs/pref_names.cc 14 | @@ -24,9 +24,9 @@ const char kArticlesListVisible[] = "ntp_snippets.list_visible"; 15 | const char kEnableSnippetsByDse[] = "ntp_snippets_by_dse.enable"; 16 | 17 | void RegisterFeedSharedProfilePrefs(PrefRegistrySimple* registry) { 18 | - registry->RegisterBooleanPref(kEnableSnippets, true); 19 | - registry->RegisterBooleanPref(kArticlesListVisible, true); 20 | - registry->RegisterBooleanPref(kEnableSnippetsByDse, true); 21 | + registry->RegisterBooleanPref(kEnableSnippets, false); 22 | + registry->RegisterBooleanPref(kArticlesListVisible, false); 23 | + registry->RegisterBooleanPref(kEnableSnippetsByDse, false); 24 | } 25 | 26 | } // namespace prefs 27 | -------------------------------------------------------------------------------- /vanadium_patches/0026-disable-content-feed-suggestions-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Sun, 22 Mar 2020 01:23:48 -0400 4 | Subject: [PATCH] disable content feed suggestions by default 5 | 6 | --- 7 | components/feed/feed_feature_list.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/feed/feed_feature_list.cc b/components/feed/feed_feature_list.cc 11 | index 5353c654dcd4c..c72fe964c23af 100644 12 | --- a/components/feed/feed_feature_list.cc 13 | +++ b/components/feed/feed_feature_list.cc 14 | @@ -26,7 +26,7 @@ const char kFeedHeaderRemovalTreatmentValue2[] = "none"; 15 | // changed, please update the cached one's default value in CachedFeatureFlags. 16 | BASE_FEATURE(kInterestFeedV2, 17 | "InterestFeedV2", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kDiscoFeedEndpoint, 22 | "DiscoFeedEndpoint", 23 | -------------------------------------------------------------------------------- /vanadium_patches/0027-disable-sensors-access-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Sun, 16 Jun 2019 15:57:29 -0400 4 | Subject: [PATCH] disable sensors access by default 5 | 6 | --- 7 | .../content_settings/core/browser/content_settings_registry.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/content_settings/core/browser/content_settings_registry.cc b/components/content_settings/core/browser/content_settings_registry.cc 11 | index 20e44439d566d..12f92bc4d27a6 100644 12 | --- a/components/content_settings/core/browser/content_settings_registry.cc 13 | +++ b/components/content_settings/core/browser/content_settings_registry.cc 14 | @@ -385,7 +385,7 @@ void ContentSettingsRegistry::Init() { 15 | // TODO(crbug.com/40602007): Update this to "SECURE_ONLY" once 16 | // DeviceOrientationEvents and DeviceMotionEvents are only fired in secure 17 | // contexts. 18 | - Register(ContentSettingsType::SENSORS, "sensors", CONTENT_SETTING_ALLOW, 19 | + Register(ContentSettingsType::SENSORS, "sensors", CONTENT_SETTING_BLOCK, 20 | WebsiteSettingsInfo::UNSYNCABLE, /*allowlisted_primary_schemes=*/{}, 21 | /*valid_settings=*/{CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK}, 22 | WebsiteSettingsInfo::TOP_ORIGIN_ONLY_SCOPE, 23 | -------------------------------------------------------------------------------- /vanadium_patches/0028-block-playing-protected-media-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 1 Dec 2020 00:29:28 -0500 4 | Subject: [PATCH] block playing protected media by default 5 | 6 | --- 7 | .../content_settings/core/browser/content_settings_registry.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/content_settings/core/browser/content_settings_registry.cc b/components/content_settings/core/browser/content_settings_registry.cc 11 | index 12f92bc4d27a6..bf4957bebc445 100644 12 | --- a/components/content_settings/core/browser/content_settings_registry.cc 13 | +++ b/components/content_settings/core/browser/content_settings_registry.cc 14 | @@ -212,7 +212,7 @@ void ContentSettingsRegistry::Init() { 15 | ContentSettingsInfo::EXCEPTIONS_ON_SECURE_ORIGINS_ONLY); 16 | 17 | Register(ContentSettingsType::PROTECTED_MEDIA_IDENTIFIER, 18 | - "protected-media-identifier", CONTENT_SETTING_ALLOW, 19 | + "protected-media-identifier", CONTENT_SETTING_BLOCK, 20 | WebsiteSettingsInfo::UNSYNCABLE, /*allowlisted_primary_schemes=*/{}, 21 | #if BUILDFLAG(IS_ANDROID) 22 | /*valid_settings=*/ 23 | -------------------------------------------------------------------------------- /vanadium_patches/0029-disable-third-party-cookies-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Sun, 16 Jun 2019 16:01:31 -0400 4 | Subject: [PATCH] disable third party cookies by default 5 | 6 | --- 7 | components/content_settings/core/browser/cookie_settings.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/content_settings/core/browser/cookie_settings.cc b/components/content_settings/core/browser/cookie_settings.cc 11 | index f5567359dd911..f5fc49d72b392 100644 12 | --- a/components/content_settings/core/browser/cookie_settings.cc 13 | +++ b/components/content_settings/core/browser/cookie_settings.cc 14 | @@ -94,7 +94,7 @@ void CookieSettings::RegisterProfilePrefs( 15 | user_prefs::PrefRegistrySyncable* registry) { 16 | registry->RegisterIntegerPref( 17 | prefs::kCookieControlsMode, 18 | - static_cast(CookieControlsMode::kIncognitoOnly), 19 | + static_cast(CookieControlsMode::kBlockThirdParty), 20 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 21 | } 22 | 23 | -------------------------------------------------------------------------------- /vanadium_patches/0030-disable-background-sync-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Sun, 16 Jun 2019 21:57:26 -0400 4 | Subject: [PATCH] disable background sync by default 5 | 6 | --- 7 | .../content_settings/core/browser/content_settings_registry.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/content_settings/core/browser/content_settings_registry.cc b/components/content_settings/core/browser/content_settings_registry.cc 11 | index bf4957bebc445..e90ef49b365f4 100644 12 | --- a/components/content_settings/core/browser/content_settings_registry.cc 13 | +++ b/components/content_settings/core/browser/content_settings_registry.cc 14 | @@ -239,7 +239,7 @@ void ContentSettingsRegistry::Init() { 15 | ContentSettingsInfo::EXCEPTIONS_ON_SECURE_ORIGINS_ONLY); 16 | 17 | Register(ContentSettingsType::BACKGROUND_SYNC, "background-sync", 18 | - CONTENT_SETTING_ALLOW, WebsiteSettingsInfo::UNSYNCABLE, 19 | + CONTENT_SETTING_BLOCK, WebsiteSettingsInfo::UNSYNCABLE, 20 | /*allowlisted_primary_schemes=*/{}, 21 | /*valid_settings=*/{CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK}, 22 | WebsiteSettingsInfo::TOP_ORIGIN_ONLY_SCOPE, 23 | -------------------------------------------------------------------------------- /vanadium_patches/0031-disable-payment-support-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 18 Jun 2019 22:28:53 -0400 4 | Subject: [PATCH] disable payment support by default 5 | 6 | --- 7 | components/payments/core/payment_prefs.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/payments/core/payment_prefs.cc b/components/payments/core/payment_prefs.cc 11 | index d42858bde4cf7..a632291402897 100644 12 | --- a/components/payments/core/payment_prefs.cc 13 | +++ b/components/payments/core/payment_prefs.cc 14 | @@ -11,7 +11,7 @@ namespace payments { 15 | void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry) { 16 | registry->RegisterBooleanPref(kPaymentsFirstTransactionCompleted, false); 17 | registry->RegisterBooleanPref( 18 | - kCanMakePaymentEnabled, true, 19 | + kCanMakePaymentEnabled, false, 20 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 21 | } 22 | 23 | -------------------------------------------------------------------------------- /vanadium_patches/0032-disable-media-router-media-remoting-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 4 Jul 2019 18:11:27 -0400 4 | Subject: [PATCH] disable media router media remoting by default 5 | 6 | --- 7 | chrome/browser/media/router/media_router_feature.