brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Group policy/settings: configuration for --sync-url= argument #20431

Closed tycho closed 1 month ago

tycho commented 2 years ago

Test plan

See https://github.com/brave/brave-core/pull/25498

Description

There should be a group policy or UI option for Brave to provide the --sync-url= option without needing to explicitly add a command-line argument.

One issue is that adding command line arguments varies a lot by platform:

A group policy config option would be ideal, because deploying that kind of policy is well defined for each platform. Adding this also makes self-hosting a sync server much easier.

Alternatively, a UI option to customize the sync server URL would be nice as well. As long as the setting persists without needing to add a command-line flag.

Steps to Reproduce

N/A, see description.

Actual result:

The --sync-url= option is difficult to configure consistently across platforms. Self-hosting a sync server is very difficult without a way to consistently customize the sync URL.

Expected result:

The --sync-url= option should be configurable across platforms without having to resort to manipulating command line arguments, to enable self-hosting a sync server.

Reproduces how often:

Always?

Desktop Brave version:

Brave   1.34.80 Chromium: 97.0.4692.71 (Official Build) (64-bit)
Revision    adefa7837d02a07a604c1e6eff0b3a09422ab88d-refs/branch-heads/4692@{#1247}
OS  Windows 10 Version 21H1 (Build 19043.1415)

Version/Channel Information:

All channels at the moment. Nothing provides more than the --sync-url= flag.

Other Additional Information:

Miscellaneous Information:

ppar commented 2 years ago

I'd very much like to see this implemented too.

Even exposing the setting in a config file like ~/{.config,Library/Application Support}/BraveSoftware/Brave-Browser/*/Preferences that one could edit manually would be nice.

> A group policy config option would be ideal, because deploying that kind of policy is well defined for each platform.

This might be my own shortcoming, but the linked documentation at support.brave.com only mentions Windows. If this applies to Linux and Mac as well, instructions (for users outside a managed corporate IT environment) could be useful.

ppar commented 2 years ago

Another aspect of missing a persistent setting is that it's easy to commit changes to the public sync server by accident. I've tested & verified the following:

1) Start Brave processes on 2 computers with --sync-url= set to your self-hosted server
2) Set up Sync between them in the usual way
3) One of the Brave instances stops and then restarts without the --sync-url option (e.g. because the computer crashed and recovered the desktop session, or an automated software update overwrote a shell wrapper, etc)
4) Add a bookmark on the restarted browser instance. It will now push your change to the public Sync endpoint, which happily accepts it, even though the chain didn't exist on the public server before.
5) Restart the other browser, also without --sync-url. It will now pull the new bookmark from the public Sync server.

Apparently the sync chain gets implicitly created (either by Brave or the sync service).

IMO more expected behaviour would have been for Brave to issue an error message if the sync chain that had earlier been set up doesn't exist on the server.

DaCHack commented 2 years ago

This has been requested for a long time. See related issue #12314 https://github.com/brave/brave-browser/issues/12314#issue-729322829

Hope this gets some new traction. I cannot believe that a UI switch in both desktop and mobile versions is that much of a deal.

Already offered my support and finding my way through the Code despite being a complete noob when I at least receive a clue where to start 😞

trymeouteh commented 2 years ago

What should be done is that a setting should be added in the Brave sync menu to change the URL of the sync server. This will be a user-friendly way of changing the server and will allow you to use your self-hosted sync server on desktop and mobile.

JamesJosephFinn commented 1 year ago

Why has this basic feature request languished for over a year? Self-hosting a bravesync server is only practical/useful if we can set the self-hosted bravesync server location within Brave browser settings! Thank you to the amazing team at Brave, but this right here is a curious omission. Please advise.

Graxo commented 8 months ago

Are there any plans to give this more priority? Or is there some sort of Roadmap for Brave?

NicholasFlamy commented 7 months ago

> This has been requested for a long time. See related issue #12314 #12314 (comment)
>
> Hope this gets some new traction. I cannot believe that a UI switch in both desktop and mobile versions is that much of a deal.
>
> Already offered my support and finding my way through the Code despite being a complete noob when I at least receive a clue where to start 😞

They f8cking shadow deleted the issue.

Edit: They as in somebody, I have no clue who might have done that and for what reason, may have been accidental.

bsclifton commented 7 months ago

@NicholasFlamy (and others) for full transparency, I'm not sure who deleted that issue. I'm trying to find out now - I've asked internally and so far haven't found anyone with privs that has done this. I'll dig in more and find out

For now, you are welcome to recreate the issue. I don't have the original issue content - was this just asking to make the URL configurable in app?

UPDATE: I opened a ticket with GitHub support to find out what happened

NicholasFlamy commented 7 months ago

> @NicholasFlamy (and others) for full transparency, I'm not sure who deleted that issue. I'm trying to find out now - I've asked internally and so far haven't found anyone with privs that has done this. I'll dig in more and find out
>
> For now, you are welcome to recreate the issue. I don't have the original issue content - was this just asking to make the URL configurable in app?
>
> UPDATE: I opened a ticket with GitHub support to find out what happened

I pulled up the latest Google Webcache of it and posted a link to the Webcache in the discussion I made: https://github.com/orgs/flamy-brave/discussions/3 Here is the link to the Webcache: https://webcache.googleusercontent.com/search?q=cache:https://github.com/brave/brave-browser/issues/12314

I might make a new issue but I'll hold off because the issue being deleted is super strange.

bsclifton commented 7 months ago

@NicholasFlamy got a response from GitHub - seems the person who created the original issue set their account as private and that is why it's not showing. We definitely keep posts up - although sometimes we will remove posts in an issue if they cross the line (disrespectful, etc).

Please create a new issue describing what you were wanting. Here's the official response from GitHub support:

NicholasFlamy commented 7 months ago

Wow, that's something I've never seen before. Okay, I'll get on it.

NicholasFlamy commented 7 months ago

37448 made this for now.

GanerCodes commented 7 months ago

This really, really, really shouldn't be a two-year delayed feature. For an open source project the fact I can't use a basic feature on my phone without using their servers is really annoying

h7sj commented 5 months ago

It seems extremely suspicious that this simple issue has not been resolved. There are so many ways to fix it, i.e. UI option, brave://flags, brave://sync-internals, config file, chrome-command-line, group policy etc.

This would certainly qualify as a priority issue for a browser that emphasizes privacy to the extent Brave does. Customers switching to Brave absolutely want this functionality as we are increasingly turning our backs on corporate-owned clouds in general. This feature would be significantly more popular if officially supported.

Not actioning this request is clearly deliberate, but with no stated reason perhaps we should question why Brave are resisting. There is a dizzying amount of information in sync payloads and I highly suspect these may not be as private and secure as Brave claim. Is this omission Brave's warrant canary? Is Brave being compelled to retain a role in the flow of sync data by outside influences?

h7sj commented 5 months ago

I couldn't resist - There is exactly one mention of https://sync-v2.brave.com/v2 in chrome.dll.

I have a domain name that is a few characters less than that in length. Using a hex editor, I overwrote the brave URL with mine and padded the dead space with null characters.

Amazingly this works according to brave://sync-internals and some light testing. Brave doesn't seem to notice it's running with a hacked dll.

I'm going down with the Win7 ship, so I'm on 1.47.186. Maybe this works in newer versions too? If it does, a patcher would only be a few lines of Python, a scheduled task and a line in the hosts file to drop sync-v2.brave.com.

mnlhfr commented 5 months ago

> I couldn't resist - There is exactly one mention of https://sync-v2.brave.com/v2 in chrome.dll.
>
> I have a domain name that is a few characters less than that in length. Using a hex editor, I overwrote the brave URL with mine and padded the dead space with null characters.
>
> Amazingly this works according to brave://sync-internals and some light testing. Brave doesn't seem to notice it's running with a hacked dll.
>
> I'm going down with the Win7 ship, so I'm on 1.47.186. Maybe this works in newer versions too? If it does, a patcher would only be a few lines of Python, a scheduled task and a line in the hosts file to drop sync-v2.brave.com.

That's hilarious, but I'd rather keep using Firefox until they implement it than add a weekly task of updating and patching to my schedule :D

If it really is that easy, it's also really suspicious why they would not add this..

GanerCodes commented 5 months ago

cool, someone make a script to do this with the APK or something lol

drajabr commented 2 months ago

> if it really is that easy, it's also really suspicious why they would not add this..

For real! I just started looking for an alternative browser (using Edge for work, but Firefox at home with self-hosted sync) and my only requirement is a self-hostable sync server, preferably one that works cross-platform (Windows + Linux + Android).

Brave would be the IDEAL choice if it had self-hostable browser, but it looks quite shady why they didn't implement one of the very basic features in a product marketed as a privacy-focused, user-data-respecting browser! Apparently, someone wants to keep the users attached to their servers for some reason...

NicholasFlamy commented 2 months ago

> > if it really is that easy, it's also really suspicious why they would not add this..
>
> For real! I just started looking for an alternative browser (using Edge for work, but Firefox at home with self-hosted sync) and my only requirement is a self-hostable sync server, preferably one that works cross-platform (Windows + Linux + Android).
>
> Brave would be the IDEAL choice if it had self-hostable browser, but it looks quite shady why they didn't implement one of the very basic features in a product marketed as a privacy-focused, user-data-respecting browser! Apparently, someone wants to keep the users attached to their servers for some reason...

So on desktop I have been using the command line argument. On mobile I have been using the developer options QA Preferences menu and the command line string option.

drajabr commented 2 months ago

> So on desktop I have been using the command line argument. On mobile I have been using the developer options QA Preferences menu and the command line string option.

This is amazing! So I assume it's possible to get a browser that do any outgoing connections I didn't tell it to make? I mean, I want to set up my sync server, but want to make sure that the browser is not sending any request except to my server, and ofc the web pages I only open, is that possible ..? I may set up a test a few hours later; if that's achievable then I'm definitely switching to Brave!

NicholasFlamy commented 2 months ago

> > So on desktop I have been using the command line argument. On mobile I have been using the developer options QA Preferences menu and the command line string option.
>
> This is amazing! So I assume it's possible to get a browser that do any outgoing connections I didn't tell it to make? I mean, I want to set up my sync server, but want to make sure that the browser is not sending any request except to my server, and ofc the web pages I only open, is that possible ..? I may set up a test a few hours later; if that's achievable then I'm definitely switching to Brave!

So if you want to be more secure about it you could firewall your setup and block the default Brave sync server, in case your browser crashes and relaunches and therefore wasn't launched from the shortcut on desktop. But yeah.

Edit: personally I don't firewall it at the moment. I just configured the sync server on both desktop and mobile. Also, I would recommend against storing passwords in Brave simply because sync broke on my Android phone (though strangely not my Android Tablet) and is an issue for some others. Also, a dedicated password manager such as Bitwarden (I self-host VaultWarden) is usually considered better.

metal450 commented 2 months ago

> So if you want to be more secure about it you could firewall your setup and block the default Brave sync server, in case your browser crashes and relaunches and therefore wasn't launched from the shortcut on desktop

Or it should just have a proper setting rather than using a command-line arg, which avoids this risk

bsclifton commented 2 months ago

Hi folks - thanks for the enthusiasm for this feature.

To be completely transparent, I deleted a few recent posts. Off-topic posts and then one sharing a password for restricted functionality. I'll keep this locked for now as things went off topic.

With regards to this comment:

> if it really is that easy, it's also really suspicious why they would not add this

There's nothing to be suspicious of, it's just simple logistics. If you look at our issue log... our issue count is (at the time of this comment) now at 7,705 issues. We're looking into the big ones first (crashes, proper bugs, data loss, etc). You can see this is assigned a P4. You can search for issues with labels P1, P2, and P3 and those have been determined (as we triage issues) to have a higher priority.

We'll do our best to get to this - I added it to a special tracking board "Papercuts" back in April after noticing all the community attention it received. I might know a contributor that might be interested in this - will share with them. Thanks for your patience

davidstrauss commented 2 months ago

> We'll do our best to get to this - I added it to a special tracking board "Papercuts" back in April

Just so you know, @bsclifton, this board is not publicly accessible.

bsclifton commented 2 months ago

@davidstrauss thanks for the heads up on that - try now please 😄 I just fixed

BTW - I took a stab at this over the weekend. It's not exactly trivial, but I do have something working. Will need to clean things up and then rebase/squash/write tests and submit for review

NicholasFlamy commented 2 months ago

> @davidstrauss thanks for the heads up on that - try now please 😄 I just fixed
>
> BTW - I took a stab at this over the weekend. It's not exactly trivial, but I do have something working. Will need to clean things up and then rebase/squash/write tests and submit for review

You mentioned here that Android supports group policy: https://github.com/brave/brave-browser/issues/29397#issue-1646608736

I haven't found any documentation provided by brave on this functionality. Is it the same as Linux? If not, could you please provide some information on this?

NicholasFlamy commented 2 months ago

> @davidstrauss thanks for the heads up on that - try now please 😄 I just fixed
>
> BTW - I took a stab at this over the weekend. It's not exactly trivial, but I do have something working. Will need to clean things up and then rebase/squash/write tests and submit for review

Apparently, someone made a draft PR very recently: https://github.com/brave/brave-core/pull/25484

bsclifton commented 2 months ago

> > @davidstrauss thanks for the heads up on that - try now please 😄 I just fixed
> >
> > BTW - I took a stab at this over the weekend. It's not exactly trivial, but I do have something working. Will need to clean things up and then rebase/squash/write tests and submit for review
>
> Apparently, someone made a draft PR very recently: brave/brave-core#25484

Yup - I'm working together on this with @jagadeshjai. I'm getting the group policy part working - where the interception needs to happen. And then he can do the custom URL which will also need to show that field as read-only (non-editable) if group policy is set. Some of my existing work can be found in https://github.com/brave/brave-core/pull/25498

bsclifton commented 1 month ago

> You mentioned here that Android supports group policy: #29397 (comment)
>
> I haven't found any documentation provided by brave on this functionality. Is it the same as Linux? If not, could you please provide some information on this?

Hi @NicholasFlamy - I think the code is basically done at this point. I'll be adding a test plan for each OS. I'll dig in and see if it's possible to do w/ Android also (it should be, as far as I know). If it's not possible, I'll remove the OS/Android label. In that case the solution might be with https://github.com/brave/brave-browser/issues/12314

bsclifton commented 1 month ago

OK folks - this is merged 😄

Unfortunately, I couldn't find a way to do Android group policy. I do believe it's possible - but I don't know at the moment though. If someone has more information, please do share it.

I'll work with @jagadeshjai on https://github.com/brave/brave-core/pull/25484 next

NicholasFlamy commented 1 month ago

> OK folks - this is merged 😄
>
> Unfortunately, I couldn't find a way to do Android group policy. I do believe it's possible - but I don't know at the moment though. If someone has more information, please do share it.
>
> I'll work with @jagadeshjai on brave/brave-core#25484 next

I appreciate the work! If configuration through the UI is the solution for Android (and I assume same for iOS) then that's alright.

MadhaviSeelam commented 2 weeks ago

Verification PASSED using

Brave | 1.72.85 Chromium: 130.0.6723.58 (Official Build) beta (64-bit)
-- | --
Revision | 2c872aa4d2694bc73ec58e3b14538a4008a6381e
OS | Windows 11 Version 23H2 (Build 22631.4391)

Installed 1.72.85 opened Registry editor

Case 1: Using regedit.exe

  1. opened Registry editor
  2. navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
  3. navigated to the key (folders) BraveSoftware\Brave\
  4. created a new string value (REG_SZ) with the name BraveSyncUrl and the value https://sync-v2.brave.com/v2
  5. launched Brave
  6. opened brave://policy/ in a new tab
  7. confirmed BraveSyncUrl link is shown under Policy name field
  8. confirmed https://sync-v2.brave.com/v2 is shown under Policy value field
  9. confirmed when clicked on the BraveSyncUrl link, it navigated to https://chromeenterprise.google/policies/?policy=BraveSyncUrl

Case 2: Adding using a .reg file

  1. new profile

  2. created a new empty file called sync-policy.reg

  3. opened it in Notepad and put this for the content:

    
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave]
      "BraveSyncUrl"="https://sync-v2.brave.com/v2"
  4. saved and closed the file

  5. double clicked the sync-policy.reg file

  6. clicked Yes

  7. clicked Ok

  8. launched Brave

  9. opened brave://policy/ in a new tab

  10. confirmed BraveSyncUrl link is shown under Policy name field

  11. confirmed https://sync-v2.brave.com/v2 is shown under Policy value field

  12. confirmed when hovered the BraveSyncUrl, correct URL is shown at the bottom left

  13. confirmed registry keys (from steps 5-7) created as expected

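An added example, not part of the thread or of Brave's code: a Python check that reads a .reg file like the one in Case 2, works out which BraveSyncUrl string it leaves in place, and flags a policy that is missing, not HTTPS, or still pointing at the public endpoint (the silent fallback ppar describes earlier in the thread). The host sync.example.internal and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave"
POLICY_NAME = "BraveSyncUrl"
PUBLIC_SYNC_URL = "https://sync-v2.brave.com/v2"  # default endpoint named in the thread

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.*)')  # "name"=<data>
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')                 # REG_SZ data


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def sync_url_from_reg(text):
    """Return the REG_SZ BraveSyncUrl a .reg file leaves in place, else None."""
    in_key, value = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):              # [-KEY] deletes a key and its subkeys
                deleted = name[1:].lower() + "\\"
                if (POLICY_KEY.lower() + "\\").startswith(deleted):
                    value = None
                in_key = False
            else:
                in_key = name.lower() == POLICY_KEY.lower()
            continue
        m = _VALUE_LINE.fullmatch(line) if in_key else None
        if m and _unescape(m.group(1)).lower() == POLICY_NAME.lower():
            q = _QUOTED.fullmatch(m.group(2).strip())
            # "name"=- (deletion) and dword:/hex: data are not a usable string policy
            value = _unescape(q.group(1)) if q else None
    return value


def audit_sync_policy(value, expected_host):
    """Return findings; an empty list means sync is pinned to expected_host over HTTPS."""
    if value is None:
        return ["BraveSyncUrl policy is not set as a string value"]
    url = urlsplit(value)
    host = (url.hostname or "").lower()
    findings = []
    if url.scheme != "https":
        findings.append(f"scheme is {url.scheme or 'missing'!r}, expected 'https'")
    if host == urlsplit(PUBLIC_SYNC_URL).hostname:
        findings.append("policy points at the public Brave sync server")
    elif host != expected_host.lower():
        findings.append(f"host {host!r} does not match expected {expected_host!r}")
    return findings


# The .reg content from Case 2, plus a constructed self-hosted variant.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave]
"BraveSyncUrl"="https://sync-v2.brave.com/v2"
'''
SELF_HOSTED_REG = SAMPLE_REG.replace("sync-v2.brave.com", "sync.example.internal")

if __name__ == "__main__":
    for label, reg in (("test plan", SAMPLE_REG), ("self-hosted", SELF_HOSTED_REG)):
        print(label, audit_sync_policy(sync_url_from_reg(reg), "sync.example.internal"))
```
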
DaCHack commented 2 weeks ago

@MadhaviSeelam Great, thanks! Can you confirm whether there is also work going on to enable it on iOS? There is no brave://policy/ in the iOS app. This would finally enable syncing tabs and other items between desktop and mobile.

NicholasFlamy commented 2 weeks ago

> @MadhaviSeelam Great, thanks! Can you confirm whether there is also work going on to enable it on iOS? There is no brave://policy/ in the iOS app. This would finally enable syncing tabs and other items between desktop and mobile.

They're working on a GUI option that will handle mobile as well (since afaik mobile doesn't have policies): https://github.com/brave/brave-core/pull/25484

bsclifton commented 6 days ago

Unfortunately, I'm not sure how to do group policy on iOS and Android. I believe it's possible, I just don't know how

@NicholasFlamy thanks for linking the custom URL one. That will solve for Desktop. We'll need to do a similar pull request for Android and iOS to enable changing sync URL.

MadhaviSeelam commented 6 days ago

Verification PASSED using

Brave | 1.72.93 Chromium: 131.0.6778.14 (Official Build) beta (arm64)
-- | --
Revision | 69e5dc20ca483a13316632df5bcd9279bb2a3cb7
OS | macOS Version 14.6.1 (Build 23G93)
  1. Installed 1.72.93
  2. launched terminal and ran following:
  3. launched Brave
  4. opened brave://policy in a new tab
  5. confirmed BraveSyncUrl link is shown under Policy name field
  6. confirmed https://sync-v2.brave.com/v2 is shown under Policy value field
  7. confirmed when hovered the BraveSyncUrl, correct URL is shown at the bottom left
  8. confirmed when clicked the BraveSyncUrl, it navigated to https://chromeenterprise.google/policies/?policy=BraveSyncUrl
LaurenWags commented 3 days ago

Verified with

Brave | 1.73.86 Chromium: 131.0.6778.39 (Official Build) (64-bit)
-- | --
Revision | 52163bcf4e40f27ddb76ffa79c90a8833084a9bd
OS | Linux

Verified modified test plan from https://github.com/brave/brave-core/pull/25498#issue-2515073108 for Linux.

Notes - I created each directory under /etc separately and then used touch to create the needed file. I was able to use a code editor (Sublime) to add the necessary info in the file to create the policy.

Confirmed that once created, the file displays under brave://policy:


Confirmed that once the sync_url_policy.json is deleted, that it no longer displays under brave://policy:
