fix: remove --disable-extensions-except to allow enterprise policy extensions

rgarcia · rgarcia · commit 25459561c311 · 2026-01-26T16:00:10.000-05:00
The --disable-extensions-except flag causes Chrome to set extensions_enabled_
to false, which prevents external providers (including the policy loader) from
being created. This means Chrome never attempts to fetch force-installed
extensions via ExtensionInstallForcelist enterprise policy.

Changes:
- Remove --disable-extensions-except from chromium.go flag generation
- Remove --disable-extensions-except from wrapper.sh proxy extension setup
- Update MergeExtensionPath to only use --load-extension
- Update e2e test to upload kernel-like extension first (mirrors production)

The fix allows enterprise policy extensions to be fetched and installed while
still loading the kernel extension via --load-extension.

See Chromium source: extension_service.cc - external providers are only
created when extensions_enabled() returns true.
diff --git a/images/chromium-headless/image/wrapper.sh b/images/chromium-headless/image/wrapper.sh
@@ -44,11 +44,12 @@ fi
 export HOSTNAME="${HOSTNAME:-kernel-vm}"
 
 # if CHROMIUM_FLAGS is not set, default to the flags used in playwright_stealth
+# NOTE: --disable-background-networking was intentionally removed because it prevents
+# Chrome from fetching extensions via ExtensionInstallForcelist enterprise policy.
+# Enterprise extensions require Chrome to make HTTP requests to fetch update.xml and .crx files.
 if [ -z "${CHROMIUM_FLAGS:-}" ]; then
-  # NOTE: --disable-background-networking was intentionally removed because it prevents
-  # Chrome from fetching extensions via ExtensionInstallForcelist enterprise policy.
-  # Enterprise extensions require Chrome to make HTTP requests to fetch update.xml and .crx files.
-  CHROMIUM_FLAGS="--accept-lang=en-US,en \
+  CHROMIUM_FLAGS=" \
+    --accept-lang=en-US,en \
     --allow-pre-commit-input \
     --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 \
     --crash-dumps-dir=/tmp/chromium-dumps \
@@ -78,8 +79,10 @@ if [ -z "${CHROMIUM_FLAGS:-}" ]; then
     --enable-use-zoom-for-dsf=false \
     --export-tagged-pdf \
     --force-color-profile=srgb \
+    --headless=new \
     --hide-crash-restore-bubble \
     --hide-scrollbars \
+    --ignore-certificate-errors \
     --metrics-recording-only \
     --mute-audio \
     --no-default-browser-check \
@@ -88,10 +91,12 @@ if [ -z "${CHROMIUM_FLAGS:-}" ]; then
     --no-service-autorun \
     --ozone-platform=headless \
     --password-store=basic \
+    --start-maximized \
     --unsafely-disable-devtools-self-xss-warnings \
     --use-angle=swiftshader \
     --use-gl=angle \
-    --use-mock-keychain"
+    --use-mock-keychain \
+    --window-size=1512,982"
 fi
 export CHROMIUM_FLAGS
 
@@ -117,7 +122,7 @@ if [[ "${RUN_AS_ROOT:-}" != "true" ]]; then
   done
 
   # Ensure correct ownership (ignore errors if already correct)
-  chown -R kernel:kernel /home/kernel /home/kernel/user-data /home/kernel/.config /home/kernel/.pki /home/kernel/.cache 2>/dev/null || true
+  chown -R kernel:kernel /home/kernel /home/kernel/user-data /home/kernel/.config /home/kernel/.pki /home/kernel/.cache /home/kernel/extensions 2>/dev/null || true
   # Make policy directory writable for runtime updates
   chown -R kernel:kernel /etc/chromium/policies 2>/dev/null || true
 else
@@ -137,6 +142,39 @@ else
   done
 fi
 