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/chrome/browser/media/router/media_router_feature.cc b/chrome/browser/media/router/media_router_feature.cc 11 | index 6675fa0cec62f..f140a1f573a4c 100644 12 | --- a/chrome/browser/media/router/media_router_feature.cc 13 | +++ b/chrome/browser/media/router/media_router_feature.cc 14 | @@ -153,7 +153,7 @@ void RegisterProfilePrefs(PrefRegistrySimple* registry) { 15 | registry->RegisterStringPref(prefs::kMediaRouterReceiverIdHashToken, "", 16 | PrefRegistry::PUBLIC); 17 | registry->RegisterBooleanPref( 18 | - media_router::prefs::kMediaRouterMediaRemotingEnabled, true); 19 | + media_router::prefs::kMediaRouterMediaRemotingEnabled, false); 20 | registry->RegisterBooleanPref( 21 | media_router::prefs::kMediaRouterShowCastSessionsStartedByOtherDevices, 22 | true); 23 | -------------------------------------------------------------------------------- /vanadium_patches/0033-disable-media-router-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 4 Jul 2019 19:08:52 -0400 4 | Subject: [PATCH] disable media router by default 5 | 6 | --- 7 | chrome/browser/media/router/media_router_feature.cc | 2 +- 8 | chrome/browser/profiles/profile_impl.cc | 2 +- 9 | 2 files changed, 2 insertions(+), 2 deletions(-) 10 | 11 | diff --git a/chrome/browser/media/router/media_router_feature.cc b/chrome/browser/media/router/media_router_feature.cc 12 | index f140a1f573a4c..fe9c26b54ccc5 100644 13 | --- a/chrome/browser/media/router/media_router_feature.cc 14 | +++ b/chrome/browser/media/router/media_router_feature.cc 15 | @@ -138,7 +138,7 @@ bool MediaRouterEnabled(content::BrowserContext* context) { 16 | pref_values.insert(std::make_pair(context, allowed)); 17 | return allowed; 18 | } 19 | - return true; 20 | + return false; 21 | } 22 | 23 | #if !BUILDFLAG(IS_ANDROID) 24 | diff --git a/chrome/browser/profiles/profile_impl.cc b/chrome/browser/profiles/profile_impl.cc 25 | index 22445800c6ac8..0ddb5ead8d29f 100644 26 | --- a/chrome/browser/profiles/profile_impl.cc 27 | +++ b/chrome/browser/profiles/profile_impl.cc 28 | @@ -429,7 +429,7 @@ void ProfileImpl::RegisterProfilePrefs( 29 | #endif 30 | 31 | registry->RegisterBooleanPref(prefs::kForceEphemeralProfiles, false); 32 | - registry->RegisterBooleanPref(prefs::kEnableMediaRouter, true); 33 | + registry->RegisterBooleanPref(prefs::kEnableMediaRouter, false); 34 | #if !BUILDFLAG(IS_ANDROID) 35 | registry->RegisterBooleanPref(prefs::kShowCastIconInToolbar, false); 36 | #endif // !BUILDFLAG(IS_ANDROID) 37 | -------------------------------------------------------------------------------- /vanadium_patches/0035-disable-browser-sign-in-feature-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Fri, 12 Jul 2019 04:23:18 -0400 4 | Subject: [PATCH] disable browser sign in feature by default 5 | 6 | --- 7 | chrome/browser/signin/account_consistency_mode_manager.cc | 2 +- 8 | .../signin/internal/identity_manager/primary_account_manager.cc | 2 +- 9 | 2 files changed, 2 insertions(+), 2 deletions(-) 10 | 11 | diff --git a/chrome/browser/signin/account_consistency_mode_manager.cc b/chrome/browser/signin/account_consistency_mode_manager.cc 12 | index cc676d3c1b201..81829e00f3409 100644 13 | --- a/chrome/browser/signin/account_consistency_mode_manager.cc 14 | +++ b/chrome/browser/signin/account_consistency_mode_manager.cc 15 | @@ -112,7 +112,7 @@ AccountConsistencyModeManager::~AccountConsistencyModeManager() = default; 16 | // static 17 | void AccountConsistencyModeManager::RegisterProfilePrefs( 18 | user_prefs::PrefRegistrySyncable* registry) { 19 | - registry->RegisterBooleanPref(prefs::kSigninAllowedOnNextStartup, true); 20 | + registry->RegisterBooleanPref(prefs::kSigninAllowedOnNextStartup, false); 21 | } 22 | 23 | // static 24 | diff --git a/components/signin/internal/identity_manager/primary_account_manager.cc b/components/signin/internal/identity_manager/primary_account_manager.cc 25 | index a8d61c3c4b271..8812140213196 100644 26 | --- a/components/signin/internal/identity_manager/primary_account_manager.cc 27 | +++ b/components/signin/internal/identity_manager/primary_account_manager.cc 28 | @@ -342,7 +342,7 @@ void PrimaryAccountManager::RegisterProfilePrefs(PrefRegistrySimple* registry) { 29 | prefs::kGoogleServicesSyncingGaiaIdMigratedToSignedIn, std::string()); 30 | registry->RegisterStringPref( 31 | prefs::kGoogleServicesSyncingUsernameMigratedToSignedIn, std::string()); 32 | - registry->RegisterBooleanPref(prefs::kSigninAllowed, true); 33 | + registry->RegisterBooleanPref(prefs::kSigninAllowed, false); 34 | registry->RegisterBooleanPref(prefs::kSignedInWithCredentialProvider, false); 35 | registry->RegisterBooleanPref(kExplicitBrowserSigninWithoutFeatureEnabled, 36 | false); 37 | -------------------------------------------------------------------------------- /vanadium_patches/0036-disable-safe-browsing-reporting-opt-in-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Fri, 12 Jul 2019 05:22:11 -0400 4 | Subject: [PATCH] disable safe browsing reporting opt-in by default 5 | 6 | --- 7 | components/safe_browsing/core/common/safe_browsing_prefs.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/safe_browsing/core/common/safe_browsing_prefs.cc b/components/safe_browsing/core/common/safe_browsing_prefs.cc 11 | index 90ec1b9162127..efe8115b0f594 100644 12 | --- a/components/safe_browsing/core/common/safe_browsing_prefs.cc 13 | +++ b/components/safe_browsing/core/common/safe_browsing_prefs.cc 14 | @@ -211,7 +211,7 @@ void RegisterProfilePrefs(PrefRegistrySimple* registry) { 15 | registry->RegisterBooleanPref( 16 | prefs::kSafeBrowsingSawInterstitialScoutReporting, false); 17 | registry->RegisterBooleanPref( 18 | - prefs::kSafeBrowsingExtendedReportingOptInAllowed, true); 19 | + prefs::kSafeBrowsingExtendedReportingOptInAllowed, false); 20 | registry->RegisterTimePref( 21 | prefs::kSafeBrowsingEsbProtegoPingWithTokenLastLogTime, base::Time()); 22 | registry->RegisterTimePref( 23 | -------------------------------------------------------------------------------- /vanadium_patches/0037-disable-unused-safe-browsing-option-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 12 Mar 2020 13:01:02 -0400 4 | Subject: [PATCH] disable unused safe browsing option by default 5 | 6 | Safe Browsing is currently a no-op due to the lack of Play Services, and 7 | support for using the local database backend hasn't been implemented. 8 | Various changes would be needed to make it available and to make sure 9 | that privacy is preserved. 10 | --- 11 | components/safe_browsing/core/common/safe_browsing_prefs.cc | 2 +- 12 | 1 file changed, 1 insertion(+), 1 deletion(-) 13 | 14 | diff --git a/components/safe_browsing/core/common/safe_browsing_prefs.cc b/components/safe_browsing/core/common/safe_browsing_prefs.cc 15 | index efe8115b0f594..f851bd7fe3fce 100644 16 | --- a/components/safe_browsing/core/common/safe_browsing_prefs.cc 17 | +++ b/components/safe_browsing/core/common/safe_browsing_prefs.cc 18 | @@ -217,7 +217,7 @@ void RegisterProfilePrefs(PrefRegistrySimple* registry) { 19 | registry->RegisterTimePref( 20 | prefs::kSafeBrowsingEsbProtegoPingWithoutTokenLastLogTime, base::Time()); 21 | registry->RegisterBooleanPref( 22 | - prefs::kSafeBrowsingEnabled, true, 23 | + prefs::kSafeBrowsingEnabled, false, 24 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 25 | if (base::FeatureList::IsEnabled(kEsbAsASyncedSetting)) { 26 | registry->RegisterBooleanPref( 27 | -------------------------------------------------------------------------------- /vanadium_patches/0038-disable-media-DRM-preprovisioning-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 21 May 2020 12:27:29 -0400 4 | Subject: [PATCH] disable media DRM preprovisioning by default 5 | 6 | This switches to fetching on-demand, which can only happen if DRM media 7 | support is enabled. 8 | --- 9 | media/base/media_switches.cc | 2 +- 10 | 1 file changed, 1 insertion(+), 1 deletion(-) 11 | 12 | diff --git a/media/base/media_switches.cc b/media/base/media_switches.cc 13 | index c3a25d502d938..996624abd7fe1 100644 14 | --- a/media/base/media_switches.cc 15 | +++ b/media/base/media_switches.cc 16 | @@ -1064,7 +1064,7 @@ BASE_FEATURE(kMediaDrmPersistentLicense, 17 | // which will trigger provisioning process after MediaDrmBridge is created. 18 | BASE_FEATURE(kMediaDrmPreprovisioning, 19 | "MediaDrmPreprovisioning", 20 | - base::FEATURE_ENABLED_BY_DEFAULT); 21 | + base::FEATURE_DISABLED_BY_DEFAULT); 22 | 23 | // Determines if MediaDrmOriginIdManager should attempt to pre-provision origin 24 | // IDs at startup (whenever a profile is loaded). Also used by tests that 25 | -------------------------------------------------------------------------------- /vanadium_patches/0039-disable-autofill-server-communication-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 1 Dec 2020 00:56:57 -0500 4 | Subject: [PATCH] disable autofill server communication by default 5 | 6 | --- 7 | components/autofill/core/common/autofill_features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/autofill/core/common/autofill_features.cc b/components/autofill/core/common/autofill_features.cc 11 | index 997ef6cb6b746..d033981fb1257 100644 12 | --- a/components/autofill/core/common/autofill_features.cc 13 | +++ b/components/autofill/core/common/autofill_features.cc 14 | @@ -947,7 +947,7 @@ const base::FeatureParam kAutofillOverridePredictionsJson{ 15 | // i.e., https://other.autofill.server:port/tbproxy/af/ 16 | BASE_FEATURE(kAutofillServerCommunication, 17 | "AutofillServerCommunication", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | 21 | // Enables showing DOM Node ID of elements. 