fix: stop emitting --disable-extensions-except flag

The --disable-extensions-except flag causes Chrome to set
extensions_enabled() to false, which prevents ExtensionService from
creating external providers (including the enterprise policy loader).
This breaks ExtensionInstallForcelist policy-based extension installation.

Changes:
- MergeFlags() now parses --disable-extensions-except but does NOT
  re-emit it; instead, paths are merged into --load-extension
- Updated tests to reflect new behavior

Author: rgarcia

server/lib/chromiumflags/chromiumflags.go

@@ -119,44 +119,52 @@ func ReadOptionalFlagFile(path string) ([]string, error) {
 // The merging logic respects extension-related flag semantics:
 // 1) If runtime specifies --disable-extensions, it overrides everything extension related
 // 2) Else if base specifies --disable-extensions and runtime does NOT specify any --load-extension, keep base disable
-// 3) Else, build from merged load/except
+// 3) Else, build from merged load-extension paths
+//
+// NOTE: --disable-extensions-except is intentionally parsed but NOT re-emitted because it causes
+// Chrome to disable external providers (including the policy loader), which prevents enterprise
+// policy extensions (ExtensionInstallForcelist) from being fetched and installed.
+// See Chromium source: extension_service.cc - external providers are only created when
+// extensions_enabled() returns true, which is false when --disable-extensions-except is used.
+// Any paths from --disable-extensions-except are merged into --load-extension instead.
+//
 // Non-extension flags from both base and runtime are combined with deduplication (first occurrence preserved).
 func MergeFlags(baseTokens, runtimeTokens []string) []string {
 	// Buckets
 	var (
 		baseNonExt     []string // Non-extension related flags contained in base
 		runtimeNonExt  []string // Non-extension related flags contained in runtime
 		baseLoad       []string // --load-extension flags contained in base
-		baseExcept     []string // --disable-extensions-except flags for base
+		baseExcept     []string // --disable-extensions-except flags for base (parsed but not re-emitted)
 		rtLoad         []string // --load-extension flags contained in runtime
-		rtExcept       []string // --disable-extensions-except flags contained in runtime
+		rtExcept       []string // --disable-extensions-except flags contained in runtime (parsed but not re-emitted)
 		baseDisableAll string   // --disable-extensions flag contained in base
 		rtDisableAll   string   // --disable-extensions flag contained in runtime
 	)
 
 	baseNonExt = parseTokenStream(baseTokens, &baseLoad, &baseExcept, &baseDisableAll)
 	runtimeNonExt = parseTokenStream(runtimeTokens, &rtLoad, &rtExcept, &rtDisableAll)
 
-	// Merge extension lists
+	// Merge extension lists - include paths from --disable-extensions-except in load paths
+	// since we no longer emit --disable-extensions-except
 	mergedLoad := union(baseLoad, rtLoad)
-	mergedExcept := union(baseExcept, rtExcept)
+	mergedLoad = union(mergedLoad, baseExcept)
+	mergedLoad = union(mergedLoad, rtExcept)
 
 	// Construct final extension-related flags respecting override semantics:
 	// 1) If runtime specifies --disable-extensions, it overrides everything extension related
 	// 2) Else if base specifies --disable-extensions and runtime does NOT specify any --load-extension, keep base disable
-	// 3) Else, build from merged load/except
+	// 3) Else, build from merged load-extension paths
 	var extFlags []string
 	if rtDisableAll != "" {
 		extFlags = append(extFlags, rtDisableAll)
 	} else {
-		if baseDisableAll != "" && len(rtLoad) == 0 {
+		if baseDisableAll != "" && len(rtLoad) == 0 && len(rtExcept) == 0 {
 			extFlags = append(extFlags, baseDisableAll)
 		} else if len(mergedLoad) > 0 {
 			extFlags = append(extFlags, "--load-extension="+strings.Join(mergedLoad, ","))
 		}
-		if len(mergedExcept) > 0 {
-			extFlags = append(extFlags, "--disable-extensions-except="+strings.Join(mergedExcept, ","))
-		}
+		// NOTE: --disable-extensions-except is intentionally NOT emitted here
 	}
 