+# ------------------------------------------------------------------
+# Proxy extension setup ------------------------------------------------
+# ------------------------------------------------------------------
+# Determine whether we have proxy credentials
+have_proxy_creds=false
+if [[ -n "${PROXY_HOST:-}" ]] && [[ -n "${PROXY_PORT:-}" ]] \
+   && [[ -n "${PROXY_USERNAME:-}" ]] && [[ -n "${PROXY_PASSWORD:-}" ]]; then
+  have_proxy_creds=true
+fi
+
+# If proxy creds present, template the chromeproxy background script
+if [[ "$have_proxy_creds" == true ]]; then
+  echo "Detected proxy configuration - preparing chromeproxy extension"
+  EXT_BASE="/home/kernel/extensions"
+  PROXY_AUTH_EXTENSION_PATH="$EXT_BASE/chromeproxy"
+  BACKGROUND_JS="$PROXY_AUTH_EXTENSION_PATH/background.js"
+  BACKGROUND_JS_TEMPLATE="$PROXY_AUTH_EXTENSION_PATH/background.js.template"
+
+  cp "$BACKGROUND_JS_TEMPLATE" "$BACKGROUND_JS"
+  sed -i "s/PROXY_HOST/${PROXY_HOST}/g" "$BACKGROUND_JS"
+  sed -i "s/PROXY_PORT/${PROXY_PORT}/g" "$BACKGROUND_JS"
+  sed -i "s/PROXY_USERNAME/${PROXY_USERNAME}/g" "$BACKGROUND_JS"
+  sed -i "s/PROXY_PASSWORD/${PROXY_PASSWORD}/g" "$BACKGROUND_JS"
+  ext_list="$EXT_BASE/capmonster,$EXT_BASE/chromeproxy"
+  # Append the necessary Chrome flags unless already present
+  # NOTE: We intentionally do NOT use --disable-extensions-except here because it causes
+  # Chrome to disable external providers (including the policy loader), which prevents
+  # enterprise policy extensions (ExtensionInstallForcelist) from being fetched and installed.
+  if [[ "${CHROMIUM_FLAGS:-}" != *"--load-extension="* ]]; then
+    CHROMIUM_FLAGS="${CHROMIUM_FLAGS:-} --load-extension=${ext_list}"
+  fi
+fi
+
 # -----------------------------------------------------------------------------
 # Dynamic log aggregation for /var/log/supervisord -----------------------------
 # -----------------------------------------------------------------------------
@@ -207,6 +245,8 @@ for i in {1..30}; do
   sleep 0.2
 done
 
+init-envoy.sh
+
 echo "[wrapper] Starting system D-Bus daemon via supervisord"
 supervisorctl -c /etc/supervisor/supervisord.conf start dbus
 for i in {1..50}; do
diff --git a/server/cmd/api/api/chromium.go b/server/cmd/api/api/chromium.go
@@ -260,10 +260,14 @@ func (s *ApiService) UploadExtensionsAndRestart(ctx context.Context, request oap
 
 	// Build flags overlay file in /chromium/flags, merging with existing flags
 	// Only add --load-extension flags for extensions that don't use policy installation
+	// NOTE: We intentionally do NOT use --disable-extensions-except here because it causes
+	// Chrome to disable external providers (including the policy loader), which prevents
+	// enterprise policy extensions (ExtensionInstallForcelist) from being fetched and installed.
+	// See Chromium source: extension_service.cc - external providers are only created when
+	// extensions_enabled() returns true, which is false when --disable-extensions-except is used.
 	var newTokens []string
 	if len(pathsNeedingFlags) > 0 {
 		newTokens = []string{
-			fmt.Sprintf("--disable-extensions-except=%s", strings.Join(pathsNeedingFlags, ",")),
 			fmt.Sprintf("--load-extension=%s", strings.Join(pathsNeedingFlags, ",")),
 		}
 	}
diff --git a/server/e2e/e2e_enterprise_extension_test.go b/server/e2e/e2e_enterprise_extension_test.go
@@ -82,6 +82,17 @@ func runEnterpriseExtensionTest(t *testing.T, image string) {
 	_, err = waitDevtoolsWS(ctx)
 	require.NoError(t, err, "devtools not ready")
 
+	// First upload a simple extension to simulate the kernel extension in production.
+	// This causes Chrome to be launched with --load-extension, which mirrors production
+	// where the kernel extension is always loaded before any enterprise extensions.
+	logger.Info("[test]", "action", "uploading kernel-like extension first (to simulate prod)")
+	uploadKernelLikeExtension(t, ctx, logger)
+
+	// Wait for Chrome to restart with the new flags
+	time.Sleep(3 * time.Second)
+	_, err = waitDevtoolsWS(ctx)
+	require.NoError(t, err, "devtools not ready after kernel extension")
+
 	// Upload the enterprise test extension (with update.xml and .crx)
 	logger.Info("[test]", "action", "uploading enterprise test extension (with update.xml and .crx)")
 	uploadEnterpriseTestExtension(t, ctx, logger)
@@ -138,6 +149,47 @@ func runEnterpriseExtensionTest(t *testing.T, image string) {
 	logger.Info("[test]", "result", "enterprise extension installation test completed")
 }
 
