From 8654a613a107f890d0fc0aca975e8026c5d70680 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Mon, 4 Dec 2023 23:26:00 -0700
Subject: [PATCH] Add uBO Lite whitelist

Signed-off-by: Tommy
---
 Linux/managed.json | 8 ++++++++
 README.md | 1 +
 macOS/Managed Preferences/com.microsoft.Edge.plist | 14 ++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/Linux/managed.json b/Linux/managed.json
index e65ae29..5e92c06 100644
--- a/Linux/managed.json
+++ b/Linux/managed.json
@@ -13,6 +13,14 @@
 "SpotlightExperiencesAndRecommendationsEnabled": false,
 "FeatureFlagOverridesControl": 1,
 "ExtensionInstallBlocklist": [ "*" ],
+ "ExtensionSettings": {
+ "ddkjiahejlhfcafbddmgiahcphecmpfh": {
+ "installation_mode": "allowed",
+ "update_url": "https://clients2.google.com/service/update2/crx",
+ "override_update_url": true,
+ "sidebar_auto_open_blocked": true
+ }
+ },
 "GamerModeEnabled": false,
 "WindowsHelloForHTTPAuthEnabled": false,
 "ImmersiveReaderGrammarToolsEnabled": false,
diff --git a/README.md b/README.md
index e5f9db2..07ba7da 100644
--- a/README.md
+++ b/README.md
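Review bot: The new `ddkjiahejlhfcafbddmgiahcphecmpfh` entry sets `installation_mode` to `allowed` but leaves the extension's host access entirely to whatever the user grants, which is exactly the gap the README hunk in this same commit records as an open risk. ExtensionSettings supports per-extension `runtime_blocked_hosts` (and `blocked_permissions`), which cap what an extension can reach regardless of user grants, so the concern can likely be addressed in policy rather than by advising corporate deployments to drop the whitelist; a line such as `"runtime_blocked_hosts": ["*://*"]` (constructed sample — verify the pattern syntax against the Edge ExtensionSettings policy reference) inside the extension's object is the place to try it. Whether blocking runtime host access still leaves uBO Lite's declarativeNetRequest-based filtering functional cannot be confirmed from the hunk and should be tested before adopting it. The same point applies to the mirrored macOS entry in the com.microsoft.Edge.plist hunk of this patch, whose XML tags appear to have been stripped in this rendering. The enclosing JSON object continues outside the hunk.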
@@ -8,6 +8,7 @@ For corporate environments, you will need make approprieate changes, including b
 - Disable `DeveloperToolsAvailability`. Users can be tricked into running malicious code in the browser console otherwise.
 - Set `DefaultWebUsbGuardSetting` to "Block". In most cases, the websites will never need to use this API. I need it to flash GrapheneOS and StockOS on my phones.
 - Set `DefaultJavaScriptJitSetting` to "Block". This will prevent users from adding exceptions to Enhanced Security Mode.
+- Remove the uBlockOrigin Lite extension whitelist. I am not aware of any way to block users from granting uBlockOrigin Lite access to all content on a website, which is a security risk. If you know of a way to enforce that the extension runs permission-less, please let me know.
 - Further restrict permissions that websites can prompt for.
 - Consider removing the `Disable3DAPIs` policy. Currently, WebGL is disabled in my policies and a few sites will break, so whether to do this highly depends on your organization.
 - Consider mandating that `SmartScreenEnabled` is set to disabled. `TyposquattingCheckerEnabled` is also potentially invasive, though I have not confirmed this. Please make an issue to let me know of your findings.
diff --git a/macOS/Managed Preferences/com.microsoft.Edge.plist b/macOS/Managed Preferences/com.microsoft.Edge.plist
index c64e9f0..151bd0b 100644
--- a/macOS/Managed Preferences/com.microsoft.Edge.plist
+++ b/macOS/Managed Preferences/com.microsoft.Edge.plist
@@ -34,6 +34,20 @@ * + ExtensionSettings + + ddkjiahejlhfcafbddmgiahcphecmpfh + + installation_mode + allowed + update_url + https://clients2.google.com/service/update2/crx + override_update_url + + sidebar_auto_open_blocked + + + GamerModeEnabled WindowsHelloForHTTPAuthEnabled