Remove unsupported components in brave://components

[jumde]

Description

Components like MEI preload, Legacy TLS Deprecation Configuration and Origin Trials are not supported by Brave. We should clean up the list to only list components supported by Brave.

Steps to Reproduce

1. Navigate to brave://components

Actual result:

Unsupported components are displayed.

Expected result:

Should not be displayed

Reproduces how often:

Easily

Brave version (brave://version info)

1.4.96 Chromium: 80.0.3987.132 (Official Build) (64-bit)

Version/Channel Information:

All Channels

[mherrmann]

I am looking into this issue because it needs to be implemented before my fix for #10464 can be merged.

@jumde suggested we remove those components that appear with version 0.0.0.0 in brave://components when a clean installation of Brave is started. As of Brave Nightly 1.19.44 on Linux and Brave Nightly 1.20.8 on Windows and macOS, this list is:

• Legacy TLS Deprecation Configuration: bklopemakmnopmghhmccadeonafabnal
• Federated Learning of Cohorts: cmahhnpholdijhjokonmfdjbfmklppij
• Autofill States Data: eeigpngbgcognadeebkilcpcaedhellh
• Subresource Filter Rules: gcmjkmgdlgnkkcocmoeiminaijmmjnii
• Crowd Deny: ggkkehgbnfjpeggfpleeakpidbkibbmn
• Certificate Error Assistant: giekcmmlnklenlaomppkphknjmnnpneh
• Safety Tips: jflookgnkcckhobaglndicnbbgbonegd
• Origin Trials: llkgjffcdpffmhiakmfcdcblohccpfmo
• Zxcvbn Data Dictionaries: ojhpjlocmbogdgmfpkhlaaeamibhnphh

On Android, Brave stable 1.17.74 has the above components at 0.0.0.0, plus:

• CRLSet: hfnkpimlhhgieaddgfemjhofmfblmnib
• Optimization Hints: lmelglejhemejginpboagddgdfbepgmp
• OnDeviceHeadSuggest: obedbbhbpmojnkanicioggnmelmoomoc

[mherrmann]

An interesting first finding is that Chromium's source code doesn't mention the IDs I quoted above, except in comments. For example safety_tips_component_installer.cc:

// The SHA256 of the SubjectPublicKeyInfo used to sign the extension.
// The extension id is: jflookgnkcckhobaglndicnbbgbonegd
const uint8_t kSafetyTipsPublicKeySHA256[32] = {
    0x95, 0xbe, 0xea, 0x6d, 0xa2, 0x2a, 0x7e, 0x10, 0x6b, 0xd3, 0x82,
    0xd1, 0x16, 0x1e, 0xd4, 0x63, 0x21, 0xfe, 0x79, 0x5d, 0x02, 0x30,
    0xc2, 0xcf, 0x4a, 0x9c, 0x8a, 0x39, 0xcc, 0x4a, 0x00, 0xce};

Per https://chromium.googlesource.com/chromium/src/+/lkgr/components/component_updater/README.md, the string jflookgnkcckhobaglndicnbbgbonegd can be obtained from this array by discarding the first half and rendering as hexadecimal using the characters a-p. For example: 0x95 becomes "the 10th char in abc...p followed by the 6th char in abc...p", which is jf.

It would be nice to have an implementation for blacklisting unwanted components in Brave that simply keeps a list of the string ids jflookgnkcckhobaglndicnbbgbonegd. A logical place for this would be ComponentInstaller::Register, which is called from places like RegisterTLSDeprecationConfigComponent.

[fmarier]

Looks like this might be broken. I checked the latest nightly (Version 1.20.40 Chromium: 88.0.4315.5 (Official Build) nightly (64-bit)) and a fresh build of master and I can still see all of disabled 0.0.0.0 components.

[mherrmann]

I'm looking into it. From what I see so far, it appears as if the override in Brave that should prevent the components from being installed does not get called. The override blocks unwanted components by their ID. I already ruled out that those IDs have changed. Will update here as I obtain more info.

[mherrmann]

The override is called, even with the correct component IDs, but fails to identify them as disallowed. Still investigating.

[mherrmann]

Fixed in brave/brave-core#7496. @fmarier you could test the binaries there if you like.

[mherrmann]

Checked in Nightly v1.20.48 that my fix in brave/brave-core#7496 worked. On Linux with an empty profile, the components are not there:

[fmarier]

It works for me too (Nightly). Thanks for the follow-up fix!

[mherrmann]

Sure. Sorry for the initial bug.

[LaurenWags]

@fmarier @mherrmann @jumde I'm still seeing the following components from #8709 (comment) listed on brave://components in 1.20.x, however I believe this is expected per other issues in this milestone, correct?

Crowd Deny - expected per #13426
Certificate Error Assistant - expected per #13010
Safety Tips - expected per #12999

All other components listed have non-zero version numbers:

[jumde]

@LaurenWags - That is correct.

[LaurenWags]

Verified passed with

Brave | 1.20.88 Chromium: 88.0.4324.96 (Official Build) dev (x86_64)
-- | --
Revision | 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS | macOS Version 10.15.7 (Build 19H15)

Verified components listed in #8709 (comment) are not shown on brave://components except for:

Crowd Deny - per #13426
Certificate Error Assistant - per #13010
Safety Tips - per #12999

All components listed on brave://components have non-zero version numbers:

---

Verification passed on

Brave | 1.20.88 Chromium: 88.0.4324.96 (Official Build) dev (64-bit)
-- | --
Revision | 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS | Windows 10 OS Version 2004 (Build 19041.746)

Verified components listed in #8709 (comment) are not shown on brave://components

---

Verification passed on

Brave	1.20.88 Chromium: 88.0.4324.96 (Official Build) dev (64-bit)
Revision	68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS	Ubuntu 18.04 LTS

Verified components listed in #8709 (comment) are not shown on brave://components except for:

Crowd Deny - per #13426
Certificate Error Assistant - per #13010
Safety Tips - per #12999

All components listed on brave://components have non-zero version numbers:

[GeetaSarvadnya]

@fmarier @mherrmann @jumde In Windows 10 x64 - Dev build 1.20.88, I am seeing Hyphenation components. Is this expected? (I don't see this component in macOS)

[fmarier]

I am seeing Hyphenation components. Is this expected? (I don't see this component in macOS)

I'm not sure why it's not avaiable on Mac because I can also see it on Linux, but it is supposed to be enabled: https://bravesoftware.slack.com/archives/C8MP8ME4C/p1607477451338100?thread_ts=1607461532.330600&cid=C8MP8ME4C

I added it to the list on https://github.com/brave/brave-browser/wiki/Brave-Components.

[LaurenWags]

@jumde do you see Hyphenation on macOS, I do not.

[jumde]

No Hyphenation on macOS, will debug