improve: add additional chromium hardening via policy

config/files/usr/etc/chromium/policies/managed/hardening.json

@@ -0,0 +1,30 @@
+{
+	"DefaultJavaScriptJitSetting": 2,
+	"DefaultSensorsSetting": 2,
+	"EnableMediaRouter": false,
+	"SuggestedContentEnabled": false,
+	"AccessibilityImageLabelsEnabled": false,
+	"BackgroundModeEnabled": false,
+	"BlockThirdPartyCookies": true,
+	"ChromeCleanupReportingEnabled": false,
+	"ChromeVariations": 1,
+	"ClickToCallEnabled": false,
+	"DnsOverHttpsMode": "automatic",
+	"HttpsOnlyMode": "force_enabled",
+	"MediaRecommendationsEnabled": false,
+	"MetricsReportingEnabled": false,
+	"NetworkPredictionOptions": 2,
+	"PaymentMethodQueryEnabled": false,
+	"PromotionalTabsEnabled": false,
+	"RemoteDebuggingAllowed": false,
+	"SafeSitesFilterBehavior": 0,
+	"SearchSuggestEnabled": false,
+	"SharedClipboardEnabled": false,
+	"ShowFullUrlsInAddressBar": true,
+	"SpellCheckServiceEnabled": false,
+	"SyncDisabled": true,
+	"TranslateEnabled": false,
+	"UrlKeyedAnonymizedDataCollectionEnabled": false,
+	"WebRtcEventLogCollectionAllowed": false,
+	"WebRtcIPHandling": "disable_non_proxied_udp"
+}

config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md

@@ -0,0 +1,85 @@
+*The policies set here are a subset of those found in the [brace policy file](https://github.com/divestedcg/Brace/blob/master/brace/etc/chromium/policies/managed/brace.json). All policies that are deprecated, identical to the default, or only for ChromeOS have been removed.*
+
+*Disable Javascript JIT*
+"DefaultJavaScriptJitSetting": 2
+
+*Do not allow any site to access sensors*
+"DefaultSensorsSetting": 2
+
+*Disable Google Cast*
+"EnableMediaRouter": false
+
+*Disable Suggested Content*
+"SuggestedContentEnabled": false
+
+*Disable fetching labels for unlabelled images*
+"AccessibilityImageLabelsEnabled": false
+
+*Disable background mode*
+"BackgroundModeEnabled": false
+
+*Disable third party cookies*
+"BlockThirdPartyCookies": true
+
+*Don't report Chrome Cleanup results*
+"ChromeCleanupReportingEnabled": false
+
+*Permit Chrome Variations only for critical fixes*
+"ChromeVariations": 1
+
+*Disable click to call*
+"ClickToCallEnabled": false
+
+*Automatically use DNS-over-HTTPS if it's available*
+"DnsOverHttpsMode": "automatic"
+
+*Force enable HTTPS-Only Mode*
+"HttpsOnlyMode": "force_enabled"
+
+*Hide media recommendations*
+"MediaRecommendationsEnabled": false
+
+*Disable usage and crash reporting*
+"MetricsReportingEnabled": false
+
+*Disable network prediction*
+"NetworkPredictionOptions": 2
+
+*Disable payment method API*
+"PaymentMethodQueryEnabled": false
+
+*Disable full-tab promotions*
+"PromotionalTabsEnabled": false
+
+*Disable remote debugging*
+"RemoteDebuggingAllowed": false
+
+*Disable sending URLs for content filtering*
+"SafeSitesFilterBehavior": 0
+
+*Disable search suggestions*
+"SearchSuggestEnabled": false
+
+*Disable cross-device clipboard sharing*
+"SharedClipboardEnabled": false
+
+*Show full urls in the address bar*
+"ShowFullUrlsInAddressBar": true
+
+*Disable online spellchecking service*
+"SpellCheckServiceEnabled": false
+
+*Disable sync services*
+"SyncDisabled": true
+
+*Disable translate services*
+"TranslateEnabled": false
+
+*Disable URL-keyed anonymized data collection*
+"UrlKeyedAnonymizedDataCollectionEnabled": false
+
+*Disable WebRTC event log collection and uploading*
+"WebRtcEventLogCollectionAllowed": false
+
+*For WebRTC, use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy.*
+"WebRtcIPHandling": "disable_non_proxied_udp"