22 | BASE_FEATURE(kShowDomNodeIDs, 23 | -------------------------------------------------------------------------------- /vanadium_patches/0040-disable-component-updater-pings-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Fri, 27 Nov 2020 03:56:29 -0500 4 | Subject: [PATCH] disable component updater pings by default 5 | 6 | --- 7 | .../component_updater_command_line_config_policy.h | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/component_updater/component_updater_command_line_config_policy.h b/components/component_updater/component_updater_command_line_config_policy.h 11 | index 6c16b4e37a753..a627cb7ffd59c 100644 12 | --- a/components/component_updater/component_updater_command_line_config_policy.h 13 | +++ b/components/component_updater/component_updater_command_line_config_policy.h 14 | @@ -42,7 +42,7 @@ class ComponentUpdaterCommandLineConfigPolicy final 15 | bool background_downloads_enabled_ = false; 16 | bool deltas_enabled_ = true; 17 | bool fast_update_ = false; 18 | - bool pings_enabled_ = true; 19 | + bool pings_enabled_ = false; 20 | bool test_request_ = false; 21 | 22 | // If non-zero, time interval until the first component update check. 23 | -------------------------------------------------------------------------------- /vanadium_patches/0042-disable-trivial-subdomain-hiding.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: JTL 3 | Date: Sat, 21 Dec 2019 04:04:24 +0000 4 | Subject: [PATCH] disable trivial subdomain hiding 5 | 6 | --- 7 | components/url_formatter/url_formatter.cc | 3 +-- 8 | 1 file changed, 1 insertion(+), 2 deletions(-) 9 | 10 | diff --git a/components/url_formatter/url_formatter.cc b/components/url_formatter/url_formatter.cc 11 | index 429cadd2131a5..e5ab9ceb106e0 100644 12 | --- a/components/url_formatter/url_formatter.cc 13 | +++ b/components/url_formatter/url_formatter.cc 14 | @@ -675,8 +675,7 @@ std::u16string FormatUrlWithAdjustments( 15 | } 16 | 17 | // Host. 18 | - bool trim_trivial_subdomains = 19 | - (format_types & kFormatUrlOmitTrivialSubdomains) != 0; 20 | + bool trim_trivial_subdomains = false; 21 | bool trim_mobile_prefix = (format_types & kFormatUrlOmitMobilePrefix) != 0; 22 | AppendFormattedComponent( 23 | spec, parsed.host, 24 | -------------------------------------------------------------------------------- /vanadium_patches/0045-disable-GaiaAuthFetcher-code-due-to-upstream-bug.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Thu, 19 Nov 2020 07:59:29 -0500 4 | Subject: [PATCH] disable GaiaAuthFetcher code due to upstream bug 5 | 6 | https://bugs.chromium.org/p/chromium/issues/detail?id=1150817 7 | --- 8 | google_apis/gaia/gaia_auth_fetcher.cc | 2 ++ 9 | 1 file changed, 2 insertions(+) 10 | 11 | diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc 12 | index d18521e24d63e..60e41a1a1983c 100644 13 | --- a/google_apis/gaia/gaia_auth_fetcher.cc 14 | +++ b/google_apis/gaia/gaia_auth_fetcher.cc 15 | @@ -251,6 +251,7 @@ void GaiaAuthFetcher::CreateAndStartGaiaFetcher( 16 | const net::NetworkTrafficAnnotationTag& traffic_annotation) { 17 | DCHECK(!fetch_pending_) << "Tried to fetch two things at once!"; 18 | 19 | +#if 0 20 | auto resource_request = std::make_unique(); 21 | resource_request->url = gaia_gurl; 22 | original_url_ = gaia_gurl; 23 | @@ -306,6 +307,7 @@ void GaiaAuthFetcher::CreateAndStartGaiaFetcher( 24 | base::Unretained(this)), 25 | // Limit to 1 MiB. 26 | 1024 * 1024); 27 | +#endif 28 | } 29 | 30 | // static 31 | -------------------------------------------------------------------------------- /vanadium_patches/0047-Disable-newer-privacy-sandbox-features-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Mon, 25 Sep 2023 09:26:57 +0000 4 | Subject: [PATCH] Disable newer privacy sandbox features by default 5 | 6 | --- 7 | components/privacy_sandbox/privacy_sandbox_features.cc | 2 +- 8 | services/network/public/cpp/features.cc | 2 +- 9 | third_party/blink/common/features.cc | 4 ++-- 10 | 3 files changed, 4 insertions(+), 4 deletions(-) 11 | 12 | diff --git a/components/privacy_sandbox/privacy_sandbox_features.cc b/components/privacy_sandbox/privacy_sandbox_features.cc 13 | index 03301e5ff2980..7ec6cb743b4fd 100644 14 | --- a/components/privacy_sandbox/privacy_sandbox_features.cc 15 | +++ b/components/privacy_sandbox/privacy_sandbox_features.cc 16 | @@ -21,7 +21,7 @@ const base::FeatureParam kPrivacySandboxAdsNoticeCCTAppId{ 17 | 18 | BASE_FEATURE(kPrivacySandboxSettings4, 19 | "PrivacySandboxSettings4", 20 | - base::FEATURE_ENABLED_BY_DEFAULT); 21 | + base::FEATURE_DISABLED_BY_DEFAULT); 22 | 23 | const char kPrivacySandboxSettings4ConsentRequiredName[] = "consent-required"; 24 | const char kPrivacySandboxSettings4NoticeRequiredName[] = "notice-required"; 25 | diff --git a/services/network/public/cpp/features.cc b/services/network/public/cpp/features.cc 26 | index 50aeaa0a1beee..fbdcfee51ed92 100644 27 | --- a/services/network/public/cpp/features.cc 28 | +++ b/services/network/public/cpp/features.cc 29 | @@ -476,7 +476,7 @@ BASE_FEATURE(kUpdateRequestForCorsRedirect, 30 | // Kill switch for the Topics API. 31 | BASE_FEATURE(kBrowsingTopics, 32 | "BrowsingTopics", 33 | - base::FEATURE_ENABLED_BY_DEFAULT); 34 | + base::FEATURE_DISABLED_BY_DEFAULT); 35 | 36 | // Enable the shared storage API. Note that enabling this feature does not 37 | // automatically expose this API to the web, it only allows the element to be 38 | diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc 39 | index 012857a0e2db0..240475e677c31 100644 40 | --- a/third_party/blink/common/features.cc 41 | +++ b/third_party/blink/common/features.cc 42 | @@ -249,13 +249,13 @@ BASE_FEATURE(kBrowsingTopicsBypassIPIsPubliclyRoutableCheck, 43 | // is enabled.) 44 | BASE_FEATURE(kBrowsingTopicsDocumentAPI, 45 | "BrowsingTopicsDocumentAPI", 46 | - base::FEATURE_ENABLED_BY_DEFAULT); 47 | + base::FEATURE_DISABLED_BY_DEFAULT); 48 | 49 | // Decoupled with the main `kBrowsingTopics` feature, so it allows us to 50 | // decouple the server side configs. 51 | BASE_FEATURE(kBrowsingTopicsParameters, 52 | "BrowsingTopicsParameters", 53 | - base::FEATURE_ENABLED_BY_DEFAULT); 54 | + base::FEATURE_DISABLED_BY_DEFAULT); 55 | // The periodic topics calculation interval. 56 | BASE_FEATURE_PARAM(base::TimeDelta, 57 | kBrowsingTopicsTimePeriodPerEpoch, 58 | -------------------------------------------------------------------------------- /vanadium_patches/0049-Disable-top-toolbar-button-Translate-option-by-defau.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Tue, 18 Jun 2024 18:50:35 +0000 4 | Subject: [PATCH] Disable top toolbar button Translate option by default 5 | 6 | --- 7 | .../settings/RadioButtonGroupAdaptiveToolbarPreference.java | 5 +++++ 8 | 1 file changed, 5 insertions(+) 9 | 10 | diff --git a/chrome/browser/ui/android/toolbar/java/src/org/chromium/chrome/browser/toolbar/adaptive/settings/RadioButtonGroupAdaptiveToolbarPreference.java b/chrome/browser/ui/android/toolbar/java/src/org/chromium/chrome/browser/toolbar/adaptive/settings/RadioButtonGroupAdaptiveToolbarPreference.java 11 | index b3021b530d305..17a74186023c6 100644 12 | --- a/chrome/browser/ui/android/toolbar/java/src/org/chromium/chrome/browser/toolbar/adaptive/settings/RadioButtonGroupAdaptiveToolbarPreference.java 13 | +++ b/chrome/browser/ui/android/toolbar/java/src/org/chromium/chrome/browser/toolbar/adaptive/settings/RadioButtonGroupAdaptiveToolbarPreference.java 14 | @@ -169,8 +169,13 @@ public class RadioButtonGroupAdaptiveToolbarPreference extends Preference 15 | updateVoiceButtonVisibility(); 16 | updateReadAloudButtonVisibility(); 17 | updatePageSummaryButtonVisibility(); 18 | + updateRemoveUnneededButtons(); 19 | mButtonsInitialized = true; 20 | } 21 | + 22 | + private void updateRemoveUnneededButtons() { 23 | + updateButtonVisibility(mTranslateButton, false); 24 | + } 25 | 26 | @Override 27 | public void onCheckedChanged(@Nullable RadioGroup group, int checkedId) { 28 | -------------------------------------------------------------------------------- /vanadium_patches/0050-always-use-local-new-tab-page.