Google Chrome Manifest force Flag to Enabled

arivera
New Contributor III

Hello everyone,

I am trying to find out how to enable a Chrome flag on the Chrome manifest. The flag I want enabled is SitePerProcess, which is Strict Site Isolation; the reason I am doing this is because of all this new Spectre and Meltdown issue. I have looked into the Policy List on Chromium: http://www.chromium.org/administrators/policy-list-3#SitePerProcess

The problem I am having is I don't know which is the proper way to add this to the manifest. Does this look right? This is just an example, any help will be greatly appreciated.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SitePerProcess</key>
<true/>
</dict>
</plist>

Let me know what you all think, thank you.

1 ACCEPTED SOLUTION

zachary_fisher
New Contributor III

The configuration profile method works. Chrome://flags and Chrome://Policy are different settings. If you deploy the configuration profile, you can verify it was successful at chrome://policy.

Do not go off chrome://flags; that is just a way to "force" enable other features.

They do state this in their documentation but it is very easy to miss. I must have spent a few hours trying to enable the flag before I realized that the policy was already enabled.

"If you choose to deploy the site isolation feature, Google recommends you use Chrome policy and not the command line flag."

7 REPLIES

NoahRJ
Contributor II

We're testing that in our environment, but decided to enforce it as a configuration profile (since we want this to be an immutable setting). Your syntax looks fine for the plist to enforce that value, but you might consider creating a Config Profile in Jamf Pro, uploading the Chrome plist as a payload under the Custom Settings section, and scoping it out from there.

arivera
New Contributor III

Thanks for the response, I will try your method after testing the plist on a couple of test machines. Thank you.

donmontalvo
Esteemed Contributor III

Tried using <true /> (as outlined by Google), and <true/> (common sense)...neither work.

Tried using a Configuration Profile. Tried User level...then tried Computer level...neither work.

Tried using defaults write com.google.Chrome SitePerProcess -bool true as the user...nada.

Definitely using Google Chrome 63.x, the setting doesn't seem to work on standard Google Chrome.

I wonder if this setting only works with Google Chrome for Enterprise?

Maybe Google needs to #fixTheirShit?

--
https://donmontalvo.com

mrowell
Contributor

@donmontalvo I can't remember where I saw it mentioned, but I read that the managed settings are not reflected in the Chrome UI (so yes Google still need to #fixTheirShit).

On this page https://support.google.com/chrome/a/answer/7581529 there are steps to "Verify site isolation".

I deployed a profile with the following as a custom payload. Machines with this profile passed the test mentioned above (i.e. sites were isolated). The Chrome UI reports that Strict Site Isolation is not enabled.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SitePerProcess</key>
<true/>
</dict>
</plist>

donmontalvo
Esteemed Contributor III

@mrowell thanks, you're the second person to state this.

Ed Marczak (@marczak) just left Google, he suggested opening a ticket.

--
https://donmontalvo.com

arivera
New Contributor III

@zachary.fisher You are absolutely right, I spent hours reading through documentation until I found this; to verify if it worked you have to go to chrome://policy. I was able to make it work and test it, as Google has documentation and a test site that they have created for testing if Strict Site Isolation is actually working or not. Here is the site: https://support.google.com/chrome/a/answer/7581529
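Added example, not part of any post in this thread: a pre-upload check for a Chrome policy plist like the ones posted above, confirming that the file parses and that SitePerProcess is a real boolean true. The function name `check_policy_plist` and the four sample plists are constructed for illustration; it shows that `<true/>` and `<true />` parse identically, while a truncated file or a string value does not pass.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Shared opening of the constructed samples (same shape as the thread's plists).
HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
          b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
          b'<plist version="1.0">\n<dict>\n<key>SitePerProcess</key>\n')

# Constructed sample inputs, not captured from any real deployment.
SAMPLES = {
    "closed, <true/>": HEADER + b"<true/>\n</dict>\n</plist>\n",
    "closed, <true />": HEADER + b"<true />\n</dict>\n</plist>\n",
    "no </plist>": HEADER + b"<true/>\n</dict>\n",
    "string value": HEADER + b"<string>true</string>\n</dict>\n</plist>\n",
}


def check_policy_plist(data: bytes, key: str = "SitePerProcess") -> str:
    """Return 'ok' only for a well-formed plist dict whose `key` is boolean true."""
    try:
        root = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        # Truncated or otherwise malformed XML ends up here.
        return f"malformed: {exc}"
    if not isinstance(root, dict):
        return "not-a-dict"
    if key not in root:
        return "missing-key"
    if root[key] is not True:
        # e.g. <string>true</string> parses as the str 'true', not a boolean.
        return f"wrong-type: {type(root[key]).__name__}"
    return "ok"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} -> {check_policy_plist(data)}")
```

This only validates the file before it is uploaded as a custom payload; whether Chrome has picked up the policy is still confirmed at chrome://policy, as described in the thread.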