LeOSium_webview/LeOS/patches/00add-browser-policy.patch


2023-11-18 11:46:19 +01:00
From: uazo <uazo@users.noreply.github.com>
Date: Tue, 22 Nov 2022 16:49:58 +0000
Subject: Add browser policy
License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
---
base/win/win_util.cc | 63 +-------
chrome/android/java/AndroidManifest.xml | 4 -
.../privacy_preferences_manager_impl.cc | 5 +
.../metrics/chrome_feature_list_creator.cc | 12 ++
.../policy/chrome_browser_policy_connector.cc | 2 -
...nfiguration_policy_handler_list_factory.cc | 6 +-
.../account_consistency_mode_manager.cc | 7 +-
...ccount_consistency_mode_manager_factory.cc | 2 +-
chrome/browser/signin/chrome_signin_client.cc | 7 +-
.../ui/webui/policy/policy_ui_handler.cc | 104 ++++++++++++-
.../ui/webui/policy/policy_ui_handler.h | 2 +
.../commerce/core/commerce_feature_list.cc | 24 +--
.../core/browser/browser_policy_connector.cc | 3 +
.../common/command_line_policy_provider.cc | 3 +
.../core/common/policy_loader_command_line.cc | 140 ++++++++++++++++--
.../policy/core/common/policy_pref_names.cc | 3 +
.../policy/core/common/policy_pref_names.h | 1 +
.../policy/core/common/policy_service_impl.cc | 3 +
.../policy/core/common/policy_switches.cc | 2 +
.../policy/core/common/policy_switches.h | 1 +
.../Miscellaneous/SyncDisabled.yaml | 2 +-
.../policy/resources/webui/policy_row.html | 1 +
.../policy/resources/webui/policy_row.ts | 12 ++
components/policy_strings.grdp | 4 +-
.../gaia_cookie_manager_service.cc | 4 +
google_apis/gaia/gaia_auth_fetcher.cc | 1 +
26 files changed, 311 insertions(+), 107 deletions(-)
diff --git a/base/win/win_util.cc b/base/win/win_util.cc
--- a/base/win/win_util.cc
+++ b/base/win/win_util.cc
@@ -126,76 +126,19 @@ bool EnablePerMonitorV2() {
}
bool* GetDomainEnrollmentStateStorage() {
- static bool state = IsOS(OS_DOMAINMEMBER);
+ static bool state = false;
return &state;
}
bool* GetRegisteredWithManagementStateStorage() {
- static bool state = []() {
- // Mitigate the issues caused by loading DLLs on a background thread
- // (http://crbug/973868).
- SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY();
-
- ScopedNativeLibrary library(
- FilePath(FILE_PATH_LITERAL("MDMRegistration.dll")));
- if (!library.is_valid())
- return false;
-
- using IsDeviceRegisteredWithManagementFunction =
- decltype(&::IsDeviceRegisteredWithManagement);
- IsDeviceRegisteredWithManagementFunction
- is_device_registered_with_management_function =
- reinterpret_cast<IsDeviceRegisteredWithManagementFunction>(
- library.GetFunctionPointer("IsDeviceRegisteredWithManagement"));
- if (!is_device_registered_with_management_function)
- return false;
-
- BOOL is_managed = FALSE;
- HRESULT hr =
- is_device_registered_with_management_function(&is_managed, 0, nullptr);
- return SUCCEEDED(hr) && is_managed;
- }();
+ static bool state = false;
return &state;
}
// TODO (crbug/1300219): return a DSREG_JOIN_TYPE* instead of bool*.
bool* GetAzureADJoinStateStorage() {
- static bool state = []() {
- base::ElapsedTimer timer;
-
- // Mitigate the issues caused by loading DLLs on a background thread
- // (http://crbug/973868).
- SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY();
-
- ScopedNativeLibrary netapi32(
- base::LoadSystemLibrary(FILE_PATH_LITERAL("netapi32.dll")));
- if (!netapi32.is_valid())
- return false;
-
- const auto net_get_aad_join_information_function =
- reinterpret_cast<decltype(&::NetGetAadJoinInformation)>(
- netapi32.GetFunctionPointer("NetGetAadJoinInformation"));
- if (!net_get_aad_join_information_function)
- return false;
-
- const auto net_free_aad_join_information_function =
- reinterpret_cast<decltype(&::NetFreeAadJoinInformation)>(
- netapi32.GetFunctionPointer("NetFreeAadJoinInformation"));
- DPCHECK(net_free_aad_join_information_function);
-
- DSREG_JOIN_INFO* join_info = nullptr;
- HRESULT hr = net_get_aad_join_information_function(/*pcszTenantId=*/nullptr,
- &join_info);
- const bool is_aad_joined = SUCCEEDED(hr) && join_info;
- if (join_info) {
- net_free_aad_join_information_function(join_info);
- }
-
- base::UmaHistogramTimes("EnterpriseCheck.AzureADJoinStatusCheckTime",
- timer.Elapsed());
- return is_aad_joined;
- }();
+ static bool state = false;
return &state;
}
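Review bot: The three storage getters now hard-code `false` with no comment saying that management detection is disabled on purpose, so a later rebase could restore the upstream probes by accident. Suggest a comment above each `static bool state = false;`, e.g. `// Domain/MDM/Azure AD detection is intentionally stubbed out: this build always reports an unmanaged device.` Any caller that gates behaviour on these values will now always take the unmanaged path. Headers that were only needed for the removed DLL lookups may be left unused; they are not visible in this hunk.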
diff --git a/chrome/android/java/AndroidManifest.xml b/chrome/android/java/AndroidManifest.xml
--- a/chrome/android/java/AndroidManifest.xml
+++ b/chrome/android/java/AndroidManifest.xml
@@ -73,9 +73,7 @@ by a child template that "extends" this file.
<uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC" tools:ignore="SystemPermissionTypo" />
<uses-permission android:name="android.permission.RUN_USER_INITIATED_JOBS" />
- <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
<uses-permission android:name="android.permission.INTERNET"/>
- <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
<uses-permission android:name="android.permission.NFC"/>
<uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
@@ -86,7 +84,6 @@ by a child template that "extends" this file.
<uses-permission-sdk-23 android:name="android.permission.READ_MEDIA_VIDEO"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
- <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
<uses-permission-sdk-23 android:name="android.permission.USE_BIOMETRIC"/>
<uses-permission-sdk-23 android:name="android.permission.USE_FINGERPRINT"/>
<uses-permission android:name="android.permission.VIBRATE"/>
@@ -130,7 +127,6 @@ by a child template that "extends" this file.
<uses-permission android:name="com.chrome.permission.DEVICE_EXTRAS" />
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
- <uses-permission android:name="com.google.android.apps.now.CURRENT_ACCOUNT_ACCESS" />
{% block extra_uses_permissions %}
{% endblock %}
diff --git a/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc b/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc
--- a/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc
+++ b/chrome/browser/android/preferences/privacy_preferences_manager_impl.cc
@@ -56,6 +56,11 @@ static jboolean
JNI_PrivacyPreferencesManagerImpl_IsMetricsReportingDisabledByPolicy(
JNIEnv* env) {
const PrefService* local_state = g_browser_process->local_state();
+ // this point (policy with 'future') gave me false, false
+ // LOG(INFO) << "---IsMetricsReportingDisabledByPolicy "
+ // << local_state->IsManagedPreference(metrics::prefs::kMetricsReportingEnabled)
+ // << " "
+ // << local_state->GetBoolean(metrics::prefs::kMetricsReportingEnabled);
return local_state->IsManagedPreference(
metrics::prefs::kMetricsReportingEnabled) &&
!local_state->GetBoolean(metrics::prefs::kMetricsReportingEnabled);
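Review bot: The added lines are a personal debugging note plus a commented-out `LOG(INFO)`, which is dead code in the function that reports whether metrics reporting is disabled by policy. Either delete it or replace it with a comment that records the finding, for example `// While MetricsReportingEnabled was still a 'future' policy, both IsManagedPreference() and GetBoolean() were observed to return false here.` The function's closing brace is outside the hunk.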
diff --git a/chrome/browser/metrics/chrome_feature_list_creator.cc b/chrome/browser/metrics/chrome_feature_list_creator.cc
--- a/chrome/browser/metrics/chrome_feature_list_creator.cc
+++ b/chrome/browser/metrics/chrome_feature_list_creator.cc
@@ -57,6 +57,8 @@
#include "content/public/common/content_switches.h"
#include "services/network/public/cpp/network_switches.h"
#include "ui/base/resource/resource_bundle.h"
+#include "components/policy/core/common/policy_pref_names.h"
+#include "components/policy/core/common/policy_switches.h"
#if BUILDFLAG(IS_CHROMEOS_ASH)
#include "chrome/browser/ash/policy/core/browser_policy_connector_ash.h"
@@ -222,6 +224,16 @@ void ChromeFeatureListCreator::CreatePrefService() {
// ManagementService's cache.
if (local_state_pref_store->ReadPrefs() ==
JsonPrefStore::PREF_READ_ERROR_NONE) {
+ // add list of user disabled policies to command line
+ base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+ const base::Value* stored_value = nullptr;
+ if (local_state_pref_store->GetValue(policy::policy_prefs::kDisabledDefaultPoliciesList, &stored_value) &&
+ stored_value->is_string()) {
+ std::string disabled_policies = stored_value->GetString();
+ if (!disabled_policies.empty()) {
+ command_line->AppendSwitchASCII(policy::switches::kForceDisabledPolicies, disabled_policies);
+ }
+ }
auto* platform_management_service =
policy::ManagementServiceFactory::GetForPlatform();
platform_management_service->UsePrefStoreAsCache(local_state_pref_store);
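Review bot: The string read from Local State is appended to the process command line as `kForceDisabledPolicies` without any check of its contents, and a value of that switch already supplied at launch is not considered. Since this list decides which of the built-in mandatory policies are dropped, it would be safer to keep only entries that are known policy names before calling `AppendSwitchASCII`, and to decide explicitly whether the launch-time switch or the pref wins. Handing the list to the loader directly, rather than through the command line, would also keep it out of anything that logs or inherits the command line; whether child processes receive this switch is not visible here.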
diff --git a/chrome/browser/policy/chrome_browser_policy_connector.cc b/chrome/browser/policy/chrome_browser_policy_connector.cc
--- a/chrome/browser/policy/chrome_browser_policy_connector.cc
+++ b/chrome/browser/policy/chrome_browser_policy_connector.cc
@@ -159,8 +159,6 @@ bool ChromeBrowserPolicyConnector::HasMachineLevelPolicies() {
if (ProviderHasPolicies(machine_level_user_cloud_policy_manager()))
return true;
#endif // !BUILDFLAG(IS_CHROMEOS_ASH)
- if (ProviderHasPolicies(command_line_provider_))
- return true;
return false;
}
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -2046,9 +2046,9 @@ bool AreFuturePoliciesEnabledByDefault() {
if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kTestType)) {
return true;
}
- version_info::Channel channel = chrome::GetChannel();
- return channel != version_info::Channel::STABLE &&
- channel != version_info::Channel::BETA;
+ // Future policies are allowed but not active without
+ // kEnableExperimentalPolicies policy
+ return true;
}
} // namespace
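Review bot: With the unconditional `return true;` the `kTestType` branch above it is redundant, and the new comment sits oddly with the function name: `AreFuturePoliciesEnabledByDefault()` now reports that future policies are enabled by default on every channel. If the caller uses this value to bypass the `EnableExperimentalPolicies` allow-list (the caller is outside this hunk, so this needs confirming), then every `future_on` policy is accepted, not only the ones the loader lists. Suggest dropping the early branch and rewording the comment to state the actual effect, or keeping the channel check and relying on the explicit allow-list.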
diff --git a/chrome/browser/signin/account_consistency_mode_manager.cc b/chrome/browser/signin/account_consistency_mode_manager.cc
--- a/chrome/browser/signin/account_consistency_mode_manager.cc
+++ b/chrome/browser/signin/account_consistency_mode_manager.cc
@@ -160,7 +160,7 @@ void AccountConsistencyModeManager::SetIgnoreMissingOAuthClientForTesting() {
// static
bool AccountConsistencyModeManager::ShouldBuildServiceForProfile(
Profile* profile) {
- return profile->IsRegularProfile();
+ return false;
}
AccountConsistencyMethod
@@ -198,7 +198,8 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod(
#endif
#if BUILDFLAG(ENABLE_MIRROR)
- return AccountConsistencyMethod::kMirror;
+ // always disabled
+ return AccountConsistencyMethod::kDisabled;
#endif
#if BUILDFLAG(ENABLE_DICE_SUPPORT)
@@ -208,7 +209,7 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod(
return AccountConsistencyMethod::kDisabled;
}
- return AccountConsistencyMethod::kDice;
+ return AccountConsistencyMethod::kDisabled;
#endif
NOTREACHED();
diff --git a/chrome/browser/signin/account_consistency_mode_manager_factory.cc b/chrome/browser/signin/account_consistency_mode_manager_factory.cc
--- a/chrome/browser/signin/account_consistency_mode_manager_factory.cc
+++ b/chrome/browser/signin/account_consistency_mode_manager_factory.cc
@@ -45,5 +45,5 @@ void AccountConsistencyModeManagerFactory::RegisterProfilePrefs(
bool AccountConsistencyModeManagerFactory::ServiceIsCreatedWithBrowserContext()
const {
- return true;
+ return false;
}
diff --git a/chrome/browser/signin/chrome_signin_client.cc b/chrome/browser/signin/chrome_signin_client.cc
--- a/chrome/browser/signin/chrome_signin_client.cc
+++ b/chrome/browser/signin/chrome_signin_client.cc
@@ -130,7 +130,9 @@ void ChromeSigninClient::DoFinalInit() {
bool ChromeSigninClient::ProfileAllowsSigninCookies(Profile* profile) {
scoped_refptr<content_settings::CookieSettings> cookie_settings =
CookieSettingsFactory::GetForProfile(profile);
- return signin::SettingsAllowSigninCookies(cookie_settings.get());
+ // Make ChromeSigninClient compliant to SigninAllowed policy
+ bool cookiesAllowed = signin::SettingsAllowSigninCookies(cookie_settings.get());
+ return cookiesAllowed && profile->GetPrefs()->GetBoolean(prefs::kSigninAllowed);
}
PrefService* ChromeSigninClient::GetPrefs() { return profile_->GetPrefs(); }
@@ -242,6 +244,9 @@ bool ChromeSigninClient::AreNetworkCallsDelayed() {
}
void ChromeSigninClient::DelayNetworkCall(base::OnceClosure callback) {
+ // Make ChromeSigninClient compliant to SigninAllowed policy
+ if (!AreSigninCookiesAllowed()) return;
+
wait_for_network_callback_helper_->DelayNetworkCall(std::move(callback));
}
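Review bot: `DelayNetworkCall` now returns without running or forwarding `callback` when sign-in cookies are not allowed, so the `OnceClosure` is destroyed silently. A caller that relies on the callback to complete a request, report a failure or release state would never be notified; the callers are not visible in this hunk. At minimum document the contract, e.g. `// Sign-in is disabled: the callback is intentionally dropped and no network call is made.`, and give callers that need completion an explicit failure path instead of a silent drop.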
diff --git a/chrome/browser/ui/webui/policy/policy_ui_handler.cc b/chrome/browser/ui/webui/policy/policy_ui_handler.cc
--- a/chrome/browser/ui/webui/policy/policy_ui_handler.cc
+++ b/chrome/browser/ui/webui/policy/policy_ui_handler.cc
@@ -22,6 +22,7 @@
#include "base/memory/raw_ptr.h"
#include "base/memory/weak_ptr.h"
#include "base/notreached.h"
+#include "base/strings/string_split.h"
#include "base/strings/utf_string_conversions.h"
#include "base/task/task_traits.h"
#include "base/task/thread_pool.h"
@@ -64,6 +65,7 @@
#include "components/policy/core/common/policy_details.h"
#include "components/policy/core/common/policy_logger.h"
#include "components/policy/core/common/policy_pref_names.h"
+#include "components/policy/core/common/policy_pref_names.h"
#include "components/policy/core/common/policy_scheduler.h"
#include "components/policy/core/common/policy_types.h"
#include "components/policy/core/common/remote_commands/remote_commands_service.h"
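Review bot: The added `#include "components/policy/core/common/policy_pref_names.h"` duplicates the include on the line directly above it. It is harmless because of include guards, but the added line should be dropped.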
@@ -177,6 +179,10 @@ void PolicyUIHandler::RegisterMessages() {
"exportPoliciesJSON",
base::BindRepeating(&PolicyUIHandler::HandleExportPoliciesJson,
base::Unretained(this)));
+ web_ui()->RegisterMessageCallback(
+ "setEnabledPolicy",
+ base::BindRepeating(&PolicyUIHandler::HandleSetEnabledPolicy,
+ base::Unretained(this)));
web_ui()->RegisterMessageCallback(
"listenPoliciesUpdates",
base::BindRepeating(&PolicyUIHandler::HandleListenPoliciesUpdates,
@@ -424,8 +430,102 @@ void PolicyUIHandler::SendPolicies() {
"policies-updated",
base::Value(
policy_value_and_status_aggregator_->GetAggregatedPolicyNames()),
- base::Value(
- policy_value_and_status_aggregator_->GetAggregatedPolicyValues()));
+ base::Value(GetPolicyValues()));
+}
+
+base::Value::Dict PolicyUIHandler::GetPolicyValues() {
+ base::Value::Dict policy =
+ policy_value_and_status_aggregator_->GetAggregatedPolicyValues();
+ base::Value::Dict* policy_values =
+ policy.FindDict(policy::kPolicyValuesKey);
+ DCHECK(policy_values);
+
+ PrefService* local_state = g_browser_process->local_state();
+ DCHECK(local_state);
+
+ // get user disabled list from local state
+ std::string disabled_policies_pref =
+ local_state->GetString(policy::policy_prefs::kDisabledDefaultPoliciesList);
+ std::vector<std::string> disabled_policies =
+ base::SplitString(disabled_policies_pref, ",",
+ base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+
+ auto* root = policy_values->FindDict(policy::kChromePoliciesId);
+ if (root) {
+ auto* list = root->FindDict(policy::kPoliciesKey);
+ if (list) {
+ // for each policy check if is disabled by the user
+ for (const auto name : *list) {
+ bool disabled = base::Contains(disabled_policies, name.first);
+ name.second.GetDict().Set("disabled", base::Value(disabled));
+ }
+
+ // add disabled policies so user can enable them
+ for (const std::string& name : disabled_policies) {
+ base::Value::Dict value;
+ value.Set("disabled", base::Value(true));
+
+ // set with some value (only for the ui)
+ // see components/policy/core/browser/policy_conversions_client.cc
+ value.Set("value", base::Value(false));
+ value.Set("scope", base::Value("machine"));
+ value.Set("level", base::Value("mandatory"));
+ value.Set("source", base::Value("sourceDefault"));
+ list->Set(name, std::move(value));
+ }
+ }
+ }
+ return policy;
+}
+
+void PolicyUIHandler::HandleSetEnabledPolicy(
+ const base::Value::List& args) {
+ CHECK_EQ(2u, args.size());
+ const std::string policy_name = args[0].GetString();
+ bool enabled = args[1].GetBool();
+
+ // Check if policy exists
+ base::Value::Dict policy =
+ policy_value_and_status_aggregator_->GetAggregatedPolicyValues();
+ base::Value::Dict* policy_values =
+ policy.FindDict(policy::kPolicyValuesKey);
+ DCHECK(policy_values);
+
+ bool exists = false;
+ auto* root = policy_values->FindDict(policy::kChromePoliciesId);
+ if (root && g_browser_process) {
+ auto* list = root->FindDict(policy::kPoliciesKey);
+ if (list) {
+ for (const auto name : *list) {
+ if (name.first == policy_name) {
+ exists = true;
+ break;
+ }
+ }
+ }
+ }
+
+ PrefService* local_state = g_browser_process->local_state();
+ DCHECK(local_state);
+
+ // get user disabled list from local state
+ std::string disabled_policies_pref =
+ local_state->GetString(policy::policy_prefs::kDisabledDefaultPoliciesList);
+ std::vector<std::string> disabled_policies =
+ base::SplitString(disabled_policies_pref, ",",
+ base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+
+ // remove policy
+ base::EraseIf(disabled_policies,
+ [policy_name](const std::string& name) { return name == policy_name; });
+
+ // readd if exists and enabled
+ if (exists && !enabled)
+ disabled_policies.push_back(policy_name);
+
+ // save current user disabled policy in local state
+ local_state->SetString(policy::policy_prefs::kDisabledDefaultPoliciesList,
+ base::JoinString(disabled_policies, ","));
}
void PolicyUIHandler::SendStatus() {
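Review bot: `HandleSetEnabledPolicy` trusts the message arguments: `CHECK_EQ(2u, args.size())`, `args[0].GetString()` and `args[1].GetBool()` all terminate the browser process if the page sends a different count or type. Prefer rejecting the message instead, `if (args.size() != 2 || !args[0].is_string() || !args[1].is_bool()) return;`. The same function tests `g_browser_process` in `if (root && g_browser_process)` but dereferences it unconditionally a few lines later, and both new functions dereference `policy_values` after a `DCHECK`, which is compiled out in release builds, so an explicit early return on null would be safer. The pref is only copied to the command line at startup (see the chrome_feature_list_creator.cc change), so a toggle presumably takes effect only after a restart, which neither the code comments nor the UI state.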
diff --git a/chrome/browser/ui/webui/policy/policy_ui_handler.h b/chrome/browser/ui/webui/policy/policy_ui_handler.h
--- a/chrome/browser/ui/webui/policy/policy_ui_handler.h
+++ b/chrome/browser/ui/webui/policy/policy_ui_handler.h
@@ -58,6 +58,8 @@ class PolicyUIHandler : public content::WebUIMessageHandler,
private:
void HandleExportPoliciesJson(const base::Value::List& args);
+ void HandleSetEnabledPolicy(const base::Value::List& args);
+ base::Value::Dict GetPolicyValues();
void HandleListenPoliciesUpdates(const base::Value::List& args);
void HandleReloadPolicies(const base::Value::List& args);
void HandleCopyPoliciesJson(const base::Value::List& args);
diff --git a/components/commerce/core/commerce_feature_list.cc b/components/commerce/core/commerce_feature_list.cc
--- a/components/commerce/core/commerce_feature_list.cc
+++ b/components/commerce/core/commerce_feature_list.cc
@@ -159,8 +159,8 @@ BASE_FEATURE(kCommercePriceTrackingChipExperiment,
#if BUILDFLAG(IS_ANDROID)
BASE_FEATURE(kCommercePriceTrackingRegionLaunched,
- "CommercePriceTrackingRegionLaunched",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "CommercePriceTrackingRegionLaunched", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
#else
BASE_FEATURE(kCommercePriceTrackingRegionLaunched,
"CommercePriceTrackingRegionLaunched",
@@ -227,8 +227,8 @@ BASE_FEATURE(kShoppingList, "ShoppingList", base::FEATURE_DISABLED_BY_DEFAULT);
#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || \
BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
BASE_FEATURE(kShoppingListRegionLaunched,
- "ShoppingListRegionLaunched",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "ShoppingListRegionLaunched", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
#else
BASE_FEATURE(kShoppingListRegionLaunched,
"ShoppingListRegionLaunched",
@@ -273,12 +273,12 @@ BASE_FEATURE(kDiscountConsentV2,
base::FEATURE_ENABLED_BY_DEFAULT);
BASE_FEATURE(kCommerceHintAndroid,
- "CommerceHintAndroid",
- base::FEATURE_DISABLED_BY_DEFAULT);
+ "CommerceHintAndroid", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
BASE_FEATURE(kMerchantWidePromotion,
- "MerchantWidePromotion",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "MerchantWidePromotion", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
BASE_FEATURE(kCodeBasedRBD, "CodeBasedRBD", base::FEATURE_ENABLED_BY_DEFAULT);
@@ -287,11 +287,11 @@ BASE_FEATURE(kChromeCartDomBasedHeuristics,
base::FEATURE_DISABLED_BY_DEFAULT);
BASE_FEATURE(kParcelTracking,
- "ParcelTracking",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "ParcelTracking", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
BASE_FEATURE(kParcelTrackingRegionLaunched,
- "ParcelTrackingRegionLaunched",
- base::FEATURE_DISABLED_BY_DEFAULT);
+ "ParcelTrackingRegionLaunched", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
// Params for Discount Consent V2 in the NTP Cart module.
const char kNtpChromeCartModuleDiscountConsentNtpVariationParam[] =
diff --git a/components/policy/core/browser/browser_policy_connector.cc b/components/policy/core/browser/browser_policy_connector.cc
--- a/components/policy/core/browser/browser_policy_connector.cc
+++ b/components/policy/core/browser/browser_policy_connector.cc
@@ -140,6 +140,9 @@ void BrowserPolicyConnector::RegisterPrefs(PrefRegistrySimple* registry) {
CloudPolicyRefreshScheduler::kDefaultRefreshDelayMs);
registry->RegisterBooleanPref(
policy_prefs::kCloudManagementEnrollmentMandatory, false);
+ // register the pref for user disabled policies
+ registry->RegisterStringPref(
+ policy_prefs::kDisabledDefaultPoliciesList, std::string());
}
} // namespace policy
diff --git a/components/policy/core/common/command_line_policy_provider.cc b/components/policy/core/common/command_line_policy_provider.cc
--- a/components/policy/core/common/command_line_policy_provider.cc
+++ b/components/policy/core/common/command_line_policy_provider.cc
@@ -23,6 +23,9 @@ std::unique_ptr<CommandLinePolicyProvider>
CommandLinePolicyProvider::CreateIfAllowed(
const base::CommandLine& command_line,
version_info::Channel channel) {
+ if ((true))
+ return base::WrapUnique(new CommandLinePolicyProvider(command_line));
+
#if BUILDFLAG(IS_ANDROID)
if (channel == version_info::Channel::STABLE ||
channel == version_info::Channel::BETA) {
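Review bot: The `if ((true)) return ...;` at the top makes the rest of `CreateIfAllowed` unreachable, including the STABLE/BETA channel check visible below, and nothing explains why. The doubled parentheses look like a way to silence unreachable-code warnings; a comment such as `// Always create the provider: it now carries the built-in default policies rather than user-supplied JSON.` would record the intent, and the dead remainder could be removed. Because this provider is now active on release channels, reviewers should confirm that the loader no longer accepts arbitrary policy JSON from the command line (that change is in policy_loader_command_line.cc). The function continues outside the hunk.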
diff --git a/components/policy/core/common/policy_loader_command_line.cc b/components/policy/core/common/policy_loader_command_line.cc
--- a/components/policy/core/common/policy_loader_command_line.cc
+++ b/components/policy/core/common/policy_loader_command_line.cc
@@ -11,6 +11,31 @@
#include "components/policy/core/common/policy_bundle.h"
#include "components/policy/core/common/policy_switches.h"
#include "components/policy/core/common/policy_types.h"
+#include "base/strings/string_split.h"
+#include "components/policy/core/common/policy_map.h"
+#include "components/policy/core/common/policy_namespace.h"
+#include "components/policy/policy_constants.h"
+
+#include "chrome/browser/preloading/preloading_prefs.h"
+#include "chrome/browser/policy/browser_signin_policy_handler.h"
+
+namespace {
+ // adds the policy if the user has allowed it
+ void AddPolicy(
+ const std::vector<std::string>& disabled_policies,
+ policy::PolicyMap& policy_map,
+ const std::string& policy_name,
+ base::Value value) {
+
+ if (std::find(disabled_policies.begin(), disabled_policies.end(), policy_name)
+ == disabled_policies.end()) {
+ policy_map.Set(policy_name,
+ policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE,
+ policy::POLICY_SOURCE_COMMAND_LINE,
+ std::move(value), nullptr);
+ }
+ }
+}
namespace policy {
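Review bot: The two new includes from `chrome/browser/` pull browser-layer headers into `components/policy`, which inverts the usual dependency direction and may fail include checks or break other users of this component (the DEPS rules are not visible here). The enums are only used to produce integer policy values, so consider defining the needed constants locally or moving the list of defaults to the chrome layer. `AddPolicy` also calls `std::find` without `<algorithm>` being included in this hunk; `base::Contains(disabled_policies, policy_name)`, as used in policy_ui_handler.cc, would be shorter and consistent.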
@@ -21,25 +46,108 @@ PolicyLoaderCommandLine::~PolicyLoaderCommandLine() = default;
PolicyBundle PolicyLoaderCommandLine::Load() {
PolicyBundle bundle;
- if (!command_line_->HasSwitch(switches::kChromePolicy))
- return bundle;
- auto policies = base::JSONReader::ReadAndReturnValueWithError(
- command_line_->GetSwitchValueASCII(switches::kChromePolicy),
- base::JSONParserOptions::JSON_ALLOW_TRAILING_COMMAS);
+ PolicyMap& policy_map =
+ bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
- if (!policies.has_value()) {
- VLOG(1) << "Command line policy error: " << policies.error().message;
- return bundle;
- }
- if (!policies->is_dict()) {
- VLOG(1) << "Command line policy is not a dictionary";
- return bundle;
- }
+ // get disabled policies
+ std::string disabled_policies =
+ command_line_->GetSwitchValueASCII(switches::kForceDisabledPolicies);
+ std::vector<std::string> disabled_policies_list =
+ base::SplitString(disabled_policies, ",",
+ base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+
+ // whitelist a future policy.
+ base::Value::List enabled_future_policies;
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kSafeBrowsingEnabled, base::Value(false));
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kSafeBrowsingExtendedReportingEnabled, base::Value(false));
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kScrollToTextFragmentEnabled, base::Value(false));
+
+#if BUILDFLAG(IS_ANDROID)
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kContextualSearchEnabled, base::Value(false));
+#endif
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kEnableMediaRouter, base::Value(false));
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kUrlKeyedAnonymizedDataCollectionEnabled, base::Value(false));
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kTranslateEnabled, base::Value(false));
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kNetworkPredictionOptions,
+ base::Value(static_cast<int>(
+ prefetch::NetworkPredictionOptions::kDisabled)));
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kBrowserSignin,
+ base::Value(static_cast<int>(
+ policy::BrowserSigninMode::kDisabled)));
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kSigninAllowed, base::Value(false));
+
+ // SyncDisabled need a change in policy_templates.json
+ // because is unofficially supported
+ // 1) remove future_on
+ // 2) add android supported_on
+ // and need some changes in code
+ // see https://bugs.chromium.org/p/chromium/issues/detail?id=1141797
+ enabled_future_policies.Append(policy::key::kSyncDisabled);
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kSyncDisabled, base::Value(true));
+
+ // MetricsReportingEnabled need a change in policy_templates.json
+ // because is unofficially supported
+ // 1) remove future_on
+ // 2) add android supported_on
+ // and need some changes in code
+ // set metrics::prefs::kMetricsReportingEnabled to false
+ // same of "Disable various metrics" patch
+ // and deactivate the ui under IsManagedPreference()
+ enabled_future_policies.Append(policy::key::kMetricsReportingEnabled);
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kMetricsReportingEnabled, base::Value(false));
+
+ // Disable shopping list
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kShoppingListEnabled, base::Value(false));
+
+#if !BUILDFLAG(IS_ANDROID)
+ // Disable Google Search Side Panel
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kGoogleSearchSidePanelEnabled, base::Value(false));
+#endif
+
+ // Disable automatic https upgrade
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kHttpsUpgradesEnabled, base::Value(false));
+
+ // Check RSA key usage for server certicates issued by local trust anchors
+ // Enforce TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 expects the digitalSignature key usage bit.
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kRSAKeyUsageForLocalAnchorsEnabled, base::Value(true));
+
+ // Disable Insecure Handshake Hashes
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kInsecureHashesInTLSHandshakesEnabled, base::Value(false));
+
+#if !BUILDFLAG(IS_ANDROID)
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kSideSearchEnabled, base::Value(false));
+#endif
+
+ AddPolicy(disabled_policies_list, policy_map, policy::key::kBlockTruncatedCookies, base::Value(true));
+ // kFirstPartySetsEnabled
+ // kLensCameraAssistedSearchEnabled
+ // kPasswordLeakDetectionEnabled
+ // kPasswordManagerEnabled
+ // kPromptForDownloadLocation
+
+ // kAssistantWebEnabled
+ // BrowsingDataLifetime ??
+ // ClickToCallEnabled
+ // UrlParamFilterEnabled
+ // kSSLErrorOverrideAllowed
+ // kAdvancedProtectionAllowed
+ // kUserFeedbackAllowed
+ // DesktopSharingHubEnabled
+ // kSigninInterceptionEnabled
+
+ policy_map.Set(policy::key::kEnableExperimentalPolicies,
+ policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE,
+ policy::POLICY_SOURCE_COMMAND_LINE,
+ base::Value(enabled_future_policies.Clone()), nullptr);
- bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
- .LoadFrom(policies->GetDict(), POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_MACHINE, POLICY_SOURCE_COMMAND_LINE);
return bundle;
}
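Review bot: Several of the values forced here at `POLICY_LEVEL_MANDATORY` switch protections off rather than on, in particular `kSafeBrowsingEnabled` and `kHttpsUpgradesEnabled` set to `false`, and the comments give no rationale (`// Disable automatic https upgrade` only restates the code). Each security-relevant default should carry a why-comment so downstream reviewers can judge the trade-off, e.g. `// Safe Browsing is disabled because <rationale>.` Separately, the disabled list is split with `base::KEEP_WHITESPACE` while policy_ui_handler.cc splits the same data with `base::TRIM_WHITESPACE`, so an entry with surrounding spaces is shown as disabled in the UI but is still applied here; use `base::TRIM_WHITESPACE` in both places. The `kChromePolicy` JSON is no longer read at all, which is worth stating in the commit message.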
diff --git a/components/policy/core/common/policy_pref_names.cc b/components/policy/core/common/policy_pref_names.cc
--- a/components/policy/core/common/policy_pref_names.cc
+++ b/components/policy/core/common/policy_pref_names.cc
@@ -93,6 +93,9 @@ const char kReadAloudEnabled[] = "policy.read_aloud_enabled";
const char kUserAgentClientHintsGREASEUpdateEnabled[] =
"policy.user_agent_client_hints_grease_update_enabled";
+const char kDisabledDefaultPoliciesList[] =
+ "policy.disabled_default_policies_list";
+
// Boolean policy to allow isolated apps developer mode.
const char kIsolatedAppsDeveloperModeAllowed[] =
"policy.isolated_apps_developer_mode_allowed";
diff --git a/components/policy/core/common/policy_pref_names.h b/components/policy/core/common/policy_pref_names.h
--- a/components/policy/core/common/policy_pref_names.h
+++ b/components/policy/core/common/policy_pref_names.h
@@ -50,6 +50,7 @@ extern const char kUrlAllowlist[];
extern const char kUserPolicyRefreshRate[];
extern const char kIntensiveWakeUpThrottlingEnabled[];
extern const char kUserAgentClientHintsGREASEUpdateEnabled[];
+extern const char kDisabledDefaultPoliciesList[];
#if BUILDFLAG(IS_ANDROID)
extern const char kBackForwardCacheEnabled[];
extern const char kReadAloudEnabled[];
diff --git a/components/policy/core/common/policy_service_impl.cc b/components/policy/core/common/policy_service_impl.cc
--- a/components/policy/core/common/policy_service_impl.cc
+++ b/components/policy/core/common/policy_service_impl.cc
@@ -47,6 +47,9 @@ namespace {
// Metrics should not be enforced so if this policy is set as mandatory
// downgrade it to a recommended level policy.
void DowngradeMetricsReportingToRecommendedPolicy(PolicyMap* policies) {
+ // skip the change to 'Recommended' if the MetricsReportingEnabled
+ // policy is 'Mandatory'.
+ if ((true)) return;
// Capture both the Chrome-only and device-level policies on Chrome OS.
const std::vector<const char*> metrics_keys = {
#if BUILDFLAG(IS_CHROMEOS)
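Review bot: The new comment says the downgrade is skipped "if the MetricsReportingEnabled policy is 'Mandatory'", but `if ((true)) return;` is unconditional, so the whole body of `DowngradeMetricsReportingToRecommendedPolicy` is dead code. Reword the comment to match, e.g. `// Intentionally a no-op in this build: MetricsReportingEnabled keeps the level it was set with.`, and consider removing the unreachable body. The function continues outside the hunk.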
diff --git a/components/policy/core/common/policy_switches.cc b/components/policy/core/common/policy_switches.cc
--- a/components/policy/core/common/policy_switches.cc
+++ b/components/policy/core/common/policy_switches.cc
@@ -24,6 +24,8 @@ const char kChromePolicy[] = "policy";
// (go/crosman-file-storage-server) to upload log and support packet files.
const char kFileStorageServerUploadUrl[] = "file-storage-server-upload-url";
+const char kForceDisabledPolicies[] = "force-disable-policies";
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
// Disables the verification of policy signing keys. It just works on Chrome OS
// test images and crashes otherwise.
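Review bot: `kForceDisabledPolicies` is added without a description although the neighbouring switches are documented, and the constant name (`Disabled`) does not match the switch string `force-disable-policies`. Suggest `// Comma-separated list of built-in default policy names that must not be applied.` and aligning the two spellings so the switch is easy to search for.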
diff --git a/components/policy/core/common/policy_switches.h b/components/policy/core/common/policy_switches.h
--- a/components/policy/core/common/policy_switches.h
+++ b/components/policy/core/common/policy_switches.h
@@ -19,6 +19,7 @@ extern const char kEncryptedReportingUrl[];
extern const char kChromePolicy[];
extern const char kSecureConnectApiUrl[];
extern const char kFileStorageServerUploadUrl[];
+extern const char kForceDisabledPolicies[];
#if BUILDFLAG(IS_CHROMEOS_ASH)
extern const char kDisablePolicyKeyVerification[];
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
diff --git a/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml b/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml
--- a/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml
+++ b/components/policy/resources/templates/policy_definitions/Miscellaneous/SyncDisabled.yaml
@@ -13,7 +13,6 @@ features:
dynamic_refresh: true
per_profile: true
future_on:
-- android
- fuchsia
items:
- caption: Disable <ph name="CHROME_SYNC_NAME">Chrome Sync</ph>
@@ -30,6 +29,7 @@ supported_on:
- chrome.*:8-
- chrome_os:11-
- ios:96-
+- android:8-
tags:
- filtering
- google-sharing
diff --git a/components/policy/resources/webui/policy_row.html b/components/policy/resources/webui/policy_row.html
--- a/components/policy/resources/webui/policy_row.html
+++ b/components/policy/resources/webui/policy_row.html
@@ -163,6 +163,7 @@ a {
<div class="policy row" role="row">
<div class="name" role="rowheader" aria-labelledby="name">
<a class="link" target="_blank">
+ <input type="checkbox" class="enabled_box">
<span id="name"></span>
<img src="chrome://resources/images/open_in_new.svg">
</a>
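Review bot: The new `<input type="checkbox" class="enabled_box">` is placed inside `<a class="link" target="_blank">`, so an interactive control is nested in an anchor. That is invalid HTML content, and when the anchor has an href a click on the box can also open the help link in a new tab. The checkbox also has no accessible name. Moving it to sit before the `<a>` inside the `name` cell and giving it an `aria-label` (or an associated `<label>`) would fix both.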
diff --git a/components/policy/resources/webui/policy_row.ts b/components/policy/resources/webui/policy_row.ts
--- a/components/policy/resources/webui/policy_row.ts
+++ b/components/policy/resources/webui/policy_row.ts
@@ -15,6 +15,7 @@ import {getTemplate} from './policy_row.html.js';
export interface Policy {
ignored?: boolean;
name: string;
+ disabled: boolean;
level: string;
link?: string;
scope: string;
@@ -56,6 +57,9 @@ export class PolicyRowElement extends CustomElement {
const copy = this.shadowRoot!.querySelector('.copy-value');
copy!.addEventListener('click', () => this.copyValue_());
+ const enabledBox = this.shadowRoot!.querySelector('.enabled_box');
+ enabledBox!.addEventListener('change', () => this.enabledChanged_());
+
this.setAttribute('role', 'rowgroup');
this.classList.add('policy-data');
}
@@ -94,6 +98,9 @@ export class PolicyRowElement extends CustomElement {
this.toggleAttribute('no-help-link', true);
}
+ const enabledBox = <HTMLInputElement>this.shadowRoot!.querySelector('.enabled_box');
+ enabledBox!.checked = !policy.disabled;
+
// Populate the remaining columns with policy scope, level and value if a
// value has been set. Otherwise, leave them blank.
if (!this.unset_) {
@@ -226,6 +233,11 @@ export class PolicyRowElement extends CustomElement {
}
}
+ enabledChanged_() {
+ const enabledBox = <HTMLInputElement>this.shadowRoot!.querySelector('.enabled_box');
+ chrome.send('setEnabledPolicy', [this.policy.name, enabledBox.checked]);
+ }
+
// Copies the policy's value to the clipboard.
private copyValue_() {
const policyValueDisplay =
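Review bot: `enabledChanged_()` is declared without the `private` modifier that `copyValue_()` directly below it uses, and it has no comment, while its neighbour does; `private enabledChanged_() {` with a one-line comment such as `// Sends the new enabled state of this policy to the browser.` would match the file. The `<HTMLInputElement>` cast could be written as `querySelector<HTMLInputElement>('.enabled_box')` to avoid the angle-bracket assertion. The handler for `'setEnabledPolicy'` is outside this hunk. Because the message changes which policies are enforced, it is worth confirming there that the name is validated against the known policy list and the second argument is checked to be a boolean before anything is stored.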
diff --git a/components/policy_strings.grdp b/components/policy_strings.grdp
--- a/components/policy_strings.grdp
+++ b/components/policy_strings.grdp
@@ -588,8 +588,8 @@ Additional details:
<message name="IDS_POLICY_SOURCE_DEFAULT" desc="Indicates that a policy is set by default and can be overridden.">
Default
</message>
- <message name="IDS_POLICY_SOURCE_COMMAND_LINE" desc="Indicates that a policy is set by command line switch for testing purpose.">
- Command line
+ <message name="IDS_POLICY_SOURCE_COMMAND_LINE" desc="Indicates that a policy is set by bromite.">
+ Bromite default
</message>
<message name="IDS_POLICY_SOURCE_CLOUD" desc="Indicates that the policy originates from the cloud.">
Cloud
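Review bot: Relabelling `IDS_POLICY_SOURCE_COMMAND_LINE` as "Bromite default" changes what chrome://policy reports for every policy coming from the command-line provider. If that provider can still pick up values from an actual command-line switch (its loader is patched outside this hunk, so this is not confirmed here), such a policy would be shown as a built-in default and a user reviewing the page could not tell the two apart. A separate source string for the built-in defaults would keep the attribution accurate. The `desc` text would also read better as a full sentence naming the product, e.g. `desc="Indicates that a policy is set by the browser's built-in defaults."`.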
diff --git a/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc b/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc
--- a/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc
+++ b/components/signin/internal/identity_manager/gaia_cookie_manager_service.cc
@@ -469,6 +469,8 @@ void GaiaCookieManagerService::RegisterPrefs(PrefRegistrySimple* registry) {
}
void GaiaCookieManagerService::InitCookieListener() {
+ // Make GaiaCookieManagerService compliant to SigninAllowed policy
+ if (!signin_client_->AreSigninCookiesAllowed()) return;
DCHECK(!cookie_listener_receiver_.is_bound());
network::mojom::CookieManager* cookie_manager =
@@ -891,6 +893,8 @@ void GaiaCookieManagerService::OnSetAccountsFinished(
}
void GaiaCookieManagerService::HandleNextRequest() {
+ // Make GaiaCookieManagerService compliant to SigninAllowed policy
+ if (!signin_client_->AreSigninCookiesAllowed()) requests_.clear();
VLOG(1) << "GaiaCookieManagerService::HandleNextRequest";
if (requests_.front().request_type() ==
GaiaCookieRequestType::LIST_ACCOUNTS) {
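Review bot: After `requests_.clear()` on the added line, the next statement still evaluates `requests_.front().request_type()`, which reads the front of an empty queue whenever sign-in cookies are disallowed. The front()/pop logic needs to be skipped in that case, for example by wrapping it in `if (!requests_.empty()) { ... }` so that control falls through to the code that handles an empty queue. Clearing also discards queued requests without running any completion callbacks they may carry; that part of the class is not visible here, so it should be checked. HandleNextRequest continues past the end of this hunk.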
diff --git a/google_apis/gaia/gaia_auth_fetcher.cc b/google_apis/gaia/gaia_auth_fetcher.cc
--- a/google_apis/gaia/gaia_auth_fetcher.cc
+++ b/google_apis/gaia/gaia_auth_fetcher.cc
@@ -482,6 +482,7 @@ void GaiaAuthFetcher::StartListAccounts() {
}
}
})");
+ LOG(INFO) << "---CreateAndStartGaiaFetcher";
CreateAndStartGaiaFetcher(
" ", // To force an HTTP POST.
kFormEncodedContentType, "Origin: https://www.google.com",
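Review bot: The added `LOG(INFO) << "---CreateAndStartGaiaFetcher";` looks like a leftover debugging trace: it writes to the log at INFO level on every `StartListAccounts()` call and the message does not name the calling function. If the trace is wanted, `VLOG(1) << "GaiaAuthFetcher::StartListAccounts";` keeps it out of default logs and matches the `VLOG(1)` style used in gaia_cookie_manager_service.cc; otherwise the line can be dropped. The function body extends beyond this hunk.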
--
2.25.1