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Mon, 17 Jun 2019 13:14:22 -0400 4 | Subject: [PATCH] always use local new tab page 5 | 6 | --- 7 | chrome/browser/search/search.cc | 7 +++++++ 8 | 1 file changed, 7 insertions(+) 9 | 10 | diff --git a/chrome/browser/search/search.cc b/chrome/browser/search/search.cc 11 | index cb37fdb16846e..4196f8f4e0e46 100644 12 | --- a/chrome/browser/search/search.cc 13 | +++ b/chrome/browser/search/search.cc 14 | @@ -162,6 +162,10 @@ struct NewTabURLDetails { 15 | NewTabURLDetails(const GURL& url, NewTabURLState state) 16 | : url(url), state(state) {} 17 | 18 | + static bool ShouldUseLocalNewTab() { 19 | + return true; 20 | + } 21 | + 22 | static NewTabURLDetails ForProfile(Profile* profile) { 23 | // Incognito and Guest profiles have their own New Tab. 24 | // This function may also be called by other off-the-record profiles that 25 | @@ -173,6 +177,9 @@ struct NewTabURLDetails { 26 | 27 | #if BUILDFLAG(IS_ANDROID) 28 | const GURL local_url; 29 | + if (ShouldUseLocalNewTab()) { 30 | + return NewTabURLDetails(local_url, NEW_TAB_URL_VALID); 31 | + } 32 | #else 33 | const bool default_is_google = DefaultSearchProviderIsGoogle(profile); 34 | const GURL local_url(default_is_google 35 | -------------------------------------------------------------------------------- /vanadium_patches/0051-mark-non-secure-origins-as-dangerous.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Fri, 20 Oct 2017 21:20:50 -0400 4 | Subject: [PATCH] mark non-secure origins as dangerous 5 | 6 | --- 7 | components/security_state/core/security_state.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/security_state/core/security_state.cc b/components/security_state/core/security_state.cc 11 | index 16da2d3f268d9..60c7097250c08 100644 12 | --- a/components/security_state/core/security_state.cc 13 | +++ b/components/security_state/core/security_state.cc 14 | @@ -133,7 +133,7 @@ SecurityLevel GetSecurityLevel( 15 | return NONE; 16 | } 17 | #endif // !BUILDFLAG(IS_ANDROID) 18 | - return WARNING; 19 | + return DANGEROUS; 20 | } 21 | return NONE; 22 | } 23 | -------------------------------------------------------------------------------- /vanadium_patches/0053-stub-out-the-battery-status-API.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Mon, 17 Jun 2019 11:29:21 -0400 4 | Subject: [PATCH] stub out the battery status API 5 | 6 | Pretend that the device is always plugged in and fully charged. 7 | --- 8 | .../modules/battery/battery_manager.cc | 26 +++---------------- 9 | 1 file changed, 4 insertions(+), 22 deletions(-) 10 | 11 | diff --git a/third_party/blink/renderer/modules/battery/battery_manager.cc b/third_party/blink/renderer/modules/battery/battery_manager.cc 12 | index 51cdc75ceee61..c1b1031e12ee6 100644 13 | --- a/third_party/blink/renderer/modules/battery/battery_manager.cc 14 | +++ b/third_party/blink/renderer/modules/battery/battery_manager.cc 15 | @@ -80,46 +80,28 @@ ScriptPromise BatteryManager::StartRequest( 16 | } 17 | 18 | bool BatteryManager::charging() { 19 | - return battery_status_.Charging(); 20 | + return true; 21 | } 22 | 23 | double BatteryManager::chargingTime() { 24 | - return battery_status_.charging_time().InSecondsF(); 25 | + return 0.0; 26 | } 27 | 28 | double BatteryManager::dischargingTime() { 29 | - return battery_status_.discharging_time().InSecondsF(); 30 | + return std::numeric_limits::infinity(); 31 | } 32 | 33 | double BatteryManager::level() { 34 | - return battery_status_.Level(); 35 | + return 1.0; 36 | } 37 | 38 | void BatteryManager::DidUpdateData() { 39 | DCHECK(battery_property_); 40 | 41 | - BatteryStatus old_status = battery_status_; 42 | - battery_status_ = *battery_dispatcher_->LatestData(); 43 | - 44 | if (battery_property_->GetState() == BatteryProperty::kPending) { 45 | battery_property_->Resolve(this); 46 | return; 47 | } 48 | - 49 | - DCHECK(GetExecutionContext()); 50 | - if (GetExecutionContext()->IsContextPaused() || 51 | - GetExecutionContext()->IsContextDestroyed()) { 52 | - return; 53 | - } 54 | - 55 | - if (battery_status_.Charging() != old_status.Charging()) 56 | - DispatchEvent(*Event::Create(event_type_names::kChargingchange)); 57 | - if (battery_status_.charging_time() != old_status.charging_time()) 58 | - DispatchEvent(*Event::Create(event_type_names::kChargingtimechange)); 59 | - if (battery_status_.discharging_time() != old_status.discharging_time()) 60 | - DispatchEvent(*Event::Create(event_type_names::kDischargingtimechange)); 61 | - if (battery_status_.Level() != old_status.Level()) 62 | - DispatchEvent(*Event::Create(event_type_names::kLevelchange)); 63 | } 64 | 65 | void BatteryManager::RegisterWithDispatcher() { 66 | -------------------------------------------------------------------------------- /vanadium_patches/0056-disable-trials-of-privacy-aware-analytics-advertisin.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Wed, 4 Aug 2021 03:29:04 -0400 4 | Subject: [PATCH] disable trials of privacy-aware analytics/advertising APIs 5 | 6 | --- 7 | components/privacy_sandbox/privacy_sandbox_prefs.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/privacy_sandbox/privacy_sandbox_prefs.cc b/components/privacy_sandbox/privacy_sandbox_prefs.cc 11 | index d7a79452255b5..04e3924b7a605 100644 12 | --- a/components/privacy_sandbox/privacy_sandbox_prefs.cc 13 | +++ b/components/privacy_sandbox/privacy_sandbox_prefs.cc 14 | @@ -49,7 +49,7 @@ void RegisterProfilePrefs(PrefRegistrySimple* registry) { 15 | prefs::kPrivacySandboxRelatedWebsiteSetsDataAccessAllowedInitialized, 16 | false); 17 | registry->RegisterBooleanPref( 18 | - prefs::kPrivacySandboxRelatedWebsiteSetsEnabled, true, 19 | + prefs::kPrivacySandboxRelatedWebsiteSetsEnabled, false, 20 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 21 | registry->RegisterTimePref( 22 | prefs::kPrivacySandboxFakeNoticePromptShownTimeSync, base::Time(), 23 | -------------------------------------------------------------------------------- /vanadium_patches/0058-disable-appending-variations-header.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Zoraver Kang 3 | Date: Sat, 15 Jan 2022 13:34:33 -0500 4 | Subject: [PATCH] disable appending variations header 5 | 6 | --- 7 | components/variations/net/variations_http_headers.cc | 5 +---- 8 | 1 file changed, 1 insertion(+), 4 deletions(-) 9 | 10 | diff --git a/components/variations/net/variations_http_headers.cc b/components/variations/net/variations_http_headers.cc 11 | index 9b6ed6630c7cb..5bf0d95756a42 100644 12 | --- a/components/variations/net/variations_http_headers.cc 13 | +++ b/components/variations/net/variations_http_headers.cc 14 | @@ -116,10 +116,7 @@ URLValidationResult GetUrlValidationResult(const GURL& url) { 15 | // Also, logs the result of validating |url| in histograms, one of which ends in 16 | // |suffix|. 17 | bool ShouldAppendVariationsHeader(const GURL& url, const std::string& suffix) { 18 | - URLValidationResult result = GetUrlValidationResult(url); 19 | - base::UmaHistogramEnumeration( 20 | - "Variations.Headers.URLValidationResult." + suffix, result); 21 | - return result == URLValidationResult::kShouldAppend; 22 | + return false; 23 | } 24 | 25 | // Returns true if the request is sent from a Google web property, i.e. from a 26 | -------------------------------------------------------------------------------- /vanadium_patches/0059-Disable-detailed-language-settings-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Tue, 8 Feb 2022 03:04:20 +0000 4 | Subject: [PATCH] Disable detailed language settings by default 5 | 6 | --- 7 | components/language/core/common/language_experiments.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/language/core/common/language_experiments.cc b/components/language/core/common/language_experiments.cc 11 | index 66db7d9c9af40..dfecf9f30e0d3 100644 12 | --- a/components/language/core/common/language_experiments.cc 13 | +++ b/components/language/core/common/language_experiments.cc 14 | @@ -13,7 +13,7 @@ namespace language { 15 | // Features: 16 | BASE_FEATURE(kDetailedLanguageSettings, 17 | "DetailedLanguageSettings", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | BASE_FEATURE(kContentLanguagesInLanguagePicker, 21 | "ContentLanguagesInLanguagePicker", 22 | base::FEATURE_ENABLED_BY_DEFAULT); 23 | -------------------------------------------------------------------------------- /vanadium_patches/0060-disable-fetching-optimization-guides-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Mon, 25 Apr 2022 06:19:32 -0400 4 | Subject: [PATCH] disable fetching optimization guides by default 5 | 6 | --- 7 | .../optimization_guide/core/optimization_guide_features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/optimization_guide/core/optimization_guide_features.cc b/components/optimization_guide/core/optimization_guide_features.cc 11 | index 8b6cb44ef9df0..961fe9520eb57 100644 12 | --- a/components/optimization_guide/core/optimization_guide_features.cc 13 | +++ b/components/optimization_guide/core/optimization_guide_features.cc 14 | @@ -55,7 +55,7 @@ BASE_FEATURE(kOptimizationHints, 15 | // Enables fetching from a remote Optimization Guide Service. 