Chromium - Privacy-Focused Builds

Discussion in 'other software & services' started by WildByDesign, Oct 5, 2016.

  1. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    751
    Location:
    South Park, CO
    Thanks, Puff MD! After the FF 57 debacle, I've started trialing Chromium again in case the FF problems aren't fixed by ESR 59. So far I'm finding Chromium 62 stable 32-bit to run fairly well on my old Pentium Dual Core W7 laptop with only 3 GB of RAM.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    Both the 32 bit and the 64 bit lkcr (dev) Nik builds have been updated...
    32 bit:
    Sync • WebRTC • Widevine • 64.0.3275.0 (518192) • Tuesday, 21 Nov 2017
    No sync • No WebRTC • No Widevine • 64.0.3275.0 (518192) • Tuesday, 21 Nov 2017
    Chromium for 64-bit and 32-bit Windows (Woolyss)
    v64.0.3275.0-r518192-win32 (GitHub)
    64 bit:
    Sync • WebRTC • Widevine • 64.0.3275.0 (518192) • Tuesday, 21 Nov 2017
    No sync • No WebRTC • No Widevine • 64.0.3275.0 (518192) • Tuesday, 21 Nov 2017
    Chromium for 64-bit Windows only (Woolyss)
    v64.0.3275.0-r518192-win64 (GitHub)
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,184
    gna, just loaded v63 final yesterday and fixed my extension problem (need to pack again with newer build, otherwise "corrupt"). thx

    meh, ist there an flag present to re-enable local installed extensions again?
    v63 fine, but v64 and v66_def refuses to load crx/pem whil unpacked is possible (wtf who ***)
     
    Last edited: Jan 27, 2018
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Group Policy & Chromium

    After several months (quite literally), I have finally figured out how to use Group Policy settings to force settings upon Chromium now. I had always used Group Policy before with Google Chrome which is quite easy to do by copying the templates (https://www.chromium.org/administrators/policy-templates) and getting started. However, those templates do not work with Chromium. You would have to compile Chromium policies from source code and I wanted to figure out an easier way.

    Goal: Anytime I install Chromium or start a brand new user profile, the user profile is setup just the way I like it right from the beginning without having to bother changing dozens of settings. And allow this to scale easily if necessary.

    Per documentation:
    As you would imagine, HKEY_CURRENT_USER covers user level policies while HKEY_LOCAL_MACHINE is machine/system level and therefore covers any and all user profiles create on the system. HKEY_LOCAL_MACHINE is what I wanted.

    Problem: Chrome/Chromium stopped utilizing the registry settings only in the past couple of years and therefore absolutely required you to have the GPO policy templates installed or, in the case of Chromium, compiled policies from source code. This is where I had been stuck for the past couple of months. My machine level policies set for Google Chrome were indeed showing correctly under (chrome://policy/), however, no policies showed there under Chromium and therefore not enforced. Only systems joined to Active Directory will utilize registry policy settings only.

    Solution: Chromium developers have created a brand new internal URL (chrome://policy-tool/) which allows you to enable/modify/set user level policies in Chromium (and Chrome, of course) in a much, much easier method than having to do all of the group policy templates and such. Now, the new Policy Management Tool URL has to be enabled via a Flag before the new internal URL (chrome://policy-tool/) becomes accessible.

    • Enable the following: chrome://flags/#enable-policy-tool
    • Allow Chromium to restart the browser
    • Navigate to chrome://policy-tool/

    Voila, you can now set user level group policy options without having to mess with gpedit.msc or policy templates at all. :thumb:

    Now, I did not care for the user level policies nor did I do much testing with the new chrome://policy-tool/ URL. I did, however, enable and disable several user level policy settings with that new tool. Once I restarted Chromium, it automatically started to enforce the HKEY_LOCAL_MACHINE system level policies which I had previous set in the registry a month or two ago. Those settings were not recognized at all until I played around with the new chrome://policy-tool/ page a bit.

    My registry settings (examples):
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium]
    "SitePerProcess"=dword:00000001
    "AutofillCreditCardEnabled"=dword:00000000
    "AutoFillEnabled"=dword:00000000
    "BackgroundModeEnabled"=dword:00000000
    "BookmarkBarEnabled"=dword:00000001
    "BrowserAddPersonEnabled"=dword:00000000
    "BrowserGuestModeEnabled"=dword:00000000
    "PasswordManagerEnabled"=dword:00000000
    "UserDataDir"="R:\\Chromium\\Profile"
    "ShowHomeButton"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\PluginsAllowedForUrls]
    "1"="https://helpx.adobe.com/flash-player.html"
    "2"="http://get.adobe.com/flashplayer/about/"
    
    
    Keep in mind that the examples above might not work for everyone, as these are just examples. But it shows how to force utilization of a RAMDisk for UserDataDir which I previously had to add that as a command line to the Chromium shortcut. So this is much more smoother of a setup.

    You will also notice that it is possible to force allow/whitelist specific web pages to always allow Flash Player which has been difficult in recent Chrome/Chromium builds via the GUI. Only on certain sites that you absolutely can trust, of course. But this can make things much easier.

    Also, I have force enabled SitePerProcess (Site Isolation) on a system level. Therefore with this setup, I do not have to manually enable the SitePerProcess flag anymore since this is enforced system-wide now.