 	// Combine and dedupe (preserving first occurrence)

server/lib/chromiumflags/chromiumflags_test.go

@@ -103,44 +103,17 @@ func TestMergeUnion(t *testing.T) {
 
 func TestOverrideSemantics_DisableBase_LoadRuntime(t *testing.T) {
 	// Base has --disable-extensions, runtime has --load-extension → runtime overrides, no disable-all in final
-	baseFlags := "--disable-extensions"
-	runtimeFlags := "--load-extension=/e1"
+	baseFlags := []string{"--disable-extensions"}
+	runtimeFlags := []string{"--load-extension=/e1"}
 
-	baseTokens := parseFlags(baseFlags)
-	runtimeTokens := parseFlags(runtimeFlags)
-
-	var (
-		baseLoad    []string
-		baseExcept  []string
-		rtLoad      []string
-		rtExcept    []string
-		baseDisable string
-		rtDisable   string
-	)
-
-	_ = parseTokenStream(baseTokens, &baseLoad, &baseExcept, &baseDisable)
-	_ = parseTokenStream(runtimeTokens, &rtLoad, &rtExcept, &rtDisable)
-
-	mergedLoad := union(baseLoad, rtLoad)
-	mergedExcept := union(baseExcept, rtExcept)
-
-	var extFlags []string
-	if rtDisable != "" {
-		extFlags = append(extFlags, rtDisable)
-	} else {
-		if baseDisable != "" && len(rtLoad) == 0 {
-			extFlags = append(extFlags, baseDisable)
-		} else if len(mergedLoad) > 0 {
-			extFlags = append(extFlags, "--load-extension="+strings.Join(mergedLoad, ","))
-		}
-		if len(mergedExcept) > 0 {
-			extFlags = append(extFlags, "--disable-extensions-except="+strings.Join(mergedExcept, ","))
-		}
-	}
+	got := MergeFlags(baseFlags, runtimeFlags)
 
-	for _, f := range extFlags {
+	for _, f := range got {
 		if f == "--disable-extensions" {
-			t.Fatalf("unexpected disable-all in final flags when runtime loads extensions: %#v", extFlags)
+			t.Fatalf("unexpected disable-all in final flags when runtime loads extensions: %#v", got)
+		}
+		if strings.HasPrefix(f, "--disable-extensions-except") {
+			t.Fatalf("unexpected disable-extensions-except in final flags: %#v", got)
 		}
 	}
 }
@@ -285,10 +258,10 @@ func TestMergeFlags(t *testing.T) {
 			want:         []string{"--load-extension=/e1,/e2"},
 		},
 		{
-			name:         "merge disable-extensions-except flags",
+			name:         "disable-extensions-except paths merged into load-extension",
 			baseFlags:    []string{"--disable-extensions-except=/x1"},
 			runtimeFlags: []string{"--disable-extensions-except=/x2"},
-			want:         []string{"--disable-extensions-except=/x1,/x2"},
+			want:         []string{"--load-extension=/x1,/x2"},
 		},
 		{
 			name:         "runtime disable-extensions overrides all",
@@ -312,7 +285,7 @@ func TestMergeFlags(t *testing.T) {
 			name:         "complex merge with extensions and non-extensions",
 			baseFlags:    []string{"--foo", "--load-extension=/e1", "--disable-extensions-except=/x1"},
 			runtimeFlags: []string{"--bar", "--load-extension=/e2", "--disable-extensions-except=/x2"},
-			want:         []string{"--foo", "--bar", "--load-extension=/e1,/e2", "--disable-extensions-except=/x1,/x2"},
+			want:         []string{"--foo", "--bar", "--load-extension=/e1,/e2,/x1,/x2"},
 		},
 	}