16 | BASE_FEATURE(kRemoteOptimizationGuideFetching, 17 | "OptimizationHintsFetching", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kRemoteOptimizationGuideFetchingAnonymousDataConsent, 22 | "OptimizationHintsFetchingAnonymousDataConsent", 23 | -------------------------------------------------------------------------------- /vanadium_patches/0062-disable-fetching-optimization-hints-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Mon, 25 Apr 2022 06:19:32 -0400 4 | Subject: [PATCH] disable fetching optimization hints by default 5 | 6 | --- 7 | .../optimization_guide/core/optimization_guide_features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/optimization_guide/core/optimization_guide_features.cc b/components/optimization_guide/core/optimization_guide_features.cc 11 | index 961fe9520eb57..ef87f701866f3 100644 12 | --- a/components/optimization_guide/core/optimization_guide_features.cc 13 | +++ b/components/optimization_guide/core/optimization_guide_features.cc 14 | @@ -50,7 +50,7 @@ constexpr auto enabled_by_default_mobile_only = 15 | // hints for what optimizations can be applied on a page load. 16 | BASE_FEATURE(kOptimizationHints, 17 | "OptimizationHints", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | 21 | // Enables fetching from a remote Optimization Guide Service. 22 | BASE_FEATURE(kRemoteOptimizationGuideFetching, 23 | -------------------------------------------------------------------------------- /vanadium_patches/0063-disable-more-optimization-guides-features-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Mon, 25 Apr 2022 06:19:32 -0400 4 | Subject: [PATCH] disable more optimization guides features by default 5 | 6 | --- 7 | .../core/optimization_guide_features.cc | 8 ++++---- 8 | 1 file changed, 4 insertions(+), 4 deletions(-) 9 | 10 | diff --git a/components/optimization_guide/core/optimization_guide_features.cc b/components/optimization_guide/core/optimization_guide_features.cc 11 | index ef87f701866f3..b4b160ba388a2 100644 12 | --- a/components/optimization_guide/core/optimization_guide_features.cc 13 | +++ b/components/optimization_guide/core/optimization_guide_features.cc 14 | @@ -59,7 +59,7 @@ BASE_FEATURE(kRemoteOptimizationGuideFetching, 15 | 16 | BASE_FEATURE(kRemoteOptimizationGuideFetchingAnonymousDataConsent, 17 | "OptimizationHintsFetchingAnonymousDataConsent", 18 | - base::FEATURE_ENABLED_BY_DEFAULT); 19 | + base::FEATURE_DISABLED_BY_DEFAULT); 20 | 21 | // Enables the prediction of optimization targets. 22 | BASE_FEATURE(kOptimizationTargetPrediction, 23 | @@ -70,7 +70,7 @@ BASE_FEATURE(kOptimizationTargetPrediction, 24 | BASE_FEATURE(kOptimizationGuideModelDownloading, 25 | "OptimizationGuideModelDownloading", 26 | #if BUILDFLAG(BUILD_WITH_TFLITE_LIB) 27 | - base::FEATURE_ENABLED_BY_DEFAULT 28 | + base::FEATURE_DISABLED_BY_DEFAULT 29 | #else // BUILD_WITH_TFLITE_LIB 30 | base::FEATURE_DISABLED_BY_DEFAULT 31 | #endif // !BUILD_WITH_TFLITE_LIB 32 | @@ -118,7 +118,7 @@ BASE_FEATURE(kModelQualityLogging, 33 | // Enables fetching personalized metadata from Optimization Guide Service. 34 | BASE_FEATURE(kOptimizationGuidePersonalizedFetching, 35 | "OptimizationPersonalizedHintsFetching", 36 | - base::FEATURE_ENABLED_BY_DEFAULT); 37 | + base::FEATURE_DISABLED_BY_DEFAULT); 38 | 39 | // An emergency kill switch feature to stop serving certain model versions per 40 | // optimization target. This is useful in exceptional situations when a bad 41 | @@ -157,7 +157,7 @@ BASE_FEATURE(kLogOnDeviceMetricsOnStartup, 42 | // Whether to download the text safety classifier model. 43 | BASE_FEATURE(kTextSafetyClassifier, 44 | "TextSafetyClassifier", 45 | - base::FEATURE_ENABLED_BY_DEFAULT); 46 | + base::FEATURE_DISABLED_BY_DEFAULT); 47 | 48 | // Whether to scan the full text when running the language detection in the text 49 | // safety classifier. 50 | -------------------------------------------------------------------------------- /vanadium_patches/0068-require-HTTPS-for-component-updates.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 25 Apr 2023 04:53:22 -0400 4 | Subject: [PATCH] require HTTPS for component updates 5 | 6 | --- 7 | .../component_updater/aw_component_updater_configurator.cc | 2 +- 8 | .../component_updater/chrome_component_updater_configurator.cc | 2 +- 9 | 2 files changed, 2 insertions(+), 2 deletions(-) 10 | 11 | diff --git a/android_webview/nonembedded/component_updater/aw_component_updater_configurator.cc b/android_webview/nonembedded/component_updater/aw_component_updater_configurator.cc 12 | index ed1faff27df00..cd438dfce1975 100644 13 | --- a/android_webview/nonembedded/component_updater/aw_component_updater_configurator.cc 14 | +++ b/android_webview/nonembedded/component_updater/aw_component_updater_configurator.cc 15 | @@ -38,7 +38,7 @@ AwComponentUpdaterConfigurator::AwComponentUpdaterConfigurator( 16 | PrefService* pref_service) 17 | : configurator_impl_( 18 | component_updater::ComponentUpdaterCommandLineConfigPolicy(cmdline), 19 | - false), 20 | + true), 21 | pref_service_(pref_service), 22 | persisted_data_(update_client::CreatePersistedData( 23 | base::BindRepeating( 24 | diff --git a/chrome/browser/component_updater/chrome_component_updater_configurator.cc b/chrome/browser/component_updater/chrome_component_updater_configurator.cc 25 | index 22453ebcf1b52..ef09b996cb92d 100644 26 | --- a/chrome/browser/component_updater/chrome_component_updater_configurator.cc 27 | +++ b/chrome/browser/component_updater/chrome_component_updater_configurator.cc 28 | @@ -114,7 +114,7 @@ class ChromeConfigurator : public update_client::Configurator { 29 | ChromeConfigurator::ChromeConfigurator(const base::CommandLine* cmdline, 30 | PrefService* pref_service) 31 | : configurator_impl_(ComponentUpdaterCommandLineConfigPolicy(cmdline), 32 | - /*require_encryption=*/false), 33 | + /*require_encryption=*/true), 34 | pref_service_(pref_service), 35 | persisted_data_(update_client::CreatePersistedData( 36 | base::BindRepeating( 37 | -------------------------------------------------------------------------------- /vanadium_patches/0073-enable-prefetch-privacy-changes-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Fri, 23 Oct 2020 23:59:13 -0400 4 | Subject: [PATCH] enable prefetch privacy changes by default 5 | 6 | --- 7 | third_party/blink/common/features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc 11 | index 240475e677c31..2c015bd1d028a 100644 12 | --- a/third_party/blink/common/features.cc 13 | +++ b/third_party/blink/common/features.cc 14 | @@ -2079,7 +2079,7 @@ BASE_FEATURE(kPrefetchFontLookupTables, 15 | // crbug.com/988956. 16 | BASE_FEATURE(kPrefetchPrivacyChanges, 17 | "PrefetchPrivacyChanges", 18 | - base::FEATURE_DISABLED_BY_DEFAULT); 19 | + base::FEATURE_ENABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kPreloadingHeuristicsMLModel, 22 | "PreloadingHeuristicsMLModel", 23 | -------------------------------------------------------------------------------- /vanadium_patches/0074-enable-split-cache-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Wed, 23 Dec 2020 06:00:50 -0500 4 | Subject: [PATCH] enable split cache by default 5 | 6 | --- 7 | net/base/features.cc | 6 +++--- 8 | 1 file changed, 3 insertions(+), 3 deletions(-) 9 | 10 | diff --git a/net/base/features.cc b/net/base/features.cc 11 | index bad06c9cdc423..c1864f3914033 100644 12 | --- a/net/base/features.cc 13 | +++ b/net/base/features.cc 14 | @@ -119,11 +119,11 @@ const base::FeatureParam 15 | 16 | BASE_FEATURE(kSplitCacheByIncludeCredentials, 17 | "SplitCacheByIncludeCredentials", 18 | - base::FEATURE_DISABLED_BY_DEFAULT); 19 | + base::FEATURE_ENABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kSplitCacheByNetworkIsolationKey, 22 | "SplitCacheByNetworkIsolationKey", 23 | - base::FEATURE_DISABLED_BY_DEFAULT); 24 | + base::FEATURE_ENABLED_BY_DEFAULT); 25 | 26 | // Note: Use of this feature is gated on the HTTP cache itself being 27 | // partitioned, which is controlled by the kSplitCacheByNetworkIsolationKey 28 | @@ -134,7 +134,7 @@ BASE_FEATURE(kSplitCacheByCrossSiteMainFrameNavigationBoolean, 29 | 30 | BASE_FEATURE(kSplitCodeCacheByNetworkIsolationKey, 31 | "SplitCodeCacheByNetworkIsolationKey", 32 | - base::FEATURE_DISABLED_BY_DEFAULT); 33 | + base::FEATURE_ENABLED_BY_DEFAULT); 34 | 35 | BASE_FEATURE(kPartitionConnectionsByNetworkIsolationKey, 36 | "PartitionConnectionsByNetworkIsolationKey", 37 | -------------------------------------------------------------------------------- /vanadium_patches/0075-enable-partitioning-connections-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Mon, 8 Mar 2021 16:53:47 -0500 4 | Subject: [PATCH] enable partitioning connections by default 5 | 6 | --- 7 | net/base/features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/net/base/features.cc b/net/base/features.cc 11 | index c1864f3914033..dc61a7aec2323 100644 12 | --- a/net/base/features.cc 13 | +++ b/net/base/features.cc 14 | @@ -138,7 +138,7 @@ BASE_FEATURE(kSplitCodeCacheByNetworkIsolationKey, 15 | 16 | BASE_FEATURE(kPartitionConnectionsByNetworkIsolationKey, 17 | "PartitionConnectionsByNetworkIsolationKey", 18 | - base::FEATURE_DISABLED_BY_DEFAULT); 19 | + base::FEATURE_ENABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kPostQuantumKyber, 22 | "PostQuantumKyber", 23 | -------------------------------------------------------------------------------- /vanadium_patches/0076-enable-dubious-Do-Not-Track-feature-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Daniel Micay 3 | Date: Tue, 1 Aug 2017 11:16:11 -0400 4 | Subject: [PATCH] enable dubious Do Not Track feature by default 5 | 6 | --- 7 | components/privacy_sandbox/tracking_protection_prefs.