    Other settings that I prefer Disabled by default, such disabling the built-in password manager, autofill, credit card storing, etc.

    Now that I have this working the way that I like it, I still have to go through many more group policy settings and figure out what else to enable or disable. You can find an entire listing of all available group policy settings at: https://www.chromium.org/administrators/policy-list-3

    You can view your policies anytime at: chrome://policy/

    Click on "Show policies with no value set" to show settings that you have not specifically set.

    If you have added some new policies and want them applied, click the "Reload policies" button and it will apply all of your new policies without having to restart Chromium, although some settings such as SitePerProcess would likely need you to restart the browser to take affect.

    Anyway, that is it for now. I will comment more later if I figure out some more interesting things. :)
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,902
    Location:
    Slovenia, EU
    Back, when I was using Chromium I used GPO to edit policies. I just downloaded templates for Chrome, modified ADM file with text editor (some modifications were logical, some I figured out by trail and error), imported it in Gpedit and modified settings. I changed only some settings but they were working and were honored by Chromium.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    There was an updated release of chrlauncher today that was affecting Windows 10 users downloading updated Chromium builds but did not seem to affect Windows 7 users. It had to do with implementation of TLS 1.2

    Changelog:
    Download: https://github.com/henrypp/chrlauncher/releases/tag/v.2.4.3
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,557
    What exactly is this?

    Question about group policy. Want to push this out to people at my job. Are you able to include extensions or no?
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    chrlauncher is essentially a very tiny, fast and portable executable which takes entire care of downloading, unpacking and launching (also updating) various Chromium builds using the API underlying the Woolyss' Chromium site (https://chromium.woolyss.com/).

    Using the .ini file included in the package (either 32-bit or 64-bit), you can configure which Chromium package you want to use, how often to check for updates, and even a section to add command lines and much more. It's quite handy for users who use Chromium.

    chrlauncher has nothing to do with Group Policy though. That post was entirely different and not related to chrlauncher.


    If you are talking about Group Policy specifically, there are policies which you can force Chromium to download and install extensions at first launch which I use. See here: https://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist

    I always want Chromium to install the original RSS Extension (from Google) so I use:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
    "1"="nlbjncdgjeocebhnmkbbbdekmmmcbfjd;https://clients2.google.com/service/update2/crx"
    That extension code is specific to that RSS Extension, for example. So other extensions have different extension code which you could use this example and modify it and even add more forced extensions.

    The group policy for Chromium also allows Extension whitelist, blacklist, etc. plus much more to customize and secure. Let me know if there is anything specific you want help with regarding the group policy stuff.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Thanks WBD :thumb:.
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,557
    Thank you for all the info sir. I have not even begun to look at creating a GPO yet but need to. Good to know about extensions as I would love to add uBlock if at all possible. I also want to look at chrlauncher too. Question: Can you run Google Chrome and Chromium side by side?
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Last edited: Mar 7, 2018
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Sorry, I forgot to answer this earlier. Yes, absolutely. You can run both side by side and quite literally at the same time. Although in Windows you can only make one of them the Default browser, of course. But you can use the Archive or Portable build of Chromium and extract that anywhere to run from. For example, I run my Chromium builds from RAMDisk for the stable branch build. And I also use chrlauncher to easily play around with canary and dev branch builds of Chromium so that I can verify different new features and such.
     
  18. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    327
    How does one do that?
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Personally, I use the Archive builds from Woolyss' site and extract them into a directory on RAMDisk (SoftPerfect RAMDisk) and therefore run the binaries and profile from RAMDisk. However, using the Archive builds requires you to modify the UserDataDir flag, either by group policy or within the shortcut, and point that toward where you store your profile on RAMDisk.

    Another option is to use the Portable builds from Woolyss' site which will easily and automatically store the profile on RAMDisk once you've extracted the portable build to RAMDisk. No need to mess with UserDataDir with the Portable builds. However, this requires utilizing the chrlauncher program which is included in the Portable builds and chrlauncher has built-in UserDataDir option in it's configuration file along with other flags.
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,557

    Hey man,

    Thank you for the help. Began working on a group policy for Google Chrome Enterprise yesterday. I need to figure out how to install uBlock Origin, but with a specific set of filters. Is that even possible?

    EDIT: Figured out the prompt for download.

    Thanks!
     
    Last edited: Mar 8, 2018
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Trooper You're welcome. You can get it to auto-install uBlock Origin but I believe it would start with default settings. I don't know how to set it with group policy to choose certain filters at that stage unfortunately.
     
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Any plans for woolyss to produce linux versions of its builds ?
     
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,557
    I had a feeling you might say that. I am going to look to just deploy uBlock and see how it goes. Thanks!

    EDIT: New question. I blocked users using the blacklist by adding the * into the GPO and that works. However, now I want to install uBO. I guess I need to whitelist it or force install it? Playing around with it here at work. Thanks.
     
    Last edited: Mar 8, 2018
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That would be the ExtensionInstallForcelist option.
    Code:
    cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
    That should be the correct code for uBlock Origin but I did not test it yet myself.
     
  25. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,557
    Thanks. That is the code I got as well, but for some reason it will not install. Thinking the Blacklist has something to do with it though.

    EDIT: Figured it out. Thanks again man!
     
    Last edited: Mar 8, 2018
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.