brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Make Brave-specific options configurable through Windows Group Policy templates #26502

Open mherrmann opened 1 year ago

mherrmann commented 1 year ago

This is a follow-up to #26501. There, we provide templates for changing general browser settings. The goal of this present issue is to build on that work and make it possible to configure Brave-specific browser options via Group Policy settings. Per the current documentation, the minimal settings that should be supported are:

Related:

ghost commented 1 year ago

It is nice Brave implemented a policy for Up/Down Shields https://github.com/brave/brave-browser/issues/25394

@bsclifton @mherrmann @spylogsster

I think it would be good if Brave expanded even more Shields/Adblock policies to make Brave a really good browser for admins to control what they want the organizations to see within Brave and even for Parental Control.

I see many people requesting a block site feature, and people talk about DNS and all that way of 'blocking' websites, but technically Brave can already do that, it only needs ways to stop anyone from bypassing them easily when they are not meant to.

First, one important policy/feature would be to have a way for 'organization' to be able to set custom lists and rules that no user can delete or disable, just like how Windows Firewalls features and rules can be set through GPO.

Second, and somehow a more important feature/flag/policy, it's to stop users from clicking the proceed button if/when a domain is blocked by the adblocker or change the warning screen to reflect it was blocked by an organization or something. You know, the little screen which is done by using ||example^ or $document with the first party domain blocking feature https://github.com/brave/brave-browser/issues/14134 Example:

Just adding these two policies will add a way for organizations, admins, parents, schools to easily restrict/block websites without having to deal with another feature and/or Brave Team having to implement a feature that is already done with the adblocker, because the feature is already there, it only needs ways to prevent users to proceed or disable the rules.

Something important to note and why I say Brave already can block sites, it's that when Brave shows the warning screen, Brave hasn't connected to the Domain/IP, it shows the warning based just on what the URL says before anything gets resolved. The website will only resolve and appear in DNS server logs or firewalls or anything when the user clicks the Proceed button, making it a great way (and already built) to block websites completely. Otherwise if the user clicks proceed, everything gets blocked: scripts, fonts, images, spreadsheets, etc, (when ||example^ is used, not when just $document is used) but the main html document will load, which means Brave will be forced to make 1 connection, and since it will be plain html, then users can still read text which might not be good. That's why not allowing users to proceed is important, to make Brave adblocker a better tool for everything security and privacy.

If adblocker is used for this kind of stuff, not only it will be 'one feature less to build' by Brave Team, but also, no DNS server or VPN or anything else (but using another web browser) can bypass it for the way these document block works which is done only for what it is seen in the URL.

Which means, (another good point about using Adblocker for 'website blocker' feature) is that it can be done in flexible ways.

Example:

You want to block example.com but you want to allow people accessing example.com/category/download/software it can be done by using $document

||example.com^$document and @@||example.com/category/download/software

So it doesn't have the same limitations as DNS based blocking website features/programs/servers

And if we count the fact that the adblocker has scriptlet injections like window-close-if or CSP features like sandbox that can prevent popups and stops downloads in whatever website, using CSP is not perfect since people can middle click and download the file that way, but it can prevent automatic downloads, to truly stop downloads, again, $document for the way it works by searching in the URL, would be able to stop the download, so a rule like /(.zip|.exe|.rar)/$document will stop all downloads from happening anywhere if an organization or parent desires, making it superior to any available tool if done right, out of the box and without doing anything but using what it is already available.

I tried to find other issues with this type of request, so hope it is not duplicate, but hope this helps to understand how good these two policies can be. Of course, many flags or policies can be done to control every aspect of the Adblocker but I think these two policies can be the most important to make available for any organization or parent to control websites they want their employees or children or students to have access.

Thank you and have a good day!

DesertBear commented 1 year ago

The below setting also needs to be added, so that the VPN feature can be disabled across managed devices.

bsclifton commented 1 year ago

@DesertBear thanks for requesting that - I logged that one with https://github.com/brave/brave-browser/issues/29397 and we can look at this soon 😄

rowansc1 commented 1 year ago

Hiya, Is there any further progress with the TorDisabled function being able to be edited via GPO? More specifically the progress of 16351.

Cheers!

DesertBear commented 8 months ago

> @DesertBear thanks for requesting that - I logged that one with #29397 and we can look at this soon 😄

While BraveVPNDisabled has been added to Brave Group Policy settings, the documentation at the below link is still missing this information.

Link: https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy

Example:

| DWord | Accepted Values | Effect |
|---|---|---|
| BraveVPNDisabled | 0 (default), 1 | 0 = Enabled, 1 = Disabled |

mherrmann commented 8 months ago

Cc @AlanBreck . Can you update https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy?

AlanBreck commented 8 months ago

The support site is actually managed by @Brave-Matt, so I'm looping him in.

bsclifton commented 8 months ago

BraveVPNDisabled is now added to https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy - thanks @Brave-Matt! 😄👍

bsclifton commented 2 months ago

@mherrmann - I'm not sure how much trouble it is to append to the example/brave.reg in the policy templates (see https://brave-browser-downloads.s3.brave.com/latest/policy_templates.zip)

But we could hardcode (at least for the moment) the following Brave specific values:

```
Windows Registry Editor Version 5.00
; brave version: 124.1.67.42

[HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave]
"TorDisabled"=dword:00000001
"IPFSEnabled"=dword:00000000
"BraveRewardsDisabled"=dword:00000001
"BraveWalletDisabled"=dword:00000001
"BraveVPNDisabled"=dword:00000001
"BraveAIChatEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\BraveShieldsEnabledForUrls]
"1"="[*.]twitter.com"
"2"="https://www.example.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\BraveShieldsDisabledForUrls]
"1"="https://www.example.com"
"2"="[*.]brave.com"
```

This should cover all the ones listed at https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy#h_01HE8CWCDW9FWDWB74VCGZZEMR

Maybe you can point me in the right direction?

mherrmann commented 2 months ago

@bsclifton sure. My previous work on the topic was https://github.com/brave/brave-core/pull/16351, but it became obsolete before it was merged due to upstream changes. The policy templates are a GN target, brave/components/policy:pack_policy_templates. Maybe you could extend [pack_policy_templates.py](https://github.com/brave/brave-core/blob/3311f572f08cd007bf570e8b21dde09d949548ef/components/policy/pack_policy_templates.py#L31) to append the values you mentioned to brave.reg?

Marko-98 commented 2 weeks ago

@bsclifton I'm using these policies to disable Brave Wallet and Brave Rewards from the browser; I have two questions:

  1. Is it possible to keep using these policies, but to hide messages "managed by your organization" throughout the browser?
  2. When policies are enabled, secure DNS option is disabled automatically. Is there a way to keep secure DNS enabled while still managing browser through Group Policy or Registry?

Thank you!

DesertBear commented 5 days ago

@Marko-98

> 2. When policies are enabled, secure DNS option is disabled automatically. Is there a way to keep secure DNS enabled while still managing browser through Group Policy or Registry?

This is an issue with all Chromium-based browsers. You will need to set the below policies to keep DNS-over-HTTPS enabled.

Controls the mode of DNS-over-HTTPS: https://chromeenterprise.google/policies/#DnsOverHttpsMode

Specify URI template of desired DNS-over-HTTPS resolver: https://chromeenterprise.google/policies/#DnsOverHttpsTemplates
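An added example, not code from this thread or from the Brave project: a small auditor that parses an exported .reg file and reports which of the policy values listed earlier in the thread, plus the DnsOverHttpsMode policy named above, are missing or differ from a baseline. The baseline choice of `"secure"` for DnsOverHttpsMode, the assumption that it lives under the same Brave policy key, the function names and the sample export are all assumptions constructed for illustration.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\BraveSoftware\Brave"
# Expected values: the dwords come from the .reg listing in the thread;
# DnsOverHttpsMode = "secure" is an assumed choice for the secure-DNS policy.
BASELINE = {
    "TorDisabled": 1, "IPFSEnabled": 0, "BraveRewardsDisabled": 1,
    "BraveWalletDisabled": 1, "BraveVPNDisabled": 1, "BraveAIChatEnabled": 0,
    "DnsOverHttpsMode": "secure",
}
# Constructed sample export: VPN left enabled, DoH policy never set.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave]
"TorDisabled"=dword:00000001
"IPFSEnabled"=dword:00000000
"BraveRewardsDisabled"=dword:00000001
"BraveWalletDisabled"=dword:00000001
"BraveVPNDisabled"=dword:00000000
"BraveAIChatEnabled"=dword:00000000
'''
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

def parse_reg(text):
    """Parse .reg text into {key path: {value name: int or str}}."""
    # Key paths and value names are lowercased: the registry is
    # case-insensitive. Only dword and plain string values are handled.
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.fullmatch(line)):
            name, dword, string = m.groups()
            current[name.lower()] = int(dword, 16) if dword is not None else string
    return keys

def audit(text, baseline=BASELINE, key=POLICY_KEY):
    """Return {policy: (expected, actual)} for missing or drifted values."""
    actual = parse_reg(text).get(key.lower(), {})
    return {name: (want, actual.get(name.lower()))
            for name, want in baseline.items()
            if actual.get(name.lower()) != want}

if __name__ == "__main__":
    for name, (want, got) in audit(SAMPLE_EXPORT).items():
        print(f"{name}: expected {want!r}, found {got!r}")
```

`reg export` writes UTF-16 text, so read the file with `encoding="utf-16"` before passing its contents to `audit`.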

Marko-98 commented 4 days ago

@DesertBear Thanks! :)