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/privacy_sandbox/tracking_protection_prefs.cc b/components/privacy_sandbox/tracking_protection_prefs.cc 11 | index a987d3093edaa..1366aef733897 100644 12 | --- a/components/privacy_sandbox/tracking_protection_prefs.cc 13 | +++ b/components/privacy_sandbox/tracking_protection_prefs.cc 14 | @@ -12,7 +12,7 @@ namespace privacy_sandbox::tracking_protection { 15 | 16 | void RegisterProfilePrefs(PrefRegistrySimple* registry) { 17 | registry->RegisterBooleanPref( 18 | - prefs::kEnableDoNotTrack, false, 19 | + prefs::kEnableDoNotTrack, true, 20 | user_prefs::PrefRegistrySyncable::SYNCABLE_PREF); 21 | registry->RegisterBooleanPref( 22 | prefs::kFingerprintingProtectionEnabled, true, 23 | -------------------------------------------------------------------------------- /vanadium_patches/0078-Enable-strict-origin-isolation-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: qua3k 3 | Date: Thu, 21 Oct 2021 00:00:00 +0000 4 | Subject: [PATCH] Enable strict origin isolation by default 5 | 6 | Upstream is in the process of enabling origin isolation by default 7 | in the process of deprecating `document.domain`. An insignificant 8 | number of Chrome page loads use `document.domain`. 9 | 10 | See https://crbug.com/1259920 and 11 | https://chromestatus.com/metrics/feature/timeline/popularity/2544 12 | for more detail. 13 | --- 14 | content/public/common/content_features.cc | 2 +- 15 | 1 file changed, 1 insertion(+), 1 deletion(-) 16 | 17 | diff --git a/content/public/common/content_features.cc b/content/public/common/content_features.cc 18 | index 2016abf289e54..733a24142885a 100644 19 | --- a/content/public/common/content_features.cc 20 | +++ b/content/public/common/content_features.cc 21 | @@ -1132,7 +1132,7 @@ BASE_FEATURE(kSpareRendererForSitePerProcess, 22 | // eTLD+1. 23 | BASE_FEATURE(kStrictOriginIsolation, 24 | "StrictOriginIsolation", 25 | - base::FEATURE_DISABLED_BY_DEFAULT); 26 | + base::FEATURE_ENABLED_BY_DEFAULT); 27 | 28 | // Controls whether subframe process reuse should be restricted according to 29 | // resource usage policies. Namely, a process that is already consuming too 30 | -------------------------------------------------------------------------------- /vanadium_patches/0079-Enable-reduce-accept-language-header-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Tue, 14 Feb 2023 21:35:28 +0000 4 | Subject: [PATCH] Enable reduce accept language header by default 5 | 6 | --- 7 | services/network/public/cpp/features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/services/network/public/cpp/features.cc b/services/network/public/cpp/features.cc 11 | index fbdcfee51ed92..ccc6bef6ca43c 100644 12 | --- a/services/network/public/cpp/features.cc 13 | +++ b/services/network/public/cpp/features.cc 14 | @@ -198,7 +198,7 @@ BASE_FEATURE(kOmitCorsClientCert, 15 | // accept-language. https://github.com/Tanych/accept-language 16 | BASE_FEATURE(kReduceAcceptLanguage, 17 | "ReduceAcceptLanguage", 18 | - base::FEATURE_DISABLED_BY_DEFAULT); 19 | + base::FEATURE_ENABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE_PARAM(base::TimeDelta, 22 | kReduceAcceptLanguageCacheDuration, 23 | -------------------------------------------------------------------------------- /vanadium_patches/0080-use-Google-Chrome-branding-for-client-hints.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Zoraver Kang 3 | Date: Sun, 10 Oct 2021 21:59:16 -0400 4 | Subject: [PATCH] use Google Chrome branding for client hints 5 | 6 | --- 7 | components/embedder_support/user_agent_utils.cc | 1 + 8 | 1 file changed, 1 insertion(+) 9 | 10 | diff --git a/components/embedder_support/user_agent_utils.cc b/components/embedder_support/user_agent_utils.cc 11 | index 47abbd2835a36..9f62e20a03d9d 100644 12 | --- a/components/embedder_support/user_agent_utils.cc 13 | +++ b/components/embedder_support/user_agent_utils.cc 14 | @@ -203,6 +203,7 @@ const blink::UserAgentBrandList GetUserAgentBrandList( 15 | bool parse_result = base::StringToInt(major_version, &major_version_number); 16 | DCHECK(parse_result); 17 | std::optional brand; 18 | + brand = "Google Chrome"; 19 | #if !BUILDFLAG(CHROMIUM_BRANDING) 20 | brand = version_info::GetProductName(); 21 | #endif 22 | -------------------------------------------------------------------------------- /vanadium_patches/0087-temporary-Always-partition-third-party-storage.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Fri, 26 Jan 2024 14:57:11 +0000 4 | Subject: [PATCH] temporary: Always partition third party storage 5 | 6 | This will be removed in future milestone, but currently, sites can opt 7 | out to this feature via the depreciation trial, see 8 | https://developers.google.com/privacy-sandbox/3pcd/storage-partitioning#implementation_status 9 | https://developers.google.com/privacy-sandbox/blog/storage-partitioning-deprecation-trial#disablethirdpartystoragepartitioning 10 | --- 11 | third_party/blink/common/features.cc | 2 +- 12 | .../blink/renderer/platform/runtime_enabled_features.json5 | 2 +- 13 | 2 files changed, 2 insertions(+), 2 deletions(-) 14 | 15 | diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc 16 | index 2c015bd1d028a..f115f43b22b53 100644 17 | --- a/third_party/blink/common/features.cc 18 | +++ b/third_party/blink/common/features.cc 19 | @@ -710,7 +710,7 @@ BASE_FEATURE(kDiscardInputEventsToRecentlyMovedFrames, 20 | 21 | BASE_FEATURE(kDisableThirdPartyStoragePartitioning3DeprecationTrial, 22 | "DisableThirdPartyStoragePartitioning3DeprecationTrial", 23 | - base::FEATURE_ENABLED_BY_DEFAULT); 24 | + base::FEATURE_DISABLED_BY_DEFAULT); 25 | 26 | // Drop input events at the browser process until the process receives the first 27 | // signal that the renderer has sent a frame to cc (https://crbug.com/40057499). 28 | diff --git a/third_party/blink/renderer/platform/runtime_enabled_features.json5 b/third_party/blink/renderer/platform/runtime_enabled_features.json5 29 | index 773ed8ed9a436..6bd1d7c2bf368 100644 30 | --- a/third_party/blink/renderer/platform/runtime_enabled_features.json5 31 | +++ b/third_party/blink/renderer/platform/runtime_enabled_features.json5 32 | @@ -1718,7 +1718,7 @@ 33 | origin_trial_type: "deprecation", 34 | origin_trial_allows_insecure: true, 35 | origin_trial_allows_third_party: true, 36 | - status: "experimental", 37 | + status: "test", 38 | base_feature: "none", 39 | browser_process_read_write_access: true, 40 | }, 41 | -------------------------------------------------------------------------------- /vanadium_patches/0120-Derive-high-entropy-client-hints-with-reduced-user-a.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Sun, 12 Nov 2023 04:26:12 +0000 4 | Subject: [PATCH] Derive high entropy client hints with reduced user agent by 5 | default 6 | 7 | This patchset adds support to disable high entropy client hints or to 8 | populate some of it with information derived from reduced user agent in 9 | Android. 10 | --- 11 | .../embedder_support/user_agent_utils.cc | 29 +++++++++++++++++++ 12 | content/browser/client_hints/client_hints.cc | 14 +++++++++ 13 | third_party/blink/common/features.cc | 10 +++++++ 14 | third_party/blink/public/common/features.h | 3 ++ 15 | 4 files changed, 56 insertions(+) 16 | 17 | diff --git a/components/embedder_support/user_agent_utils.cc b/components/embedder_support/user_agent_utils.cc 18 | index 9f62e20a03d9d..712c5d01269c8 100644 19 | --- a/components/embedder_support/user_agent_utils.cc 20 | +++ b/components/embedder_support/user_agent_utils.cc 21 | @@ -638,6 +638,35 @@ blink::UserAgentMetadata GetUserAgentMetadata(const PrefService* pref_service, 22 | : metadata; 23 | } 24 | 25 | + if (base::FeatureList::IsEnabled( 26 | + blink::features::kClientHintsLowEntropyOnly)) { 27 | + return metadata; 28 | + } 29 | + 30 | + if (base::FeatureList::IsEnabled( 31 | + blink::features::kClientHintsFromReducedUA)) { 32 | + // Values reflected from reduced user agent obtained from 33 | + // GetReducedUserAgent from //content/common/user_agent.cc 34 | + std::string reduced_version_number = 35 | + base::StrCat({version_info::GetMajorVersionNumber(), ".0.", 36 | + blink::features::kUserAgentFrozenBuildVersion.Get(), ".0"}); 37 | + // See GetFormFactorsForClientHints. Do not include XR Form Factor. 