+// uploadKernelLikeExtension uploads a simple extension to simulate the kernel extension.
+// In production, the kernel extension is always loaded before any enterprise extensions,
+// so this ensures the test mirrors that behavior.
+func uploadKernelLikeExtension(t *testing.T, ctx context.Context, logger *slog.Logger) {
+	t.Helper()
+
+	client, err := apiClient()
+	require.NoError(t, err, "failed to create API client")
+
+	// Get the path to the simple test extension (no webRequest, so no enterprise policy)
+	extDir, err := filepath.Abs("test-extension")
+	require.NoError(t, err, "failed to get absolute path to test-extension")
+
+	// Create zip of the extension
+	extZip, err := zipDirToBytes(extDir)
+	require.NoError(t, err, "failed to zip test extension")
+
+	// Upload extension
+	var body bytes.Buffer
+	w := multipart.NewWriter(&body)
+	fw, err := w.CreateFormFile("extensions.zip_file", "kernel-like-ext.zip")
+	require.NoError(t, err)
+	_, err = io.Copy(fw, bytes.NewReader(extZip))
+	require.NoError(t, err)
+	err = w.WriteField("extensions.name", "kernel")
+	require.NoError(t, err)
+	err = w.Close()
+	require.NoError(t, err)
+
+	start := time.Now()
+	rsp, err := client.UploadExtensionsAndRestartWithBodyWithResponse(ctx, w.FormDataContentType(), &body)
+	elapsed := time.Since(start)
+	require.NoError(t, err, "uploadExtensionsAndRestart request error")
+
+	require.Equal(t, http.StatusCreated, rsp.StatusCode(),
+		"expected 201 Created but got %d. Body: %s",
+		rsp.StatusCode(), string(rsp.Body))
+
+	logger.Info("[kernel-ext]", "action", "uploaded kernel-like extension", "elapsed", elapsed.String())
+}
+
 // uploadEnterpriseTestExtension uploads the test extension with update.xml and .crx files.
 // This should trigger enterprise policy handling via ExtensionInstallForcelist.
 func uploadEnterpriseTestExtension(t *testing.T, ctx context.Context, logger *slog.Logger) {
diff --git a/server/lib/chromiumflags/chromiumflags.go b/server/lib/chromiumflags/chromiumflags.go
@@ -184,6 +184,38 @@ func MergeFlagsWithRuntimeTokens(baseFlags string, runtimeTokens []string) []str
 	return MergeFlags(base, runtimeTokens)
 }
 
+// MergeExtensionPath appends an extension path to existing --load-extension flags
+// within an args slice. If the flag exists, the path is appended to its comma-separated
+// list. If it doesn't exist, a new flag is added. This preserves other extensions that
+// may already be configured.
+//
+// NOTE: We intentionally do NOT use --disable-extensions-except here because it causes
+// Chrome to disable external providers (including the policy loader), which prevents
+// enterprise policy extensions (ExtensionInstallForcelist) from being fetched and installed.
+// See Chromium source: extension_service.cc - external providers are only created when
+// extensions_enabled() returns true, which is false when --disable-extensions-except is used.
+func MergeExtensionPath(args []string, extPath string) []string {
+	foundLoad := false
+	result := make([]string, 0, len(args)+1)
+
+	for _, arg := range args {
+		switch {
+		case strings.HasPrefix(arg, "--load-extension="):
+			existing := strings.TrimPrefix(arg, "--load-extension=")
+			result = append(result, "--load-extension="+existing+","+extPath)
+			foundLoad = true
+		default:
+			result = append(result, arg)
+		}
+	}
+
+	if !foundLoad {
+		result = append(result, "--load-extension="+extPath)
+	}
+
+	return result
+}
+
 // WriteFlagFile writes the provided tokens to the given path as JSON in the
 // form: { "flags": ["--foo", "--bar=1"] } with file mode 0644.
 // The function creates or truncates the file.
