[Desktop] Review non-registered components

[fmarier]

@bsclifton found that the root cause for #10607 (comment) is that we don't register a necessary component.

It would be good to review the list of components we don't install to make sure there's nothing we should enable:

• Subresource Filter Rules
• Certificate Error Assistant (Enable certificate error assistant #13010)
• Safety Tips ([Security] Enable Safety Tips #12999)
• File Type Policies (Re-enable download protection remote lookups #6267)
• Zxcvbn Data Dictionaries

Going forward, is there a way we can detect new ones and file issues for deciding what to do with them?

[fmarier]

• File Types Policies

This is used by Safe Browsing and is a dependency of #6267.

[jumde]

Wiki in progress: https://github.com/brave/brave-browser/wiki/Brave-Components

[jumde]

Reached out to Andrew Whalley to check if Safety Tips and Certificate Error Assistant are still being maintained.

[mherrmann]

@jumde In the wiki, are you sure Legacy TLS Deprecation Configuration should be unsupported? See #10607 (comment).

[mherrmann]

Just to mention here that this is related to my PR brave/brave-core#7164. In short: I think Brave currently relies on a bug to not install unwanted components. My PR would fix this bug. So any solution to this issue should probably not rely on the bug being there. @jumde pointed out that the correct way to prevent a component from being installed is to not register it in the first place. Eg. by overriding functions like RegisterSafetyTipsComponent.

[mherrmann]

Also linking #8709 here because I think it is very closely related.

[fmarier]

@jumde In the wiki, are you sure Legacy TLS Deprecation Configuration should be unsupported? See #10607 (comment).

Our fix isn't particularly obvious, but basically we replaced Chrome's list of exceptions with an empty list. So we disable TLS 1.0 and 1.1 for all sites, no exceptions. Therefore there is no need to load the component which updates Chrome's list.

[mherrmann]

Therefore there is no need to load the component which updates Chrome's list.

Do you mean the component should not be updated, or it should not be present in Brave at all? Or does it not matter?

[fmarier]

Do you mean the component should not be updated, or it should not be present in Brave at all? Or does it not matter?

The component is not needed at all in Brave. It doesn't need to be updated or even be present.

[mherrmann]

Got it, thank you. Who can tell us which components exactly should and shouldn't be in Brave?

[jumde]

@mherrmann - I think just installing the components with a non-zero (0.0.0.0) version number on start (in nightly) makes sense. You can enable Crowd Deny as well to resolve #10280.

[mherrmann]

Thank you @jumde. Do you mean that the answer to my question "which components should not be installed" is "those components that show up with version 0.0.0.0 when Brave is installed from scratch"?

[jumde]

Issues to track enabling:

1. Safety Tips: [Security] Enable Safety Tips #12999
2. Certificate Error Assistant: Enable certificate error assistant #13010

[fmarier]

All components have been reviewed and issues have been filed.