38 | + // By default, use "Mobile" or "Desktop" depending on the `mobile` bit. 39 | + std::vector form_factors = { 40 | + metadata.mobile ? blink::kMobileFormFactor : blink::kDesktopFormFactor}; 41 | + metadata.brand_full_version_list = 42 | + GetUserAgentBrandList(version_info::GetMajorVersionNumber(), 43 | + reduced_version_number, 44 | + blink::UserAgentBrandVersionType::kFullVersion, 45 | + std::nullopt); 46 | + // Only based on low-entropy client hints for mobile, keep the same logic. 47 | + metadata.form_factors = form_factors; 48 | + metadata.model = "K"; 49 | + metadata.platform_version = "10.0.0"; 50 | + metadata.full_version = reduced_version_number; 51 | + return metadata; 52 | + } 53 | + 54 | if (only_low_entropy_ch) { 55 | return metadata; 56 | } 57 | diff --git a/content/browser/client_hints/client_hints.cc b/content/browser/client_hints/client_hints.cc 58 | index d40ff68f9ee36..ed6912c265902 100644 59 | --- a/content/browser/client_hints/client_hints.cc 60 | +++ b/content/browser/client_hints/client_hints.cc 61 | @@ -848,6 +848,20 @@ void AddRequestClientHintsHeaders( 62 | 63 | GURL url = origin.GetURL(); 64 | 65 | + if (base::FeatureList::IsEnabled( 66 | + blink::features::kClientHintsLowEntropyOnly)) { 67 | + return; 68 | + } 69 | + 70 | + if (base::FeatureList::IsEnabled( 71 | + blink::features::kClientHintsFromReducedUA)) { 72 | + UpdateNavigationRequestClientUaHeadersImpl( 73 | + delegate, is_ua_override_on, frame_tree_node, 74 | + ClientUaHeaderCallType::kDuringCreation, headers, container_policy, 75 | + request_url, data); 76 | + return; 77 | + } 78 | + 79 | // Add Headers 80 | if (ShouldAddClientHint(data, WebClientHintsType::kDeviceMemory_DEPRECATED)) { 81 | AddDeviceMemoryHeader(headers, /*use_deprecated_version*/ true); 82 | diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc 83 | index f115f43b22b53..60d08d362d392 100644 84 | --- a/third_party/blink/common/features.cc 85 | +++ b/third_party/blink/common/features.cc 86 | @@ -441,6 +441,16 @@ BASE_FEATURE(kCheckHTMLParserBudgetLessOften, 87 | "CheckHTMLParserBudgetLessOften", 88 | base::FEATURE_DISABLED_BY_DEFAULT); 89 | 90 | +// Enable low-entropy client hints only. 91 | +BASE_FEATURE(kClientHintsLowEntropyOnly, 92 | + "ClientHintsLowEntropyOnly", 93 | + base::FEATURE_DISABLED_BY_DEFAULT); 94 | + 95 | +// Use information from reduced user agent for high entropy client hints. 96 | +BASE_FEATURE(kClientHintsFromReducedUA, 97 | + "ClientHintsFromReducedUA", 98 | + base::FEATURE_ENABLED_BY_DEFAULT); 99 | + 100 | BASE_FEATURE(kClearSiteDataPrefetchPrerenderCache, 101 | "ClearSiteDataPrefetchPrerenderCache", 102 | base::FEATURE_DISABLED_BY_DEFAULT); 103 | diff --git a/third_party/blink/public/common/features.h b/third_party/blink/public/common/features.h 104 | index 76c2f97e486be..56f27556d196e 100644 105 | --- a/third_party/blink/public/common/features.h 106 | +++ b/third_party/blink/public/common/features.h 107 | @@ -228,6 +228,9 @@ BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kCaptureJSExecutionLocation); 108 | // is a no-op if kTimedHTMLParserBudget is disabled. 109 | BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kCheckHTMLParserBudgetLessOften); 110 | 111 | +BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kClientHintsLowEntropyOnly); 112 | +BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kClientHintsFromReducedUA); 113 | + 114 | // If enabled, the Clear-Site-Data header will handle "prefetchCache" and 115 | // "prerenderCache" to clear the Prefetch and Prerender caches respectively. 116 | BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kClearSiteDataPrefetchPrerenderCache); 117 | -------------------------------------------------------------------------------- /vanadium_patches/0126-Use-local-list-of-supported-languages-for-Language-s.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Sat, 25 Feb 2023 05:11:12 +0100 4 | Subject: [PATCH] Use local list of supported languages for Language settings 5 | 6 | Disable requests or connections to fetch language list from server 7 | --- 8 | .../translate/core/browser/translate_language_list.cc | 6 +++++- 9 | 1 file changed, 5 insertions(+), 1 deletion(-) 10 | 11 | diff --git a/components/translate/core/browser/translate_language_list.cc b/components/translate/core/browser/translate_language_list.cc 12 | index 8efa43783444e..3a708375b59ac 100644 13 | --- a/components/translate/core/browser/translate_language_list.cc 14 | +++ b/components/translate/core/browser/translate_language_list.cc 15 | @@ -309,7 +309,7 @@ const char* const kDefaultSupportedPartialTranslateLanguages[] = { 16 | const char kLanguageListFetchPath[] = "translate_a/l?client=chrome"; 17 | 18 | // Represent if the language list updater is disabled. 19 | -bool update_is_disabled = false; 20 | +bool update_is_disabled = true; 21 | 22 | // Retry parameter for fetching. 23 | const int kMaxRetryOn5xx = 5; 24 | @@ -393,6 +393,10 @@ GURL TranslateLanguageList::TranslateLanguageUrl() { 25 | } 26 | 27 | void TranslateLanguageList::RequestLanguageList() { 28 | + if (update_is_disabled) { 29 | + return; 30 | + } 31 | + 32 | // If resource requests are not allowed, we'll get a callback when they are. 33 | if (!resource_requests_allowed_) { 34 | request_pending_ = true; 35 | -------------------------------------------------------------------------------- /vanadium_patches/0159-enable-subresource-filter-on-all-sites.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Zoraver Kang 3 | Date: Thu, 22 Aug 2019 01:24:00 -0400 4 | Subject: [PATCH] enable subresource filter on all sites 5 | 6 | --- 7 | .../core/browser/subresource_filter_features.cc | 13 ++++++++++++- 8 | .../core/browser/subresource_filter_features.h | 2 ++ 9 | 2 files changed, 14 insertions(+), 1 deletion(-) 10 | 11 | diff --git a/components/subresource_filter/core/browser/subresource_filter_features.cc b/components/subresource_filter/core/browser/subresource_filter_features.cc 12 | index 33c2e0878108e..272b9c9aa43ef 100644 13 | --- a/components/subresource_filter/core/browser/subresource_filter_features.cc 14 | +++ b/components/subresource_filter/core/browser/subresource_filter_features.cc 15 | @@ -136,7 +136,9 @@ std::vector FillEnabledPresetConfigurations( 16 | {kPresetPerformanceTestingDryRunOnAllSites, ad_tagging_enabled, 17 | &Configuration::MakePresetForPerformanceTestingDryRunOnAllSites}, 18 | {kPresetLiveRunForBetterAds, true, 19 | - &Configuration::MakePresetForLiveRunForBetterAds}}; 20 | + &Configuration::MakePresetForLiveRunForBetterAds}, 21 | + {kPresetLiveRunOnAllSites, true, 22 | + &Configuration::MakePresetForLiveRunOnAllSites}}; 23 | 24 | CommaSeparatedStrings enabled_presets( 25 | TakeVariationParamOrReturnEmpty(params, kEnablePresetsParameterName)); 26 | @@ -286,6 +288,7 @@ const char kPresetPerformanceTestingDryRunOnAllSites[] = 27 | "performance_testing_dryrun_on_all_sites"; 28 | const char kPresetLiveRunForBetterAds[] = 29 | "liverun_on_better_ads_violating_sites"; 30 | +const char kPresetLiveRunOnAllSites[] = "liverun_on_all_sites"; 31 | 32 | // Configuration -------------------------------------------------------------- 33 | 34 | @@ -316,6 +319,14 @@ Configuration Configuration::MakePresetForLiveRunForBetterAds() { 35 | return config; 36 | } 37 | 38 | +// static 39 | +Configuration Configuration::MakePresetForLiveRunOnAllSites() { 40 | + Configuration config(mojom::ActivationLevel::kEnabled, 41 | + ActivationScope::ALL_SITES); 42 | + config.activation_conditions.priority = 600; 43 | + return config; 44 | +} 45 | + 46 | Configuration::Configuration() = default; 47 | Configuration::Configuration(mojom::ActivationLevel activation_level, 48 | ActivationScope activation_scope, 49 | diff --git a/components/subresource_filter/core/browser/subresource_filter_features.h b/components/subresource_filter/core/browser/subresource_filter_features.h 50 | index 22f56f69d0d31..8fb68c0ca0dfc 100644 51 | --- a/components/subresource_filter/core/browser/subresource_filter_features.h 52 | +++ b/components/subresource_filter/core/browser/subresource_filter_features.h 53 | @@ -125,6 +125,7 @@ struct Configuration { 54 | static Configuration MakePresetForLiveRunOnPhishingSites(); 55 | static Configuration MakePresetForPerformanceTestingDryRunOnAllSites(); 56 | static Configuration MakePresetForLiveRunForBetterAds(); 57 | + static Configuration MakePresetForLiveRunOnAllSites(); 58 | 59 | ActivationConditions activation_conditions; 60 | ActivationOptions activation_options; 61 | @@ -231,6 +232,7 @@ extern const char kDisablePresetsParameterName[]; 62 | extern const char kPresetLiveRunOnPhishingSites[]; 63 | extern const char kPresetPerformanceTestingDryRunOnAllSites[]; 64 | extern const char kPresetLiveRunForBetterAds[]; 65 | +extern const char kPresetLiveRunOnAllSites[]; 66 | 67 | } // namespace subresource_filter 68 | 69 | -------------------------------------------------------------------------------- /vanadium_patches/0165-Enable-content-settings-partitioning-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Tue, 11 Jun 2024 02:56:51 +0000 4 | Subject: [PATCH] Enable content settings partitioning by default 5 | 6 | --- 7 | components/content_settings/core/common/features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/components/content_settings/core/common/features.cc b/components/content_settings/core/common/features.cc 11 | index 3cfa770ae49b7..2f599c76fb4d2 100644 12 | --- a/components/content_settings/core/common/features.cc 13 | +++ b/components/content_settings/core/common/features.cc 14 | @@ -161,7 +161,7 @@ const base::FeatureParam 15 | 16 | BASE_FEATURE(kContentSettingsPartitioning, 17 | "ContentSettingsPartitioning", 18 | - base::FEATURE_DISABLED_BY_DEFAULT); 19 | + base::FEATURE_ENABLED_BY_DEFAULT); 20 | 21 | } // namespace features 22 | } // namespace content_settings 23 | -------------------------------------------------------------------------------- /vanadium_patches/0180-Isolate-sandboxed-iframes-per-site-by-default.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Tue, 23 Jul 2024 19:40:14 +0000 4 | Subject: [PATCH] Isolate sandboxed iframes per site by default 5 | 6 | --- 7 | third_party/blink/common/features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc 11 | index a623cce2fcd56..c738c85cf627c 100644 12 | --- a/third_party/blink/common/features.cc 13 | +++ b/third_party/blink/common/features.cc 14 | @@ -1248,7 +1248,7 @@ BASE_FEATURE_ENUM_PARAM(IsolateSandboxedIframesGrouping, 15 | kIsolateSandboxedIframesGroupingParam, 16 | &kIsolateSandboxedIframes, 17 | "grouping", 18 | - IsolateSandboxedIframesGrouping::kPerOrigin, 19 | + IsolateSandboxedIframesGrouping::kPerSite, 20 | &isolated_sandboxed_iframes_grouping_types); 21 | 22 | // Serves as killswitch for migrating CanvasRenderingContext2D::IsPaintable() 23 | -------------------------------------------------------------------------------- /vanadium_patches/0193-Enable-HSTS-upgrades-for-top-level-navigation-only-b.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: quh4gko8 <88831734+quh4gko8@users.noreply.github.com> 3 | Date: Tue, 17 Dec 2024 13:43:02 +0000 4 | Subject: [PATCH] Enable HSTS upgrades for top-level navigation only by default 5 | 6 | --- 7 | net/base/features.cc | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/net/base/features.cc b/net/base/features.cc 11 | index dc61a7aec2323..67468c4cffbd2 100644 12 | --- a/net/base/features.cc 13 | +++ b/net/base/features.cc 14 | @@ -735,7 +735,7 @@ BASE_FEATURE(kNewClientCertPathBuilding, 15 | 16 | BASE_FEATURE(kHstsTopLevelNavigationsOnly, 17 | "HstsTopLevelNavigationsOnly", 18 | - base::FEATURE_DISABLED_BY_DEFAULT); 19 | + base::FEATURE_ENABLED_BY_DEFAULT); 20 | 21 | BASE_FEATURE(kHttpCacheNoVarySearch, 22 | "HttpCacheNoVarySearch", 23 | -------------------------------------------------------------------------------- /vanadium_patches/0209-Further-disable-password-leak-detection-checks.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: quh4gko8 <88831734+quh4gko8@users.noreply.github.com> 3 | Date: Tue, 13 May 2025 14:00:49 +0000 4 | Subject: [PATCH] Further disable password leak detection checks 5 | 6 | --- 7 | .../core/browser/leak_detection/leak_detection_check_impl.cc | 4 ++++ 8 | 1 file changed, 4 insertions(+) 9 | 10 | diff --git a/components/password_manager/core/browser/leak_detection/leak_detection_check_impl.cc b/components/password_manager/core/browser/leak_detection/leak_detection_check_impl.cc 11 | index 99388eede8bd8..5909f382b0c12 100644 12 | --- a/components/password_manager/core/browser/leak_detection/leak_detection_check_impl.cc 13 | +++ b/components/password_manager/core/browser/leak_detection/leak_detection_check_impl.cc 14 | @@ -227,6 +227,7 @@ bool LeakDetectionCheck::CanStartLeakCheck( 15 | const PrefService& prefs, 16 | const GURL& form_url, 17 | std::unique_ptr logger) { 18 | +#if defined(PASSWORD_LEAK_DETECTION_ENABLED) 19 | const bool is_leak_protection_on = 20 | prefs.GetBoolean(prefs::kPasswordLeakDetectionEnabled); 21 | if (base::FeatureList::IsEnabled(safe_browsing::kPasswordLeakToggleMove)) { 22 | @@ -262,6 +263,9 @@ bool LeakDetectionCheck::CanStartLeakCheck( 23 | logger.get()); 24 | } 25 | } 26 | +#else 27 | + return false; 28 | +#endif 29 | } 30 | 31 | void LeakDetectionCheckImpl::OnAccessTokenRequestCompleted( 32 | -------------------------------------------------------------------------------- /vanadium_patches/0211-enable-certificate-transparency-feature-by-default-f.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: fgei 3 | Date: Wed, 14 May 2025 05:22:22 +0000 4 | Subject: [PATCH] enable certificate transparency feature by default for 5 | browser 6 | 7 | --- 8 | chrome/browser/browser_features.cc | 4 ---- 9 | 1 file changed, 4 deletions(-) 10 | 11 | diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc 12 | index fdf45d1c2c8ea..a2599a833ceb5 100644 13 | --- a/chrome/browser/browser_features.cc 14 | +++ b/chrome/browser/browser_features.cc 15 | @@ -49,11 +49,7 @@ BASE_FEATURE(kBookmarkTriggerForPrerender2, 16 | // switch. 17 | BASE_FEATURE(kCertificateTransparencyAskBeforeEnabling, 18 | "CertificateTransparencyAskBeforeEnabling", 19 | -#if BUILDFLAG(GOOGLE_CHROME_BRANDING) 20 | base::FEATURE_ENABLED_BY_DEFAULT); 21 | -#else 22 | - base::FEATURE_DISABLED_BY_DEFAULT); 23 | -#endif // BUILDFLAG(GOOGLE_CHROME_BRANDING) 24 | 25 | // Enables using network time for certificate verification. If enabled, network 26 | // time will be used to verify certificate validity, however certificates that 27 | -------------------------------------------------------------------------------- /vanadium_patches/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright © 2016-2025 GrapheneOS 2 | 3 | Vanadium patches are available under the terms of the GNU General Public 4 | License version 2 only, according with LICENSE.GPL-2.0. Also see 5 | LICENSE.WebView-note, LICENSE.Apache-2.0-note and LICENSE.FTL-note for 6 | exceptions from the GPLv2 terms. 7 | 8 | In order for us to continue to contribute upstream, contributors to Vanadium 9 | give permission to the GrapheneOS project to submit their changes to the 10 | Chromium project or a future replacement for the base Vanadium code based on 11 | it under the preferred choice of licensing for that project. Only the code 12 | accepted by them will be available under their choice of license. -------------------------------------------------------------------------------- /vanadium_patches/LICENSE.Apache-2.0-note: -------------------------------------------------------------------------------- 1 | The Vanadium code may be used as part of a work containing code under the 2 | Apache 2 license. An exception is made for the specific patent clause of the 3 | Apache 2 license. This exception does not permit using our code in a project 4 | containing GPLv3 code which has additional restrictions. -------------------------------------------------------------------------------- /vanadium_patches/LICENSE.FTL-note: -------------------------------------------------------------------------------- 1 | The Vanadium code may be used as part of a work containing code under the 2 | FreeType License (FTL). An exception is made for the specific credit clause of 3 | the FTL license. -------------------------------------------------------------------------------- /vanadium_patches/LICENSE.WebView-note: -------------------------------------------------------------------------------- 1 | Applications using Vanadium through the WebView library including our changes 2 | and extensions to the API are not considered derivative works of Vanadium for 3 | the terms of the GPL-2.0 license. 4 | --------------------------------------------------------------------------------