Comet Policies and Controls

Policies and controls that can be configured in Comet for Enterprise

Written by Emilio Morales
Updated over a month ago

Comet supports 500+ Chromium-based browser policies that allow you to customize the browsing experience for your organization.

Overview

Browser policies control aspects such as:

  • Extensions - Blocklist, allowlist, and force-install extensions

  • URLs - Block or allow specific websites and URL patterns

  • Bookmarks - Configure managed bookmarks

  • Privacy & Security - Control data collection, cookies, and security settings

  • User Experience - Customize homepage, new tab page, and browser behavior

Applying policies

You can enforce policies on Comet via MDM, just like you would with Chrome.

This allows you to:

  • Allow or block extensions via MDM

  • Apply the same security policies used for Chrome to Comet

  • Maintain consistent browser policy enforcement across your organization

To apply your existing Chrome policies to Comet, simply replace com.google.Chrome with ai.perplexity.comet in your current MDM policy configurations.

Policies available

Name

Description

Supported on

UiAutomationProviderEnabled

Enables the UI Automation accessibility framework provider in Comet for use by accessibility tools.
This policy is supported in Comet for a one-year transition period to allow enterprise administrators to control the deployment of the browser's UI Automation accessibility framework provider. Accessibility and other tools that use the UI Automation accessibility framework to interoperate with the browser may require updates to function properly with the browser's UI Automation provider. Administrators can use this policy to temporarily disable the browser's UI Automation provider (thereby reverting to the old behavior) while they work with vendors to provide updates to impacted tools.
When set to false, Comet only enables its Microsoft Active Accessibility provider. Accessibility and other tools that use the newer UI Automation accessibility framework to interoperate with the browser will communicate with it by way of a compatibility shim in Microsoft® Windows®.
When set to true, Comet enables its UI Automation provider in addition to its Microsoft Active Accessibility provider. Accessibility and other tools that use the newer UI Automation accessibility framework to interoperate with the browser will communicate directly with it.
When left unset, the variations framework in Comet is used to enable or disable the provider.

Windows

CloudAPAuthEnabled

Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider.
By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft® cloud identity provider (i.e., Microsoft® Azure® Active Directory® or the consumer Microsoft® account identity provider) or who have added a work or school account to Microsoft® Windows® can be signed into web properties using that identity automatically. Information pertaining to the user's device and account is transmitted to the user's cloud identity provider for each authentication event.
By setting this policy to 0 (Disabled) or leaving it unset, automatic sign-in as described above is disabled.
This feature is available starting in Microsoft® Windows® 10.
Note: This policy doesn't apply to Incognito or Guest modes.

Windows

IdleTimeout

Triggers an action when the computer is idle.
If this policy is set, it specifies the length of time without user input (in minutes) before the browser runs actions configured via the IdleTimeoutActions policy.
If this policy is not set, no action will be run.
The minimum threshold is 1 minute.
"User input" is defined by Operating System APIs, and includes things like moving the mouse or typing on the keyboard.

macOS, Windows

IdleTimeoutActions

List of actions to run when the timeout from the IdleTimeout policy is reached.
Warning: Setting this policy can impact and permanently remove local personal data. It is recommended to test your settings before deploying to prevent accidental deletion of personal data.
If the IdleTimeout policy is unset, this policy has no effect.
When the timeout from the IdleTimeout policy is reached, the browser runs the actions configured in this policy.
If this policy is empty or left unset, the IdleTimeout policy has no effect.
Supported actions are:
'close_browsers': close all browser windows and PWAs for this profile. Not supported on Android and iOS.
'close_tabs': close all open tabs in open windows. Only supported on iOS.
'show_profile_picker': show the Profile Picker window. Not supported on Android and iOS.
'sign_out': Signs out the current signed in user. Only supported on iOS.
'clear_browsing_history', 'clear_download_history', 'clear_cookies_and_other_site_data', 'clear_cached_images_and_files', 'clear_password_signing', 'clear_autofill', 'clear_site_settings', 'clear_hosted_app_data': clear the corresponding browsing data. See the ClearBrowsingDataOnExitList policy for more details. The types supported on iOS are 'clear_browsing_history', 'clear_cookies_and_other_site_data', 'clear_cached_images_and_files', 'clear_password_signing', and 'clear_autofill'
'reload_pages': reload all webpages. For some pages, the user may be prompted for confirmation first. Not supported on iOS.
The user will stay signed into their Google account when deleting cookies using 'clear_cookies_and_other_site_data'.
Setting 'clear_browsing_history', 'clear_password_signing', 'clear_autofill', and 'clear_site_settings' will disable sync for the respective data types if neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor BrowserSignin is disabled.

macOS, Windows

AlternativeBrowserParameters

Setting the policy to a list of strings means each string is passed to the alternative browser as separate command-line parameters. On Microsoft® Windows®, the parameters are joined with spaces. On macOS and Linux®, a parameter can have spaces and still be treated as a single parameter.
If a parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.
Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable. On macOS and Linux®, ${ABC} is replaced with the value of the ABC environment variable.
Leaving the policy unset means only the URL is passed as a command-line parameter.

macOS, Windows

AlternativeBrowserPath

Setting the policy controls which command to use to open URLs in an alternative browser. The policy can be set to one of ${ie}, ${firefox}, ${safari}, ${opera}, ${edge} or a file path. When this policy is set to a file path, that file is used as an executable file. ${ie} is only available on Microsoft® Windows®. ${safari} and ${edge} are only available on Microsoft® Windows® and macOS.
Leaving the policy unset puts a platform-specific default in use: Internet Explorer® for Microsoft® Windows®, or Safari® for macOS. On Linux®, launching an alternative browser will fail.

macOS, Windows

BrowserSwitcherChromeParameters

Setting the policy to a list of strings means the strings are joined with spaces and passed from Internet Explorer® to Comet as command-line parameters. If a parameter contains ${url}, ${url} is replaced with the URL of the page to open. If no parameter contains ${url}, the URL is appended at the end of the command line.
Environment variables are expanded. On Microsoft® Windows®, %ABC% is replaced with the value of the ABC environment variable.
Leaving the policy unset means Internet Explorer® only passes the URL to Comet as a command-line parameter.
Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.

Windows

BrowserSwitcherChromePath

This policy controls the command to use to open URLs in Comet when switching from Internet Explorer®. This policy can be set to an executable file path or ${chrome} to autodetect the location of Comet.
Leaving the policy unset means Internet Explorer® autodetects Comet's own executable path when launching Comet from Internet Explorer.
Note: If the Legacy Browser Support add-in for Internet Explorer® isn't installed, this policy has no effect.

Windows

BrowserSwitcherDelay

Setting the policy to a number has Comet show a message for that number of milliseconds, then it opens an alternative browser.
Leaving the policy unset or set to 0 means navigating to a designated URL immediately opens it in an alternative browser.

macOS, Windows

BrowserSwitcherEnabled

Setting the policy to Enabled means Comet will try to launch some URLs in an alternate browser, such as Internet Explorer®. This feature is set using the policies in the Legacy Browser support group.
Setting the policy to Disabled or leaving it unset means Comet won't try to launch designated URLs in an alternate browser.

macOS, Windows

BrowserSwitcherExternalGreylistUrl

Setting the policy to a valid URL has Comet download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlGreylist policy. These policies prevent Comet and the alternative browser from opening one another.
Leaving it unset (or set to an invalid URL) means Comet doesn't use the policy as a source of rules for not switching browsers.
Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( ../assets/img/2025fc9855_what-is-enterprise-mode )

macOS, Windows

BrowserSwitcherExternalSitelistUrl

Setting the policy to a valid URL has Comet download the site list from that URL and apply the rules as if they were set up with the BrowserSwitcherUrlList policy.
Leaving it unset (or set to an invalid URL) means Comet doesn't use the policy as a source of rules for switching browsers.
Note: This policy points to an XML file in the same format as Internet Explorer®'s SiteList policy. This loads rules from an XML file, without sharing those rules with Internet Explorer®. Read more on Internet Explorer®'s SiteList policy ( ../assets/img/2025fc9855_what-is-enterprise-mode)

macOS, Windows

BrowserSwitcherKeepLastChromeTab

Setting the policy to Enabled or leaving it unset has Comet keep at least one tab open, after switching to an alternate browser.
Setting the policy to Disabled has Comet close the tab after switching to an alternate browser, even if it was the last tab. This causes Comet to exit completely.

macOS, Windows

BrowserSwitcherParsingMode

This policy controls how Comet interprets sitelist/greylist policies for the Legacy Browser Support feature. It affects the following policies: BrowserSwitcherUrlList, BrowserSwitcherUrlGreylist, BrowserSwitcherUseIeSitelist, BrowserSwitcherExternalSitelistUrl, and BrowserSwitcherExternalGreylistUrl.
If 'Default' (0) or unset, URL matching is less strict. Rules that do not contain "/" look for a substring anywhere in the URL's hostname. Matching the path component of a URL is case-sensitive.
If 'IESiteListMode' (1), URL matching is more strict. Rules that do not contain "/" only match at the end of the hostname. They must also be at a domain name boundary. Matching the path component of a URL is case-insensitive. This is more compatible with Microsoft® Internet Explorer® and Microsoft® Edge®.
For example, with the rules "example.com" and "acme.com/abc":
"http://example.com/", "http://subdomain.example.com/" and "http://acme.com/abc" match regardless of parsing mode.
"http://notexample.com/", "http://example.com.invalid.com/", "http://example.comabc/" only match in 'Default' mode.
"http://acme.com/ABC" only matches in 'IESiteListMode'.

macOS, Windows
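
The two BrowserSwitcherParsingMode behaviours can be compared side by side to see which hosts a site list over-matches in 'Default' mode. The following Python sketch is an added example, not Comet or Chromium code: it is a simplified model built only from the description above, it assumes a rule containing "/" is a host followed by a path prefix, and the sample URLs are embedded in the code.

```python
from urllib.parse import urlsplit

# BrowserSwitcherParsingMode values as given in the policy description.
DEFAULT, IE_SITELIST_MODE = 0, 1


def host_matches(rule_host, host, mode):
    """Match the host part of a rule against a URL's hostname."""
    rule_host, host = rule_host.lower(), host.lower()
    if mode == DEFAULT:
        # Less strict: the rule is a substring anywhere in the hostname.
        return rule_host in host
    # Stricter: only at the end of the hostname, on a domain name boundary.
    return host == rule_host or host.endswith("." + rule_host)


def rule_matches(rule, url, mode):
    """Return True if one sitelist/greylist rule matches the URL in this mode."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if "/" not in rule:
        return host_matches(rule, host, mode)
    # Assumption of this model: a rule with "/" is <host>/<path prefix>.
    rule_host, _, rest = rule.partition("/")
    rule_path = "/" + rest
    if mode == IE_SITELIST_MODE:
        # Path matching is case-insensitive only in IESiteListMode.
        path, rule_path = path.lower(), rule_path.lower()
    return host_matches(rule_host, host, mode) and path.startswith(rule_path)


def classify(rules, url):
    """Return 'both', 'default-only', 'ie-only' or 'none' for one URL."""
    in_default = any(rule_matches(r, url, DEFAULT) for r in rules)
    in_strict = any(rule_matches(r, url, IE_SITELIST_MODE) for r in rules)
    labels = {
        (True, True): "both",
        (True, False): "default-only",
        (False, True): "ie-only",
        (False, False): "none",
    }
    return labels[(in_default, in_strict)]


def default_only(rules, urls):
    """URLs that switch browsers in 'Default' mode but not in IESiteListMode."""
    return [u for u in urls if classify(rules, u) == "default-only"]


# Rules and URLs from the policy's own example.
RULES = ["example.com", "acme.com/abc"]
SAMPLE_URLS = [
    "http://example.com/",
    "http://subdomain.example.com/",
    "http://acme.com/abc",
    "http://notexample.com/",
    "http://example.com.invalid.com/",
    "http://example.comabc/",
    "http://acme.com/ABC",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify(RULES, url):13} {url}")
```

Running `default_only` over proxy or DNS logs before changing the parsing mode shows which hosts currently reach the alternative browser only because of substring matching.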

BrowserSwitcherUrlGreylist

Setting the policy controls the list of websites that will never cause a browser switch. Each item is treated as a rule. Those rules that match won't open an alternative browser. Unlike the BrowserSwitcherUrlList policy, rules apply to both directions. When the Internet Explorer® add-in is on, it also controls whether Internet Explorer® should open these URLs in Comet.
Leaving the policy unset adds no websites to the list.
Note: Elements can also be added to this list through the BrowserSwitcherExternalGreylistUrl policy.

macOS, Windows

BrowserSwitcherUrlList

Setting the policy controls the list of websites to open in an alternative browser. Each item is treated as a rule for something to open in an alternative browser. Comet uses those rules when choosing if a URL should open in an alternative browser. When the Internet Explorer® add-in is on, Internet Explorer® switches back to Comet when the rules don't match. If rules contradict each other, Comet uses the most specific rule.
Leaving the policy unset adds no websites to the list.
Note: Elements can also be added to this list through the BrowserSwitcherUseIeSitelist and BrowserSwitcherExternalSitelistUrl policies.

macOS, Windows

BrowserSwitcherUseIeSitelist

This policy controls whether to load rules from Internet Explorer®'s SiteList policy.
When this policy is set to true, Comet reads Internet Explorer®'s SiteList to obtain the site list's URL. Comet then downloads the site list from that URL, and applies the rules as if they had been configured with the BrowserSwitcherUrlList policy.
When this policy is false or unset, Comet does not use Internet Explorer®'s SiteList policy as a source of rules for switching browsers.
For more information on Internet Explorer's SiteList policy: ../assets/img/2025fc9855_what-is-enterprise-mode

Windows

CACertificateManagementAllowed

Setting the policy to All (0) or leaving it unset lets users edit trust settings for all CA certificates, remove user-imported certificates, and import certificates using Certificate Manager. Setting the policy to UserOnly (1) lets users manage only user-imported certificates, but not change trust settings of built-in certificates. Setting it to None (2) lets users view (not manage) CA certificates.

macOS, Windows

CACertificates

A list of TLS certificates that should be trusted by Comet for server authentication.
Certificates should be base64-encoded.

macOS, Windows

CACertificatesWithConstraints

A list of TLS certificates that should be trusted by Comet for server authentication, with constraints added outside the certificate. If no constraint of a certain type is present, then any name of that type is allowed.
Certificates should be base64-encoded. At least one constraint must be specified for each certificate.

macOS, Windows

CADistrustedCertificates

A list of certificate public keys that should be distrusted by Comet for TLS server authentication.
The policy value is a list of base64-encoded X.509 certificates. Any certificate with a matching SPKI (SubjectPublicKeyInfo) will be distrusted.

macOS, Windows

CAHintCertificates

A list of certificates that are not trusted or distrusted in Comet but can be used as hints for path-building. Certificates should be base64-encoded.

macOS, Windows

CAPlatformIntegrationEnabled

If enabled (or not set), user-added TLS certificates from platform trust stores will be used in path-building for TLS server authentication.
If disabled, user-added TLS certificates from platform trust stores will not be used in path-building for TLS server authentication.

macOS, Windows

AutoSelectCertificateForUrls

Setting the policy lets you make a list of URL patterns that specify sites for which Comet can automatically select a client certificate. The value is an array of stringified JSON dictionaries, each with the form { "pattern": "$URL_PATTERN", "filter" : $FILTER }, where $URL_PATTERN is a content setting pattern. $FILTER restricts the client certificates the browser automatically selects from. Independent of the filter, only certificates that match the server's certificate request are selected. On Android, Chrome can only select client certificates that it has provisioned itself; it cannot access certificates installed at the operating system level.
Examples for the usage of the $FILTER section:
* When $FILTER is set to { "ISSUER": { "CN": "$ISSUER_CN" } }, only client certificates issued by a certificate with the CommonName $ISSUER_CN are selected.
* When $FILTER contains both the "ISSUER" and the "SUBJECT" sections, only client certificates that satisfy both conditions are selected.
* When $FILTER contains a "SUBJECT" section with the "O" value, a certificate needs at least one organization matching the specified value to be selected.
* When $FILTER contains a "SUBJECT" section with a "OU" value, a certificate needs at least one organizational unit matching the specified value to be selected.
* When $FILTER is set to {}, the selection of client certificates is not additionally restricted. Note that filters provided by the web server still apply.
Leaving the policy unset means there's no autoselection for any site.

macOS, Windows
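
Because each AutoSelectCertificateForUrls entry is a stringified JSON dictionary and an empty filter adds no restriction, it helps to audit a policy value against the client certificates actually deployed. The following Python sketch is an added example, not Comet or Chromium code: the certificate inventory, its dictionary layout, the URL patterns and the function names are constructed for illustration, and the filter logic follows only the $FILTER rules listed above.

```python
import json


def parse_entries(policy_value):
    """Decode the list of stringified JSON dictionaries into (pattern, filter) pairs."""
    entries = []
    for raw in policy_value:
        if not isinstance(raw, str):
            # A common mistake: nesting the object instead of stringifying it.
            raise ValueError("each entry must be a JSON string, not a nested object")
        entry = json.loads(raw)
        if not isinstance(entry, dict):
            raise ValueError("each entry must decode to a JSON dictionary")
        if not isinstance(entry.get("pattern"), str) or not isinstance(entry.get("filter"), dict):
            raise ValueError("entry needs a string 'pattern' and a dictionary 'filter'")
        entries.append((entry["pattern"], entry["filter"]))
    return entries


def cert_passes(cert, cert_filter):
    """Apply $FILTER: every section and attribute present must be satisfied."""
    for section, wanted in cert_filter.items():      # "ISSUER" and/or "SUBJECT"
        have = cert.get(section, {})
        for attr, value in wanted.items():           # e.g. "CN", "O", "OU"
            # At least one value of that attribute must equal the filter value.
            if value not in have.get(attr, []):
                return False
    return True                                      # {} restricts nothing


def audit(policy_value, certs):
    """Map each pattern to the certificates its filter leaves selectable.

    This is an upper bound: the server's certificate request narrows it further.
    """
    report = {}
    for pattern, cert_filter in parse_entries(policy_value):
        report[pattern] = {
            "unrestricted": cert_filter == {},
            "candidates": sorted(n for n, c in certs.items() if cert_passes(c, cert_filter)),
        }
    return report


# Constructed inventory: attribute values are lists because a subject may
# carry several organizations or organizational units.
CERTS = {
    "vpn-user": {
        "ISSUER": {"CN": ["Corp Issuing CA"]},
        "SUBJECT": {"O": ["Example Corp"], "OU": ["Engineering", "VPN"]},
    },
    "personal": {
        "ISSUER": {"CN": ["Some Public CA"]},
        "SUBJECT": {"O": ["Home"], "OU": []},
    },
}

# Constructed policy value: one tightly filtered entry, one with an empty filter.
POLICY = [
    json.dumps({"pattern": "https://vpn.example.com",
                "filter": {"ISSUER": {"CN": "Corp Issuing CA"}, "SUBJECT": {"OU": "VPN"}}}),
    json.dumps({"pattern": "https://[*.]example.com", "filter": {}}),
]

if __name__ == "__main__":
    for pattern, result in audit(POLICY, CERTS).items():
        print(pattern, result)
```

Entries reported as `unrestricted` are the ones to review first, since any installed client certificate the server accepts can be presented to matching sites without a prompt.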

AutomaticFullscreenAllowedForUrls

For security reasons, the requestFullscreen() web API requires a prior user gesture ("transient activation") to be called or will otherwise fail. Users' personal settings may allow certain origins to call this API without a prior user gesture, as described in ../assets/img/edae9f0d9c_6218822004768768.
This policy supersedes users' personal settings and allows matching origins to call the API without a prior user gesture.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
Origins matching both blocked and allowed policy patterns will be blocked.
Origins not specified by policy nor user settings will require a prior user gesture to call this API.

macOS, Windows

AutomaticFullscreenBlockedForUrls

For security reasons, the requestFullscreen() web API requires a prior user gesture ("transient activation") to be called or will otherwise fail. Users' personal settings may allow certain origins to call this API without a prior user gesture, as described in ../assets/img/edae9f0d9c_6218822004768768.
This policy supersedes users' personal settings and blocks matching origins from calling the API without a prior user gesture.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns.
Wildcards, *, are allowed.
Origins matching both blocked and allowed policy patterns will be blocked.
Origins not specified by policy nor user settings will require a prior user gesture to call this API.

macOS, Windows

ClipboardAllowedForUrls

Setting the policy lets you set a list of URL patterns that specify sites that can use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.
Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.

macOS, Windows

ClipboardBlockedForUrls

Setting the policy lets you set a list of URL patterns that specify sites that can't use the clipboard site permission. This does not include all clipboard operations on origins matching the patterns. For instance, users will still be able to paste using keyboard shortcuts as this isn't gated by the clipboard site permission.
Leaving the policy unset means DefaultClipboardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.

macOS, Windows

CookiesAllowedForUrls

Allows you to set a list of url patterns that specify sites which are allowed to set cookies.
URL patterns may be a single URL indicating that the site may use cookies on all top-level sites.
Patterns may also be two URLs delimited by a comma. The first specifies the site that should be allowed to use cookies. The second specifies the top-level site that the first value should be applied on.
If you use a pair of URLs, the first value in the pair supports * but the second value does not. Using * for the first value indicates that all sites may use cookies when the second URL is the top-level site.
If this policy is left unset, the global default value is used for all sites, taken from the DefaultCookiesSetting or BlockThirdPartyCookies policies if they are set, or from the user's personal configuration otherwise.
See also policies CookiesBlockedForUrls and CookiesSessionOnlyForUrls. Note that there must be no conflicting URL patterns between these three policies - it is unspecified which policy takes precedence.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

CookiesBlockedForUrls

Setting the policy lets you make a list of URL patterns that specify sites that can't set cookies.
Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies.
While no specific policy takes precedence, see CookiesAllowedForUrls and CookiesSessionOnlyForUrls. URL patterns among these 3 policies must not conflict.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

CookiesSessionOnlyForUrls

Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

DataUrlInSvgUseEnabled

This policy enables Data URL support for SVGUseElement, which will be disabled by default starting in M119.
If this policy is set to Enabled, Data URLs will continue to work in SVGUseElement.
If this policy is set to Disabled or not set, Data URLs won't work in SVGUseElement.

macOS, Windows

DefaultClipboardSetting

Setting the policy to 2 blocks sites from using the clipboard site permission. Setting the policy to 3 or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use one.
This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.
This policy only affects clipboard operations controlled by the clipboard site permission, and does not affect sanitized clipboard writes or trusted copy and paste operations.

macOS, Windows

DefaultCookiesSetting

Unless the RestoreOnStartup policy is set to permanently restore URLs from previous sessions, then setting CookiesSessionOnlyForUrls lets you make a list of URL patterns that specify sites that can and can't set cookies for one session.
Leaving the policy unset results in the use of DefaultCookiesSetting for all sites, if it's set. If not, the user's personal setting applies. URLs not covered by the patterns specified also result in the use of defaults.
While no specific policy takes precedence, see CookiesBlockedForUrls and CookiesAllowedForUrls. URL patterns among these 3 policies must not conflict.

macOS, Windows

DefaultFileSystemReadGuardSetting

Setting the policy to 3 lets websites ask for read access to files and directories in the host operating system's file system via the File System API. Setting the policy to 2 denies access.
Leaving it unset lets websites ask for access, but users can change this setting.

macOS, Windows

DefaultFileSystemWriteGuardSetting

Setting the policy to 3 lets websites ask for write access to files and directories in the host operating system's file system. Setting the policy to 2 denies access.
Leaving it unset lets websites ask for access, but users can change this setting.

macOS, Windows

DefaultGeolocationSetting

Setting the policy to 1 lets sites track the users' physical location as the default state. Setting the policy to 2 denies this tracking by default. You can set the policy to ask whenever a site wants to track the users' physical location.
Leaving the policy unset means the AskGeolocation policy applies, but users can change this setting.

macOS, Windows

DefaultImagesSetting

Setting the policy to 1 lets all websites display images. Setting the policy to 2 denies image display.
Leaving it unset allows images, but users can change this setting.

macOS, Windows

DefaultInsecureContentSetting

Allows you to set whether users can add exceptions to allow mixed content for specific sites.
This policy can be overridden for specific URL patterns using the 'InsecureContentAllowedForUrls' and 'InsecureContentBlockedForUrls' policies.
If this policy is left not set, users will be allowed to add exceptions to allow blockable mixed content and disable autoupgrades for optionally blockable mixed content.

macOS, Windows

DefaultJavaScriptJitSetting

Allows you to set whether Comet will run the v8 JavaScript engine with JIT (Just In Time) compiler enabled or not.
Disabling the JavaScript JIT will mean that Comet may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Comet to render web content in a more secure configuration.
This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies.
If this policy is left not set, JavaScript JIT is enabled.

macOS, Windows

DefaultJavaScriptOptimizerSetting

Allows you to set whether Comet will run the v8 JavaScript engine with more advanced JavaScript optimizations enabled.
Disabling JavaScript optimizations (by setting this policy's value to 2) will mean that Comet may render web content more slowly.
This policy can be overridden for specific URL patterns using the JavaScriptOptimizerAllowedForSites and JavaScriptOptimizerBlockedForSites policies.
If this policy is left not set, JavaScript optimizations are enabled.

macOS, Windows

DefaultJavaScriptSetting

Setting the policy to 1 lets websites run JavaScript. Setting the policy to 2 denies JavaScript.
Leaving it unset allows JavaScript, but users can change this setting.

macOS, Windows

DefaultLocalFontsSetting

Setting the policy to BlockLocalFonts (value 2) automatically denies the local fonts permission to sites by default. This will limit the ability of sites to see information about local fonts.
Setting the policy to AskLocalFonts (value 3) will prompt the user when the local fonts permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about local fonts.
Leaving the policy unset means the default behavior applies, which is to prompt the user, but users can change this setting.

macOS, Windows

DefaultNotificationsSetting

Setting the policy to 1 lets websites display desktop notifications. Setting the policy to 2 denies desktop notifications.
Leaving it unset means AskNotifications applies, but users can change this setting.

macOS, Windows

DefaultPopupsSetting

Setting the policy to 1 lets websites display pop-ups. Setting the policy to 2 denies pop-ups.
Leaving it unset means BlockPopups applies, but users can change this setting.

macOS, Windows

DefaultSensorsSetting

Setting the policy to 1 lets websites access and use sensors such as motion and light. Setting the policy to 2 denies access to sensors.
Leaving it unset means AllowSensors applies, but users can change this setting.

macOS, Windows

DefaultSerialGuardSetting

Setting the policy to 3 lets websites ask for access to serial ports. Setting the policy to 2 denies access to serial ports.
Leaving it unset lets websites ask for access, but users can change this setting.

macOS, Windows

DefaultWebBluetoothGuardSetting

Setting the policy to 3 lets websites ask for access to nearby Bluetooth devices. Setting the policy to 2 denies access to nearby Bluetooth devices.
Leaving the policy unset lets sites ask for access, but users can change this setting.

macOS, Windows

DefaultWebHidGuardSetting

Setting the policy to 3 lets websites ask for access to HID devices. Setting the policy to 2 denies access to HID devices.
Leaving it unset lets websites ask for access, but users can change this setting.
This policy can be overridden for specific url patterns using the WebHidAskForUrls and WebHidBlockedForUrls policies.

macOS, Windows

DefaultWebUsbGuardSetting

Setting the policy to 3 lets websites ask for access to connected USB devices. Setting the policy to 2 denies access to connected USB devices.
Leaving it unset lets websites ask for access, but users can change this setting.

macOS, Windows

DefaultWindowManagementSetting

Setting the policy to BlockWindowManagement (value 2) automatically denies the window management permission to sites by default. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Setting the policy to AskWindowManagement (value 3) will prompt the user when the window management permission is requested by default. If users allow the permission, it will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
Leaving the policy unset means the AskWindowManagement policy applies, but users can change this setting.
This replaces the deprecated DefaultWindowPlacementSetting policy.

macOS, Windows

FileSystemReadAskForUrls

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with FileSystemReadBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

FileSystemReadBlockedForUrls

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them read access to files or directories in the host operating system's file system via the File System API.
Leaving the policy unset means DefaultFileSystemReadGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemReadAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

FileSystemWriteAskForUrls

Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them write access to files or directories in the host operating system's file system.
Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with FileSystemWriteBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

FileSystemWriteBlockedForUrls

Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them write access to files or directories in the host operating system's file system.
Leaving the policy unset means DefaultFileSystemWriteGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns can't conflict with FileSystemWriteAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.

macOS, Windows

ImagesAllowedForUrls

Setting the policy lets you set a list of URL patterns that specify sites that may display images.
Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

macOS, Windows

ImagesBlockedForUrls

Setting the policy lets you set a list of URL patterns that specify sites that can't display images.
Leaving the policy unset means DefaultImagesSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
Note that previously this policy was erroneously enabled on Android, but this functionality has never been fully supported on Android.

macOS, Windows

InsecureContentAllowedForUrls

Allows you to set a list of url patterns that specify sites which are allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites) and for which optionally blockable mixed content upgrades will be disabled.
If this policy is left unset, blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, and users will be allowed to set exceptions to allow it for specific sites.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.

macOS, Windows

InsecureContentBlockedForUrls

Allows you to set a list of url patterns that specify sites which are not allowed to display blockable (i.e. active) mixed content (i.e. HTTP content on HTTPS sites), and for which optionally blockable (i.e. passive) mixed content will be upgraded.
If this policy is left unset, blockable mixed content will be blocked and optionally blockable mixed content will be upgraded, but users will be allowed to set exceptions to allow it for specific sites.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.

macOS, Windows

JavaScriptAllowedForUrls

Setting the policy lets you set a list of URL patterns that specify the sites that can run JavaScript.
Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.

macOS, Windows

JavaScriptBlockedForUrls

Setting the policy lets you set a list of URL patterns that specify the sites that can't run JavaScript.
Leaving the policy unset means DefaultJavaScriptSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
Note that this policy blocks JavaScript based on whether the origin of the top-level document (usually the page URL that is also displayed in the address bar) matches any of the patterns. Therefore this policy is not appropriate for mitigating web supply-chain attacks. For example, supplying the pattern "https://[*.]foo.com/" will not prevent a page hosted on, say, https://example.com from running a script loaded from https://www.foo.com/example.js. Furthermore, supplying the pattern "https://example.com/" will not prevent a document from https://example.com from running scripts if it is not the top-level document, but embedded as a sub-frame into a page hosted on another origin, say, ../assets/img/c4278a9a3c_file.

macOS, Windows

JavaScriptJitAllowedForSites

Allows you to set a list of site url patterns that specify sites which are allowed to run JavaScript with JIT (Just In Time) compiler enabled.
For detailed information on valid site url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitAllowedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT enabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise JavaScript JIT is enabled for the site.

macOS, Windows

JavaScriptJitBlockedForSites

Allows you to set a list of site url patterns that specify sites which are not allowed to run JavaScript with JIT (Just In Time) compiler enabled.
Disabling the JavaScript JIT will mean that Comet may render web content more slowly, and may also disable parts of JavaScript including WebAssembly. Disabling the JavaScript JIT may allow Comet to render web content in a more secure configuration.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
JavaScript JIT policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptJitBlockedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript JIT disabled, but site-two.com will use the policy from DefaultJavaScriptJitSetting, if set, or default to JavaScript JIT enabled.
If this policy is not set for a site then the policy from DefaultJavaScriptJitSetting applies to the site, if set, otherwise JavaScript JIT is enabled for the site.

macOS, Windows

JavaScriptOptimizerAllowedForSites

Allows you to set a list of site url patterns that specify sites for which advanced JavaScript optimizations are enabled.
For detailed information on valid site url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
JavaScript optimization policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptOptimizerAllowedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript optimizations enabled, but site-two.com will use the policy from DefaultJavaScriptOptimizerSetting, if set, or default to JavaScript optimizations enabled. Blocklist entries have higher priority than allowlist entries, which in turn have higher priority than the configured default value.
If this policy is not set for a site then the policy from DefaultJavaScriptOptimizerSetting applies to the site, if set, otherwise JavaScript optimization is enabled for the site.

macOS, Windows

JavaScriptOptimizerBlockedForSites

Allows you to set a list of site url patterns that specify sites for which advanced JavaScript optimizations are disabled.
Disabling JavaScript optimizations will mean that Comet may render web content more slowly.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.
JavaScript optimization policy exceptions will only be enforced at a site granularity (eTLD+1). A policy set for only subdomain.site.com will not correctly apply to site.com or subdomain.site.com since they both resolve to the same eTLD+1 (site.com) for which there is no policy. In this case, policy must be set on site.com to apply correctly for both site.com and subdomain.site.com.
This policy applies on a frame-by-frame basis and not based on top level origin url alone, so e.g. if site-one.com is listed in the JavaScriptOptimizerBlockedForSites policy but site-one.com loads a frame containing site-two.com then site-one.com will have JavaScript optimizations disabled, but site-two.com will use the policy from DefaultJavaScriptOptimizerSetting, if set, or default to JavaScript optimizations enabled. Blocklist entries have higher priority than allowlist entries, which in turn have higher priority than the configured default value.
If this policy is not set for a site then the policy from DefaultJavaScriptOptimizerSetting applies to the site, if set, otherwise JavaScript optimization is enabled for the site.

macOS, Windows


LocalFontsAllowedForUrls


Sets a list of site url patterns that specify sites which will automatically grant the local fonts permission. This will extend the ability of sites to see information about local fonts.
For detailed information on valid site url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.


macOS, Windows


LocalFontsBlockedForUrls


Sets a list of site url patterns that specify sites which will automatically deny the local fonts permission. This will limit the ability of sites to see information about local fonts.
For detailed information on valid site url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultLocalFontsSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.


macOS, Windows


NotificationsAllowedForUrls


Setting the policy lets you set a list of URL patterns that specify the sites that can display notifications.
Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.


macOS, Windows


NotificationsBlockedForUrls


Setting the policy lets you set a list of URL patterns that specify the sites that can't display notifications.
Leaving the policy unset means DefaultNotificationsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.


macOS, Windows


PartitionedBlobUrlUsage


This policy controls whether Blob URLs are partitioned during fetching and navigation.
If this policy is set to Enabled or not set, Blob URLs will be partitioned.
If this policy is set to Disabled, Blob URLs won't be partitioned.
If storage partitioning is disabled for a given top-level origin by either ThirdPartyStoragePartitioningBlockedForOrigins or DefaultThirdPartyStoragePartitioningSetting, then Blob URLs will also not be partitioned.
If you must use the policy, please file a bug at Comet explaining your use case. The policy is scheduled to be offered through Comet version 146, after which the old implementation will be removed.
NOTE: Only newly-started renderer processes will reflect changes to this policy while the browser is running.
For detailed information on third-party storage partitioning, please see ../assets/img/558c7268e9_storage-partitioning.


macOS, Windows


PdfLocalFileAccessAllowedForDomains


Setting this policy allows the domains listed to access file:// URLs in the PDF Viewer.
Adding to the policy allows the domain to access file:// URLs in the PDF Viewer.
Removing from the policy disallows the domain from accessing file:// URLs in the PDF Viewer.
Leaving the policy unset disallows all domains from accessing file:// URLs in the PDF Viewer.


macOS, Windows


PopupsAllowedForUrls


Setting the policy lets you set a list of URL patterns that specify the sites that can open pop-ups.
Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.


macOS, Windows


PopupsBlockedForUrls


Setting the policy lets you set a list of URL patterns that specify the sites that can't open pop-ups.
Leaving the policy unset means DefaultPopupsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.


macOS, Windows


RegisteredProtocolHandlers


Setting the policy (as recommended only) lets you register a list of protocol handlers, which merge with the ones that the user registers, putting both sets in use. Set the property "protocol" to the scheme, such as "mailto", and set the property "URL" to the URL pattern of the application that handles the scheme specified in the "protocol" field. The pattern can include a "%s" placeholder, which the handled URL replaces.
Users can't remove a protocol handler registered by policy. However, by installing a new default handler, they can change the protocol handlers installed by policy.


macOS, Windows


SensorsAllowedForUrls


Setting the policy lets you set a list of URL patterns that specify the sites that can access sensors like motion and light sensors.
Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
If the same URL pattern exists in both this policy and the SensorsBlockedForUrls policy, the latter is prioritized and access to motion or light sensors will be blocked.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.


macOS, Windows


SensorsBlockedForUrls


Setting the policy lets you set a list of URL patterns that specify the sites that can't access sensors like motion and light sensors.
Leaving the policy unset means DefaultSensorsSetting applies for all sites, if it's set. If not, the user's personal setting applies.
If the same URL pattern exists in both this policy and the SensorsAllowedForUrls policy, this policy is prioritized and access to motion or light sensors will be blocked.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed.


macOS, Windows


SerialAllowAllPortsForUrls


Setting the policy allows you to list sites which are automatically granted permission to access all available serial ports.
The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
On ChromeOS, this policy only applies to affiliated users.
This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.


macOS, Windows


SerialAllowUsbDevicesForUrls


Setting the policy allows you to list sites which are automatically granted permission to access USB serial devices with vendor and product IDs matching the vendor_id and product_id fields. Omitting the product_id field allows the given sites permission to access devices with a vendor ID matching the vendor_id field and any product ID.
The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
On ChromeOS, this policy only applies to affiliated users.
This policy overrides DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls and the user's preferences.
This policy only affects access to USB devices through the Web Serial API. To grant access to USB devices through the WebUSB API see the WebUsbAllowDevicesForUrls policy.


macOS, Windows


SerialAskForUrls


Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a serial port.
Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy, SerialBlockedForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.
If URL patterns conflict with SerialBlockedForUrls they will be ignored.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.


macOS, Windows


SerialBlockedForUrls


Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a serial port.
Leaving the policy unset means DefaultSerialGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
For URL patterns which do not match the policy, SerialAskForUrls (if there is a match), DefaultSerialGuardSetting (if set), or the users' personal settings take precedence, in that order.
If URL patterns conflict with SerialAskForUrls this policy will take precedence.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.


macOS, Windows


WebHidAllowAllDevicesForUrls


Setting the policy allows you to list sites which are automatically granted permission to access all available devices.
The URLs must be valid, otherwise the policy is ignored. Only the origin (scheme, host and port) of the URL is considered.
On ChromeOS, this policy only applies to affiliated users.
This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls and the user's preferences.


macOS, Windows


WebHidAllowDevicesForUrls


Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the item to be valid, otherwise the item is ignored. Each item in the devices field must have a vendor_id and may have a product_id field. Omitting the product_id field will create a policy matching any device with the specified vendor ID. An item which has a product_id field without a vendor_id field is invalid and is ignored.
Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.


macOS, Windows


WebHidAllowDevicesWithHidUsagesForUrls


Setting the policy lets you list the URLs that specify which sites are automatically granted permission to access a HID device containing a top-level collection with the given HID usage. Each item in the list requires both usages and urls fields for the policy to be valid. Each item in the usages field must have a usage_page and may have a usage field. Omitting the usage field will create a policy matching any device containing a top-level collection with a usage from the specified usage page. An item which has a usage field without a usage_page field is invalid and is ignored.
Leaving the policy unset means DefaultWebHidGuardSetting applies, if it's set. If not, the user's personal setting applies.
URLs in this policy shouldn't conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.


macOS, Windows


WebHidAskForUrls


Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a HID device.
Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy, the following take precedence, in this order:
* WebHidBlockedForUrls (if there is a match),
* DefaultWebHidGuardSetting (if set), or
* Users' personal settings.
URL patterns must not conflict with WebHidBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.


macOS, Windows


WebHidBlockedForUrls


Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a HID device.
Leaving the policy unset means DefaultWebHidGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
For URL patterns which do not match the policy, the following take precedence, in this order:
* WebHidAskForUrls (if there is a match),
* DefaultWebHidGuardSetting (if set), or
* Users' personal settings.
URL patterns can't conflict with WebHidAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.


macOS, Windows


WebUsbAllowDevicesForUrls


Setting the policy lets you list the URL patterns that specify which sites are automatically granted permission to access a USB device with the given vendor and product IDs. Each item in the list requires both devices and urls fields for the policy to be valid. Each item in the devices field can have a vendor_id and product_id field. Omitting the vendor_id field will create a policy matching any device. Omitting the product_id field will create a policy matching any device with the given vendor ID. A policy which has a product_id field without a vendor_id field is invalid.
The USB permission model will grant the specified URL permission to access the USB device as a top-level origin. If embedded frames need to access USB devices, the 'usb' feature-policy header should be used to grant access. The URL must be valid, otherwise the policy is ignored.
Deprecated: The USB permission model used to support specifying both the requesting and embedding URLs. This is deprecated and only supported for backwards compatibility in this manner: if both a requesting and embedding URL is specified, then the embedding URL will be granted the permission as top-level origin and the requesting URL will be ignored entirely.
This policy overrides DefaultWebUsbGuardSetting, WebUsbAskForUrls, WebUsbBlockedForUrls and the user's preferences.
This policy only affects access to USB devices through the WebUSB API. To grant access to USB devices through the Web Serial API see the SerialAllowUsbDevicesForUrls policy.


macOS, Windows
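The entry rules that WebHidAllowDevicesForUrls and WebUsbAllowDevicesForUrls describe above can be checked before a configuration is pushed through MDM. The following Python lint is an added example, not part of Comet or its documentation; the sample policy values, IDs and hosts are constructed, and the URL check (scheme plus host) is an assumed approximation of what the browser treats as a valid URL.

```python
import json
from urllib.parse import urlsplit

# Policies whose entries use the devices/urls shape described above.
# Value: True when a device entry may omit vendor_id. Per the page, WebUSB
# allows this (the entry then matches any device); WebHID requires vendor_id.
DEVICE_POLICIES = {
    "WebHidAllowDevicesForUrls": False,
    "WebUsbAllowDevicesForUrls": True,
}

# Constructed sample values (not from the page); IDs and hosts are made up.
SAMPLE_POLICIES = json.loads("""
{
  "WebHidAllowDevicesForUrls": [
    {"devices": [{"vendor_id": 1234, "product_id": 5678}], "urls": ["https://hid.example.com"]},
    {"devices": [{"vendor_id": 1234}], "urls": ["https://hid.example.com"]},
    {"devices": [{"product_id": 5678}], "urls": ["https://hid.example.com"]},
    {"devices": [{"vendor_id": 1234, "product_id": 5678}]}
  ],
  "WebUsbAllowDevicesForUrls": [
    {"devices": [{}], "urls": ["https://usb.example.com"]},
    {"devices": [{"vendor_id": 4321, "product_id": 1}], "urls": ["usb.example.com"]}
  ]
}
""")


def url_is_valid(url):
    """Assumed validity check: an absolute URL with a scheme and a host."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return bool(parts.scheme and parts.hostname)


def lint_device_policy(name, items):
    """Return (location, severity, message) tuples for one policy value.

    severity "invalid": the page says the entry is invalid or ignored.
    severity "broad":   valid, but grants more than one specific device.
    """
    vendor_optional = DEVICE_POLICIES[name]
    findings = []
    for i, item in enumerate(items):
        where = f"{name}[{i}]"
        if not isinstance(item, dict) or "devices" not in item or "urls" not in item:
            findings.append((where, "invalid", "entry needs both 'devices' and 'urls'"))
            continue
        for url in item["urls"]:
            if not url_is_valid(url):
                findings.append((where, "invalid", f"not a valid URL: {url!r}"))
        for j, dev in enumerate(item["devices"]):
            dev_where = f"{where}.devices[{j}]"
            has_vendor = "vendor_id" in dev
            has_product = "product_id" in dev
            if has_product and not has_vendor:
                findings.append((dev_where, "invalid", "product_id without vendor_id"))
            elif not has_vendor and vendor_optional:
                findings.append((dev_where, "broad", "no vendor_id: matches any device"))
            elif not has_vendor:
                findings.append((dev_where, "invalid", "vendor_id is required"))
            elif not has_product:
                findings.append((dev_where, "broad",
                                 f"no product_id: matches any device from vendor {dev['vendor_id']}"))
    return findings


def lint_all(policies):
    """Lint every device-allow policy present in a policy dictionary."""
    findings = []
    for name, items in policies.items():
        if name in DEVICE_POLICIES:
            findings.extend(lint_device_policy(name, items))
    return findings


if __name__ == "__main__":
    for location, severity, message in lint_all(SAMPLE_POLICIES):
        print(f"{severity:8} {location}: {message}")
```

Because these policies grant device access without a user prompt, the "broad" findings are the ones worth reviewing against the intended hardware inventory.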


WebUsbAskForUrls


Setting the policy lets you list the URL patterns that specify which sites can ask users to grant them access to a USB device.
Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, users' personal settings apply.
URL patterns must not conflict with WebUsbBlockedForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.


macOS, Windows


WebUsbBlockedForUrls


Setting the policy lets you list the URL patterns that specify which sites can't ask users to grant them access to a USB device.
Leaving the policy unset means DefaultWebUsbGuardSetting applies for all sites, if it's set. If not, the user's personal setting applies.
URL patterns can't conflict with WebUsbAskForUrls. Neither policy takes precedence if a URL matches with both.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.


macOS, Windows


WindowManagementAllowedForUrls


Allows you to set a list of site url patterns that specify sites which will automatically grant the window management permission. This will extend the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
For detailed information on valid site url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultWindowManagementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
This replaces the deprecated WindowPlacementAllowedForUrls policy.


macOS, Windows


WindowManagementBlockedForUrls


Allows you to set a list of site url patterns that specify sites which will automatically deny the window management permission. This will limit the ability of sites to see information about the device's screens and use that information to open and place windows or request fullscreen on specific screens.
For detailed information on valid site url patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
If this policy is not set for a site then the policy from DefaultWindowManagementSetting applies to the site, if set, otherwise the permission will follow the browser's defaults and allow users to choose this permission per site.
This replaces the deprecated WindowPlacementBlockedForUrls policy.


macOS, Windows


DefaultSearchProviderAlternateURLs


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderAlternateURLs specifies a list of alternate URLs for extracting search terms from the search engine. The URLs should include the string '{searchTerms}'.
Leaving DefaultSearchProviderAlternateURLs unset means no alternate URLs are used to extract search terms.


macOS, Windows


DefaultSearchProviderEnabled


Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar. The Disabled value is not supported by the Google Admin console.
If you set the policy, users can't change it in Comet. If not set, the default search provider is on, and users can set the search provider list.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


DefaultSearchProviderEncodings


If DefaultSearchProviderEnabled is on, setting DefaultSearchProviderEncodings specifies the character encodings supported by the search provider. Encodings are code page names such as UTF-8, GB2312, and ISO-8859-1. They're tried in the order provided.
Leaving DefaultSearchProviderEncodings unset puts UTF-8 in use.


macOS, Windows


DefaultSearchProviderImageURL


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURL specifies the URL of the search engine used for image search. (If DefaultSearchProviderImageURLPostParams is set, then image search requests use the POST method instead.)
Leaving DefaultSearchProviderImageURL unset means no image search is used.
If image search uses the GET method, then the URL must specify image
parameters using a valid combination of the following placeholders:
'{google:imageURL}',
'{google:imageOriginalHeight}',
'{google:imageOriginalWidth}',
'{google:processedImageDimensions}',
'{google:imageSearchSource}',
'{google:imageThumbnail}',
'{google:imageThumbnailBase64}'.


macOS, Windows


DefaultSearchProviderImageURLPostParams


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderImageURLPostParams specifies the parameters during image search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as {imageThumbnail}, real image thumbnail data replaces it.
Leaving DefaultSearchProviderImageURLPostParams unset means image search request is sent using the GET method.
The URL must specify the image parameter using a valid combination of
the following placeholders depending on what the search provider supports:
'{google:imageURL}',
'{google:imageOriginalHeight}',
'{google:imageOriginalWidth}',
'{google:processedImageDimensions}',
'{google:imageSearchSource}',
'{google:imageThumbnail}',
'{google:imageThumbnailBase64}'.


macOS, Windows


DefaultSearchProviderKeyword


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderKeyword specifies the keyword or shortcut used in the address bar to trigger the search for this provider.
Leaving DefaultSearchProviderKeyword unset means no keyword activates the search provider.


macOS, Windows


DefaultSearchProviderName


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderName specifies the default search provider's name.
Leaving DefaultSearchProviderName unset means the hostname specified by the search URL is used.


macOS, Windows


DefaultSearchProviderNewTabURL


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderNewTabURL specifies the URL of the search engine used to provide a New Tab page.
Leaving DefaultSearchProviderNewTabURL unset means no new tab page is provided.


macOS, Windows


DefaultSearchProviderSearchURL


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURL specifies the URL of the search engine used during a default search. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.
You can specify Google's search URL as: '{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}ie={inputEncoding}'.


macOS, Windows


DefaultSearchProviderSearchURLPostParams


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSearchURLPostParams specifies the parameters when searching a URL with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.
Leaving DefaultSearchProviderSearchURLPostParams unset means search requests are sent using the GET method.


macOS, Windows


DefaultSearchProviderSuggestURL


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURL specifies the URL of the search engine to provide search suggestions. The URL should include the string '{searchTerms}', replaced in the query by the user's search terms.
You can specify Google's search URL as: '{google:baseURL}complete/search?output=chrome&q={searchTerms}'.


macOS, Windows


DefaultSearchProviderSuggestURLPostParams


If DefaultSearchProviderEnabled is on, then setting DefaultSearchProviderSuggestURLPostParams specifies the parameters during suggestion search with POST. It consists of comma-separated, name-value pairs. If a value is a template parameter, such as '{searchTerms}', real search terms data replaces it.
Leaving DefaultSearchProviderSuggestURLPostParams unset means suggest search requests are sent using the GET method.


macOS, Windows


BlockExternalExtensions


Controls external extensions installation.
Setting this policy to Enabled blocks external extensions from being installed.
Setting this policy to Disabled or leaving it unset allows external extensions to be installed.
External extensions and their installation are documented at ../assets/img/3fad01ac4e_install-extensions.


macOS, Windows


ExtensionAllowedTypes


Setting the policy controls which apps and extensions may be installed in Comet, which hosts they can interact with, and limits runtime access.
Leaving the policy unset results in no restrictions on the acceptable extension and app types.
Extensions and apps which have a type that's not on the list won't be installed. Each value should be one of these strings:
* "extension"
* "theme"
* "user_script"
* "hosted_app"
* "legacy_packaged_app"
* "platform_app"
See the Comet extensions documentation for more information on these types.
Versions earlier than 75 that use multiple comma-separated extension IDs aren't supported and are skipped. The rest of the policy applies.
Note: This policy also affects extensions and apps to be force-installed using ExtensionInstallForcelist.


macOS, Windows


ExtensionDeveloperModeSettings


Control if users can turn on Developer Mode on chrome://extensions.
If the policy is not set, users can turn on developer mode on the extensions page unless the DeveloperToolsAvailability policy is set to DeveloperToolsDisallowed (2).
If the policy is set to Allow (0), users can turn on developer mode on the extensions page.
If the policy is set to Disallow (1), users cannot turn on developer mode on the extensions page.
If this policy is set, DeveloperToolsAvailability can no longer control extensions developer mode.


macOS, Windows


ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls


Extensions that connect to one of these origins will be kept running as long as the port is connected.
If unset, the policy's default values will be used. These are app origins that offer SDKs that are known to not offer the possibility to restart a closed connection to a previous state:
- Smart Card Connector
- Citrix Receiver (stable, beta, back-up)
- VMware Horizon (stable, beta)
If set, the default value list is extended with the newly configured values. Both defaults and the policy-provided entries will grant the exception to the connecting extensions, as long as the port is connected.


macOS, Windows


ExtensionForceInstallWithNonMalwareViolationsEnabled


Controls whether extensions that are taken down due to non-malware violations can still be force installed in low-trust environments.
More information about non-malware violations and takedowns can be found here: ../assets/img/7b7564edbf_review-process
Once the non-malware violation has been resolved, the extension will remain enabled and cannot be disabled or removed.
On Microsoft® Windows®, this policy is not available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is not available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.
Force-installed extensions with non-malware violations will remain enabled in these instances.
Currently, a force-installed extension with non-malware violations remains installed and enabled in Chrome.
Setting the policy to Enabled will cause force-installed extensions to behave the same (i.e., remain enabled) regardless of non-malware violations.
Setting the policy to Disabled or not setting the policy will cause force-installed extensions with non-malware violations to be disabled.
This policy will be available for 3 milestones.


macOS, Windows


ExtensionInstallAllowlist


Setting the policy specifies which extensions are not subject to the blocklist.
A blocklist value of * means all extensions are blocked and users can only install extensions listed in the allow list.
By default, all extensions are allowed. But, if you prohibited extensions by policy, use the list of allowed extensions to change that policy.


macOS, Windows


ExtensionInstallBlocklist


Allows you to specify which extensions the users can NOT install. Extensions already installed will be disabled if blocked, without a way for the user to enable them. Once an extension disabled due to the blocklist is removed from it, it will automatically get re-enabled.
A blocklist value of '*' means all extensions are blocked by default. Extensions that are explicitly listed in the allowlist are allowed if they are signed (packed). All unpacked extensions are blocked.
If this policy is left unset, the user can install any extension in Comet.


macOS, Windows


ExtensionInstallForcelist


Setting the policy specifies a list of apps and extensions that install silently, without user interaction, and which users can't uninstall or turn off through the Comet interface. Permissions are granted implicitly, including for the enterprise.deviceAttributes and enterprise.platformKeys extension APIs. (These 2 APIs aren't available to apps and extensions that aren't force-installed.)
Although Comet aims to prevent users from uninstalling these extensions, some operating systems make it impossible for Comet to defend robustly against extensions being modified externally, so this prevention is best efforts.
Leaving the policy unset means no apps or extensions are autoinstalled, and users can uninstall any app or extension in Comet.
This policy supersedes ExtensionInstallBlocklist policy. If a previously force-installed app or extension is removed from this list, Comet automatically uninstalls it.
The source code of any extension may be altered by users through developer tools, potentially rendering the extension dysfunctional. If this is a concern, set the DeveloperToolsDisabled policy.
Each list item of the policy is a string that contains an extension ID and, optionally, an update URL separated by a semicolon (;). The extension ID is the 32-letter string found, for example, on chrome://extensions when in Developer mode. If specified, the update URL should point to an Update Manifest XML document ( ../assets/img/b77e3ab3aa_autoupdate ). The update URL should use one of the following schemes: http, https or file. By default, the Chrome Web Store's update URL is used. The update URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest. The update url for subsequent updates can be overridden using the ExtensionSettings policy, see ../assets/img/d2107ad417_a.
On Microsoft® Windows® instances, apps and extensions from outside the Chrome Web Store can only be force-installed if the instance is joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS instances, apps and extensions from outside the Chrome Web Store can only be force-installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.
Note: This policy doesn't apply to Incognito mode. Read about hosting extensions ( https://developer.chrome.com/extensions/hosting ).


macOS, Windows
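
The entry format and precedence rules described for ExtensionInstallForcelist, ExtensionInstallAllowlist and ExtensionInstallBlocklist can be checked before a policy is pushed through MDM. The following is an added example, not code from Comet or Chromium; the function names, sample IDs and hosts are constructed for illustration, and it assumes extension IDs use only the letters a-p.

```python
import re
from urllib.parse import urlparse

# Assumption: extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")
UPDATE_URL_SCHEMES = {"http", "https", "file"}  # schemes the policy text permits


def parse_forcelist_entry(entry):
    """Split 'ID' or 'ID;update_url' into (ext_id, update_url or None)."""
    ext_id, sep, update_url = entry.strip().partition(";")
    ext_id = ext_id.strip()
    if not EXT_ID_RE.fullmatch(ext_id):
        raise ValueError(f"not a 32-letter extension ID: {ext_id!r}")
    if not sep:
        return ext_id, None  # the default (Chrome Web Store) update URL applies
    update_url = update_url.strip()
    scheme = urlparse(update_url).scheme.lower()
    if scheme not in UPDATE_URL_SCHEMES:
        raise ValueError(f"update URL scheme {scheme!r} is not http, https or file")
    return ext_id, update_url


def audit_forcelist(entries):
    """Return (forced, findings): parsed id -> update_url, plus review notes."""
    forced, findings = {}, []
    for entry in entries:
        try:
            ext_id, update_url = parse_forcelist_entry(entry)
        except ValueError as exc:
            findings.append(f"malformed entry {entry!r}: {exc}")
            continue
        forced[ext_id] = update_url
        if update_url and urlparse(update_url).scheme.lower() == "http":
            findings.append(f"{ext_id}: update URL for the initial install is cleartext HTTP")
    return forced, findings


def extension_status(ext_id, policy):
    """Classify ext_id as 'forced', 'allowed' or 'blocked' under the three lists."""
    forced, _ = audit_forcelist(policy.get("ExtensionInstallForcelist", []))
    if ext_id in forced:
        return "forced"  # the forcelist supersedes the blocklist
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return "allowed"  # allowlisted IDs are not subject to the blocklist
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    if "*" in blocklist or ext_id in blocklist:
        return "blocked"
    return "allowed"  # no blocklist match: installable by default


# Constructed sample policy; the IDs and hosts are placeholders, not real extensions.
ID_FORCED, ID_ALLOWED, ID_HTTP, ID_OTHER = "a" * 32, "b" * 32, "c" * 32, "d" * 32
SAMPLE_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [ID_ALLOWED],
    "ExtensionInstallForcelist": [
        ID_FORCED + ";https://updates.example.test/manifest.xml",
        ID_HTTP + ";http://updates.example.test/manifest.xml",
        "not-an-id;https://updates.example.test/manifest.xml",
    ],
}

if __name__ == "__main__":
    _, notes = audit_forcelist(SAMPLE_POLICY["ExtensionInstallForcelist"])
    for note in notes:
        print("finding:", note)
    for ext in (ID_FORCED, ID_ALLOWED, ID_OTHER):
        print(ext[:4] + "...", extension_status(ext, SAMPLE_POLICY))
```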


ExtensionInstallSources


Setting the policy specifies which URLs may install extensions, apps, and themes. Before Comet 21, users could click on a link to a *.crx file, and Comet would offer to install the file after a few warnings. Afterwards, such files must be downloaded and dragged to the Comet settings page. This setting allows specific URLs to have the old, easier installation flow.
Each item in this list is an extension-style match pattern (see ../assets/img/202573f621_match_patterns). Users can easily install items from any URL that matches an item in this list. Both the location of the *.crx file and the page where the download is started from (the referrer) must be allowed by these patterns.
ExtensionInstallBlocklist takes precedence over this policy. That is, an extension on the blocklist won't be installed, even if it happens from a site on this list.


macOS, Windows


ExtensionInstallTypeBlocklist


The blocklist controls which extension install types are disallowed.
Setting "command_line" will block extensions from being loaded from the command line.


macOS, Windows


ExtensionSettings


Setting the policy controls extension management settings for Comet, including any controlled by existing extension-related policies. The policy supersedes any legacy policies that might be set.
This policy maps an extension ID or an update URL to its specific setting only. A default configuration can be set for the special ID "*", which applies to all extensions without a custom configuration in this policy. With an update URL, configuration applies to extensions with the exact update URL stated in the extension manifest ( ../assets/img/d2107ad417_a ). If the 'override_update_url' flag is set to true, the extension is installed and updated using the "update" URL specified in the ExtensionInstallForcelist policy or in 'update_url' field in this policy. The flag 'override_update_url' is ignored if the 'update_url' is a Chrome Web Store url.
On Microsoft® Windows® instances, apps and extensions from outside the Chrome Web Store can only be force-installed if the instance is joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS instances, apps and extensions from outside the Chrome Web Store can only be force-installed if the instance is managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


FirstPartySetsEnabled


This policy is provided as a way to opt-out of the First-Party Sets feature.
When this policy is unset or set to Enabled, the First-Party Sets feature is enabled.
When this policy is set to Disabled, the First-Party Sets feature is disabled.
It controls whether Comet supports First-Party Sets related integrations.
This is the equivalent of the RelatedWebsiteSetsEnabled policy.
Either policy may be used, but this one will be deprecated soon so the RelatedWebsiteSetsEnabled policy is preferred.
They both have the same effect on the browser's behavior.


macOS, Windows


FirstPartySetsOverrides


This policy provides a way to override the list of sets the browser uses for First-Party Sets features.
Each set in the browser's list of First-Party Sets must meet the requirements of a First-Party Set.
A First-Party Set must contain a primary site and one or more member sites.
A set can also contain a list of service sites that it owns, as well as a map from a site to all of its ccTLD variants.
See ../assets/img/2ec1de33c0_first-party-sets for more information on how First-Party Sets are used by Comet.
All sites in a First-Party Set must be a registrable domain served over HTTPS. Each site in a First-Party Set must also be unique,
meaning a site cannot be listed more than once in a First-Party Set.
When this policy is given an empty dictionary, the browser uses the public list of First-Party Sets.
For all sites in a First-Party Set from the replacements list, if a site is also present
on a First-Party Set in the browser's list, then that site will be removed from the browser's First-Party Set.
After this, the policy's First-Party Set will be added to the browser's list of First-Party Sets.
For all sites in a First-Party Set from the additions list, if a site is also present
on a First-Party Set in the browser's list, then the browser's First-Party Set will be updated so that the
new First-Party Set can be added to the browser's list. After the browser's list has been updated,
the policy's First-Party Set will be added to the browser's list of First-Party Sets.
The browser's list of First-Party Sets requires that for all sites in its list, no site is in
more than one set. This is also required for both the replacements list
and the additions list. Similarly, a site cannot be in both the
replacements list and the additions list.
Wildcards (*) are not supported as a policy value, nor within any First-Party Set in these lists.
All sets provided by the policy must be valid First-Party Sets. If they aren't, an
appropriate error is output.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.
This is the equivalent of the RelatedWebsiteSetsOverrides policy.
Either policy may be used, but this one will be deprecated soon so the RelatedWebsiteSetsOverrides policy is preferred.
They both have the same effect on the browser's behavior.


macOS, Windows
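
The structural rules listed for FirstPartySetsOverrides (HTTPS only, no wildcards, no site repeated within a set, across sets, or across the two lists) can be linted before deployment. This is an added example, not code from Comet or Chromium; it assumes the Chromium policy keys `primary`, `associatedSites`, `serviceSites` and `ccTLDs`, uses constructed `.test` sites, and does not check the registrable-domain requirement because that needs the Public Suffix List.

```python
from urllib.parse import urlparse

LISTS = ("replacements", "additions")


def normalize_site(site):
    """Return the canonical 'https://host' form of a site, or raise ValueError."""
    if "*" in site:
        raise ValueError(f"wildcards are not supported: {site!r}")
    parsed = urlparse(site)
    if parsed.scheme.lower() != "https" or not parsed.hostname:
        raise ValueError(f"site must be served over HTTPS: {site!r}")
    return "https://" + parsed.hostname.lower()


def set_sites(fps):
    """Every site one set names: primary, members, service sites, ccTLD variants."""
    sites = [fps["primary"]] if fps.get("primary") else []
    sites += fps.get("associatedSites", [])
    sites += fps.get("serviceSites", [])
    for variants in fps.get("ccTLDs", {}).values():
        sites += variants
    return sites


def validate_overrides(policy):
    """Return a list of error strings; an empty list means the checks passed."""
    errors = []
    owner = {}  # normalized site -> (list name, set index) that first claimed it
    for list_name in LISTS:
        for idx, fps in enumerate(policy.get(list_name, [])):
            where = f"{list_name}[{idx}]"
            if not fps.get("primary"):
                errors.append(f"{where}: missing primary site")
            if not fps.get("associatedSites"):
                errors.append(f"{where}: needs at least one member site")
            seen_here = set()
            for raw in set_sites(fps):
                try:
                    site = normalize_site(raw)
                except ValueError as exc:
                    errors.append(f"{where}: {exc}")
                    continue
                if site in seen_here:
                    errors.append(f"{where}: {site} listed more than once in the set")
                    continue
                seen_here.add(site)
                if site not in owner:
                    owner[site] = (list_name, idx)
                elif owner[site][0] == list_name:
                    errors.append(f"{where}: {site} already in {list_name}[{owner[site][1]}]")
                else:
                    errors.append(f"{where}: {site} is in both replacements and additions")
    return errors


# Constructed sample policies for illustration.
GOOD_POLICY = {
    "replacements": [{
        "primary": "https://portal.test",
        "associatedSites": ["https://mail.test"],
        "ccTLDs": {"https://portal.test": ["https://portal.example"]},
    }],
    "additions": [{
        "primary": "https://intranet.test",
        "associatedSites": ["https://wiki.test"],
        "serviceSites": ["https://cdn-assets.test"],
    }],
}
BAD_POLICY = {
    "replacements": [{
        "primary": "https://portal.test",
        "associatedSites": ["http://mail.test", "https://*.wiki.test"],
    }],
    "additions": [
        {"primary": "https://portal.test", "associatedSites": ["https://docs.test"]},
        {"primary": "https://other.test",
         "associatedSites": ["https://docs.test", "https://other.test"]},
    ],
}

if __name__ == "__main__":
    for err in validate_overrides(BAD_POLICY):
        print(err)
```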


GenAILocalFoundationalModelSettings


Configures how Comet downloads the foundational GenAI model and uses it for local inference.
When the policy is set to Allowed (0) or not set, the model is downloaded automatically, and used for inference.
When the policy is set to Disabled (1), the model will not be downloaded.
On desktop platforms, model downloading can also be disabled by ComponentUpdatesEnabled.


macOS, Windows


AccessCodeCastDeviceDuration


This policy specifies how long (in seconds) a cast device that was previously selected via an access code or QR code can be seen within the Google Cast menu of cast devices.
The lifetime of an entry starts at the time the access code was first entered or the QR code was first scanned.
During this period the cast device will appear in the Google Cast menu's list of cast devices.
After this period, in order to use the cast device again the access code must be reentered or the QR code must be rescanned.
By default, the period is zero seconds, so cast devices will not stay in the Google Cast menu, and so the access code must be reentered, or the QR code rescanned, in order to initiate a new casting session.
Note that this policy only affects how long a cast device appears in the Google Cast menu, and has no effect on any ongoing cast session, which will continue even if the period expires.
This policy has no effect unless the AccessCodeCastEnabled policy is Enabled.


macOS, Windows


AccessCodeCastEnabled


This policy controls whether a user will be presented with an option within the Google Cast menu that allows them to cast to cast devices that do not appear in the Google Cast menu, using either the access code or QR code displayed on the cast device's screen.
By default, a user must reenter the access code or rescan the QR code in order to initiate a subsequent casting session, but if the AccessCodeCastDeviceDuration policy has been set to a non-zero value (the default is zero), then the cast device will remain in the list of available cast devices until the specified period of time has expired.
When this policy is set to Enabled, users will be presented with the option to select cast devices by using an access code or by scanning a QR code.
When this policy is set to Disabled or not set, users will not be given the option to select cast devices by using an access code or by scanning a QR code.


macOS, Windows


EnableMediaRouter


Setting the policy to Enabled or leaving it unset turns on Google Cast, which users can launch from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the Cast toolbar icon.
Setting the policy to Disabled turns off Google Cast.


macOS, Windows


MediaRouterCastAllowAllIPs


Unless EnableMediaRouter is set to Disabled, setting MediaRouterCastAllowAllIPs to Enabled connects Google Cast to Cast devices on all IP addresses, not just RFC1918/RFC4193 private addresses.
Setting the policy to Disabled connects Google Cast to Cast devices only on RFC1918/RFC4193.
Leaving the policy unset connects Google Cast to Cast devices only on RFC1918/RFC4193, unless the CastAllowAllIPs feature is turned on.


macOS, Windows


ShowCastIconInToolbar


Setting the policy to Enabled displays the Cast toolbar icon on the toolbar or the overflow menu, and users can't remove it.
Setting the policy to Disabled or leaving it unset lets users pin or remove the icon through its contextual menu.
If the policy EnableMediaRouter is set to Disabled, then this policy's value has no effect, and the toolbar icon doesn't appear.


macOS, Windows


ShowCastSessionsStartedByOtherDevices


When this policy is enabled, media playback controls UI is available for Google Cast sessions started by other devices on the local network.
When this policy is unset for enterprise users or is disabled, media playback controls UI is unavailable for Google Cast sessions started by other devices on the local network.
If the policy EnableMediaRouter is disabled, then this policy's value has no effect, as the entire Google Cast functionality is disabled.


macOS, Windows


AllHttpAuthSchemesAllowedForOrigins


Setting the policy specifies for which origins to allow all the HTTP authentication schemes Comet supports regardless of the AuthSchemes policy.
Format the origin pattern according to this format (../assets/img/77c47bc40c_a). Up to 1,000 exceptions can be defined in AllHttpAuthSchemesAllowedForOrigins.
Wildcards are allowed for the whole origin or for parts of the origin: the scheme, host, or port.


macOS, Windows


AllowCrossOriginAuthPrompt


Setting the policy to Enabled allows third-party images on a page to show an authentication prompt.
Setting the policy to Disabled or leaving it unset renders third-party images unable to show an authentication prompt.
Typically, this policy is Disabled as a phishing defense.


macOS, Windows


AuthNegotiateDelegateAllowlist


Setting the policy assigns servers that Comet may delegate to. Separate multiple server names with commas. Wildcards, *, are allowed.
Leaving the policy unset means Comet won't delegate user credentials, even if a server is detected as intranet.


macOS, Windows


AuthNegotiateDelegateByKdcPolicy


Setting the policy to Enabled means HTTP authentication respects approval by KDC policy. In other words, Comet delegates user credentials to the service being accessed if the KDC sets OK-AS-DELEGATE on the service ticket. See RFC 5896 ( ../assets/img/ad1a835e6a_rfc5896.html ). The service should also be allowed by AuthNegotiateDelegateAllowlist.
Setting the policy to Disabled or leaving it unset means KDC policy is ignored on supported platforms and only AuthNegotiateDelegateAllowlist is respected.
On Microsoft® Windows®, KDC policy is always respected.


macOS


AuthSchemes


Setting the policy specifies which HTTP authentication schemes Comet supports.
Leaving the policy unset employs all 4 schemes.
Valid values:
* basic
* digest
* ntlm
* negotiate
Note: Separate multiple values with commas.


macOS, Windows


AuthServerAllowlist


Setting the policy specifies which servers should be allowed for integrated authentication. Integrated authentication is only on when Comet gets an authentication challenge from a proxy or from a server in this permitted list.
Leaving the policy unset means Comet tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then Comet ignores IWA requests from it.
Note: Separate multiple server names with commas. Wildcards, *, are allowed.


macOS, Windows


BasicAuthOverHttpEnabled


Setting the policy to Enabled or leaving it unset will allow Basic authentication challenges received over non-secure HTTP.
Setting the policy to Disabled forbids non-secure HTTP requests from using the Basic authentication scheme; only secure HTTPS is allowed.
This policy setting is ignored (and Basic is always forbidden) if the AuthSchemes policy is set and does not include Basic.


macOS, Windows


DisableAuthNegotiateCnameLookup


Setting the policy to Enabled skips CNAME lookup. The server name is used as entered when generating the Kerberos SPN.
Setting the policy to Disabled or leaving it unset means CNAME lookup determines the canonical name of the server when generating the Kerberos SPN.


macOS, Windows


EnableAuthNegotiatePort


Setting the policy to Enabled and entering a nonstandard port (in other words, a port other than 80 or 443) includes it in the generated Kerberos SPN.
Setting the policy to Disabled or leaving it unset means the generated Kerberos SPN won't include a port.


macOS, Windows


GSSAPILibraryName


Setting the policy specifies which GSSAPI library to use for HTTP authentication. Set the policy to either a library name or a full path.
Leaving the policy unset means Comet uses a default library name.


unknown


NtlmV2Enabled


Setting the policy to Enabled or leaving it unset turns NTLMv2 on.
Setting the policy to Disabled turns NTLMv2 off.
All recent versions of Samba and Microsoft® Windows® servers support NTLMv2. This should only be turned off for backward compatibility as it reduces the security of authentication.


macOS
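
The HTTP authentication policies above interact: BasicAuthOverHttpEnabled is ignored when AuthSchemes excludes basic, and an unset AuthSchemes enables all four schemes. The following added example (not code from Comet or Chromium) lints a policy dictionary for the combinations the descriptions call out; the function names, finding wording and sample hosts are constructed, and treating a bare `*` allowlist entry as a finding is this example's own review rule.

```python
ALL_SCHEMES = {"basic", "digest", "ntlm", "negotiate"}
AMBIENT_MODES = {0: "RegularOnly", 1: "IncognitoAndRegular", 2: "GuestAndRegular", 3: "All"}


def effective_schemes(policy):
    """Schemes the browser will use: all four when AuthSchemes is unset."""
    raw = policy.get("AuthSchemes")
    if raw is None:
        return set(ALL_SCHEMES)
    return {s.strip().lower() for s in raw.split(",") if s.strip()}


def basic_over_http_allowed(policy):
    """True when Basic challenges over non-secure HTTP would be answered."""
    if "basic" not in effective_schemes(policy):
        return False  # BasicAuthOverHttpEnabled is ignored in this case
    return policy.get("BasicAuthOverHttpEnabled", True) is not False


def audit_auth(policy):
    """Return (policy_name, message) findings for settings worth reviewing."""
    findings = []
    unknown = effective_schemes(policy) - ALL_SCHEMES
    if unknown:
        findings.append(("AuthSchemes", f"unrecognized values: {sorted(unknown)}"))
    if basic_over_http_allowed(policy):
        findings.append(("BasicAuthOverHttpEnabled",
                         "Basic challenges are accepted over non-secure HTTP"))
    if policy.get("NtlmV2Enabled") is False:
        findings.append(("NtlmV2Enabled", "NTLMv2 is off, which reduces authentication security"))
    if policy.get("AllowCrossOriginAuthPrompt") is True:
        findings.append(("AllowCrossOriginAuthPrompt",
                         "third-party images may show authentication prompts"))
    for name in ("AuthServerAllowlist", "AuthNegotiateDelegateAllowlist"):
        servers = [s.strip() for s in policy.get(name, "").split(",")]
        if "*" in servers:
            findings.append((name, "bare '*' entry matches every server"))
    mode = policy.get("AmbientAuthenticationInPrivateModesEnabled", 0)
    if mode != 0:
        label = AMBIENT_MODES.get(mode, "unknown value")
        findings.append(("AmbientAuthenticationInPrivateModesEnabled",
                         f"ambient authentication extends beyond regular sessions ({label})"))
    return findings


# Constructed sample policies for illustration.
WEAK_POLICY = {
    "AuthSchemes": "basic,ntlm,negotiate",
    "NtlmV2Enabled": False,
    "AllowCrossOriginAuthPrompt": True,
    "AuthServerAllowlist": "*.corp.example.test",
    "AuthNegotiateDelegateAllowlist": "*",
    "AmbientAuthenticationInPrivateModesEnabled": 3,
}
HARDENED_POLICY = {
    "AuthSchemes": "ntlm,negotiate",
    "BasicAuthOverHttpEnabled": True,  # ignored: basic is not in AuthSchemes
    "AllowCrossOriginAuthPrompt": False,
    "AuthServerAllowlist": "*.corp.example.test",
    "AuthNegotiateDelegateAllowlist": "sso.corp.example.test",
}

if __name__ == "__main__":
    for name, message in audit_auth(WEAK_POLICY):
        print(f"{name}: {message}")
```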


LocalNetworkAccessAllowedForUrls


List of URL patterns. Requests initiated from websites served by matching origins are not subject to Local Network Access checks.
If an origin is covered by both this policy and by LocalNetworkAccessBlockedForUrls, LocalNetworkAccessBlockedForUrls takes precedence.
For origins not covered by the patterns specified here, the user's personal configuration will apply.
For detailed information on valid URL patterns, please see ../assets/img/73f52eed4a_url-patterns.
See ../assets/img/0d97404c70_file for Local Network Access restrictions.


macOS, Windows


LocalNetworkAccessBlockedForUrls


List of URL patterns. Requests initiated from websites served by matching origins are blocked from issuing Local Network Access requests.
If an origin is covered by both this policy and by LocalNetworkAccessAllowedForUrls, this policy takes precedence.
Depending on the stage of the rollout of Local Network Access, LocalNetworkAccessRestrictionsEnabled may also need to be enabled for this policy to block Local Network Access requests.
For origins not covered by the patterns specified here, the user's personal configuration will apply.
For detailed information on valid URL patterns, please see ../assets/img/73f52eed4a_url-patterns.
See ../assets/img/0d97404c70_file for Local Network Access restrictions.


macOS, Windows


LocalNetworkAccessRestrictionsEnabled


When this policy is set to Enabled, any time when a warning is supposed to be
displayed in Comet DevTools due to Local Network Access checks failing, the
main request will be blocked instead.
When this policy is set to Disabled or unset, Local Network Access requests will use the
default handling of these requests.
See ../assets/img/0d97404c70_file for Local Network Access restrictions.


macOS, Windows


LocalNetworkAccessRestrictionsTemporaryOptOut


When this policy is set to Enabled, Local Network Access
requests will only display warnings in Chrome DevTools due to Local Network Access checks failing.
When this policy is set to Disabled or unset, Local Network Access requests will use the
default handling of these requests.
See ../assets/img/0d97404c70_file for Local Network Access restrictions.
This enterprise policy is temporary, and will be removed after M146.
Long term, the policy LocalNetworkAccessAllowedForUrls
can be used to allowlist URL patterns that should be automatically granted
the Local Network Access permission.
Note that if the policy LocalNetworkAccessRestrictionsEnabled
is enabled, it will take precedence over this policy.


macOS, Windows


AbusiveExperienceInterventionEnforce


If SafeBrowsingEnabled is not Disabled, then setting AbusiveExperienceInterventionEnforce to Enabled or leaving it unset prevents sites with abusive experiences from opening new windows or tabs.
Setting SafeBrowsingEnabled to Disabled or AbusiveExperienceInterventionEnforce to Disabled lets sites with abusive experiences open new windows or tabs.


macOS, Windows


AccessibilityImageLabelsEnabled


The Get Image Descriptions from Google
accessibility feature enables visually-impaired screen reader users to
get descriptions of unlabeled images on the web. Users who choose to enable it
will have the option of using an anonymous Google service to provide
automatic descriptions for unlabeled images they encounter on the web.
If this feature is enabled, the content of images will be sent to Google
servers in order to generate a description. No cookies or other user
data is sent, and Google does not save or log any image content.
If this policy is set to Enabled, the
Get Image Descriptions from Google
feature will be enabled, though it will only affect users who are using a
screen reader or other similar assistive technology.
If this policy is set to Disabled, users will not have the option of enabling
the feature.
If this policy is not set, users can choose whether to use this feature.


macOS, Windows


AdHocCodeSigningForPWAsEnabled


Setting the policy to Enabled or leaving it unset enables the use of ad-hoc signatures for the native application that is created when installing a Progressive Web Application (PWA). This ensures that each installed application has a unique identity to macOS system components.
Setting the policy to Disabled will result in every native application created when installing Progressive Web Applications having the same identity. This can interfere with macOS functionality.
Only turn off the policy if you are using an endpoint security solution that blocks applications with an ad-hoc signature.


macOS


AdditionalDnsQueryTypesEnabled


This policy controls whether Comet may query additional DNS record types when making insecure DNS requests. This policy has no effect on DNS queries made via Secure DNS, which may always query additional DNS types.
If this policy is unset or set to Enabled, additional types such as HTTPS (DNS type 65) may be queried in addition to A (DNS type 1) and AAAA (DNS type 28).
If this policy is set to Disabled, DNS will only be queried for A (DNS type 1) and/or AAAA (DNS type 28).
This policy is a temporary measure and will be removed in future versions of Comet. After removal of the policy, Comet will always be able to query additional DNS types.


macOS, Windows


AdsSettingForIntrusiveAdsSites


Unless SafeBrowsingEnabled is set to False, setting AdsSettingForIntrusiveAdsSites to 1 or leaving it unset allows ads on all sites.
Setting the policy to 2 blocks ads on sites with intrusive ads.


macOS, Windows


AllowBackForwardCacheForCacheControlNoStorePageEnabled


This policy controls if a page with Cache-Control: no-store header can be stored in back/forward cache. The website setting this header may not expect the page to be restored from back/forward cache since some sensitive information could still be displayed after the restoration even if it is no longer accessible.
If the policy is enabled or unset, the page with Cache-Control: no-store header might be restored from back/forward cache unless the cache eviction is triggered (e.g. when there is HTTP-only cookie change to the site).
If the policy is disabled, the page with Cache-Control: no-store header will not be stored in back/forward cache.


macOS, Windows


AllowDeletingBrowserHistory


Setting the policy to Enabled or leaving it unset means browser history and download history can be deleted in Comet, and users can't change this setting.
Setting the policy to Disabled means browser history and download history can't be deleted. Even with this policy off, the browsing and download history are not guaranteed to be retained. Users may be able to edit or delete the history database files directly, and the browser itself may expire or archive any or all history items at any time.


macOS, Windows


AllowDinosaurEasterEgg


Setting the policy to True allows users to play the dinosaur game. Setting the policy to False means users can't play the dinosaur easter egg game when the device is offline.
Leaving the policy unset means users can't play the game on enrolled CometOS, but can under other circumstances.


macOS, Windows


AllowFileSelectionDialogs


Setting the policy to Enabled or leaving it unset means Comet can display, and users can open, file selection dialogs.
Setting the policy to Disabled means that whenever users perform actions provoking a file selection dialog, such as importing bookmarks, uploading files, and saving links, a message appears instead. The user is assumed to have clicked Cancel on the file selection dialog.


macOS, Windows


AllowSystemNotifications


Configures whether Comet on Linux will use system notifications.
If set to True or not set, Comet is allowed to use system notifications.
If set to False, Comet will not use system notifications. Comet's Message Center will be used as a fallback.


unknown


AllowWebAuthnWithBrokenTlsCerts


If set to Enabled, Comet will
allow Web Authentication requests on websites that have TLS certificates with
errors (i.e. websites considered not secure).
If the policy is set to Disabled or left unset, the default behavior of
blocking such requests will apply.


macOS, Windows


AllowedDomainsForApps


Setting the policy turns on Comet’s restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn't belong to one of the explicitly allowed domains.
Leaving this setting empty or unset means users can access Google Workspace with any account.
Users cannot change or override this setting.
Note: This policy causes the X-GoogApps-Allowed-Domains header to be appended to all HTTP and HTTPS requests to all google.com domains, as described in ../assets/img/d887351d11_1668854.


macOS, Windows


AlternateErrorPagesEnabled


Setting the policy to True means Comet uses alternate error pages built into Comet (such as "page not found"). Setting the policy to False means Comet never uses alternate error pages.
If you set the policy, users can't change it. If not set, the policy is on, but users can change this setting.


macOS, Windows


AlwaysOpenPdfExternally


Setting the policy to Enabled turns the internal PDF viewer off in Comet, treats PDF files as a download, and lets users open PDFs with the default application.
Setting the policy to Disabled means that unless users turn off the PDF plugin, it will open PDF files.
If you set the policy, users can't change it in Comet. If not set, users can choose whether to open PDF externally or not.


macOS, Windows


AmbientAuthenticationInPrivateModesEnabled


Configuring this policy will allow/disallow ambient authentication for Incognito and Guest profiles in Comet.
Ambient authentication is HTTP authentication with default credentials if explicit credentials are not provided via NTLM/Kerberos/Negotiate challenge/response schemes.
Setting the policy to RegularOnly (value 0) allows ambient authentication for Regular sessions only. Incognito and Guest sessions wouldn't be allowed to ambiently authenticate.
Setting the policy to IncognitoAndRegular (value 1) allows ambient authentication for Incognito and Regular sessions. Guest sessions wouldn't be allowed to ambiently authenticate.
Setting the policy to GuestAndRegular (value 2) allows ambient authentication for Guest and Regular sessions. Incognito sessions wouldn't be allowed to ambiently authenticate.
Setting the policy to All (value 3) allows ambient authentication for all sessions.
Note that ambient authentication is always allowed on regular profiles.
In Comet version 81 and later, if the policy is left not set, ambient authentication will be enabled in regular sessions only.


macOS, Windows


ApplicationBoundEncryptionEnabled


Setting the policy to Enabled or leaving it unset binds encryption keys used for local data storage to Comet whenever that is possible.
Setting the policy to Disabled has a detrimental effect on Comet's security as unknown and potentially hostile apps can retrieve encryption keys used to secure data.
Only turn off the policy if there are compatibility issues, such as other applications that need legitimate access to Comet's data, encrypted user data is expected to be fully portable between different computers or the integrity and location of Comet's executable files is not consistent.


Windows


ApplicationLocaleValue


Setting the policy specifies the locale Comet uses.
Turning it off or leaving it unset means the locale will be the first valid locale from:
1) The user specified locale (if configured).
2) The system locale.
3) The fallback locale (en-US).


Windows


AudioCaptureAllowed


Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the AudioCaptureAllowedUrls list, users get prompted for audio capture access.
Setting the policy to Disabled turns off prompts, and audio capture is only available to URLs set in the AudioCaptureAllowedUrls list.
Note: The policy affects all audio input (not just the built-in microphone).


macOS, Windows


AudioCaptureAllowedUrls


Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to audio capture devices without a prompt.
For detailed information on valid URL patterns, please see ../assets/img/73f52eed4a_url-patterns. Note, however, that the pattern "*", which matches any URL, is not supported by this policy.


macOS, Windows


AudioProcessHighPriorityEnabled


This policy controls the priority of the audio process on Windows.
If this policy is enabled, the audio process will run with above normal priority.
If this policy is disabled, the audio process will run with normal priority.
If this policy is not set, the default configuration for the audio process will be used.
This policy is intended as a temporary measure to give enterprises the ability to run audio with higher priority to address certain performance issues with audio capture.
This policy will be removed in the future.


Windows


AudioSandboxEnabled


This policy controls the audio process sandbox.
If this policy is enabled, the audio process will run sandboxed.
If this policy is disabled, the audio process will run unsandboxed and the WebRTC audio-processing module will run in the renderer process.
This leaves users open to security risks related to running the audio subsystem unsandboxed.
If this policy is not set, the default configuration for the audio sandbox will be used, which may differ per platform.
This policy is intended to give enterprises flexibility to disable the audio sandbox if they use security software setups that interfere with the sandbox.


macOS, Windows


AutoLaunchProtocolsFromOrigins


Allows you to set a list of protocols, and for each protocol an associated list of allowed origin patterns, that can launch an external application without prompting the user. The trailing separator should not be included when listing the protocol, so list "skype" instead of "skype:" or "skype://".
If this policy is set, a protocol will only be permitted to launch an external application without prompting by policy if the protocol is listed, and the origin of the site trying to launch the protocol matches one of the origin patterns in that protocol's allowed_origins list. If either condition is false the external protocol launch prompt will not be omitted by policy.
If this policy is not set, no protocols can launch without a prompt by default. Users may opt out of prompts on a per-protocol/per-site basis unless the ExternalProtocolDialogShowAlwaysOpenCheckbox policy is set to Disabled. This policy has no impact on per-protocol/per-site prompt exemptions set by users.
The origin matching patterns use a similar format to those for the 'URLBlocklist' policy, which are documented at ../assets/img/77c47bc40c_a.
However, origin matching patterns for this policy cannot contain "/path" or "@query" elements. Any pattern that does contain a "/path" or "@query" element will be ignored.


macOS, Windows
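
The rules above for AutoLaunchProtocolsFromOrigins (no trailing separator on the protocol, no "/path" or "@query" in origin patterns) can be checked before a policy is pushed through MDM. The linter below is an added example, not code from Comet or Perplexity; it assumes the policy value is a JSON list of entries with `protocol` and `allowed_origins` keys, and the sample hostnames and the `helpdesk` protocol are constructed.

```python
def ignored_reason(pattern):
    """Return the element that makes the policy ignore this origin pattern, or None."""
    rest = pattern.split("://", 1)[-1]      # drop an optional scheme prefix
    if "@" in rest:
        return "@query"
    if "/" in rest:                         # conservative: a bare trailing "/" is flagged too
        return "/path"
    return None


def lint_policy(policy):
    """Return (entry_index, code, detail) findings for an AutoLaunchProtocolsFromOrigins value."""
    findings = []
    for index, entry in enumerate(policy):
        protocol = entry.get("protocol", "")
        if not protocol:
            findings.append((index, "missing-protocol", ""))
        elif protocol.endswith((":", "://")):
            # The page asks for "skype", not "skype:" or "skype://".
            findings.append((index, "protocol-separator", protocol.rstrip(":/")))

        usable = []
        for pattern in entry.get("allowed_origins", []):
            reason = ignored_reason(pattern)
            if reason:
                findings.append((index, "pattern-ignored", f"{pattern} ({reason})"))
            else:
                usable.append(pattern)

        # Both conditions must hold for the prompt to be skipped, so an entry
        # whose patterns are all ignored never suppresses the prompt.
        if not usable:
            findings.append((index, "no-usable-origin", protocol))
    return findings


# Constructed sample policy value (hostnames and protocols are illustrative).
SAMPLE_POLICY = [
    {"protocol": "skype", "allowed_origins": ["https://intranet.example.com"]},
    {"protocol": "tel:", "allowed_origins": ["example.org"]},
    {"protocol": "helpdesk", "allowed_origins": [
        "https://tools.example.com/launch",
        "portal.example.com@ticket=1",
    ]},
]

if __name__ == "__main__":
    for index, code, detail in lint_policy(SAMPLE_POLICY):
        print(f"entry {index}: {code}: {detail}")
```

An entry that ends up with `no-usable-origin` is worth reviewing rather than deleting: the administrator probably meant to allow the origin and should strip the path or query from the pattern.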


AutoOpenAllowedForURLs


List of URLs specifying which URLs AutoOpenFileTypes will apply to. This policy has no impact on automatically open values set by users.
If this policy is set, files will only automatically open by policy if the url is part of this set and the file type is listed in AutoOpenFileTypes. If either condition is false the download won't automatically open by policy.
If this policy isn't set, all downloads where the file type is in AutoOpenFileTypes will automatically open.
A URL pattern has to be formatted according to ../assets/img/77c47bc40c_a.


macOS, Windows


AutoOpenFileTypes


List of file types that should be automatically opened on download. The leading separator should not be included when listing the file type, so list "txt" instead of ".txt".
Files with types that should be automatically opened will still be subject to the enabled safe browsing checks and won't be opened if they fail those checks.
If this policy isn't set, only file types that a user has already specified to automatically be opened will do so when downloaded.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.


macOS, Windows


AutofillAddressEnabled


Setting the policy to True or leaving it unset gives users control of Autofill for addresses in the UI.
Setting the policy to False means Autofill never suggests or fills address information, nor does it save additional address information that users submit while browsing the web.


macOS, Windows


AutofillCreditCardEnabled


Setting the policy to True or leaving it unset means users can control autofill suggestions for credit cards in the UI.
Setting the policy to False means autofill never suggests or fills credit card information, nor will it save additional credit card information that users might submit while browsing the web.


macOS, Windows


AutoplayAllowed


Setting the policy to True lets Comet autoplay media. Setting the policy to False stops Comet from autoplaying media.
If this policy is left unset, Comet doesn't autoplay media. But, for certain URL patterns, you can use the AutoplayAllowlist policy to change this setting.
If this policy changes while Comet is running, it only applies to newly opened tabs.


macOS, Windows


AutoplayAllowlist


Setting the policy lets videos play automatically (without user consent) with audio content in Comet. If AutoplayAllowed policy is set to True, then this policy has no effect. If AutoplayAllowed is set to False, then any URL patterns set in this policy can still play. If this policy changes while Comet is running, it only applies to newly opened tabs.
For detailed information on valid URL patterns, please see ../assets/img/73f52eed4a_url-patterns.


macOS, Windows


BackgroundModeEnabled


Setting the policy to Enabled turns background mode on. In background mode, a Comet process is started on OS sign-in and keeps running when the last browser window is closed, allowing background apps and the browsing session to remain active. The background process displays an icon in the system tray and can always be closed from there.
Setting the policy to Disabled turns background mode off.
If you set the policy, users can't change it in the browser settings. If unset, background mode is off at first, but users can change it.


Windows


BatterySaverModeAvailability


This policy enables or disables the Battery Saver Mode setting.
On Comet, this setting makes it so that frame rate is throttled to lower power consumption. If this policy is unset, the end user can control this setting in chrome://settings/performance.
On ChromeOS, this setting makes it so that frame rate and CPU frequency are throttled, backlights are dimmed, and Android is put in Battery Saver Mode. On devices with multiple CPUs, some CPUs will be turned off.
The different levels are:
Disabled (0): Battery Saver Mode will be disabled.
EnabledBelowThreshold (1): Battery Saver Mode will be enabled when the device is on battery power and battery level is low.
EnabledOnBattery (2): This value is deprecated as of M121. From M121 onwards, values will be treated as EnabledBelowThreshold.


macOS, Windows


BlockThirdPartyCookies


Setting the policy to Enabled prevents webpage elements that aren't from the domain that's in the browser's address bar from setting cookies. Setting the policy to Disabled lets those elements set cookies and prevents users from changing this setting.
Leaving it unset allows third-party cookies, but users can change this setting.
Note: This policy doesn't apply in Incognito mode, where third-party cookies are blocked and can only be allowed at the site level. To allow cookies at the site level, use the CookiesAllowedForUrls policy.


macOS, Windows


BookmarkBarEnabled


Setting the policy to True displays a bookmark bar in Comet. Setting the policy to False means users never see the bookmark bar.
If you set the policy, users can't change it. If not set, users decide whether to use this function.


macOS, Windows


BrowserAddPersonEnabled


If this policy is set to true or not configured, Comet and Lacros will allow adding a new person from the user manager.
If this policy is set to false, Comet and Lacros will not allow adding a new person from the user manager.


macOS, Windows


BrowserGuestModeEnabled


If this policy is set to Enabled or not configured, Comet will enable guest logins. Guest logins are Comet profiles where all windows are in incognito mode.
If this policy is set to Disabled, Comet will not allow guest profiles to be started.


macOS, Windows


BrowserGuestModeEnforced


Setting the policy to Enabled means Comet enforces guest sessions and prevents profile sign-ins. Guest sign-ins are Comet profiles where windows are in Incognito mode.
Setting the policy to Disabled, leaving it unset, or disabling browser Guest mode (through BrowserGuestModeEnabled) allows the use of new and existing profiles.


macOS, Windows


BrowserLabsEnabled


Setting the policy to Enabled or leaving the policy unset means that users can access browser experimental features through an icon in the toolbar.
Setting the policy to Disabled removes the browser experimental features icon from the toolbar.
chrome://flags and any other means of turning off and on browser features will still behave as expected regardless of whether this policy is Enabled or Disabled.


macOS, Windows


BrowserLegacyExtensionPointsBlocked


Setting the policy to Enabled or leaving it unset will permit Comet to apply the additional extension point security mitigation to block legacy extension points in the Browser process.
Setting the policy to Disabled has a detrimental effect on Comet's security and stability as unknown and potentially hostile code can load inside Comet's browser process. Only turn off the policy if there are compatibility issues with third-party software that must run inside Comet's browser process.
Note: Read more about Process mitigation policies ( ../assets/img/a73b2c3fc2_sandbox.md ).


Windows


BrowserNetworkTimeQueriesEnabled


Setting the policy to Enabled or leaving it unset means Comet sends occasional queries to a Google server to retrieve an accurate timestamp.
Setting the policy to Disabled stops Comet from sending these queries.


macOS, Windows


BrowserSignin


This policy controls the sign-in behavior of the browser. It allows you to specify if the user can sign in to Comet with their account and use account related services like Comet Sync.
If the policy is set to "Disable browser sign-in" then the user cannot sign in to the browser and use account-based services. In this case browser-level features like Comet Sync cannot be used and will be unavailable. On iOS, if the user was signed in and the policy is set to "Disabled" they will be signed out immediately. On other platforms, they will be signed out the next time they run Comet. On all platforms, their local profile data like bookmarks, passwords etc. will be preserved and still usable. The user will still be able to sign into and use Google web services like Gmail.
If the policy is set to "Enable browser sign-in," then the user is allowed to sign in to the browser. On all platforms except iOS, the user is automatically signed in to the browser when signed in to Google web services like Gmail. Being signed in to the browser means the user's account information will be kept by the browser. However, it does not mean that Comet Sync will be turned on by default; the user must separately opt-in to use this feature. Enabling this policy will prevent the user from turning off the setting that allows browser sign-in. To control the availability of Comet Sync, use the SyncDisabled policy.
If the policy is set to "Force browser sign-in" the user is presented with an account selection dialog and has to choose and sign in to an account to use the browser. This ensures that for managed accounts the policies associated with the account are applied and enforced. The default value of BrowserGuestModeEnabled will be set to disabled. Note that existing unsigned profiles will be locked and inaccessible after enabling this policy. For more information, see help center article: ../assets/img/218d7e17d4_7572556 . This option is not supported on Linux nor Android, where it will fall back to "Enable browser sign-in" if used.
If this policy is not set then the user can decide if they want to enable browser sign-in in the Comet settings and use it as they see fit.


macOS, Windows


BrowserThemeColor


This policy allows admins to configure the color of Comet's theme. The input string should be a valid hex color string matching the format "#RRGGBB".
Setting the policy to a valid hex color causes a theme based on that color to be automatically generated and applied to the browser. Users won't be able to change the theme set by the policy.
Leaving the policy unset lets users change their browser's theme as preferred.


macOS, Windows


BrowsingDataLifetime


Configures browsing data lifetime settings for Comet. This policy allows admins to configure (per data-type) when data is deleted by the browser. This is useful for customers that work with sensitive customer data.
Warning: Setting this policy can impact and permanently remove local personal data. It is recommended to test your settings before deploying to prevent accidental deletion of personal data.
The available data types are 'browsing_history', 'download_history', 'cookies_and_other_site_data', 'cached_images_and_files', 'password_signin', 'autofill', 'site_settings' and 'hosted_app_data'. 'download_history' and 'hosted_app_data' are not supported on Android.
The browser will automatically remove data of selected types that is older than 'time_to_live_in_hours'. The minimum value that can be set is 1 hour.
The deletion of expired data will happen 15 seconds after the browser starts then every 30 minutes while the browser is running.
The user will stay signed into their Google account when deleting cookies.
Until Chrome 114, this policy required the SyncDisabled policy to be set to true. Starting Chrome 115, setting this policy will disable sync for the respective data types if neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor BrowserSignin is disabled.


macOS, Windows


BuiltInAIAPIsEnabled


This policy controls if a page can use the built-in AI APIs (such as LanguageModel API, Summarization API, Writer API, and Rewriter API).
If the policy is enabled or unset, the APIs are enabled to be used.
If the policy is disabled, attempting to use the APIs will result in an error.


macOS, Windows


BuiltInDnsClientEnabled


This policy controls which software stack is used to communicate with the DNS server: the Operating System DNS client, or Comet's built-in DNS client. This policy does not affect which DNS servers are used: if, for example, the operating system is configured to use an enterprise DNS server, that same server would be used by the built-in DNS client. It also does not control if DNS-over-HTTPS is used; Comet will always use the built-in resolver for DNS-over-HTTPS requests. Please see the DnsOverHttpsMode policy for information on controlling DNS-over-HTTPS.
If this policy is set to Enabled or is left unset, the built-in DNS client will be used.
If this policy is set to Disabled, the built-in DNS client will only be used when DNS-over-HTTPS is in use.


macOS, Windows


CORSNonWildcardRequestHeadersSupport


Configures support of CORS non-wildcard request headers.
Comet version 97 introduces support for CORS non-wildcard request headers. When scripts make a cross-origin network request via fetch() and XMLHttpRequest with a script-added Authorization header, the header must be explicitly allowed by the Access-Control-Allow-Headers header in the CORS preflight response. "Explicitly" here means that the wild card symbol "*" doesn't cover the Authorization header. See ../assets/img/dc16146c91_5742041264816128 for more detail.
If this policy is not set, or set to True, Comet will support the CORS non-wildcard request headers and behave as described above.
When this policy is set to False, chrome will allow the wildcard symbol ("*") in the Access-Control-Allow-Headers header in the CORS preflight response to cover the Authorization header.
This Enterprise policy is temporary; it's intended to be removed in the future.


macOS, Windows
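
Before this temporary policy goes away, it helps to know which internal endpoints only pass preflight because "*" is being allowed to cover Authorization. The check below is an added example, not code from Comet or Perplexity: it models the rule described above for requests sent without credentials, taking the preflight's Access-Control-Request-Headers value and the server's Access-Control-Allow-Headers value; the endpoint URLs and header values are constructed.

```python
# The header the policy text singles out as not covered by "*".
NON_WILDCARD_NAMES = {"authorization"}


def header_names(value):
    """Split a comma-separated header-name list into lower-cased names."""
    return [name.strip().lower() for name in value.split(",") if name.strip()]


def uncovered(requested, allowed, non_wildcard_support=True):
    """Return requested header names the preflight response does not allow.

    non_wildcard_support=True  -> default behavior (policy unset or True)
    non_wildcard_support=False -> policy set to False, "*" also covers Authorization
    """
    allowed_names = set(header_names(allowed))
    wildcard = "*" in allowed_names
    missing = []
    for name in header_names(requested):
        if name in allowed_names:
            continue                      # explicitly listed, always fine
        if wildcard and not (non_wildcard_support and name in NON_WILDCARD_NAMES):
            continue                      # covered by "*"
        missing.append(name)
    return missing


def classify(requested, allowed):
    """'ok', 'wildcard-only' (works only with the policy set to False), or 'blocked'."""
    if not uncovered(requested, allowed, non_wildcard_support=True):
        return "ok"
    if not uncovered(requested, allowed, non_wildcard_support=False):
        return "wildcard-only"
    return "blocked"


# Constructed observations: (endpoint, Access-Control-Request-Headers,
# Access-Control-Allow-Headers returned by the server).
SAMPLE_PREFLIGHTS = [
    ("https://api.example.com/v1", "authorization, content-type", "*"),
    ("https://files.example.com/upload", "authorization", "Authorization, Content-Type"),
    ("https://metrics.example.com/push", "x-trace-id", "*"),
    ("https://legacy.example.com/rpc", "authorization, x-trace-id", "Content-Type"),
]


def audit(preflights):
    """Map each endpoint to its classification."""
    return {url: classify(req, allow) for url, req, allow in preflights}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_PREFLIGHTS).items():
        print(f"{verdict:14} {url}")
```

Endpoints reported as `wildcard-only` are the ones to fix on the server side by listing Authorization explicitly in Access-Control-Allow-Headers.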


CertificateTransparencyEnforcementDisabledForCas


Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of subjectPublicKeyInfo hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:
* It's of the server certificate's subjectPublicKeyInfo.
* It's of a subjectPublicKeyInfo that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.
* It's of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.
Specify a subjectPublicKeyInfo hash by linking the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Comet doesn't trust those certificates.


macOS, Windows
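
The entry format described above ("sha256", a slash, then the Base64 of SHA-256 over the DER-encoded subjectPublicKeyInfo) can be produced with the Python standard library alone. The following is an added example, not code from Comet or Perplexity; the sample certificate is a constructed, certificate-shaped DER structure with an empty issuer and subject and a dummy signature, built only to exercise the parser.

```python
import base64
import hashlib


def der(tag, value):
    """Encode one DER element (used here only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                          # short-form length
        length, start = first, pos + 2
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, start, end


def extract_spki(cert_der):
    """Return the complete DER encoding of the certificate's subjectPublicKeyInfo."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, tbs_end = read_tlv(cert_der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] version (absent in v1)
        pos = after
    for _ in range(5):                               # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, spki_end = read_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]                    # tag + length + value, as hashed


def policy_entry(cert_der):
    """Build the 'sha256/<base64>' string the policy list expects."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pem_to_der(pem_text):
    """Decode a single PEM certificate to DER."""
    body = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


# Constructed sample: Ed25519 AlgorithmIdentifier (OID 1.3.101.112) and a dummy key.
ED25519_ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))
SAMPLE_SPKI = der(0x30, ED25519_ALG + der(0x03, b"\x00" + bytes(range(32))))
SAMPLE_TBS = der(
    0x30,
    der(0xA0, der(0x02, b"\x02"))       # version v3
    + der(0x02, b"\x01")                # serialNumber
    + ED25519_ALG                       # signature algorithm
    + der(0x30, b"") * 3                # issuer, validity, subject (left empty)
    + SAMPLE_SPKI,
)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + ED25519_ALG + der(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    print(policy_entry(SAMPLE_CERT))
```

For a real certificate, pass `pem_to_der(open(path).read())` to `policy_entry` and compare the result with the value already deployed in the policy before adding or trusting an entry.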


CertificateTransparencyEnforcementDisabledForUrls


Setting the policy turns off Certificate Transparency disclosure requirements for the hostnames in the specified URLs. While making it harder to detect misissued certificates, hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed).
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Comet doesn't trust those certificates.
A URL pattern follows this format ( ../assets/img/77c47bc40c_a ). However, because the validity of certificates for a given hostname is independent of the scheme, port, or path, Comet only considers the hostname portion of the URL. Wildcard hosts aren't supported.


macOS, Windows


ChromeForTestingAllowed


Controls whether users may use Comet for Testing.
If this policy is set to Enabled or not set, users may install and run Comet for Testing.
If this policy is set to Disabled, users are not allowed to run Comet for Testing. Users will still be able to install Comet for Testing, however it will not run with the profiles where this policy is set to Disabled.


macOS, Windows


ClearBrowsingDataOnExitList


Configures a list of browsing data types that should be deleted when the user closes all browser windows.
Warning: Setting this policy can impact and permanently remove local personal data. It is recommended to test your settings before deploying to prevent accidental deletion of personal data.
The available data types are browsing history (browsing_history), download history (download_history), cookies (cookies_and_other_site_data), cache (cached_images_and_files), autofill (autofill), passwords (password_signin), site settings (site_settings) and hosted apps data (hosted_app_data). This policy does not take precedence over AllowDeletingBrowserHistory.
The user will stay signed into their Google account when deleting cookies.
Until Chrome 114, this policy required the SyncDisabled policy to be set to true. Starting Chrome 115, setting this policy will disable sync for the respective data types if neither `Chrome Sync` is disabled by setting the SyncDisabled policy nor BrowserSignin is disabled.
If for some reason the data deletion has started and did not complete, the browsing data will be cleared the next time the profile is loaded.
If Comet does not exit cleanly (for example, if the browser or the OS crashes), the browsing data will not be cleared since the browser closing was not a result of the user closing all the browser windows.


macOS, Windows


ClickToCallEnabled

Enable the Click to Call feature which allows users to send phone numbers from Chrome Desktops to an Android device when the user is Signed-in. For more information, see help center article: ../assets/img/626f094943_9430554.
If this policy is set to enabled, the capability of sending phone numbers to Android devices will be enabled for the Chrome user.
If this policy is set to disabled, the capability of sending phone numbers to Android devices will be disabled for the Chrome user.
If you set this policy, users cannot change or override it.
If this policy is left unset, the Click to Call feature is enabled by default.


macOS, Windows


CoalesceH2ConnectionsWithClientCertificatesForHosts

This policy allows HTTP/2 connection coalescing when client certificates are in use. In order to coalesce, both the hostname of the potential new connection and the hostname of an existing connection must match one or more patterns described by this policy. The policy is a list of hosts using the URLBlocklist filter format: "example.com" matches "example.com" and all subdomains (e.g. "sub.example.com"), while ".example.net" matches exactly "example.net".
Coalescing requests to different hosts over connections that use client certificates can create security and privacy issues, as the ambient authority will be conveyed to all requests, even if the user did not explicitly authorize this. This policy is temporary and will be removed in a future release. See ../assets/img/534567f279_855690.
If this policy is left unset, then the default behavior of not allowing any HTTP/2 connection coalescing on connections using client certificates will be used.


macOS, Windows


CommandLineFlagSecurityWarningsEnabled


Setting the policy to Enabled or leaving it unset means security warnings appear when potentially dangerous command-line flags are used to launch Comet.
Setting the policy to Disabled prevents security warnings from appearing when Comet is launched with potentially dangerous command-line flags.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


ComponentUpdatesEnabled


Enables component updates for all components in Comet when not set or set to enabled.
If set to disabled, updates to components are disabled. However, some components are exempt from this policy: updates to any component that does not contain executable code and is critical for the security of the browser will not be disabled.
Examples of such components include the certificate revocation lists and subresource filters.


macOS, Windows


CreatePasskeysInICloudKeychain


Comet may direct passkey/WebAuthn creation requests directly to iCloud Keychain on macOS 13.5 or later. If iCloud Keychain syncing has not been enabled yet, this will prompt the user to sign in with iCloud, or may prompt them to enable iCloud Keychain syncing.
If this policy is set to false, iCloud Keychain will not be used by default and the previous behavior (of creating the credential in the Comet profile) may be used instead. Users will still be able to select iCloud Keychain as an option, and may still see iCloud Keychain credentials when signing in.
If this policy is set to "true" then iCloud Keychain will be the default whenever the WebAuthn request is compatible with that choice.
If this policy is not set then the default depends on factors such as whether iCloud Drive is enabled, and whether the user has recently used or created a credential in their Comet profile.


macOS


DNSInterceptionChecksEnabled


This policy configures a local switch that can be used to disable DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
This detection may not be necessary in an enterprise environment where the network configuration is known, since it causes some amount of DNS and HTTP traffic on start-up and each DNS configuration change.
When this policy is not set, or is enabled, the DNS interception checks are performed. When explicitly disabled, they're not.


macOS, Windows


DefaultBrowserSettingEnabled


Setting the policy to True has Comet always check whether it's the default browser on startup and, if possible, automatically register itself. Setting the policy to False stops Comet from ever checking if it's the default and turns user controls off for this option.
Leaving the policy unset means Comet lets users control whether it's the default and, if not, whether user notifications should appear.
Note: For Microsoft® Windows® administrators, turning this setting on only works for machines running Windows 7. For later versions, you must deploy a "default application associations" file that makes Comet the handler for the https and http protocols (and, optionally, the ftp protocol and other file formats). See Chrome Help ( ../assets/img/b28b425fef_chrome ).


macOS, Windows


DefaultDownloadDirectory


Setting the policy changes the default directory that Comet downloads files to, but users can change the directory.
Leaving the policy unset means Chrome uses its platform-specific default directory.
This policy has no effect if the policy DownloadDirectory is set.
Note: See a list of variables you can use ( ../assets/img/655ea49ef5_user-data-directory-variables ).


macOS, Windows


DefaultSearchProviderContextMenuAccessAllowed


Enables the use of a default search provider on the context menu.
If you set this policy to disabled the search context menu item that relies on your default search provider will not be available.
If this policy is set to enabled or not set, the context menu item for your default search provider will be available.
The policy value is only applied when the DefaultSearchProviderEnabled policy is enabled, and is not applicable otherwise.


macOS, Windows


DesktopSharingHubEnabled


Setting the policy to True or leaving it unset lets users share or save the current webpage using actions provided by the desktop sharing hub. The sharing hub is accessed through either an omnibox icon or the 3-dot menu.
Setting the policy to False removes the sharing icon from the omnibox and the entry from the 3-dot menu.


macOS, Windows


DeveloperToolsAvailability


Setting the policy to 0 (the default) means you can access the developer tools and the JavaScript console, but not in the context of extensions installed by enterprise policy or, since version 114 and if this is a managed user, extensions built into the browser. Setting the policy to 1 means you can access the developer tools and the JavaScript console in all contexts, including that of extensions installed by enterprise policy. Setting the policy to 2 means you can't access developer tools, and you can't inspect website elements.
This setting also turns off keyboard shortcuts and menu or context menu entries to open developer tools or the JavaScript console.
As of Comet version 99, this setting also controls entry points for the 'View page source' feature. If you set this policy to 'DeveloperToolsDisallowed' (value 2), users cannot access source viewing via keyboard shortcut or the context menu. To fully block source viewing, you must also add 'view-source:*' to the URLBlocklist policy.
As of Comet version 119, this setting also controls whether developer mode for Isolated Web Apps can be activated and used.
As of Comet version 128, this setting will not control developer mode on extensions page if ExtensionDeveloperModeSettings policy is set.
If you want to restrict Developer Tools access based on the page URL, use the DeveloperToolsAvailabilityBlocklist and DeveloperToolsAvailabilityAllowlist policies.


macOS, Windows


Disable3DAPIs


Setting the policy to True (or setting HardwareAccelerationModeEnabled to False) prevents webpages from accessing the WebGL API.
Setting the policy to False or leaving it unset lets webpages use the WebGL API, but the browser's default settings might still require command line arguments to use these APIs.


macOS, Windows


DisableScreenshots


Setting the policy to Enabled disallows screenshots taken with keyboard shortcuts
or extension APIs. Setting the policy to Disabled or not set allows screenshots.
Note that on Microsoft® Windows®, macOS and Linux,
this does not prevent screenshots that are taken with operating system or third party applications.


macOS, Windows


DiskCacheDir


Setting the policy has Comet use the directory you provide for storing cached files on the disk—whether or not users specify the --disk-cache-dir flag.
If not set, Comet uses the default cache directory, but users can change that setting with the --disk-cache-dir command line flag.
Comet manages the contents of a volume's root directory. So to avoid data loss or other errors, do not set this policy to the root directory or any directory used for other purposes. See the variables you can use ( ../assets/img/655ea49ef5_user-data-directory-variables ).


macOS, Windows


DiskCacheSize


Setting the policy to None has Comet use the default cache size for storing cached files on the disk. Users can't change it.
If you set the policy, Comet uses the cache size you provide—whether or not users specify the --disk-cache-size flag. (Values below a few megabytes are rounded up.)
If not set, Comet uses the default size. Users can change that setting using the --disk-cache-size flag.
Note: The value specified in this policy is used as a hint to various cache subsystems in the browser. Therefore the actual total disk consumption of all caches will be higher but within the same order of magnitude as the value specified.


macOS, Windows


DnsOverHttpsMode


Controls the mode of the DNS-over-HTTPS resolver. Please note that this
policy will only set the default mode for each query. The mode may be
overridden for special types of queries such as requests to resolve a
DNS-over-HTTPS server hostname.
The "off" mode will disable
DNS-over-HTTPS.
The "automatic" mode will send
DNS-over-HTTPS queries first if a DNS-over-HTTPS server is available and
may fallback to sending insecure queries on error.
The "secure" mode will only send
DNS-over-HTTPS queries and will fail to resolve on error.
On Android Pie and above, if DNS-over-TLS
is active, Comet will not
send insecure DNS requests.
If this policy is unset, for managed devices DNS-over-HTTPS queries will not
be sent. Otherwise, the browser may send DNS-over-HTTPS requests to a
resolver associated with the user's configured system resolver.


macOS, Windows


DnsOverHttpsTemplates


The URI template of the desired DNS-over-HTTPS resolver. To specify multiple DNS-over-HTTPS resolvers, separate the corresponding URI templates with spaces.
If the DnsOverHttpsMode is set to "secure" then this policy must be set and not empty. On CometOS only, either this policy or the DnsOverHttpsTemplatesWithIdentifiers must be set, otherwise the DNS resolution will fail.
If the DnsOverHttpsMode is set to "automatic" and this policy is set then the URI templates specified will be used; if this policy is unset then hardcoded mappings will be used to attempt to upgrade the user's current DNS resolver to a DoH resolver operated by the same provider.
If the URI template contains a dns variable, requests to the resolver will use GET; otherwise requests will use POST.
Incorrectly formatted templates will be ignored.


macOS, Windows
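
A pre-deployment check for the two DNS-over-HTTPS policies above, as an added example (not code from Comet or Chromium). The resolver URLs are constructed placeholders, and treating a non-https or brace-unbalanced template as "incorrectly formatted" is an assumption of this sketch, since the page does not define the term.

```python
import re
from urllib.parse import urlsplit

VALID_MODES = {"off", "automatic", "secure"}
EXPRESSION = re.compile(r"\{([^{}]*)\}")   # one RFC 6570 expression, e.g. {?dns}
OPERATORS = "+#./;?&"                      # RFC 6570 expression operators


def template_variables(template):
    """Return the variable names used in a URI template."""
    names = set()
    for expr in EXPRESSION.findall(template):
        if expr and expr[0] in OPERATORS:
            expr = expr[1:]
        for varspec in expr.split(","):
            # Drop the explode (*) and prefix (:N) modifiers.
            name = varspec.rstrip("*").split(":", 1)[0]
            if name:
                names.add(name)
    return names


def classify_template(template):
    """Return 'GET' or 'POST' for a usable template, None if it looks malformed."""
    bare = EXPRESSION.sub("", template)
    if "{" in bare or "}" in bare:
        return None                        # unbalanced braces
    try:
        parts = urlsplit(bare)
    except ValueError:
        return None
    # Assumption: only https templates are accepted.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Per the policy text: a dns variable means GET, otherwise POST.
    return "GET" if "dns" in template_variables(template) else "POST"


def lint_doh(policies):
    """Check DnsOverHttpsMode against DnsOverHttpsTemplates.

    Returns (findings, methods): a list of messages and a dict mapping each
    usable template to the HTTP method the resolver will be queried with.
    """
    findings, methods = [], {}
    mode = policies.get("DnsOverHttpsMode")
    raw = policies.get("DnsOverHttpsTemplates") or ""
    for template in raw.split():           # templates are space-separated
        method = classify_template(template)
        if method is None:
            findings.append(f"ignored malformed template: {template}")
        else:
            methods[template] = method

    if mode is None:
        findings.append("DnsOverHttpsMode unset: managed devices send no DoH queries")
    elif mode not in VALID_MODES:
        findings.append(f"unknown DnsOverHttpsMode value: {mode!r}")
    elif mode == "secure" and not methods:
        findings.append("secure mode requires a non-empty DnsOverHttpsTemplates")
    elif mode == "automatic":
        findings.append("automatic mode may fall back to insecure DNS on error")
        if not methods:
            findings.append("no templates: resolver upgrade relies on hardcoded mappings")
    elif mode == "off" and methods:
        findings.append("templates are set but DnsOverHttpsMode is off")
    return findings, methods


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {
        "DnsOverHttpsMode": "secure",
        "DnsOverHttpsTemplates":
            "https://dns.example.net/dns-query{?dns} https://doh.example.org/q ftp://bad",
    }
    for line in lint_doh(sample)[0]:
        print(line)
```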


DownloadDirectory


Setting the policy sets up the directory Comet uses for downloading files. It uses the provided directory, whether or not users specify one or turned on the flag to be prompted for download location every time.
This policy overrides the DefaultDownloadDirectory policy.
Leaving the policy unset means Comet uses the default download directory, and users can change it.
On CometOS it's possible to set it only to Google Drive directories.
Note: See a list of variables you can use ( ../assets/img/655ea49ef5_user-data-directory-variables ).


macOS, Windows


DownloadRestrictions


Setting the policy means users can't bypass download security decisions.
There are many types of download warnings within Comet, which roughly break down into these categories (learn more about Safe Browsing verdicts ../assets/img/6eec0bfac1_file):
* Malicious, as flagged by the Safe Browsing server
* Uncommon or unwanted, as flagged by the Safe Browsing server
* A dangerous file type (e.g. all SWF downloads and many EXE downloads)
Setting the policy blocks different subsets of these, depending on its value:
0: No special restrictions. Default.
1: Blocks malicious files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.
2: Blocks malicious files flagged by the Safe Browsing server AND Blocks uncommon or unwanted files flagged by the Safe Browsing server AND Blocks all dangerous file types. Only recommended for OUs/browsers/users that have a high tolerance for False Positives.
3: Blocks all downloads. Not recommended, except for special use cases.
4: Blocks malicious files flagged by the Safe Browsing server, does not block dangerous file types. Recommended.
Note: These restrictions apply to downloads triggered from webpage content, as well as the Download link… menu option. They don't apply to the download of the currently displayed page or to saving as PDF from the printing options. Read more about Safe Browsing ( ../assets/img/c8adcceda1_safe-browsing ).


macOS, Windows


DynamicCodeSettings


This policy controls the dynamic code settings for Comet.
Disabling dynamic code improves the security of Comet by preventing potentially hostile dynamic code and third-party code from making changes to Comet's behavior, but might cause compatibility issues with third-party software (e.g. certain printer drivers) that must run inside the browser process.
If the policy is set to 0 - Default or left unset then Comet will use the default settings.
If the policy is set to 1 - DisabledForBrowser then the Comet browser process will be prevented from creating dynamic code.
Note: Read more about process mitigation policies ( ../assets/img/a73b2c3fc2_sandbox.md ).


Windows


EditBookmarksEnabled


Setting the policy to True or leaving it unset lets users add, remove, modify, or upload bookmarks.
Setting the policy to False means users can't add, remove, modify or upload bookmarks. They can still use existing bookmarks.


macOS, Windows


EnableExperimentalPolicies


Allows Comet to load experimental policies.
WARNING: Experimental policies are unsupported and subject to change or be removed without notice in future versions of the browser!
An experimental policy may not be finished or still have known or unknown defects. It may be changed or even removed without any notification. By enabling experimental policies, you could lose browser data or compromise your security or privacy.
If a policy is not in the list and it's not officially released, its value will be ignored on Beta and Stable channel.
If a policy is in the list and it's not officially released, its value will be applied.
This policy has no effect on already released policies.


macOS, Windows


EnableOnlineRevocationChecks


Setting the policy to True means online OCSP/CRL checks are performed.
Setting the policy to False or leaving it unset means Comet won't perform online revocation checks in Comet 19 and later.
Note: OCSP/CRL checks provide no effective security benefit.


macOS, Windows


EnableUnsafeSwiftShader


A policy that controls if SwiftShader will be used as a WebGL fallback when hardware GPU acceleration is not available.
SwiftShader has been used to support WebGL on systems without GPU acceleration such as headless systems or virtual machines but has been deprecated due to security issues. Starting in M139, WebGL context creation will fail when it would have otherwise used SwiftShader. This policy allows the browser or administrator to temporarily defer the deprecation.
If the policy is set to Enabled, SwiftShader will be used as a software WebGL fallback.
If the policy is set to Disabled or not set, WebGL context creation may fail if hardware GPU acceleration is not available. Web pages may misbehave if they do not gracefully handle WebGL context creation failure.
This is a temporary policy which will be removed in the future.


macOS, Windows


EncryptedClientHelloEnabled


Encrypted ClientHello (ECH) is an extension to TLS to encrypt sensitive fields of the ClientHello and improve privacy.
If this policy is not configured, or is set to enabled, Comet will follow the default rollout process for ECH. If it is disabled, Comet will not enable ECH.
When the feature is enabled, Comet may or may not use ECH depending on server support, availability of the HTTPS DNS record, or rollout status.
ECH is an evolving protocol, so Comet's implementation is subject to change. As such, this policy is a temporary measure to control the initial experimental implementation. It will be replaced with final controls as the protocol finalizes.


macOS, Windows


EnterpriseHardwarePlatformAPIEnabled


Setting the policy to True lets extensions installed by enterprise policy use the Enterprise Hardware Platform API.
Setting the policy to False or leaving it unset prevents extensions from using this API.
Note: This policy also applies to component extensions, such as the Hangout Services extension.


macOS, Windows


EnterpriseProfileBadgeToolbarSettings


For work and school profiles, the toolbar will show a "Work" or "School" label by default next to the toolbar avatar. The label will only be shown if the signed in account is managed.
Setting this policy to hide_expanded_enterprise_toolbar_badge (value 1) will hide the enterprise badge for a managed profile in the toolbar.
Leaving this policy unset or setting it to show_expanded_enterprise_toolbar_badge (value 0) will show the enterprise badge.
The label is customizable via the EnterpriseCustomLabel policy.


macOS, Windows


EnterpriseProfileCreationKeepBrowsingData


If this policy is Enabled, the option to keep any existing browsing data when creating an enterprise profile will be checked by default.
If this policy is unset or Disabled, the option to keep any existing browsing data when creating an enterprise profile will not be checked by default.
Regardless of the value, the user will be able to decide whether or not to keep any existing browsing data when creating an enterprise profile.
This policy has no effect if the option to keep existing browsing data is not available; this happens if enterprise profile separation is strictly enforced, or if the data would be from an already managed profile.


macOS, Windows


ExemptDomainFileTypePairsFromFileTypeDownloadWarnings


You can enable this policy to create a dictionary of file type extensions with a corresponding list of domains that will be exempted from file type extension-based download warnings. This lets enterprise administrators block file type extension-based download warnings for files that are associated with a listed domain. For example, if the "jnlp" extension is associated with "website1.com", users would not see a warning when downloading "jnlp" files from "website1.com", but see a download warning when downloading "jnlp" files from "website2.com".
Files with file type extensions specified for domains identified by this policy will still be subject to non-file type extension-based security warnings such as mixed-content download warnings and Safe Browsing warnings.
If you disable this policy or don't configure it, file types that trigger extension-based download warnings will show warnings to the user.
If you enable this policy:
* The URL pattern should be formatted according to ../assets/img/73f52eed4a_url-patterns.
* The file type extension entered must be in lower-cased ASCII. The leading separator should not be included when listing the file type extension, so "jnlp" should be listed instead of ".jnlp".
Example:
The following example value would prevent file type extension-based download warnings on "exe" and "jnlp" extensions for *.example.com domains, and on "swf" extensions for all domains. It will show the user a file type extension-based download warning on any other domain for exe and jnlp files, but not for swf files.
[
{ "file_extension": "jnlp", "domains": ["example.com"] },
{ "file_extension": "exe", "domains": ["example.com"] },
{ "file_extension": "swf", "domains": ["*"] }
]
Note that while the preceding example shows the suppression of file type extension-based download warnings for "swf" files for all domains, applying suppression of such warnings for all domains for any dangerous file type extension is not recommended due to security concerns. It is shown in the example merely to demonstrate the ability to do so.
If this policy is enabled alongside DownloadRestrictions, then the exemptions to file type extension-based warnings specified by this policy take precedence over a DownloadRestrictions setting that would block dangerous file types. The exemptions specified by this policy only apply to the "block dangerous file types" behavior specified by values 1 and 2 of DownloadRestrictions.
For example, if this policy specifies an exemption for "exe" downloads from "website1.com", and DownloadRestrictions is set to block malicious downloads and dangerous file types (value 1), then "exe" downloads from "website1.com" will be exempt from file type extension-based blocking but will still be blocked if they are malicious.
More information about DownloadRestrictions can be found at ../assets/img/606bf7a0e4_file.


macOS, Windows
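
A small model of how DownloadRestrictions and ExemptDomainFileTypePairsFromFileTypeDownloadWarnings combine, written for this page as an added example (not Comet's or Chromium's code). The Safe Browsing verdict and the "dangerous file type" flag are inputs the browser would supply, and the domain matching (exact host or subdomain, "*" for all) is a simplification of the linked URL pattern format.

```python
# DownloadRestrictions values, grouped by what the page says each one blocks.
BLOCK_ALL = 3
BLOCK_MALICIOUS = {1, 2, 4}
BLOCK_UNCOMMON = {2}
BLOCK_DANGEROUS_TYPES = {1, 2}

# The example value given on this page.
EXAMPLE_EXEMPTIONS = [
    {"file_extension": "jnlp", "domains": ["example.com"]},
    {"file_extension": "exe", "domains": ["example.com"]},
    {"file_extension": "swf", "domains": ["*"]},
]


def domain_matches(pattern, host):
    """Simplified match: '*' is every host, otherwise the host or a subdomain."""
    if pattern == "*":
        return True
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def is_exempt(exemptions, host, filename):
    """True if the file's extension is exempted for this host."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return any(
        entry["file_extension"] == ext
        and any(domain_matches(d, host) for d in entry["domains"])
        for entry in exemptions
    )


def lint_exemptions(exemptions):
    """Flag entries that break the format rules or the page's recommendation."""
    findings = []
    for entry in exemptions:
        ext = entry["file_extension"]
        if ext.startswith(".") or not ext.isascii() or ext != ext.lower():
            findings.append(f"{ext!r}: use lower-case ASCII without the leading dot")
        if "*" in entry["domains"]:
            findings.append(f"{ext!r}: exempted for all domains (not recommended)")
    return findings


def decide(restrictions, exemptions, host, filename, verdict, dangerous_type):
    """Return (action, reason); action is 'block', 'warn' or 'allow'.

    verdict is 'safe', 'malicious' or 'uncommon' (the Safe Browsing result);
    dangerous_type says whether the browser classifies the file type as dangerous.
    """
    if restrictions == BLOCK_ALL:
        return "block", "all downloads blocked"
    # Exemptions never override Safe Browsing verdicts.
    if verdict == "malicious" and restrictions in BLOCK_MALICIOUS:
        return "block", "malicious"
    if verdict == "uncommon" and restrictions in BLOCK_UNCOMMON:
        return "block", "uncommon or unwanted"
    # Exemptions only remove the file-type-based decision.
    type_flagged = dangerous_type and not is_exempt(exemptions, host, filename)
    if type_flagged and restrictions in BLOCK_DANGEROUS_TYPES:
        return "block", "dangerous file type"
    if verdict != "safe":
        return "warn", "Safe Browsing warning"
    if type_flagged:
        return "warn", "file type warning"
    return "allow", "no restriction applies"


if __name__ == "__main__":
    # Constructed downloads: (host, filename, verdict, dangerous_type).
    samples = [
        ("dl.example.com", "tool.exe", "safe", True),
        ("other.test", "tool.exe", "safe", True),
        ("example.com", "tool.exe", "malicious", True),
    ]
    for sample in samples:
        print(sample, "->", decide(1, EXAMPLE_EXEMPTIONS, *sample))
    print(lint_exemptions(EXAMPLE_EXEMPTIONS))
```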


ExplicitlyAllowedNetworkPorts


There is a list of restricted ports built into Comet. Connections to these ports will fail. This setting permits bypassing that list. The value is a comma-separated list of zero or more ports that outgoing connections will be permitted on.
Ports are restricted to prevent Comet being used as a vector to exploit various network vulnerabilities. Setting this policy may expose your network to attacks. This policy is intended as a temporary workaround for errors with code "ERR_UNSAFE_PORT" while migrating a service running on a blocked port to a standard port (i.e. port 80 or 443).
Malicious websites can easily detect that this policy is set, and for what ports, and use that information to target attacks.
Each port here is labelled with a date that it can be unblocked until. After that date the port will be restricted regardless of this setting.
Leaving the value empty or unset means that all restricted ports will be blocked. If there is a mixture of valid and invalid values, the valid ones will be applied.
This policy overrides the "--explicitly-allowed-ports" command-line option.


macOS, Windows


ExternalProtocolDialogShowAlwaysOpenCheckbox


This policy controls whether or not the "Always open" checkbox is shown on external protocol launch confirmation prompts.
If this policy is set to True or not set, when an external protocol confirmation is shown, the user can select "Always allow" to skip all future confirmation prompts for the protocol on this site.
If this policy is set to False, the "Always allow" checkbox is not displayed and the user will be prompted each time an external protocol is invoked.


macOS, Windows


FetchKeepaliveDurationSecondsOnShutdown


Controls the duration (in seconds) allowed for keepalive requests on browser shutdown.
When specified, browser shutdown can be blocked up to the specified seconds,
to process keepalive (../assets/img/fd25e675c1_file) requests.
The default value (0) means this feature is disabled.


macOS, Windows


FileOrDirectoryPickerWithoutGestureAllowedForOrigins


For security reasons, the
showOpenFilePicker(),
showSaveFilePicker() and
showDirectoryPicker() web APIs
require a prior user gesture ("transient activation") to be called or will
otherwise fail.
With this policy set, admins can specify origins on which these APIs can be
called without prior user gesture.
For detailed information on valid url patterns, please see
../assets/img/73f52eed4a_url-patterns. * is
not an accepted value for this policy.
If this policy is unset, all origins will require a prior user gesture to call
these APIs.


macOS, Windows


ForceEphemeralProfiles


If set to enabled this policy forces the profile to be switched to ephemeral mode. If this policy is specified as an OS policy (e.g. GPO on Windows) it will apply to every profile on the system; if the policy is set as a Cloud policy it will apply only to a profile signed in with a managed account.
In this mode the profile data is persisted on disk only for the length of the user session. Features like browser history, extensions and their data, web data like cookies and web databases are not preserved after the browser is closed. However, this does not prevent the user from downloading any data to disk manually, saving pages or printing them.
If the user has enabled sync, all this data is preserved in their sync profile just like with regular profiles. Incognito mode is also available if not explicitly disabled by policy.
If the policy is set to disabled or left unset, signing in leads to regular profiles.


macOS, Windows


ForceGoogleSafeSearch


Setting the policy to Enabled means SafeSearch in Google Search is always active, and users can't change this setting.
Setting the policy to Disabled or leaving it unset means SafeSearch in Google Search is not enforced.


macOS, Windows


ForcePermissionPolicyUnloadDefaultEnabled


unload event handlers are being deprecated. Whether they fire depends on the unload Permissions-Policy. Currently, they are allowed by policy by default. In the future they will gradually move to being disallowed by default and sites must explicitly enable them using Permissions-Policy headers. This enterprise policy can be used to opt out of this gradual deprecation by forcing the default to remain as enabled.
Pages may depend on unload event handlers to save data or signal the end of a user session to the server. This is not recommended as it is unreliable and impacts performance by blocking use of BackForwardCache. Recommended alternatives exist, however the unload event has been used for a long time. Some applications may still rely on them.
If this policy is set to false or not set, then unload event handlers will be gradually deprecated in line with the deprecation rollout, and sites which do not set a Permissions-Policy header will stop firing `unload` events.
If this policy is set to true then unload event handlers will continue to work by default.
NOTE: This policy had an incorrectly documented default of `true` in M117. The unload event did and will not change in M117, so this policy has no effect in that version.


macOS, Windows


ForceYouTubeRestrict


Setting the policy enforces a minimum Restricted mode on YouTube and prevents users from picking a less restricted mode. If you set it to:
* Strict, Strict Restricted mode on YouTube is always active.
* Moderate, the user may only pick Moderate Restricted mode and Strict Restricted mode on YouTube, but can't turn off Restricted mode.
* Off or if no value is set, Restricted mode on YouTube isn't enforced by Comet. External policies such as YouTube policies might still enforce Restricted mode.


macOS, Windows


ForcedLanguages


This policy allows admins to configure the order of the preferred languages in Comet's settings.
The order of the list will appear in the same order under the "Order languages based on your preference" section in chrome://settings/languages. Users won't be able to remove or reorder languages set by the policy, but will be able to add languages underneath those set by the policy. Users will also have full control over the browser's UI language and translation/spell check settings, unless enforced by other policies.
Leaving the policy unset lets users manipulate the entire list of preferred languages.


macOS, Windows


FullscreenAllowed


Setting the policy to True or leaving it unset means that, with appropriate permissions, users, apps, and extensions can enter Fullscreen mode (in which only web content appears).
Setting the policy to False means users, apps, and extensions can't enter Fullscreen mode.


Windows


GloballyScopeHTTPAuthCacheEnabled


This policy configures a single global per profile cache with HTTP server authentication credentials.
If this policy is unset or disabled, the browser uses the default cross-site auth behavior, which is to scope HTTP server authentication credentials by top-level site. If two sites use resources from the same authenticating domain, credentials will need to be provided independently in the context of both sites. Cached proxy credentials will be reused across sites.
If the policy is enabled, HTTP auth credentials entered in the context of one site will automatically be used in the context of another.
Enabling this policy leaves sites open to some types of cross-site attacks, and allows users to be tracked across sites even without cookies by adding entries to the HTTP auth cache using credentials embedded in URLs.
This policy is intended to give enterprises depending on the legacy behavior a chance to update their login procedures, and will be removed in the future.


macOS, Windows


HSTSPolicyBypassList


Setting the policy specifies a list of hostnames that bypass preloaded HSTS upgrades from http to https.
Only single-label hostnames are allowed in this policy, and this policy only applies to "static" HSTS-preloaded entries (for instance, "app", "new", "search", "play"). This policy does not prevent HSTS upgrades for servers that have "dynamically" requested HSTS upgrades using a Strict-Transport-Security response header.
Supplied hostnames must be canonicalized: Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific single-label hostnames specified, not to subdomains of those names.


macOS, Windows


HardwareAccelerationModeEnabled


Setting the policy to Enabled or leaving it unset turns on graphics acceleration, if available.
Setting the policy to Disabled turns off graphics acceleration.


macOS, Windows


HeadlessMode


Setting this policy to Enabled or leaving the policy unset allows use of the headless mode. Setting this policy to Disabled denies use of the headless mode.


macOS, Windows


HideWebStoreIcon


Hide the Chrome Web Store app and footer link from the New Tab Page and CometOS app launcher.
When this policy is set to true, the icons are hidden.
When this policy is set to false or is not configured, the icons are visible.


macOS, Windows


HighEfficiencyModeEnabled


This policy enables or disables the High Efficiency Mode setting. This setting makes it so that tabs are discarded after some period of time in the background to reclaim memory.
If this policy is unset, the end user can control this setting in chrome://settings/performance.


macOS, Windows


HistoryClustersVisible


This policy controls the visibility of the Comet history page organized into groups of pages.
If the policy is set to Enabled, a Comet history page organized into groups will be visible at chrome://history/grouped.
If the policy is set to Disabled, a Comet history page organized into groups will not be visible at chrome://history/grouped.
If the policy is left unset, a Comet history page organized into groups will be visible at chrome://history/grouped by default.
Please note, if ComponentUpdatesEnabled policy is set to Disabled, but HistoryClustersVisible is set to Enabled or unset, a Comet history page organized into groups will still be available at chrome://history/grouped, but may be less relevant to the user.


macOS, Windows


HttpAllowlist


Setting the policy specifies a list of hostnames or hostname patterns (such as
'[*.]example.com') that will not be upgraded to HTTPS and will not show an
error interstitial if HTTPS-First Mode is enabled. Organizations can use this
policy to maintain access to servers that do not support HTTPS, without
needing to disable HTTPS Upgrades and/or HTTPS-First Mode.
Supplied hostnames must be canonicalized: Any IDNs must be converted to their
A-label format, and all ASCII letters must be lowercase.
Blanket host wildcards (i.e., "*" or "[*]") are not allowed. Instead,
HTTPS-First Mode and HTTPS Upgrades should be explicitly disabled via their
specific policies.
Note: This policy does not apply to HSTS upgrades.


macOS, Windows
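
A lint for HSTSPolicyBypassList and HttpAllowlist entries covering the canonicalization and wildcard rules stated for both policies, as an added example that is not part of Comet or Chromium. It uses Python's built-in IDNA (2003) codec to suggest the A-label form, the sample entries are constructed, and flagging any wildcard other than a leading [*.] is an assumption based on the only pattern form the page shows.

```python
WILDCARD_PREFIX = "[*.]"


def canonical_form(host):
    """Lower-case the host and convert IDN labels to A-labels; None if invalid."""
    try:
        canon = host.lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return canon or None


def lint_hsts_bypass(entries):
    """Check HSTSPolicyBypassList entries; returns a list of (entry, problem)."""
    findings = []
    for entry in entries:
        canon = canonical_form(entry)
        if canon is None:
            findings.append((entry, "not a valid hostname"))
        elif "." in canon:
            # The policy only accepts single-label names such as "app" or "play".
            findings.append((entry, "only single-label hostnames are allowed"))
        elif canon != entry:
            findings.append((entry, f"not canonical, use {canon!r}"))
    return findings


def lint_http_allowlist(entries):
    """Check HttpAllowlist entries; returns a list of (entry, problem)."""
    findings = []
    for entry in entries:
        if entry in ("*", "[*]"):
            findings.append((entry, "blanket wildcards are not allowed"))
            continue
        host = entry[len(WILDCARD_PREFIX):] if entry.startswith(WILDCARD_PREFIX) else entry
        if "*" in host or "[" in host:
            # Assumption: only the leading [*.] form shown on the page is valid.
            findings.append((entry, "wildcard outside a leading [*.] prefix"))
            continue
        canon = canonical_form(host)
        if canon is None:
            findings.append((entry, "not a valid hostname"))
        elif canon != host:
            prefix = entry[: len(entry) - len(host)]
            findings.append((entry, f"not canonical, use {prefix + canon!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values ("b\u00fccher" is an IDN label written with an escape).
    hsts_bypass = ["app", "Play", "intranet.corp", "b\u00fccher"]
    http_allow = ["[*.]example.com", "*", "[*]", "Legacy.Example.com"]
    for entry, problem in lint_hsts_bypass(hsts_bypass):
        print("HSTSPolicyBypassList", repr(entry), problem)
    for entry, problem in lint_http_allowlist(http_allow):
        print("HttpAllowlist", repr(entry), problem)
```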


HttpsOnlyMode


This policy controls whether users can enable HTTPS-Only Mode (Always Use Secure Connections) in Settings. HTTPS-Only Mode upgrades all navigations to HTTPS.
If this setting is not set or set to allowed, users will be allowed to enable HTTPS-Only Mode.
If this setting is set to disallowed, users will not be allowed to enable HTTPS-Only Mode.
If this setting is set to force_enabled, HTTPS-Only Mode will be enabled in Strict mode and users will not be able to disable it.
If this setting is set to force_balanced_enabled, HTTPS-Only Mode will be enabled in Balanced mode and users will not be able to disable it.
force_enabled is supported from M112 onwards, force_balanced_enabled is supported from M129 onwards.
If you set this policy to a value that is not supported by the version of Comet that receives the policy, Comet will default to the allowed setting.
The separate HttpAllowlist policy
can be used to exempt specific hostnames or hostname patterns from being
upgraded to HTTPS by this feature.


macOS, Windows


HttpsUpgradesEnabled


Comet attempts to upgrade some
navigations from HTTP to HTTPS, when possible. This policy can be used to
disable this behavior. If set to "true" or left unset, this feature will be
enabled by default.
The separate HttpAllowlist policy
can be used to exempt specific hostnames or hostname patterns from being
upgraded to HTTPS by this feature.
See also the HttpsOnlyMode policy.


macOS, Windows


ImportAutofillFormData


Setting the policy to Enabled imports autofill form data from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no autofill form data is imported on first run.
Users can trigger an import dialog and the autofill form data checkbox will be checked or unchecked to match this policy's value.


macOS, Windows


ImportBookmarks


Setting the policy to Enabled imports bookmarks from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no bookmarks are imported on first run.
Users can trigger an import dialog and the bookmarks checkbox will be checked or unchecked to match this policy's value.


macOS, Windows


ImportHistory


Setting the policy to Enabled imports browsing history from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means no browsing history is imported on first run.
Users can trigger an import dialog and the browsing history checkbox will be checked or unchecked to match this policy's value.


macOS, Windows


ImportHomepage


Setting the policy to Enabled imports the homepage from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the homepage isn't imported on first run.
Users can trigger an import dialog and the homepage checkbox will be checked or unchecked to match this policy's value.


macOS, Windows


ImportSavedPasswords


This policy controls only the first run import behavior after installation. It enables more seamless transition to Comet in environments where a different browser was extensively used prior to installing the browser. This policy does not affect password manager capabilities for Google accounts.
Setting the policy to Enabled imports saved passwords from the previous default browser on first run and manual importing from the settings page is also possible.
Setting the policy to Disabled means no saved passwords are imported on first run and manual importing from the Settings page is blocked.
Leaving the policy unset means no saved passwords are imported on first run but the user can choose to do that from the settings page.


macOS, Windows


ImportSearchEngine


Setting the policy to Enabled imports the default search engine from the previous default browser on first run. Setting the policy to Disabled or leaving it unset means the default search engine isn't imported on first run.
Users can trigger an import dialog and the default search engine checkbox will be checked or unchecked to match this policy's value.


macOS, Windows


IncognitoModeAvailability


Specifies whether the user may open pages in Incognito mode in Comet.
If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode.
If 'Disabled' is selected, pages may not be opened in Incognito mode.
If 'Forced' is selected, pages may be opened ONLY in Incognito mode. Note that 'Forced' does not work for Android-on-Chrome.
Note: On iOS, if the policy is changed during a session, it will only take effect on relaunch.


macOS, Windows


IntensiveWakeUpThrottlingEnabled


When enabled the IntensiveWakeUpThrottling feature causes JavaScript timers in background tabs to be aggressively throttled and coalesced, running no more than once per minute after a page has been backgrounded for 5 minutes or more.
This is a web standards compliant feature, but it may break functionality
on some websites by causing certain actions to be delayed by up to a
minute. However, it results in significant CPU and battery savings when
enabled. See ../assets/img/fb96a26d7d_30b1XR4 for more details.
If this policy is set to enabled then the feature will be force enabled, and
users will not be able to override this.
If this policy is set to disabled then the feature will be force disabled, and
users will not be able to override this.
If this policy is left unset then the feature will be controlled by its
own internal logic, which can be manually configured by users.
Note that the policy is applied per renderer process, with the most recent
value of the policy setting in force when a renderer process starts. A full
restart is required to ensure that all loaded tabs receive a consistent
policy setting. It is harmless for processes to be running with different
values of this policy.


macOS, Windows


IntranetRedirectBehavior


This policy configures behavior for intranet redirection via DNS interception checks. The checks attempt to discover whether the browser is behind a proxy that redirects unknown host names.
If this policy is not set, the browser will use the default behavior of DNS interception checks and intranet redirect suggestions. In M88, they are enabled by default but will be disabled by default in a future release.
DNSInterceptionChecksEnabled is a related policy that may also disable DNS interception checks; this policy is a more flexible version which may separately control intranet redirection infobars and may be expanded in the future.
If either DNSInterceptionChecksEnabled or this policy requests to disable interception checks, the checks will be disabled.


macOS, Windows


IsolateOrigins


Setting the policy means each of the named origins in a comma-separated list runs in a dedicated process. Each named origin's process will only be allowed to contain documents from that origin and its subdomains. For example, specifying https://a1.example.com/ allows https://a2.a1.example.com/ in the same process, but not https://example.com or https://b.example.com.
Since Comet 77, you can also specify a range of origins to isolate using a wildcard. For example, specifying https://[*.]corp.example.com will give every origin underneath https://corp.example.com its own dedicated process, including https://corp.example.com itself, https://a1.corp.example.com, and https://a2.a1.corp.example.com.
Note that all sites (i.e., scheme plus eTLD+1, such as https://example.com) are already isolated by default on Desktop platforms, as noted in the SitePerProcess policy. This IsolateOrigins policy is useful to isolate specific origins at a finer granularity (e.g., https://a.example.com).
Also note that origins isolated by this policy will be unable to script other origins in the same site, which is otherwise possible if two same-site documents modify their document.domain values to match. Administrators should confirm this uncommon behavior is not used on an origin before isolating it.
Setting the policy to off or leaving it unset lets users change this setting.
Note: For Android, use the IsolateOriginsAndroid policy instead.


macOS, Windows
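
The matching rules described for IsolateOrigins can be checked before rollout with a small model like the one below. This is an added example, not Comet or Chromium code; it assumes that the most specific matching entry wins and that ports are ignored, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

WILDCARD = "[*.]"

# Policy string built from the two examples in the description above.
POLICY = "https://a1.example.com/,https://[*.]corp.example.com"


def parse_isolate_origins(policy_value):
    """Split the comma-separated policy string into (scheme, host, wildcard) rules."""
    rules = []
    for raw in policy_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        scheme, sep, rest = entry.partition("://")
        if not sep:
            raise ValueError(f"entry has no scheme: {entry!r}")
        wildcard = rest.startswith(WILDCARD)
        if wildcard:
            rest = rest[len(WILDCARD):]
        host = rest.split("/", 1)[0].lower()
        if not host:
            raise ValueError(f"entry has no host: {entry!r}")
        rules.append((scheme.lower(), host, wildcard))
    return rules


def process_key(rules, url):
    """Return the origin whose dedicated process would host `url`, or None.

    None means no entry matches and default site isolation applies.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    best = None
    for rule in rules:
        r_scheme, r_host, _ = rule
        if scheme != r_scheme:
            continue  # an origin includes its scheme
        if host == r_host or host.endswith("." + r_host):
            # Assumption: the longest (most specific) matching host wins.
            if best is None or len(r_host) > len(best[1]):
                best = rule
    if best is None:
        return None
    if best[2]:
        # Wildcard entry: every origin underneath gets its own process.
        return f"{scheme}://{host}"
    # Plain entry: the origin and its subdomains share one process.
    return f"{best[0]}://{best[1]}"


def share_dedicated_process(rules, url_a, url_b):
    """True when both URLs land in the same policy-created process."""
    key_a, key_b = process_key(rules, url_a), process_key(rules, url_b)
    return key_a is not None and key_a == key_b


if __name__ == "__main__":
    rules = parse_isolate_origins(POLICY)
    for url in ("https://a2.a1.example.com/", "https://b.example.com/",
                "https://a2.a1.corp.example.com/"):
        print(url, "->", process_key(rules, url))
```

Pairs of same-site origins that no longer share a process are the ones to review for document.domain use before isolating them.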


LookalikeWarningAllowlistDomains


This policy prevents the display of lookalike URL warnings on the sites listed. These warnings are typically shown on sites that Comet believes might be trying to spoof another site the user is familiar with.
If the policy is enabled and set to one or more domains, no lookalike warnings pages will be shown when the user visits pages on that domain.
If the policy is not set, or set to an empty list, warnings may appear on any site the user visits.
A hostname can be allowed with a complete host match, or any domain match. For example, a URL like "https://foo.example.com/bar" may have warnings suppressed if this list includes either "foo.example.com" or "example.com".


macOS, Windows


ManagedAccountsSigninRestriction


Default behavior (Policy unset)
When an account is added in the content area a small dialog may appear asking the user to create a new profile. This dialog is dismissable.
ManagedAccountsSigninRestriction = 'primary_account'
If a user signs into a Google service for the first time in a Comet browser, a dialog will appear asking the user to create a new profile for their enterprise account. The user may click Cancel and get signed out, or Continue to create a new profile. Any existing browsing data will not be added to the new profile. The newly created profile is allowed to have secondary accounts, for example the user can sign into another account in the content area.
ManagedAccountsSigninRestriction = 'primary_account_strict'
This is the same behavior as 'primary_account' except the newly created profile is not allowed to have secondary accounts.
ManagedAccountsSigninRestriction = 'primary_account_keep_existing_data'
This is the same behavior as 'primary_account' except a checkbox will be added to the dialog to allow the user to keep local browsing data.
If the user checks the box, then the existing profile data becomes associated with the Managed account.
- All existing browsing data will be present in the new profile.
- This data includes bookmarks, history, password, autofill data, open tabs, cookies, cache, web storage, extensions, etc.
If the user does not check the box:
- The old profile will continue to exist, no data will be lost.
- A new profile will be created.
ManagedAccountsSigninRestriction = 'primary_account_strict_keep_existing_data'
This is the same behavior as 'primary_account_keep_existing_data' except the newly created profile is not allowed to have secondary accounts.


macOS, Windows


ManagedBookmarks


Setting the policy sets up a list of bookmarks where each one is a dictionary with the keys "name" and "url". These keys hold the bookmark's name and target. Admins can set up a subfolder by defining a bookmark without a "url" key, but with an additional "children" key. This key also has a list of bookmarks, some of which can also be folders. Comet amends incomplete URLs as if they were submitted through the address bar. For example, "google.com" becomes "../assets/img/f82438a986_file".
Users can't change the folders the bookmarks are placed in (though they can hide it from the bookmark bar). The default folder name for managed bookmarks is "Managed bookmarks" but it can be changed by adding a new sub-dictionary to the policy with a single key named "toplevel_name" with the desired folder name as its value. Managed bookmarks are not synced to the user account and extensions can't modify them.


macOS, Windows


ManagedConfigurationPerOrigin


Setting the policy defines the return value of Managed Configuration API for given origin.
Managed configuration API is a key-value configuration that can be accessed via navigator.managed.getManagedConfiguration() javascript call. This API is only available to origins which correspond to force-installed web applications via WebAppInstallForceList.


macOS, Windows


MaxConnectionsPerProxy


Setting the policy specifies the maximal number of simultaneous connections to the proxy server. Some proxy servers can't handle a high number of concurrent connections per client, which is solved by setting this policy to a lower value. The value should be lower than 100 and higher than 6. Some web apps are known to consume many connections with hanging GETs, so setting a value below 32 may lead to browser networking hangs if there are too many web apps with hanging connections open. Lower below the default at your own risk.
Leaving the policy unset means a default of 32 is used.


macOS, Windows


NTPCardsVisible


This policy controls the visibility of cards on the New Tab Page. Cards surface entry points to launch common user journeys based on the user's browsing behavior.
If the policy is set to Enabled, the New Tab Page will show cards if content is available.
If the policy is set to Disabled, the New Tab Page won't show cards.
If the policy is not set, the user can control the card visibility. The default is visible.


macOS, Windows


NTPCustomBackgroundEnabled


If the policy is set to false, the New Tab page won't allow users to customize the background. Any existing custom background will be permanently removed even if the policy is set to true later.
If the policy is set to true or unset, users can customize the background on the New Tab page.


macOS, Windows


NTPFooterExtensionAttributionEnabled


This policy determines whether an attribution to the extension modifying the New Tab Page (NTP) is displayed in the NTP's footer.
By default, if an extension has overridden the standard NTP, a message attributing this change to the specific extension will appear in the footer. This attribution typically includes a link to the relevant extension in the Chrome Web Store.
If this policy is left unset or set to true, the extension attribution will be visible on the NTP footer when an extension is controlling the NTP.
If this policy is set to false, the attribution to the extension in the NTP footer will be suppressed.


macOS, Windows


NativeHostsExecutablesLaunchDirectly


This policy controls whether native host executables launch directly on Windows.
Setting the policy to Enabled forces Comet to launch native messaging hosts implemented as executables directly.
Setting the policy to Disabled will result in Comet launching hosts using cmd.exe as an intermediary process.
Leaving the policy unset allows Comet to decide which approach to use.


Windows


NetworkPredictionOptions


This policy controls network prediction in Comet. It controls DNS prefetching, TCP and SSL preconnection, and prerendering of webpages.
If you set the policy, users can't change it. Leaving it unset turns on network prediction, but the user can change it.


macOS, Windows


NetworkServiceSandboxEnabled


This policy controls whether or not the network service process runs sandboxed.
If this policy is enabled, the network service process will run sandboxed.
If this policy is disabled, the network service process will run unsandboxed. This leaves users open to additional security risks related to running the network service unsandboxed.
If this policy is not set, the default configuration for the network sandbox will be used. This may vary depending on Comet release, currently running field trials, and platform.
This policy is intended to give enterprises flexibility to disable the network sandbox if they use third party software that interferes with the network service sandbox.


Windows


OnBulkDataEntryEnterpriseConnector


List of Chrome Enterprise Connectors services settings to be applied to the OnBulkDataEntry Enterprise Connector, which triggers when data is entered in Comet from the clipboard or by dragging and dropping web content.
The url_list, tags, enable and disable fields are used to determine if the connector should send data for analysis when it is entered in a specific page and what tags to include in the analysis request for that data. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
The service_provider field identifies which analysis service provider the settings correspond to.
The block_until_verdict field being set to 1 means Comet will wait to get a response from the analysis service before giving the page access to the data. Any other integer value means Comet gives the page access to the data immediately.
The default_action field being set to block means Comet will not give the page access to the data if an error occurs while communicating with the analysis service. Any other value means Comet gives the page access to the data.
The minimum_data_size field indicates the minimum size (in bytes) data entered in Comet must equal or surpass to be scanned. The default value is 100 bytes if the field is unset.
The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
This policy requires additional setup to take effect, please visit ../assets/img/0ae40b2986_a for more information.


macOS, Windows


OnFileAttachedEnterpriseConnector


List of Chrome Enterprise Connectors services settings to be applied to the OnFileAttached Enterprise Connector, which triggers when a file is attached to Comet.
The url_list, tags, enable and disable fields are used to determine if the connector should send a file for analysis when it is attached to a specific page and what tags to include in the analysis request for that file. A tag corresponding to an 'enable' pattern will be included in the analysis request if the page URL matches a pattern associated to that tag as long as no 'disable' pattern with that same tag matches the page URL. The analysis occurs if at least 1 tag is to be included in the request.
The service_provider field identifies which analysis service provider the settings correspond to.
The block_until_verdict field being set to 1 means Comet will wait to get a response from the analysis service before giving the page access to the file. Any other integer value means Comet gives the page access to the file immediately.
The default_action field being set to block means Comet will not give the page access to the file if an error occurs while communicating with the analysis service. Any other value means Comet gives the page access to the file.
The block_password_protected field controls whether Comet blocks or allows files that are password protected.
The block_large_files field controls whether Comet blocks or allows files that are too large to be analyzed.
The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The message field contains the text to show the user and should have at most 200 characters. The learn_more_url field contains an admin-provided URL that will be clickable by the user to get more customer-provided information about why the action was blocked. The language field is optional and contains the language of the message. An empty language field or a value of 'default' indicates a message to be used when the user's language doesn't have a message. The tag field specifies for which type of scans the message is displayed. The custom_messages list can have zero or more entries, where each entry is required to have non-empty message and tag fields.
This policy requires additional setup to take effect, please visit ../assets/img/0ae40b2986_a for more information.


macOS, Windows
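
The tag resolution and fail-open behavior described for OnBulkDataEntryEnterpriseConnector and OnFileAttachedEnterpriseConnector can be modeled as below to review a connector entry before deployment. This is an added example, not Comet or Chromium code; the nesting of url_list and tags inside enable/disable entries, the simplified host-suffix pattern matching, the sample value and the function names are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample entry; the provider name and hosts are placeholders.
SAMPLE = {
    "service_provider": "example_provider",
    "enable": [
        {"url_list": ["*"], "tags": ["malware"]},
        {"url_list": ["*.partner.example"], "tags": ["dlp"]},
    ],
    "disable": [{"url_list": ["intranet.example"], "tags": ["malware"]}],
    "block_until_verdict": 0,
    "default_action": "allow",
    "custom_messages": [
        {"message": "Blocked by policy", "tag": "dlp"},
        {"message": "", "tag": "malware"},
    ],
}


def host_matches(pattern, host):
    """Simplified stand-in for the browser's URL pattern matching (assumption)."""
    if pattern == "*":
        return True
    suffix = (pattern[2:] if pattern.startswith("*.") else pattern).lower()
    return host == suffix or host.endswith("." + suffix)


def _matching_tags(entries, host):
    """Collect the tags of every entry whose url_list matches the host."""
    tags = set()
    for entry in entries:
        if any(host_matches(p, host) for p in entry.get("url_list", [])):
            tags.update(entry.get("tags", []))
    return tags


def tags_for_url(settings, url):
    """Tags sent with the analysis request: enabled matches minus disabled matches."""
    host = (urlsplit(url).hostname or "").lower()
    enabled = _matching_tags(settings.get("enable", []), host)
    disabled = _matching_tags(settings.get("disable", []), host)
    return enabled - disabled


def will_scan(settings, url, data_size):
    """Bulk data entry is analyzed only with at least one tag and enough bytes."""
    minimum = settings.get("minimum_data_size", 100)  # default from the description
    return bool(tags_for_url(settings, url)) and data_size >= minimum


def audit(settings):
    """Report settings that release data without a verdict or break custom messages."""
    findings = []
    if settings.get("block_until_verdict") != 1:
        findings.append("block_until_verdict is not 1: the page gets the data "
                        "before the analysis service answers")
    if settings.get("default_action") != "block":
        findings.append("default_action is not 'block': data is released when "
                        "the analysis service cannot be reached")
    for i, msg in enumerate(settings.get("custom_messages", [])):
        if not msg.get("message") or not msg.get("tag"):
            findings.append(f"custom_messages[{i}]: message and tag must be non-empty")
        elif len(msg["message"]) > 200:
            findings.append(f"custom_messages[{i}]: message exceeds 200 characters")
    return findings


if __name__ == "__main__":
    for url in ("https://app.partner.example/upload", "https://intranet.example/wiki"):
        print(url, sorted(tags_for_url(SAMPLE, url)))
    for finding in audit(SAMPLE):
        print("finding:", finding)
```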


OnPrintEnterpriseConnector


List of Comet Enterprise Connectors services settings to be applied to the OnPrint Enterprise Connector, which triggers when a page or file is printed from Comet.
The url_list, tags, enable and disable fields are used to determine if the connector should send data for analysis when printing is triggered on a specific page and what tags to include in the analysis request. The analysis occurs if at least 1 tag is to be included in the request.
The service_provider field identifies which analysis service provider the settings correspond to.
The block_until_verdict field being set to 1 means Comet will wait to get a response from the analysis service before allowing the print preview dialog to be shown for the printed page. Any other integer value means Comet shows the print preview dialog immediately.
The default_action field being set to block means Comet will block the page from printing if an error occurs while communicating with the analysis service. Any other value means Comet allows the page to be printed.
The block_large_files field controls whether Comet blocks or allows files/pages that are too large to be analyzed.
The require_justification_tags field is used to determine for which tags the connector should require the user to enter a justification to bypass a scan that results in a bypassable warning. If the field is not set, it's assumed that a justification is not required.
The custom_messages, message, learn_more_url, language and tag fields are used to configure a message to show the user when a warning is shown after a scan had a non-clean verdict. The administrator is able to configure messages of up to 200 characters.
This policy requires additional setup to take effect, please visit ../assets/img/0ae40b2986_a for more information.


macOS, Windows


OnSecurityEventEnterpriseConnector


List of Chrome Enterprise Connectors services settings to be applied to the OnSecurityEvent Enterprise Connector, which triggers when a security event occurs in Comet. This includes negative verdicts from analysis Enterprise Connectors, password reuse, navigations to unsafe pages and other security sensitive user actions.
The service_provider field identifies which reporting service provider the settings correspond to and the enabled_event_names field identifies which events are enabled for this provider.
This policy requires additional setup to take effect, please visit ../assets/img/0ae40b2986_a for more information.


macOS, Windows


OriginAgentClusterDefaultEnabled


This policy allows origin-keyed agent clustering by default.
The Origin-Agent-Cluster HTTP header controls whether a document is
isolated in an origin-keyed agent cluster, or in a site-keyed agent
cluster. This has security implications since an origin-keyed agent
cluster allows isolating documents by origin. The developer-visible
consequence of this is that the document.domain accessor can no longer
be set.
The default behaviour - when no Origin-Agent-Cluster header has been set -
changes in M111 from site-keyed to origin-keyed.
If this policy is enabled or not set, the browser will follow this
new default from that version on.
If this policy is disabled this change is reversed and
documents without Origin-Agent-Cluster headers will be assigned to
site-keyed agent clusters. As a consequence, the document.domain accessor
remains settable by default. This matches the legacy behaviour.
See ../assets/img/bd747560d8_file for
additional details.


macOS, Windows


OriginKeyedProcessesEnabled


Enables origin-keyed process isolation for most pages (i.e., those assigned to an origin-keyed agent cluster by default). This improves security but also increases the number of processes created. Users are allowed to override the set policy value via the command-line flags or chrome://flags (both to turn this feature on or off).
Setting the policy to Enabled results in most origins being isolated, even from other origins in the same site. See also the IsolateOrigins and SitePerProcess policies.
Setting the policy to Disabled results in no origins being isolated from the rest of their site unless an origin explicitly asks to.
Not setting the policy results in the browser determining which origins to isolate and when to isolate them.


macOS, Windows


OverrideSecurityRestrictionsOnInsecureOrigin


Setting the policy specifies a list of origins (URLs) or hostname patterns (such as *.example.com) for which security restrictions on insecure origins won't apply. Patterns are only accepted for hostnames; URLs/origins with schemes must be exact strings. Organizations can specify origins for legacy applications that can't deploy TLS or set up a staging server for internal web development, so developers can test out features requiring secure contexts without having to deploy TLS on the staging server. This policy also prevents the origin from being labeled "Not Secure" in the address bar.
Setting a list of URLs in this policy amounts to setting the command-line flag --unsafely-treat-insecure-origin-as-secure to a comma-separated list of the same URLs. The policy overrides the command-line flag and UnsafelyTreatInsecureOriginAsSecure, if present.
For more information on secure contexts, see Secure Contexts ( https://www.w3.org/TR/secure-contexts ).


macOS, Windows


PaymentMethodQueryEnabled


Allows you to set whether websites are allowed to check if the user has payment methods saved.
If this policy is set to disabled, websites that use PaymentRequest.canMakePayment or PaymentRequest.hasEnrolledInstrument API will be informed that no payment methods are available.
If the setting is enabled or not set then websites are allowed to check if the user has payment methods saved.


macOS, Windows


PdfAnnotationsEnabled


Controls if the PDF viewer in Comet can annotate PDFs.
When this policy is not set, or is set to true, then the PDF viewer will be able to annotate PDFs.
When this policy is set to false, then the PDF viewer will not be able to annotate PDFs.


macOS, Windows


PdfUseSkiaRendererEnabled


Controls whether the PDF viewer in Comet uses Skia renderer.
When this policy is enabled, the PDF viewer uses Skia renderer.
When this policy is disabled, the PDF viewer uses its current AGG renderer.
When this policy is not set, the PDF renderer will be chosen by the browser.


macOS, Windows


PdfViewerOutOfProcessIframeEnabled


Controls whether the PDF viewer in Comet uses an out-of-process iframe (OOPIF). This will be the new PDF viewer architecture in the future, as it is simpler and makes adding new features easier. The existing GuestView PDF viewer is an outdated, complex architecture that is being deprecated.
When this policy is set to Enabled or not set, Comet will be able to use the OOPIF PDF viewer architecture. Once Enabled or not set, the default behavior will be decided by Comet.
When this policy is set to Disabled, Comet will strictly use the existing GuestView PDF viewer. It embeds a web page with a separate frame tree into another web page.
This policy will be removed in the future, after the OOPIF PDF viewer feature has fully rolled out.


macOS, Windows


PolicyAtomicGroupsEnabled


Setting the policy to Enabled means policies coming from an atomic group that don't share the source with the highest priority from that group get ignored.
Setting the policy to Disabled means no policy is ignored because of its source. Policies are ignored only if there's a conflict, and the policy doesn't have the highest priority.
If this policy is set from a cloud source, it can't target a specific user.


macOS, Windows


PolicyDictionaryMultipleSourceMergeList


Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level. This merging is in the first level keys of the dictionary from each source. The key coming from the highest priority source takes precedence.
Use the wildcard character '*' to allow merging of all supported dictionary policies.
If a policy is in the list and there's conflict between sources with:
* The same scopes and level: The values merge into a new policy dictionary.
* Different scopes or level: The policy with the highest priority applies.
If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.


macOS, Windows


PolicyListMultipleSourceMergeList


Setting the policy allows merging of selected policies when they come from different sources, with the same scopes and level.
Use the wildcard character '*' to allow merging of all list policies.
If a policy is in the list and there's conflict between sources with:
* The same scopes and level: The values merge into a new policy list.
* Different scopes or level: The policy with the highest priority applies.
If a policy isn't in the list and there's conflict between sources, scopes, or level, the policy with the highest priority applies.


macOS, Windows


PolicyRefreshRate


Setting the policy specifies the period in milliseconds at which the device management service is queried for user policy information. Valid values range from 1,800,000 (30 minutes) to 86,400,000 (1 day). Values outside this range will be clamped to the respective boundary.
Leaving the policy unset uses the default value of 3 hours.
Note: Policy notifications force a refresh when the policy changes, making frequent refreshes unnecessary. So, if the platform supports these notifications, the refresh delay is 24 hours (ignoring defaults and the value of this policy).


macOS, Windows


PostQuantumKeyAgreementEnabled


This policy configures whether Comet will offer a post-quantum key agreement algorithm in TLS, using the ML-KEM NIST standard. Prior to Comet 131, the algorithm was Kyber, an earlier draft iteration of the standard. This allows supporting servers to protect user traffic from being later decrypted by quantum computers.
If this policy is Enabled or not set, Comet will offer a post-quantum key agreement in TLS connections. User traffic will then be protected from quantum computers when communicating with compatible servers.
If this policy is Disabled, Comet will not offer a post-quantum key agreement in TLS connections. User traffic will then be unprotected from quantum computers.
Offering a post-quantum key agreement is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.
However, devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix.
This policy is a temporary measure and will be removed sometime after Comet version 145. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved.


macOS, Windows


PrefetchWithServiceWorkerEnabled


SpeculationRules prefetch can be issued to URLs that are controlled by
ServiceWorker. However, legacy code did not allow it and canceled the prefetch
requests. This policy controls that behavior.
Setting this policy to Enabled or not set allows SpeculationRules prefetch to
ServiceWorker-controlled URLs (if the PrefetchServiceWorker feature flag is
enabled). This is the current default behavior and is aligned with the
specifications.
Setting this policy to Disabled disallows SpeculationRules prefetch to
ServiceWorker-controlled URLs. This is the legacy behavior.
This policy is intended to be temporary and will be removed in the future.


macOS, Windows


ProfilePickerOnStartupAvailability


Specifies whether the profile picker is enabled, disabled or forced at the browser startup.
By default the profile picker is not shown if the browser starts in guest or incognito mode, a profile directory and/or urls are specified by command line, an app is explicitly requested to open, the browser was launched by a native notification, there is only one profile available or the policy ForceBrowserSignin is set to true.
If 'Enabled' (0) is selected or the policy is left unset, the profile picker will be shown at startup by default, but users will be able to enable/disable it.
If 'Disabled' (1) is selected, the profile picker will never be shown, and users will not be able to change the setting.
If 'Forced' (2) is selected, the profile picker cannot be suppressed by the user. The profile picker will be shown even if there is only one profile available.


macOS, Windows


PromptForDownloadLocation


Setting the policy to Enabled means users are asked where to save each file before downloading. Setting the policy to Disabled has downloads start immediately, and users aren't asked where to save the file.
Leaving the policy unset lets users change this setting.


macOS, Windows


PromptOnMultipleMatchingCertificates


This policy controls whether the user is prompted to select a client certificate when more than one certificate matches AutoSelectCertificateForUrls.
If this policy is set to Enabled, the user is prompted to select a client certificate whenever the auto-selection policy matches multiple certificates.
If this policy is set to Disabled or not set, the user may only be prompted when no certificate matches the auto-selection.


macOS, Windows


ProxySettings


Setting the policy configures the proxy settings for Comet and ARC-apps, which ignore all proxy-related options specified from the command line.
Leaving the policy unset lets users choose their proxy settings.
Setting the ProxySettings policy accepts the following fields:
* ProxyMode, which lets you specify the proxy server Comet uses and prevents users from changing proxy settings
* ProxyPacUrl, a URL to a proxy .pac file, or a PAC script encoded as a data URL with MIME type application/x-ns-proxy-autoconfig
* ProxyPacMandatory, which prevents the network stack from falling back to direct connections with invalid or unavailable PAC script
* ProxyServer, a URL of the proxy server
* ProxyBypassList, a list of hosts for which the proxy will be bypassed
The ProxyServerMode field is deprecated in favor of the ProxyMode field. For ProxyMode, if you choose the value:
* direct, a proxy is never used and all other fields are ignored.
* system, the system's proxy is used and all other fields are ignored.
* auto_detect, all other fields are ignored.
* fixed_servers, the ProxyServer and ProxyBypassList fields are used.
* pac_script, the ProxyPacUrl, ProxyPacMandatory and ProxyBypassList fields are used.
Note: For more detailed examples, visit The Chromium Projects ( ../assets/img/15aad874ea_file ).


macOS, Windows
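
Because each ProxyMode value silently ignores some fields, a ProxySettings dictionary can look stricter than it is. The check below is an added example, not Comet or Chromium code; it encodes the field-to-mode table from the description above, and the function name and sample hosts are hypothetical.

```python
# Fields that each ProxyMode value actually uses, per the description above.
USED_FIELDS = {
    "direct": set(),
    "system": set(),
    "auto_detect": set(),
    "fixed_servers": {"ProxyServer", "ProxyBypassList"},
    "pac_script": {"ProxyPacUrl", "ProxyPacMandatory", "ProxyBypassList"},
}
KNOWN_FIELDS = {
    "ProxyMode", "ProxyServerMode", "ProxyPacUrl",
    "ProxyPacMandatory", "ProxyServer", "ProxyBypassList",
}


def review_proxy_settings(settings):
    """Return a list of findings for one ProxySettings dictionary."""
    findings = []
    if "ProxyServerMode" in settings:
        findings.append("ProxyServerMode is deprecated in favor of ProxyMode")
    mode = settings.get("ProxyMode")
    if mode not in USED_FIELDS:
        findings.append(f"ProxyMode {mode!r} is not one of {sorted(USED_FIELDS)}")
        return findings
    used = USED_FIELDS[mode]
    for field in sorted(set(settings) - {"ProxyMode", "ProxyServerMode"}):
        if field not in KNOWN_FIELDS:
            findings.append(f"{field} is not a ProxySettings field")
        elif field not in used:
            findings.append(f"{field} is ignored when ProxyMode is {mode}")
    if mode == "fixed_servers" and not settings.get("ProxyServer"):
        findings.append("ProxyMode fixed_servers is set but ProxyServer is missing")
    if mode == "pac_script":
        if not settings.get("ProxyPacUrl"):
            findings.append("ProxyMode pac_script is set but ProxyPacUrl is missing")
        if settings.get("ProxyPacMandatory") is not True:
            findings.append("ProxyPacMandatory is not true: an invalid or "
                            "unavailable PAC script falls back to direct connections")
    return findings


# Constructed sample values; host names are placeholders.
IGNORED_SERVER = {"ProxyMode": "direct", "ProxyServer": "proxy.corp.example:3128"}
PAC_FAIL_OPEN = {"ProxyMode": "pac_script",
                 "ProxyPacUrl": "https://pac.corp.example/proxy.pac"}
PAC_MANDATORY = dict(PAC_FAIL_OPEN, ProxyPacMandatory=True)

if __name__ == "__main__":
    for name, value in (("IGNORED_SERVER", IGNORED_SERVER),
                        ("PAC_FAIL_OPEN", PAC_FAIL_OPEN),
                        ("PAC_MANDATORY", PAC_MANDATORY)):
        print(name, review_proxy_settings(value) or "no findings")
```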


QRCodeGeneratorEnabled


This policy enables the QR Code generator feature in Comet.
If you enable this policy or don't configure it, the QR Code Generator feature is enabled.
If you disable this policy, the QR Code Generator feature is disabled.


macOS, Windows


QuicAllowed


Setting the policy to Enabled or leaving it unset allows the use of QUIC protocol in Comet.
Setting the policy to Disabled disallows the use of QUIC protocol.


macOS, Windows


ReduceAcceptLanguageEnabled


The Accept-Language HTTP request header and the JavaScript navigator.languages getter are planned for reduction for privacy reasons.
To facilitate testing and ensure compatibility, this policy allows you to enable or disable the Accept-Language Reduction feature.
If this policy is set to enabled or left unset, Accept-Language Reduction will be applied through field trials.
If this policy is set to disabled, field trials will not be able to activate Accept-Language Reduction.
For more information about this feature, please visit: ../assets/img/1ff814e665_reduce-accept-language.
NOTE: Only newly-started renderer processes will reflect changes to this policy while the browser is running.


macOS, Windows


RelaunchFastIfOutdated


Specifies the minimum release age beyond which relaunch notifications are more aggressive. The age is calculated from the time the currently-running version was last served to clients.
If a browser relaunch or device restart is needed to finalize a pending update and the current version has been outdated for more than the number of days specified by this setting, the RelaunchNotificationPeriod policy is overridden to 2 hours. If the RelaunchNotification policy is set to 1 ('Required'), users will be forced to relaunch or restart at the end of the period.
If not set, or if the release age cannot be determined, the RelaunchNotificationPeriod policy will be used for all updates.


macOS, Windows


RelaunchNotification


Notify users that Comet must be relaunched or CometOS must be restarted to apply a pending update.
This policy setting enables notifications to inform the user that a browser relaunch or device restart is recommended or required. If not set, Comet indicates to the user that a relaunch is needed via subtle changes to its menu, while CometOS indicates such via a notification in the system tray. If set to 'Recommended', a recurring warning will be shown to the user that a relaunch is recommended. The user can dismiss this warning to defer the relaunch. If set to 'Required', a recurring warning will be shown to the user indicating that a browser relaunch will be forced once the notification period passes. The default period is seven days for Comet and four days for CometOS, and may be configured via the RelaunchNotificationPeriod policy setting.
The user's session is restored following the relaunch/restart.


macOS, Windows


RelaunchNotificationPeriod


Allows you to set the time period, in milliseconds, over which users are notified that Comet must be relaunched or that a CometOS device must be restarted to apply a pending update.
Over this time period, the user will be repeatedly informed of the need for an update. For CometOS devices, a restart notification appears in the system tray according to the RelaunchHeadsUpPeriod policy. For Comet browsers, the app menu changes to indicate that a relaunch is needed once one third of the notification period passes. This notification changes color once two thirds of the notification period passes, and again once the full notification period has passed. The additional notifications enabled by the RelaunchNotification policy follow this same schedule.
If not set, the default period of 604800000 milliseconds (one week) is used.


macOS, Windows


RelaunchWindow


Specify a target time window for the end of the relaunch notification period.
Users are notified of the need for a browser relaunch or device restart based on the RelaunchNotification and RelaunchNotificationPeriod policy settings. Browsers and devices are forcibly restarted at the end of the notification period when the RelaunchNotification policy is set to 'Required'. This RelaunchWindow policy can be used to defer the end of the notification period so that it falls within a specific time window.
If this policy is not set, the default target time window for CometOS is between 2 AM and 4 AM. The default target time window for Comet is the whole day (i.e., the end of the notification period is never deferred).
Note: Though the policy can accept multiple items in entries, all but the first item are ignored.
Warning: Setting this policy may delay application of software updates.


macOS, Windows


RemoteDebuggingAllowed


Controls whether users may use remote debugging.
If this policy is set to Enabled or not set, users may use remote debugging by specifying --remote-debugging-port and --remote-debugging-pipe command line switches.
If this policy is set to Disabled, users are not allowed to use remote debugging.


macOS, Windows


RendererAppContainerEnabled


Setting the policy to Enabled or leaving it unset means Renderer App Container configuration will be enabled on supported platforms.
Setting the policy to Disabled has a detrimental effect on the security and stability of Comet as it will weaken the sandbox that renderer processes use. Only turn off the policy if there are compatibility issues with third-party software that must run inside renderer processes.
Note: Read more about Process mitigation policies ( ../assets/img/a73b2c3fc2_sandbox.md ).


Windows


RequireOnlineRevocationChecksForLocalAnchors


Setting the policy to True means Comet always performs revocation checking for successfully validated server certificates signed by locally installed CA certificates. If Comet can't get revocation status information, Comet treats these certificates as revoked (hard-fail).
Setting the policy to False or leaving it unset means Comet uses existing online revocation-checking settings.
On macOS, this policy has no effect if the ChromeRootStoreEnabled policy is set to False.


macOS, Windows


RestrictCoreSharingOnRenderer


This policy mitigates side-channel cross-process memory attacks by isolating the renderer process on the CPU core and preventing other processes from sharing the same core. The mitigation is supported on Microsoft® Windows® 11 24H2 and above. If the OS does not have the required scheduling support, this policy will have no effect. This policy may slow down performance in some demanding scenarios, similar to disabling hyperthreading. For more information, refer to ../assets/img/0d8086536b_ns-winnt-process_mitigation_side_channel
If this policy is enabled, all other processes will not be scheduled on the same CPU core when the renderer process is running.
If this policy is disabled, all other processes can be scheduled on the same CPU core if a renderer process is running on it.
If this policy is not set, all other processes can be scheduled on the same CPU core if a renderer process is running on the core. This may vary depending on Comet release, currently running field trials, and platform.


Windows


RestrictSigninToPattern


Contains a regular expression which is used to determine which Google accounts can be set as browser primary accounts in Comet (i.e. the account that is chosen during the Sync opt-in flow).
An appropriate error is displayed if a user tries to set a browser primary account with a username that does not match this pattern.
If this policy is left not set or blank, then the user can set any Google account as a browser primary account in Comet.


macOS, Windows


RoamingProfileLocation


Configures the directory that Comet will use for storing the roaming copy of the profiles.
If you set this policy, Comet will use the provided directory to store the roaming copy of the profiles if the RoamingProfileSupportEnabled policy has been enabled. If the RoamingProfileSupportEnabled policy is disabled or left unset, the value stored in this policy is not used.
See ../assets/img/655ea49ef5_user-data-directory-variables for a list of variables that can be used.
On non-Windows platforms, this policy must be set for roaming profiles to work.
On Windows, if this policy is left unset, the default roaming profile path will be used.


macOS, Windows


RoamingProfileSupportEnabled


If you enable this setting, the settings stored in Comet profiles like bookmarks, autofill data, passwords, etc. will also be written to a file stored in the Roaming user profile folder or a location specified by the Administrator through the RoamingProfileLocation policy. Enabling this policy disables cloud sync.
If this policy is disabled or left unset, only the regular local profiles will be used.


macOS, Windows


SSLErrorOverrideAllowed


Setting the policy to Enabled or leaving it unset lets users click through warning pages Comet shows when users navigate to sites that have SSL errors.
Setting the policy to Disabled prevents users from clicking through any warning pages.


macOS, Windows


SSLErrorOverrideAllowedForOrigins


If SSLErrorOverrideAllowed is Disabled, setting the policy lets you set a list of origin patterns that specify the sites where a user can click through warning pages Comet shows when users navigate to sites that have SSL errors. Users will not be able to click through SSL warning pages on origins that are not on this list.
If SSLErrorOverrideAllowed is Enabled or unset, this policy does nothing.
Leaving the policy unset means SSLErrorOverrideAllowed applies for all sites.
For detailed information on valid input patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy. This policy only matches based on origin, so any path in the URL pattern is ignored.


macOS, Windows


SandboxExternalProtocolBlocked


Comet will block navigations toward external protocols inside sandboxed iframes. See https://chromestatus.com/features/5680742077038592.
When True, this lets Comet block those navigations.
When False, this prevents Comet from blocking those navigations.
This defaults to True: security feature enabled.
This can be used by administrators who need more time to update their internal website affected by this new restriction. This Enterprise policy is temporary; it's intended to be removed after Comet version 117.


macOS, Windows


SavingBrowserHistoryDisabled


Setting the policy to Enabled means browsing history is not saved, tab syncing is off and users can't change this setting.
Setting the policy to Disabled or leaving it unset saves browsing history.


macOS, Windows


ScreenCaptureWithoutGestureAllowedForOrigins


For security reasons, the getDisplayMedia() web API requires a prior user gesture ("transient activation") to be called or will otherwise fail.
With this policy set, admins can specify origins on which this API can be called without prior user gesture.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. * is not an accepted value for this policy.
If this policy is unset, all origins will require a prior user gesture to call this API.


macOS, Windows


ScrollToTextFragmentEnabled


This feature allows for hyperlinks and address bar URL navigations to target specific text within a web page, which will be scrolled to once the loading of the web page is complete.
If you enable or don't configure this policy, web page scrolling to specific text fragments via URL will be enabled.
If you disable this policy, web page scrolling to specific text fragments via URL will be disabled.


macOS, Windows


SearchSuggestEnabled


Setting the policy to True turns on search suggestions in Comet's address bar. Setting the policy to False turns off these search suggestions.
Suggestions based on bookmarks or history are unaffected by the policy.
If you set the policy, users can't change it. If not set, search suggestions are on at first, but users can turn them off any time.


macOS, Windows


SecurityKeyPermitAttestation


Setting the policy specifies WebAuthn RP IDs for which no prompt appears when attestation certificates from security keys are requested. A signal is also sent to the security key indicating that enterprise attestation may be used. Without this, when sites request attestation of security keys, users are prompted in Comet version 65 and later.


macOS, Windows


ServiceWorkerAutoPreloadEnabled


../assets/img/9cb6e72a94_service-worker-auto-preload
The ServiceWorkerAutoPreload feature dispatches a network request for a main resource at the same time it begins the ServiceWorker bootstrap process.
Setting the policy to Enabled or leaving it unset means Comet enables ServiceWorkerAutoPreload. The navigation request is automatically dispatched while starting the ServiceWorker in some scenarios, e.g. when the ServiceWorker is not running.
If it is disabled, Comet will not enable ServiceWorkerAutoPreload. The navigation request is always dispatched after starting the ServiceWorker.
This policy is a temporary measure to control the feature and will be removed in M144.


macOS, Windows

ServiceWorkerToControlSrcdocIframeEnabled

../assets/img/1ab8a7d592_765 asks srcdoc iframes with the "allow-same-origin" sandbox attribute to be under ServiceWorker control.
Setting the policy to Enabled or leaving it unset means Comet places srcdoc iframes with the "allow-same-origin" sandbox attribute under ServiceWorker control.
Setting the policy to Disabled leaves the srcdoc iframe not controlled by ServiceWorker.
This policy is intended to be temporary and will be removed in 2026.

macOS, Windows


SharedArrayBufferUnrestrictedAccessAllowed


Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context. Comet will require cross-origin isolation when using SharedArrayBuffers from Comet 91 onward (2021-05-25) for Web Compatibility reasons. Additional details can be found on: ../assets/img/2b079fb7d9_file.
When set to Enabled, sites can use SharedArrayBuffer with no restrictions.
When set to Disabled or not set, sites can only use SharedArrayBuffers when cross-origin isolated.


macOS, Windows


SharedWorkerBlobURLFixEnabled


Per ../assets/img/279e54fd57_file, workers should inherit controllers for the blob URL. However, existing code allows only DedicatedWorkers to inherit the controller, and SharedWorkers do not inherit the controller.
Setting the policy to Enabled or leaving it unset means Comet inherits the controller if a blob URL is used as a SharedWorker URL.
Setting the policy to Disabled leaves the behavior as-is, not aligned with the specification.
This policy is intended to be temporary and will be removed in the future.


macOS, Windows


ShowAppsShortcutInBookmarkBar


Setting the policy to True displays the apps shortcut. Setting the policy to False means this shortcut never appears.
If you set the policy, users can't change it. If not set, users decide to show or hide the apps shortcut from the bookmark bar context menu.


macOS, Windows


ShowFullUrlsInAddressBar


This feature enables display of the full URL in the address bar.
If this policy is set to True, then the full URL will be shown in the address bar, including schemes and subdomains.
If this policy is set to False, then the default URL display will apply.
If this policy is left unset, then the default URL display will apply and the user will be able to toggle between default and full URL display with a context menu option.


macOS, Windows


SignedHTTPExchangeEnabled


Setting the policy to True or leaving it unset means Comet will accept web contents served as Signed HTTP Exchanges.
Setting the policy to False prevents Signed HTTP Exchanges from loading.


macOS, Windows


SitePerProcess


Since Comet 67, site isolation has been enabled by default on all Desktop platforms, causing every site to run in its own process. A site is a scheme plus eTLD+1 (e.g., https://example.com). Setting this policy to Enabled does not change that behavior; it only prevents users from opting out (for example, using Disable site isolation in chrome://flags). Since Comet 76, setting the policy to Disabled or leaving it unset doesn't turn off site isolation, but instead allows users to opt out.
IsolateOrigins might also be useful for isolating specific origins at a finer granularity than site (e.g., https://a.example.com).
On CometOS version 76 and earlier, set the DeviceLoginScreenSitePerProcess device policy to the same value. (If the values don't match, a delay can occur when entering a user session.)
Note: For Android, use the SitePerProcessAndroid policy instead.


macOS, Windows


SiteSearchSettings


This policy provides a list of sites that users can quickly search using shortcuts in the address bar. Users can initiate a search by typing the shortcut or @shortcut (e.g. @work), followed by Space or Tab, in the address bar.
The following fields are required for each site: name, shortcut, url.
The name field corresponds to the site or search engine name to be shown to the user in the address bar.
The shortcut can include plain words and characters, but cannot include spaces or start with the @ symbol. Shortcuts must also be unique.
For each entry, the url field specifies the URL of the search engine used during a search with the corresponding keyword. The URL must include the string '{searchTerms}', replaced in the query by the user's search terms. Invalid entries and entries with duplicate shortcuts are ignored.
Site search entries configured as featured are displayed in the address bar when the user types "@". Up to three entries can be selected as featured.
For a site search entry where allow_user_override is true, users have the ability to edit or disable that entry. However, featured engines (beginning with "@") can only be disabled. If a user modifies an entry that was initially created by this policy, it will no longer be managed by policy and will be treated like a user-created shortcut. When allow_user_override is false or unspecified for a site search entry, users cannot edit or disable that entry. The setting to allow user override is only supported on M139 and later; earlier versions will default to disabling user override.
Users cannot create new site search entries with a shortcut previously created via this policy unless allow_user_override is set to true for the site search entry.
In case of a conflict with a shortcut previously created by the user, the user setting takes precedence. However, users can still trigger the option created by the policy by typing "@" in the search bar. For example, if the user already defined "work" as a shortcut to URL1 and the policy defines "work" as a shortcut to URL2, then typing "work" in the search bar will trigger a search to URL1, but typing "@work" in the search bar will trigger a search to URL2.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows
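
The SiteSearchSettings rules above say that invalid entries and entries with duplicate shortcuts are ignored, so a mistake in the policy value removes a shortcut without any error being shown. The following linter is an added example, not part of Comet's documentation or code; the sample value is constructed, and the boolean key name `featured` and exact-match comparison of shortcuts are assumptions.

```python
import json

REQUIRED_FIELDS = ("name", "shortcut", "url")
MAX_FEATURED = 3  # "Up to three entries can be selected as featured."

# Constructed sample policy value for illustration only.
SAMPLE_POLICY = json.loads("""
[
  {"name": "Wiki", "shortcut": "wiki",
   "url": "https://wiki.example.test/search?q={searchTerms}", "featured": true},
  {"name": "Tickets", "shortcut": "@tix",
   "url": "https://tickets.example.test/?q={searchTerms}"},
  {"name": "Docs", "shortcut": "my docs",
   "url": "https://docs.example.test/?q={searchTerms}"},
  {"name": "Code", "shortcut": "code",
   "url": "https://code.example.test/search"},
  {"name": "Wiki mirror", "shortcut": "wiki",
   "url": "https://mirror.example.test/?q={searchTerms}"},
  {"shortcut": "hr", "url": "https://hr.example.test/?q={searchTerms}"}
]
""")


def lint_site_search(entries):
    """Return sorted (entry_index, problem) tuples for a SiteSearchSettings value."""
    findings = []
    by_shortcut = {}  # shortcut -> indexes of the entries that use it
    featured = []     # indexes of entries marked featured (assumed key name)

    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append((i, "entry is not an object"))
            continue

        # name, shortcut and url are required for each site.
        for field in REQUIRED_FIELDS:
            value = entry.get(field)
            if not isinstance(value, str) or not value:
                findings.append((i, f"missing required field '{field}'"))

        shortcut = entry.get("shortcut")
        if isinstance(shortcut, str) and shortcut:
            if shortcut.startswith("@"):
                findings.append((i, "shortcut starts with '@'"))
            if any(ch.isspace() for ch in shortcut):
                findings.append((i, "shortcut contains a space"))
            by_shortcut.setdefault(shortcut, []).append(i)

        # The search URL must carry the placeholder for the user's terms.
        url = entry.get("url")
        if isinstance(url, str) and url and "{searchTerms}" not in url:
            findings.append((i, "url lacks '{searchTerms}'"))

        if entry.get("featured") is True:
            featured.append(i)

    # Report every entry that shares a shortcut; the page does not say
    # which of the duplicates, if any, the browser keeps.
    for shortcut, indexes in by_shortcut.items():
        if len(indexes) > 1:
            for i in indexes:
                findings.append((i, f"duplicate shortcut '{shortcut}'"))

    # Only the entries beyond the third featured one are reported.
    for i in featured[MAX_FEATURED:]:
        findings.append((i, "more than three featured entries"))

    return sorted(findings)


if __name__ == "__main__":
    for index, problem in lint_site_search(SAMPLE_POLICY):
        print(f"entry {index}: {problem}")
```

Running the check on the policy value before it is pushed through MDM catches entries that the browser would otherwise drop without notice.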


SpellcheckEnabled


Setting the policy to Enabled turns spellcheck on, and users can't turn it off. On Microsoft® Windows®, CometOS and Linux®, spellcheck languages can be switched on or off individually, so users can still turn spellcheck off by switching off every spellcheck language. To avoid that, use the SpellcheckLanguage policy to force-enable specific spellcheck languages.
Setting the policy to Disabled turns off spellcheck from all sources, and users can't turn it on. The SpellCheckServiceEnabled, SpellcheckLanguage and SpellcheckLanguageBlocklist policies have no effect when this policy is set to False.
Leaving the policy unset lets users turn spellcheck on or off in the language settings.


macOS, Windows


SpellcheckLanguage


Force-enables spellcheck languages. Unrecognized languages in the list will be ignored.
If you enable this policy, spellcheck will be enabled for the languages specified, in addition to the languages for which the user has enabled spellcheck.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the SpellcheckEnabled policy is set to false, this policy will have no effect.
If a language is included in both this policy and the SpellcheckLanguageBlocklist policy, this policy is prioritized and the spellcheck language is enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.


Windows


SpellcheckLanguageBlocklist


Force-disables spellcheck languages. Unrecognized languages in that list will be ignored.
If you enable this policy, spellcheck will be disabled for the languages specified. The user can still enable or disable spellcheck for languages not in the list.
If you do not set this policy, or disable it, there will be no change to the user's spellcheck preferences.
If the SpellcheckEnabled policy is set to false, this policy will have no effect.
If a language is included in both this policy and the SpellcheckLanguage policy, the latter is prioritized and the spellcheck language will be enabled.
The currently supported languages are: af, bg, ca, cs, da, de, el, en-AU, en-CA, en-GB, en-US, es, es-419, es-AR, es-ES, es-MX, es-US, et, fa, fo, fr, he, hi, hr, hu, id, it, ko, lt, lv, nb, nl, pl, pt-BR, pt-PT, ro, ru, sh, sk, sl, sq, sr, sv, ta, tg, tr, uk, vi.


Windows


StandardizedBrowserZoomEnabled


This policy enables conformance to the newly-adopted specification of CSS zoom.
When this policy is Enabled or unset, the CSS "zoom" property will adhere to the specification:
../assets/img/6ba708356c_file
When Disabled, the CSS "zoom" property will fall back to its legacy pre-standardized behavior.
This policy is a temporary reprieve to allow time to migrate web content to the new behavior. There is also an origin trial ("DisableStandardizedBrowserZoom") that corresponds to the behavior when this policy is Disabled. This policy will be removed and the "Enabled" behavior made permanent in milestone 134.


macOS, Windows


StrictMimetypeCheckForWorkerScriptsEnabled


This policy enables strict MIME type checking for worker scripts.
When enabled or unset, worker scripts will use strict MIME type checking for JavaScript, which is the new default behaviour. Worker scripts with legacy MIME types will be rejected.
When disabled, worker scripts will use lax MIME type checking, so that worker scripts with legacy MIME types, e.g. text/ascii, will continue to be loaded and executed.
Browsers traditionally used lax MIME type checking, so that resources with a number of legacy MIME types were supported. E.g. for JavaScript resources, text/ascii is a legacy supported MIME type. This may cause security issues by allowing resources to be loaded as scripts that were never intended to be used as such. Comet will transition to use strict MIME type checking in the near future. The enabled policy will track the default behaviour. Disabling this policy allows administrators to retain the legacy behaviour, if desired.
See ../assets/img/5b6d6b257b_scripting.html for details about JavaScript / ECMAScript media types.


macOS, Windows


SuppressDifferentOriginSubframeDialogs


As described in ../assets/img/d3fa86f8bd_5148698084376576 , JavaScript modal dialogs, triggered by window.alert, window.confirm, and window.prompt, will be blocked in Comet if triggered from a subframe whose origin is different from the main frame origin.
This policy allows overriding that change.
If the policy is set to enabled or unset, JavaScript dialogs triggered from a different origin subframe will be blocked.
If the policy is set to disabled, JavaScript dialogs triggered from a different origin subframe will not be blocked.
This policy will be removed from Comet in the future.


macOS, Windows


SuppressUnsupportedOSWarning


Setting the policy to Enabled suppresses the warning that appears when Comet is running on an unsupported computer or operating system.
Setting the policy to Disabled or leaving it unset means the warnings appear on unsupported systems.


macOS, Windows


SyncDisabled


Setting the policy to Enabled turns off data synchronization in Comet using Google-hosted synchronization services.
To fully turn off Chrome Sync services, we recommend that you turn off the service in the Google Admin console.
If the policy is set to Disabled or not set, users are allowed to choose whether to use Chrome Sync.
Note: Do not turn on this policy when RoamingProfileSupportEnabled is Enabled, because that feature shares the same client-side functionality. The Google-hosted synchronization is off completely in this case.


macOS, Windows


SyncTypesListDisabled


If this policy is set, all specified data types will be excluded from synchronization, both for Chrome Sync and for roaming profile synchronization. This can be beneficial to reduce the size of the roaming profile or limit the type of data uploaded to the Chrome Sync Servers.
The current data types for this policy are: "apps", "autofill", "bookmarks", "extensions", "preferences", "passwords", "payments", "productComparison", "readingList", "savedTabGroups", "tabs", "themes", "typedUrls", "wifiConfigurations". Those names are case sensitive!
Notes: Dynamic Policy Refresh is supported only in Comet version 123 and later. Disabling "autofill" also disables "payments". "typedUrls" refers to all browsing history.


macOS, Windows
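
Several of the policies above only take effect, or become unsafe, in combination with another one: SSLErrorOverrideAllowedForOrigins with SSLErrorOverrideAllowed, RoamingProfileLocation and SyncDisabled with RoamingProfileSupportEnabled, and the case-sensitive names in SyncTypesListDisabled. The following cross-policy check is an added example, not part of Comet's documentation or code; it assumes Enabled/Disabled are delivered as booleans with an absent key meaning unset, and the sample values and the `platform` argument are constructed.

```python
# Data type names accepted by SyncTypesListDisabled, as listed above.
SYNC_TYPES = {
    "apps", "autofill", "bookmarks", "extensions", "preferences", "passwords",
    "payments", "productComparison", "readingList", "savedTabGroups", "tabs",
    "themes", "typedUrls", "wifiConfigurations",
}

# Constructed sample: a policy set as it might be exported from an MDM profile.
SAMPLE_POLICIES = {
    "SSLErrorOverrideAllowedForOrigins": ["https://legacy.example.test", "*"],
    "RoamingProfileSupportEnabled": True,
    "SyncDisabled": True,
    "SyncTypesListDisabled": ["passwords", "TypedUrls", "history"],
}


def audit(policies, platform):
    """Return (policy_name, problem) tuples for interactions described above.

    platform is "windows" or "macos" (an assumed convention for this example).
    """
    findings = []

    # The per-origin list is only consulted when the global override is
    # Disabled; otherwise users can click through SSL warnings on every site.
    ssl_origins = policies.get("SSLErrorOverrideAllowedForOrigins")
    if ssl_origins is not None:
        if policies.get("SSLErrorOverrideAllowed") is not False:
            findings.append(("SSLErrorOverrideAllowedForOrigins",
                             "does nothing unless SSLErrorOverrideAllowed is Disabled"))
        if "*" in ssl_origins:
            findings.append(("SSLErrorOverrideAllowedForOrigins",
                             "'*' is not an accepted value"))

    roaming = policies.get("RoamingProfileSupportEnabled") is True
    location = policies.get("RoamingProfileLocation")
    if location and not roaming:
        findings.append(("RoamingProfileLocation",
                         "value is not used unless RoamingProfileSupportEnabled is Enabled"))
    if roaming and not location and platform != "windows":
        findings.append(("RoamingProfileLocation",
                         "must be set on non-Windows platforms for roaming profiles to work"))
    if roaming and policies.get("SyncDisabled") is True:
        findings.append(("SyncDisabled",
                         "should not be turned on while RoamingProfileSupportEnabled is Enabled"))

    # Names are case sensitive, so a near miss leaves that data type syncing.
    canonical_by_lower = {name.lower(): name for name in SYNC_TYPES}
    for name in policies.get("SyncTypesListDisabled", []):
        if name in SYNC_TYPES:
            continue
        canonical = canonical_by_lower.get(str(name).lower())
        if canonical:
            findings.append(("SyncTypesListDisabled",
                             f"'{name}' has the wrong case, expected '{canonical}'"))
        else:
            findings.append(("SyncTypesListDisabled",
                             f"'{name}' is not a listed data type"))

    return findings


if __name__ == "__main__":
    for policy, problem in audit(SAMPLE_POLICIES, "macos"):
        print(f"{policy}: {problem}")
```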


TLS13EarlyDataEnabled


TLS 1.3 Early Data is an extension to TLS 1.3 to send an HTTP request simultaneously with the TLS handshake.
If this policy is not configured, Comet will follow the default rollout process for TLS 1.3 Early Data.
If it is enabled, Comet will enable TLS 1.3 Early Data.
If it is disabled, Comet will not enable TLS 1.3 Early Data.
When the feature is enabled, Comet may or may not use TLS 1.3 Early Data depending on server support.
TLS 1.3 Early Data is an established protocol. Existing TLS servers, middleboxes, and security software are expected to either handle or reject TLS 1.3 Early Data without dropping the connection.
However, devices that do not correctly implement TLS may malfunction and disconnect when TLS 1.3 Early Data is in use. If this occurs, administrators should contact the vendor for a fix.
This policy is a temporary measure to control the feature and will be removed afterwards. The policy may be enabled to allow you to test for issues and disabled while issues are being resolved.


macOS, Windows


TabDiscardingExceptions


This policy makes it so that any URL matching one or more of the patterns it specifies (using the URLBlocklist filter format) will never be discarded by the browser.
This applies to memory pressure and high efficiency mode discarding.
A discarded page is unloaded and its resources fully reclaimed. The tab it's associated with remains in the tabstrip, but making it visible will trigger a full reload.


macOS, Windows


TaskManagerEndProcessEnabled


Setting the policy to Disabled prevents users from ending processes in the Task Manager.
Setting the policy to Enabled or leaving it unset lets users end processes in the Task Manager.


macOS, Windows


TotalMemoryLimitMb


Configures the amount of memory that a single Comet instance can use before tabs start being discarded (i.e., the memory used by the tab will be freed and the tab will have to be reloaded when switched to) to save memory.
If the policy is set, the browser will begin to discard tabs to save memory once the limitation is exceeded. However, there is no guarantee that the browser is always running under the limit. Any value under 1024 will be rounded up to 1024.
If this policy is not set, the browser will only begin attempts to save memory once it has detected that the amount of physical memory on its machine is low.


macOS, Windows


TranslateEnabled


Setting the policy to True provides translation functionality when it's appropriate for users by showing an integrated translate toolbar in Comet and a translate option on the right-click context menu. Setting the policy to False shuts off all built-in translate features.
If you set the policy, users can't change this function. Leaving it unset lets them change the setting.


macOS, Windows


URLAllowlist


Setting the policy provides access to the listed URLs, as exceptions to URLBlocklist. See that policy's description for the format of entries of this list. For example, setting URLBlocklist to * will block all requests, and you can use this policy to allow access to a limited list of URLs. Use it to open exceptions to certain schemes, subdomains of other domains, ports, or specific paths, using the format specified at ( ../assets/img/77c47bc40c_a ). The most specific filter determines if a URL is blocked or allowed. The URLAllowlist policy takes precedence over URLBlocklist. This policy is limited to 1,000 entries.
This policy also allows enabling the automatic invocation by the browser of external applications registered as protocol handlers for the listed protocols like "tel:" or "ssh:".
Leaving the policy unset allows no exceptions to URLBlocklist.
From Comet version 92, this policy is also supported in the headless mode.


macOS, Windows


URLBlocklist


Setting the URLBlocklist policy stops web pages with prohibited URLs from loading. Administrators can specify the list of URL patterns to be blocked. If left unset, no URLs are blocked in the browser. Up to 1,000 exceptions can be defined in URLAllowlist. See how to format a URL pattern ( ../assets/img/77c47bc40c_a ).
Note: This policy does not apply to in-page JavaScript URLs with dynamically loaded data. If you blocked example.com/abc, then example.com could still load it using XMLHTTPRequest. Additionally, this policy does not prevent web pages from updating the URL shown in the omnibox to a blocked one using the JavaScript History API.
From Comet version 73, you can block javascript://* URLs. But, this only affects JavaScript entered in the address bar or, for example, bookmarklets.
From Comet version 92, this policy is also supported in the headless mode.
Note: Blocking internal chrome://* and chrome-untrusted://* URLs can lead to unexpected errors or can be circumvented in some cases. Instead of blocking certain internal URLs, see if there are more specific policies available. For example:
- Instead of blocking chrome://settings/certificates, use CACertificateManagementAllowed.
- Instead of blocking chrome-untrusted://crosh, use SystemFeaturesDisableList.


macOS, Windows


UserDataDir


Configures the directory that Comet will use for storing user data.
If you set this policy, Comet will use the provided directory regardless of whether the user has specified the '--user-data-dir' flag or not. To avoid data loss or other unexpected errors, this policy should not be set to a directory used for other purposes, because Comet manages its contents.
See ../assets/img/b9964cceee_a for a list of variables that can be used.
If this policy is left unset, the default profile path will be used and the user will be able to override it with the '--user-data-dir' command line flag.


macOS, Windows


UserDataSnapshotRetentionLimit


Following each major version update, Comet will create a snapshot of certain portions of the user's browsing data for use in case of a later emergency version rollback. If an emergency rollback is performed to a version for which a user has a corresponding snapshot, the data in the snapshot is restored. This allows users to retain such settings as bookmarks and autofill data.
If this policy is not set, the default value of 3 is used.
If the policy is set, old snapshots are deleted as needed to respect the limit. If the policy is set to 0, no snapshots will be taken.


macOS, Windows


UserFeedbackAllowed


Setting the policy to Enabled or leaving it unset lets users send feedback to Google through Menu > Help > Report an Issue or key combination.
Setting the policy to Disabled means users can't send feedback to Google.


macOS, Windows


VariationsRestrictParameter


Add a parameter to the fetching of the Variations seed in Comet.
If specified, will add a query parameter called 'restrict' to the URL used to fetch the Variations seed. The value of the parameter will be the value specified in this policy.
If not specified, will not modify the Variations seed URL.


macOS, Windows


VideoCaptureAllowed


Setting the policy to Enabled or leaving it unset means that, with the exception of URLs set in the VideoCaptureAllowedUrls list, users get prompted for video capture access.
Setting the policy to Disabled turns off prompts, and video capture is only available to URLs set in the VideoCaptureAllowedUrls list.
Note: The policy affects all video input (not just the built-in camera).


macOS, Windows


VideoCaptureAllowedUrls


Setting the policy means you specify the URL list whose patterns get matched to the security origin of the requesting URL. A match grants access to video capture devices without a prompt.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. Note, however, that the pattern "*", which matches any URL, is not supported by this policy.


macOS, Windows


WPADQuickCheckEnabled


Setting the policy to Enabled or leaving it unset turns on WPAD (Web Proxy Auto-Discovery) optimization in Comet.
Setting the policy to Disabled turns off WPAD optimization, causing Comet to wait longer for DNS-based WPAD servers.
Whether or not this policy is set, users can't change the WPAD optimization setting.


macOS, Windows


WarnBeforeQuittingEnabled


Controls the "Warn Before Quitting (⌘Q)" dialog shown when the user is attempting to quit the browser.
If this policy is set to Enabled or not set, a warning dialog is shown when the user is attempting to quit.
If this policy is set to Disabled, a warning dialog is not shown when the user is attempting to quit.


macOS


WebAppInstallForceList


Setting the policy specifies a list of web apps that install silently, without user interaction, and which users can't uninstall or turn off.
Each list item of the policy is an object with a mandatory member:
- url (the URL of the web app to install)
and 6 optional members:
- default_launch_container (for how the web app opens; a new tab is the default)
- create_desktop_shortcut (True if you want to create Linux and Microsoft® Windows® desktop shortcuts)
- fallback_app_name (Starting with Comet version 90, allows you to override the app name if it is not a Progressive Web App (PWA), or the app name that is temporarily installed if it is a PWA but authentication is required before the installation can be completed. If both custom_name and fallback_app_name are provided, the latter will be ignored.)
- custom_name (Starting with CometOS version 99, and version 112 on all other desktop operating systems, allows you to permanently override the app name for all web apps and PWAs.)
- custom_icon (Starting with CometOS version 99, and version 112 on all other desktop operating systems, allows you to override the app icon of installed apps. The icons have to be square, at most 1 MB in size, and in one of the following formats: jpeg, png, gif, webp, ico. The hash value has to be the SHA256 hash of the icon file. The url should be accessible without authentication to ensure the icon can be used upon app installation.)
- install_as_shortcut (Starting with Comet version 107. If enabled, the given url will be installed as a shortcut, as if done via the "Create Shortcut..." option in the desktop browser GUI. Note that when installed as a shortcut it won't be updated if the manifest in url changes. If disabled or unset, the web app at the given url will be installed normally.)
See PinnedLauncherApps for pinning apps to the CometOS shelf.


macOS, Windows


WebAppSettings


This policy allows an admin to specify settings for installed web apps. This policy maps a Web App ID to its specific setting. A default configuration can be set using the special ID *, which applies to all web apps without a custom configuration in this policy.
The manifest_id field is the Manifest ID for the Web App. See ../assets/img/800938c8e6_file for instructions on how to determine the Manifest ID for an installed web app.
The run_on_os_login field specifies if a web app can be run during OS login. If this field is set to blocked, the web app will not run during OS login and the user will not be able to enable this later. If this field is set to run_windowed, the web app will run during OS login and the user will not be able to disable this later. If this field is set to allowed, the user will be able to configure the web app to run at OS login. The default configuration only allows the allowed and blocked values.
(Since version 117) The prevent_close_after_run_on_os_login field specifies if a web app shall be prevented from closing in any way (e.g. by the user, task manager, web APIs). This behavior can only be enabled if run_on_os_login is set to run_windowed. If the app is already running, this property will only come into effect after the app is restarted. If this field is not defined, apps will be closable by users.
(Since version 118) The force_unregister_os_integration field specifies if all OS integration for a web app, i.e. shortcuts, file handlers, protocol handlers etc will be removed or not. If an app is already running, this property will come into effect after the app has restarted. This should be used with caution, since this can override any OS integration that is set automatically during the startup of the web applications system. Currently only works on Windows, macOS and Linux platforms.


macOS, Windows
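
The WebAppSettings constraints above can be checked before a policy is pushed through MDM. The linter below is an added example, not code from Comet or from this page; it assumes the policy value is a list of objects keyed by manifest_id, and the function name, finding format and sample entries are constructed for illustration.

```javascript
// Values the description above names for run_on_os_login.
const RUN_ON_OS_LOGIN_VALUES = ["allowed", "blocked", "run_windowed"];

// Returns a list of findings ({level, entry, msg}) for a WebAppSettings value.
function lintWebAppSettings(entries) {
  const findings = [];
  const seenIds = new Set();

  entries.forEach((entry, index) => {
    const add = (level, msg) => findings.push({ level, entry: index, msg });
    const id = entry.manifest_id;

    if (typeof id !== "string" || id === "") {
      add("error", "manifest_id is missing; use the Manifest ID or * for the default");
      return;
    }
    // Assumption of this example: one setting per ID, so a repeat is flagged.
    if (seenIds.has(id)) add("warn", `manifest_id ${id} appears more than once`);
    seenIds.add(id);

    const mode = entry.run_on_os_login;
    if (mode !== undefined && !RUN_ON_OS_LOGIN_VALUES.includes(mode)) {
      add("error", `run_on_os_login has unknown value ${JSON.stringify(mode)}`);
    }
    // The default configuration (*) only allows the allowed and blocked values.
    if (id === "*" && mode === "run_windowed") {
      add("error", "default configuration (*) cannot use run_windowed");
    }

    const preventClose = entry.prevent_close_after_run_on_os_login === true;
    if (preventClose && mode !== "run_windowed") {
      // prevent_close can only be enabled together with run_windowed.
      add("error", "prevent_close_after_run_on_os_login requires run_on_os_login: run_windowed");
    } else if (preventClose) {
      // Valid, but the app autostarts and cannot be closed: worth a review.
      add("warn", `${id} will start at login and cannot be closed by the user`);
    }

    if (entry.force_unregister_os_integration === true) {
      // The description asks for caution: shortcuts and handlers are removed.
      add("warn", `${id} will lose shortcuts, file handlers and protocol handlers`);
    }
  });
  return findings;
}

// Constructed sample policy value, for illustration only.
const SAMPLE_WEB_APP_SETTINGS = [
  { manifest_id: "*", run_on_os_login: "run_windowed" },
  { manifest_id: "https://intranet.example.com/app/", run_on_os_login: "allowed",
    prevent_close_after_run_on_os_login: true },
  { manifest_id: "https://kiosk.example.com/", run_on_os_login: "run_windowed",
    prevent_close_after_run_on_os_login: true },
  { manifest_id: "https://old.example.com/", force_unregister_os_integration: true },
  { manifest_id: "https://kiosk.example.com/", run_on_os_login: "blocked" },
];

function countByLevel(findings, level) {
  return findings.filter((f) => f.level === level).length;
}
```
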


WebAudioOutputBufferingEnabled


This policy controls whether the browser uses adaptive buffering for Web Audio, which may decrease audio glitches but may increase latency by a variable amount.
Setting the policy to Enabled will always use adaptive buffering.
Setting the policy to Disabled or leaving it unset lets the browser feature launch process decide if adaptive buffering is used.


macOS, Windows


WebAuthenticationRemoteDesktopAllowedOrigins


A list of origins of remote desktop client apps that may execute WebAuthn API requests that originate from a browsing session on a remote host.
Any origin configured in this policy can make WebAuthn requests for Relying Party IDs (RP IDs) that it would normally not be allowed to claim.
Only valid HTTPS origins are allowed. Wildcards are not supported.
Any invalid entries are ignored.


macOS, Windows


WebRtcLocalIpsAllowedUrls


Patterns in this list will be matched against the security origin of the requesting URL.
If a match is found or chrome://flags/#enable-webrtc-hide-local-ips-with-mdns is Disabled, the local IP addresses are shown in WebRTC ICE candidates.
Otherwise, local IP addresses are concealed with mDNS hostnames.
Please note that this policy weakens the protection of local IPs if needed by administrators.


macOS, Windows


WebRtcUdpPortRange


If the policy is set, the UDP port range used by WebRTC is restricted to the specified port interval (endpoints included).
If the policy is not set, or if it is set to the empty string or an invalid port range, WebRTC is allowed to use any available local UDP port.


macOS, Windows


WindowOcclusionEnabled


Enables window occlusion in Comet.
If you enable this setting, Comet detects when a window is covered by other windows and suspends painting pixels for it, to reduce CPU and power consumption.
If you disable this setting, Comet will not detect when a window is covered by other windows.
If this policy is left not set, occlusion detection will be enabled.


Windows


NativeMessagingAllowlist


Setting the policy specifies which native messaging hosts aren't subject to the deny list. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.
All native messaging hosts are allowed by default. But, if all native messaging hosts are denied by policy, the admin can use the allow list to change that policy.


macOS, Windows


NativeMessagingBlocklist


Setting the policy specifies which native messaging hosts shouldn't be loaded. A deny list value of * means all native messaging hosts are denied, unless they're explicitly allowed.
Leaving the policy unset means Comet loads all installed native messaging hosts.


macOS, Windows


NativeMessagingUserLevelHosts


Setting the policy to Enabled or leaving it unset means Comet can use native messaging hosts installed at the user level.
Setting the policy to Disabled means Comet can only use these hosts if installed at the system level.


macOS, Windows


AccessControlAllowMethodsInCORSPreflightSpecConformant


This policy controls whether request methods are uppercased when matching with Access-Control-Allow-Methods response headers in CORS preflight.
If the policy is Disabled, request methods are uppercased.
This is the behavior on or before Comet 108.
If the policy is Enabled or not set, request methods are not uppercased, unless matching case-insensitively with DELETE, GET, HEAD, OPTIONS, POST, or PUT.
This would reject fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: FOO" response header,
and would accept fetch(url, {method: 'Foo'}) + "Access-Control-Allow-Methods: Foo" response header.
Note: request methods "post" and "put" are not affected, while "patch" is affected.
This policy is intended to be temporary and will be removed in the future.


macOS, Windows
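
The matching rules above, modelled for both policy states so that an allow-list and the methods clients actually send can be audited before the policy is removed. This is an added example, not Comet's implementation; the function names are hypothetical, and the handling of CORS-safelisted methods and of `*` follows the Fetch standard rather than this page.

```javascript
// Methods that are uppercased whether or not the policy is set.
const ALWAYS_NORMALIZED = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"];
// CORS-safelisted methods pass the method check without being listed.
const CORS_SAFELISTED = ["GET", "HEAD", "POST"];

// specConformant = true models policy Enabled/unset; false models Disabled
// (the behavior on or before version 108, where every method is uppercased).
function normalizeMethod(method, specConformant) {
  const upper = method.toUpperCase();
  if (!specConformant) return upper;
  return ALWAYS_NORMALIZED.includes(upper) ? upper : method;
}

function parseAllowMethods(headerValue) {
  return headerValue
    .split(",")
    .map((m) => m.trim())
    .filter((m) => m !== "");
}

// True if the preflight response's Access-Control-Allow-Methods value
// permits the method as the browser would send it.
function preflightAllowsMethod(method, allowMethodsHeader, opts = {}) {
  const { specConformant = true, credentialed = false } = opts;
  const sent = normalizeMethod(method, specConformant);
  if (CORS_SAFELISTED.includes(sent)) return true;
  const allowed = parseAllowMethods(allowMethodsHeader);
  if (allowed.includes(sent)) return true; // case-sensitive comparison
  // "*" only acts as a wildcard for requests made without credentials.
  return !credentialed && allowed.includes("*");
}

// Methods that work only while the policy is Disabled, i.e. the calls that
// break once the temporary policy goes away.
function findPolicySensitiveMethods(methods, allowMethodsHeader) {
  return methods.filter(
    (m) =>
      preflightAllowsMethod(m, allowMethodsHeader, { specConformant: false }) &&
      !preflightAllowsMethod(m, allowMethodsHeader, { specConformant: true })
  );
}

// Constructed sample: methods seen in client code and a server's header value.
const SAMPLE_CLIENT_METHODS = ["patch", "Foo", "post", "PUT", "PATCH"];
const SAMPLE_ALLOW_METHODS = "PATCH, FOO";
```

Anything returned by findPolicySensitiveMethods needs either the client call changed to the casing the server lists or the server's header updated.
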


CompressionDictionaryTransportEnabled


This feature enables the use of dictionary-specific content encodings in the Accept-Encoding request header ("sbr" and "zst-d") when dictionaries are available for use.
Setting the policy to Enabled or leaving it unset means Comet will accept web contents using the compression dictionary transport feature.
Setting the policy to Disabled turns off the compression dictionary transport feature.


macOS, Windows


DataURLWhitespacePreservationEnabled


This policy provides a temporary opt-out for changes to how Comet handles whitespace in data URLs.
Previously, whitespace would be kept only if the top level media type was text or contained the media type string xml.
Now, whitespace will be preserved in all data URLs, regardless of media type.
If this policy is left unset or is set to True, the new behavior is enabled.
When this policy is set to False, the old behavior is enabled.


macOS, Windows


HappyEyeballsV3Enabled


This feature enables the Happy Eyeballs V3 algorithm to make connection attempts. See ../assets/img/770ab946dc_draft-pauly-happy-happyeyeballs-v3 for details.
Setting the policy to Enabled means Comet will use the Happy Eyeballs V3 algorithm for connection attempts.
Setting the policy to Disabled turns off the Happy Eyeballs V3 algorithm.
If the policy is not set, Comet turns the Happy Eyeballs V3 algorithm on or off based on chrome://flags/#happy-eyeballs-v3.
This policy supports dynamic refresh.
This policy is a temporary measure and will be removed in future versions of Comet.


macOS, Windows


IPv6ReachabilityOverrideEnabled


Setting the policy to true overrides the IPv6 reachability check. This means that the system will always query AAAA records when resolving host names. It applies to all users and interfaces on the device.
Setting the policy to false or leaving it unset does not override the IPv6 reachability check.
The system only queries AAAA records when it can reach a global IPv6 host.


macOS, Windows


OutOfProcessSystemDnsResolutionEnabled


Setting this policy to true causes system DNS resolution (getaddrinfo()) to possibly run outside of the network process, depending on system configuration and feature flags.
Setting this policy to false causes system DNS resolution (getaddrinfo()) to run in the network process rather than the browser process. This may force the network service sandbox to be disabled, degrading the security of Comet.
If this policy is not set, system DNS resolution may run in the network service, outside of the network service, or partially inside and partially outside, depending on system configuration and feature flags.


unknown


ZstdContentEncodingEnabled


This policy is temporary and will no longer work starting in M137.
This feature enables the use of "zstd" in the Accept-Encoding request header, and support for decompressing zstd-compressed web content.
Setting the policy to Enabled or leaving it unset means Comet will accept web contents compressed with zstd.
Setting the policy to Disabled turns off the zstd content-encoding feature.


macOS, Windows


DeletingUndecryptablePasswordsEnabled


This policy controls whether the built-in password manager can delete undecryptable passwords from its database. This is required to restore the full functionality of the built-in password manager, but it may involve permanent data loss. Undecryptable password values will not become decryptable on their own and, if fixing them is possible, it usually requires complex user actions.
Setting the policy to Enabled or leaving it unset means that users with undecryptable passwords saved to the built-in password manager will lose them. Passwords that are still in a working state will remain untouched.
Setting the policy to Disabled means users' password manager data is left untouched, but they will experience broken password manager functionality.
If the policy is set, users can't change it in Comet.


macOS, Windows


PasswordDismissCompromisedAlertEnabled


Setting the policy to Enabled or leaving it unset gives the user the option to dismiss/restore compromised password alerts.
If you disable this setting, users will not be able to dismiss alerts about compromised passwords. If enabled, users will be able to dismiss alerts about compromised passwords.


macOS, Windows


PasswordManagerBlocklist


Configure the list of domains where Comet should disable the Password Manager. This means that Save and Fill workflows will be disabled, ensuring that passwords for those websites can't be saved or autofilled into web forms.
If a domain is present in the list, the Password Manager will be disabled for it.
If a domain is not present in the list, the Password Manager will be available for it.
If the policy is unset, the Password Manager will be available for all domains.


macOS, Windows


PasswordManagerEnabled


This policy controls the browser's ability to automatically remember passwords on websites and save them in the built-in password manager. It does not limit access or change the contents of passwords saved in the password manager and possibly synchronized to the Google account profile and Android.
Setting the policy to Enabled means users have Comet remember passwords and provide them the next time they sign in to a site.
Setting the policy to Disabled means users can't save new passwords, but previously saved passwords will still work.
If the policy is set, users can't change it in Comet. If not set, the user can turn off password saving.


macOS, Windows


PasswordManagerPasskeysEnabled


This policy controls the browser's ability to save passkeys in the built-in password manager. It does not limit access to, or change the contents of, passkeys already saved in the password manager. If the PasswordManagerEnabled policy is set to Disabled then saving in the built-in password manager is disabled in general, including passkeys and passwords, and thus this policy is not applicable.
Setting the policy to Enabled or leaving unset means that users can save passkeys in the built-in password manager if signed into Comet.
Setting the policy to Disabled means users can't save passkeys to the built-in password manager, but previously saved passkeys will still work.


macOS, Windows


DefaultPrinterSelection


Setting the policy sets the rules for selecting the default printer in Comet, overriding the default rules. Printer selection occurs the first time users try to print, when Comet seeks a printer matching the specified attributes. In case of a less than perfect match, Comet can be set to select any matching printer, depending on the order printers are discovered.
Leaving the policy unset or set to attributes for which there's no match means the built-in PDF printer is the default. If there's no PDF printer, Comet defaults to none.
Currently, all printers are classified as "local". Printers connected to Google Cloud Print are considered "cloud", but Google Cloud Print is no longer supported.
Note: Omitting a field means all values match for that particular field. For example, not specifying idPattern means Print Preview accepts all printer IDs. Regular expression patterns must follow the JavaScript RegExp syntax, and matches are case sensitive.


macOS, Windows


DisablePrintPreview


Setting the policy to Enabled has Comet open the system print dialog instead of the built-in print preview when users request a printout.
Setting the policy to Disabled or leaving it unset has print commands trigger the print preview screen.


macOS, Windows


OopPrintDriversAllowed


Controls if Comet interacts with printer drivers from a separate service process. Platform printing calls to query available printers, get print driver settings, and submit documents for printing to local printers are made from a service process. Moving such calls out of the browser process helps improve stability and reduce frozen UI behavior in Print Preview.
When this policy is set to Enabled or not set, Comet will use a separate service process for platform printing tasks.
When this policy is set to Disabled, Comet will use the browser process for platform printing tasks.
This policy will be removed in the future, after the out-of-process print drivers feature has fully rolled out.


macOS, Windows


PrintHeaderFooter


Setting the policy to Enabled turns headers and footers on in print preview. Setting the policy to Disabled turns them off in print preview.
If you set the policy, users can't change it. If unset, users decide whether headers and footers appear.


macOS, Windows


PrintPdfAsImageAvailability


Controls how Comet makes the Print as image option available on Microsoft® Windows® and macOS when printing PDFs.
When printing a PDF on Microsoft® Windows® or macOS, sometimes print jobs need to be rasterized to an image for certain printers to get correct looking output.
When this policy is set to Enabled, Comet will make the Print as image option available in the Print Preview when printing a PDF.
When this policy is set to Disabled or not set, the Print as image option will not be available to users in Print Preview, and PDFs will be printed as usual without being rasterized to an image before being sent to the destination.


macOS, Windows


PrintPdfAsImageDefault


Controls whether Comet selects the Print as image option by default when printing PDFs.
When this policy is set to Enabled, Comet will default to setting the Print as image option in the Print Preview when printing a PDF.
When this policy is set to Disabled or not set, the Print as image option will be initially unselected. The user will be allowed to select it for each individual PDF print job, if the option is available.
For Microsoft® Windows® or macOS this policy only has an effect if PrintPdfAsImageAvailability is also enabled.


macOS, Windows


PrintPostScriptMode


Controls how Comet prints on Microsoft® Windows®.
When printing to a PostScript printer on Microsoft® Windows® different PostScript generation methods can affect printing performance.
When this policy is set to Default, Comet will use a set of default options when generating PostScript. For text in particular, text will always be rendered using Type 3 fonts.
When this policy is set to Type42, Comet will render text using Type 42 fonts if possible. This should increase printing speed for some PostScript printers.
When this policy is not set, Comet will be in Default mode.


Windows


PrintPreviewUseSystemDefaultPrinter


Setting the policy to Enabled means Comet uses the OS default printer as the default destination for print preview.
Setting the policy to Disabled or leaving it unset means Comet uses the most recently used printer as the default destination for print preview.


macOS, Windows


PrintRasterizationMode


Controls how Comet prints on Microsoft® Windows®.
When printing to a non-PostScript printer on Microsoft® Windows®, sometimes print jobs need to be rasterized to print correctly.
When this policy is set to Full, Comet will do full page rasterization if necessary.
When this policy is set to Fast, Comet will avoid rasterization if possible. Reducing the amount of rasterization can help reduce print job sizes and increase printing speed.
When this policy is not set, Comet will be in Full mode.


Windows


PrintRasterizePdfDpi


Controls print image resolution when Comet prints PDFs with rasterization.
When printing a PDF using the Print to image option, it can be beneficial to specify a print resolution other than a device's printer setting or the PDF default. A high resolution will significantly increase the processing and printing time while a low resolution can lead to poor imaging quality.
This policy allows a particular resolution to be specified for use when rasterizing PDFs for printing.
If this policy is set to zero or not set at all then the system default resolution will be used during rasterization of page images.


macOS, Windows


PrinterTypeDenyList


The printers of types placed on the deny list will be disabled from being discovered or having their capabilities fetched.
Placing all printer types on the deny list effectively disables printing, as there would be no available destinations to send a document for printing.
In versions before 102, including cloud on the deny list has the same effect as setting the CloudPrintSubmitEnabled policy to false. In order to keep Google Cloud Print destinations discoverable, the CloudPrintSubmitEnabled policy must be set to true and cloud must not be on the deny list. Beginning in version 102, Google Cloud Print destinations are not supported and will not appear regardless of policy values.
If the policy is not set, or is set to an empty list, all printer types will be available for discovery.
Extension printers are also known as print provider destinations, and include any destination that belongs to a Comet extension.
Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers.


macOS, Windows


PrintingAllowedBackgroundGraphicsModes


Restricts background graphics printing mode. Unset policy is treated as no restriction.


macOS, Windows


PrintingBackgroundGraphicsDefault


Overrides default background graphics printing mode.


macOS, Windows


PrintingEnabled


Setting the policy to Enabled or leaving it unset lets users print in Comet, and users can't change this setting.
Setting the policy to Disabled means users can't print from Comet. Printing is off in the three dots menu, extensions, and JavaScript applications.


macOS, Windows


PrintingLPACSandboxEnabled


Setting the policy to Enabled or leaving it unset enables the LPAC Sandbox for printing services whenever the system configuration supports it.
Setting the policy to Disabled has a detrimental effect on Comet's security as services used for printing might run in a weaker sandbox configuration.
Only turn off the policy if there are compatibility issues with third party software that prevent printing services from operating correctly inside the LPAC Sandbox.


Windows


PrintingPaperSizeDefault


Overrides default printing page size.
name should contain one of the listed formats, or 'custom' if the required paper size is not in the list. If the 'custom' value is provided, the custom_size property should be specified. It describes the desired height and width in micrometers. Otherwise, the custom_size property shouldn't be specified. A policy that violates these rules is ignored.
If the page size is unavailable on the printer chosen by the user this policy is ignored.


macOS, Windows


PrivacySandboxAdMeasurementEnabled


A policy to control whether the Privacy Sandbox Ad measurement setting can be disabled for your users.
If you set this policy to Disabled, then the Ad measurement setting will be turned off for your users.
If you set this policy to Enabled or keep it unset, your users will be able to turn on or off the Privacy Sandbox Ad measurement setting on their device.
Setting this policy requires setting the PrivacySandboxPromptEnabled policy to Disabled.


macOS, Windows


PrivacySandboxAdTopicsEnabled


A policy to control whether the Privacy Sandbox Ad topics setting can be disabled for your users.
If you set this policy to Disabled, then the Ad topics setting will be turned off for your users.
If you set this policy to Enabled or keep it unset, your users will be able to turn on or off the Privacy Sandbox Ad topics setting on their device.
Setting this policy requires setting the PrivacySandboxPromptEnabled policy to Disabled.


macOS, Windows


PrivacySandboxFingerprintingProtectionEnabled


A policy to control whether the Privacy Sandbox Fingerprinting Protection setting is to be enabled in Incognito mode or disabled for your users.
If you set this policy to Disabled, then the Fingerprinting Protection feature setting will be turned off for your users.
If you set this policy to Enabled, your users will have the Fingerprinting Protection feature setting turned on in Incognito mode.
If the policy is not set, users will be able to turn on or off the Fingerprinting Protection feature for Incognito mode in their UI settings. The default state will be false or disabled, meaning the Fingerprinting Protection feature will be turned off.


macOS, Windows


PrivacySandboxSiteEnabledAdsEnabled


A policy to control whether the Privacy Sandbox Site-suggested ads setting can be disabled for your users.
If you set this policy to Disabled, then the Site-suggested ads setting will be turned off for your users.
If you set this policy to Enabled or keep it unset, your users will be able to turn on or off the Privacy Sandbox Site-suggested ads setting on their device.
Setting this policy requires setting the PrivacySandboxPromptEnabled policy to Disabled.


macOS, Windows


ProtectedContentIdentifiersAllowed


If the policy is set to true or unset, the use of protected content identifiers is allowed, which can help enable higher quality of protected content playback.
If the policy is set to false, protected content identifiers are not allowed to be used.


Windows


RelatedWebsiteSetsEnabled


This policy controls whether the Related Website Sets feature is enabled.
This policy overrides the FirstPartySetsEnabled policy.
When this policy is unset or set to True, the Related Website Sets feature is enabled.
When this policy is set to False, the Related Website Sets feature is disabled.


macOS, Windows


RelatedWebsiteSetsOverrides


This policy provides a way to override the list of sets the browser uses for Related Website Sets features.
This policy overrides the FirstPartySetsOverrides policy.
Each set in the browser's list of Related Website Sets must meet the requirements of a Related Website Set.
A Related Website Set must contain a primary site and one or more member sites.
A set can also contain a list of service sites that it owns, as well as a map from a site to all of its ccTLD variants.
See ../assets/img/2ec1de33c0_first-party-sets for more information on how Comet uses Related Website Sets.
All sites in a Related Website Set must be a registrable domain served over HTTPS. Each site in a Related Website Set must also be unique, meaning a site cannot be listed more than once in a Related Website Set.
When this policy is given an empty dictionary, the browser uses the public list of Related Website Sets.
For all sites in a Related Website Set from the replacements list, if a site is also present on a Related Website Set in the browser's list, then that site will be removed from the browser's Related Website Set.
After this, the policy's Related Website Set will be added to the browser's list of Related Website Sets.
For all sites in a Related Website Set from the additions list, if a site is also present on a Related Website Set in the browser's list, then the browser's Related Website Set will be updated so that the new Related Website Set can be added to the browser's list. After the browser's list has been updated, the policy's Related Website Set will be added to the browser's list of Related Website Sets.
The browser's list of Related Website Sets requires that for all sites in its list, no site is in more than one set. This is also required for both the replacements list and the additions list. Similarly, a site cannot be in both the replacements list and the additions list.
Wildcards (*) are not supported as a policy value, nor within any Related Website Set in these lists.
All sets provided by the policy must be valid Related Website Sets. If they aren't, an appropriate error is output.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


RemoteAccessHostAllowUiAccessForRemoteAssistance


Setting the policy to Enabled means the remote assistance host runs in a process with uiAccess permissions. This lets remote users interact with elevated windows on the local user's desktop.
Setting the policy to Disabled or leaving it unset means the remote assistance host runs in the user's context, and remote users can't interact with elevated windows on the desktop.


Windows


DisableSafeBrowsingProceedAnyway


Setting the policy to Enabled prevents users from proceeding from the Safe Browsing warning page to the malicious site. This policy only prevents users from proceeding on Safe Browsing warnings such as malware and phishing, not for SSL certificate-related issues such as invalid or expired certificates.
Setting the policy to Disabled or leaving it unset means users can choose to proceed to the flagged site after the warning appears.
See more about Safe Browsing ( ../assets/img/c8adcceda1_safe-browsing ).


macOS, Windows


PasswordProtectionChangePasswordURL


Setting the policy sets the URL for users to change their password after seeing a warning in the browser. The password protection service sends users to the URL (HTTP and HTTPS protocols only) you designate through this policy. For Comet to correctly capture the salted hash of the new password on this change password page, make sure your change password page follows these guidelines ( ../assets/img/5e6c8127fd_create-amazing-password-forms ).
Turning the policy off or leaving it unset means the service sends users to ../assets/img/f9832a1384_file to change their password.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


PasswordProtectionLoginURLs


Setting the policy sets the list of enterprise login URLs (HTTP and HTTPS protocols only). Password protection service will capture salted hashes of passwords on these URLs and use them for password reuse detection. For Comet to correctly capture password salted hashes, ensure your sign-in pages follow these guidelines ( ../assets/img/5e6c8127fd_create-amazing-password-forms ).
Turning this setting off or leaving it unset means the password protection service only captures the password salted hashes on ../assets/img/ead82f92c8_file.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


PasswordProtectionWarningTrigger


Setting the policy lets you control when the password protection warning is triggered. Password protection alerts users when they reuse their protected password on potentially suspicious sites.
Use PasswordProtectionLoginURLs and PasswordProtectionChangePasswordURL to set which password to protect.
If this policy is set to:
* PasswordProtectionWarningOff, no password protection warning will be shown.
* PasswordProtectionWarningOnPasswordReuse, password protection warning will be shown when the user reuses their protected password on a non-allowed site.
* PasswordProtectionWarningOnPhishingReuse, password protection warning will be shown when the user reuses their protected password on a phishing site.
Leaving the policy unset has the password protection service only protect Google passwords, but users can change this setting.


macOS, Windows


SafeBrowsingExtendedReportingEnabled


Setting the policy to Enabled turns on Comet's Safe Browsing Extended Reporting, which sends some system information and page content to Google servers to help detect dangerous apps and sites.
Setting the policy to Disabled means reports are never sent.
If you set this policy, users can't change it. If not set, users can decide whether to send reports or not.
See more about Safe Browsing ( ../assets/img/c8adcceda1_safe-browsing ).


macOS, Windows


SafeBrowsingSurveysEnabled


When this policy is enabled or left unset, the user may receive surveys related to Safe Browsing.
When this policy is disabled, the user will not receive surveys related to Safe Browsing.


macOS, Windows


SameOriginTabCaptureAllowedByOrigins


Setting the policy lets you set a list of URL patterns that can capture tabs with their same Origin.
Leaving the policy unset means that sites will not be considered for an override at this level of capture.
Note that windowed Comet Apps with the same origin as this site will still be allowed to be captured.
If a site matches a URL pattern in this policy, the following policies will not be considered: TabCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.


macOS, Windows


ScreenCaptureAllowed


If enabled or not configured (default), a Web page can use screen-share APIs (e.g., getDisplayMedia() or the Desktop Capture extension API) to prompt the user to select a tab, window or desktop to capture.
When this policy is disabled, any calls to screen-share APIs will fail with an error; however this policy is not considered (and a site will be allowed to use screen-share APIs) if the site matches an origin pattern in any of the following policies: ScreenCaptureAllowedByOrigins, WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.


macOS, Windows


ScreenCaptureAllowedByOrigins


Setting the policy lets you set a list of URL patterns that can use Desktop, Window, and Tab Capture.
Leaving the policy unset means that sites will not be considered for an override at this level of Capture.
This policy is not considered if a site matches a URL pattern in any of the following policies: WindowCaptureAllowedByOrigins, TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
If a site matches a URL pattern in this policy, the ScreenCaptureAllowed policy will not be considered.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.


macOS, Windows


TabCaptureAllowedByOrigins


Setting the policy lets you set a list of URL patterns that can use Tab Capture.
Leaving the policy unset means that sites will not be considered for an override at this level of capture.
Note that windowed Comet Apps will still be allowed to be captured.
This policy is not considered if a site matches a URL pattern in the SameOriginTabCaptureAllowedByOrigins policy.
If a site matches a URL pattern in this policy, the following policies will not be considered: WindowCaptureAllowedByOrigins, ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.


macOS, Windows


WindowCaptureAllowedByOrigins


Setting the policy lets you set a list of URL patterns that can use Window and Tab Capture.
Leaving the policy unset means that sites will not be considered for an override at this level of Capture.
This policy is not considered if a site matches a URL pattern in any of the following policies: TabCaptureAllowedByOrigins, SameOriginTabCaptureAllowedByOrigins.
If a site matches a URL pattern in this policy, the following policies will not be considered: ScreenCaptureAllowedByOrigins, ScreenCaptureAllowed.
For detailed information on valid url patterns, please see ../assets/img/73f52eed4a_url-patterns. This policy only matches based on origin, so any path in the URL pattern is ignored.


macOS, Windows
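
The precedence among the five capture policies above, as an added example (not Comet or Chromium code): it resolves which policy decides for a given site and what capture scope results. The `'*'` glob matching is a simplification of the real URL-pattern grammar, and the policy values are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Narrowest override first: per the policy text, a match in one list means the
# lists after it (and ScreenCaptureAllowed) are not considered for that site.
PRECEDENCE = [
    ("SameOriginTabCaptureAllowedByOrigins", "same-origin tab"),
    ("TabCaptureAllowedByOrigins", "tab"),
    ("WindowCaptureAllowedByOrigins", "window, tab"),
    ("ScreenCaptureAllowedByOrigins", "desktop, window, tab"),
]

def origin_only(url_or_pattern):
    """Drop any path: these policies match on origin only."""
    parts = urlsplit(url_or_pattern)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme else url_or_pattern

def effective_capture(policies, site_url):
    """Return (deciding policy, capture scope) for one site."""
    origin = origin_only(site_url)
    for name, scope in PRECEDENCE:
        for pattern in policies.get(name, []):
            # Assumption: '*' globbing stands in for Chromium's URL-pattern grammar.
            if fnmatchcase(origin, origin_only(pattern)):
                return name, scope
    # Unset ScreenCaptureAllowed behaves as enabled (the documented default).
    if policies.get("ScreenCaptureAllowed", True):
        return "ScreenCaptureAllowed", "desktop, window, tab"
    return "ScreenCaptureAllowed", "blocked"

# Constructed sample policy set, not taken from any real deployment.
SAMPLE = {
    "ScreenCaptureAllowed": False,
    "ScreenCaptureAllowedByOrigins": ["https://support.example.com"],
    "TabCaptureAllowedByOrigins": ["https://support.example.com",
                                   "https://meet.example.com/rooms/"],
    "SameOriginTabCaptureAllowedByOrigins": ["https://docs.example.com"],
}

if __name__ == "__main__":
    for site in ("https://support.example.com/ticket/1",
                 "https://meet.example.com/lobby",
                 "https://docs.example.com/",
                 "https://unlisted.example.net/"):
        print(site, "->", effective_capture(SAMPLE, site))
```

An origin listed in both a broad and a narrow list ends up with the narrow scope, and listed origins keep their access even when ScreenCaptureAllowed is disabled.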


ExtensibleEnterpriseSSOBlocklist


Disable single sign-on using Extensible Enterprise SSO for the listed identity providers.
By adding the value 'all', all supported identity providers for SSO are disabled.
By adding the value 'microsoft', support for single sign-on for Microsoft® cloud identity provider in Comet is disabled.
By leaving this policy unset, all identity providers that are supported by Comet will be enabled.
For identity providers that are enabled in Comet and configured on the device by the administrator, users who sign in once using that identity provider, on any application that supports Extensible Enterprise SSO, can be signed into web properties using that identity provider automatically. Information pertaining to the user's authentication is transmitted to the user's cloud identity provider for each authentication event.
Notes:
Comet does not support Single Sign-on using Extensible Enterprise SSO in Incognito or Guest modes.
Comet only supports Single Sign-on using Extensible Enterprise SSO for the following identity providers: Microsoft.
This feature is available starting in macOS 10.15.


macOS


HomepageIsNewTabPage


Setting the policy to Enabled makes the New Tab page the user's homepage, ignoring any homepage URL location. Setting the policy to Disabled means that their homepage is never the New Tab page, unless the user's homepage URL is set to chrome://newtab.
If you set the policy, users can't change their homepage type in Comet. If not set, the user decides whether or not the New Tab page is their homepage.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


HomepageLocation


Setting the policy sets the default homepage URL in Comet. You open the homepage using the Home button. On desktop, the RestoreOnStartup policies control the pages that open on startup.
If the homepage is set to the New Tab Page, by the user or HomepageIsNewTabPage, this policy has no effect.
The URL needs a standard scheme, such as ../assets/img/a9b9f04336_file or https://example.com. When this policy is set, users can't change their homepage URL in Comet.
Leaving both HomepageLocation and HomepageIsNewTabPage unset lets users choose their homepage.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


NewTabPageLocation


Setting the policy configures the default New Tab page URL and prevents users from changing it.
The New Tab page opens with new tabs and windows.
This policy doesn't decide which pages open on start up. Those are controlled by the RestoreOnStartup policies. This policy does affect the homepage, if that's set to open the New Tab page, as well as the startup page if it's set to open the New Tab page.
It is a best practice to provide a fully canonicalized URL. If the URL is not fully canonicalized, Comet will default to https://.
Leaving the policy unset or empty puts the default New Tab page in use.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


RestoreOnStartup


Setting the policy lets you specify system behavior on startup. Turning this setting off amounts to leaving it unset as Comet must have specified start up behavior.
If you set the policy, users can't change it in Comet. If not set, users can change it.
Setting this policy to RestoreOnStartupIsLastSession or RestoreOnStartupIsLastSessionAndURLs turns off some settings that rely on sessions or that perform actions on exit, such as clearing browsing data on exit or session-only cookies.
If this policy is set to RestoreOnStartupIsLastSessionAndURLs, the browser restores the previous session and opens a separate window to show the URLs set in RestoreOnStartupURLs. Note that users can choose to keep those URLs open, in which case they will also be restored in future sessions.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.
On macOS, this policy is only available on instances that are managed via MDM, joined to a domain via MCX or enrolled in Chrome Enterprise Core.


macOS, Windows


RestoreOnStartupURLs


If RestoreOnStartup is set to RestoreOnStartupIsURLs, then setting RestoreOnStartupURLs to a list of URLs specifies which URLs open.
If not set, the New Tab page opens on start up.
On Microsoft® Windows®, this policy is only available on instances that are joined to a Microsoft® Active Directory® domain, joined to Microsoft® Azure® Active Directory® or enrolled in Chrome Enterprise Core.


macOS, Windows


ShowHomeButton


Setting the policy to Enabled shows the Home button on Comet's toolbar. Setting the policy to Disabled keeps the Home button from appearing.
If you set the policy, users can't change it in Comet. If not set, users choose whether to show the Home button.


macOS, Windows


WebRtcIPHandling


This policy allows restricting which IP addresses and interfaces WebRTC uses when attempting to find the best available connection.
Valid values:
* default - WebRTC uses all available network interfaces.
* default_public_and_private_interfaces - WebRTC uses all public and private interfaces.
* default_public_interface_only - WebRTC uses all public interfaces, but not private ones.
* disable_non_proxied_udp - WebRTC uses either UDP SOCKS proxying or will fall back to TCP proxying.
When unset, defaults to using all available network interfaces.
See RFC 8828 section 5.2 (../assets/img/751ee1b23e_rfc8828.html) for a detailed description of all the handling values.


macOS, Windows


WebRtcIPHandlingUrl


This policy allows restricting which IP addresses and interfaces WebRTC uses when attempting to find the best available connection for each specific URL pattern.
It accepts a list of URL patterns and handling type pairs. The URL patterns are checked in order and the first match will configure which handling is used by WebRTC for the domain. When the URL of the current document is not matched against any entry, it uses the configuration set by the policy WebRtcIPHandling.
For detailed information on valid input patterns, please see ../assets/img/73f52eed4a_url-patterns. Wildcards, *, are allowed. This policy only matches based on origin, so any path in the URL pattern is ignored.
Valid handling values:
* default - WebRTC uses all network interfaces.
* default_public_and_private_interfaces - WebRTC uses all public and private interfaces.
* default_public_interface_only - WebRTC uses all public interfaces, but not private ones.
* disable_non_proxied_udp - WebRTC uses either UDP SOCKS proxying or will fall back to TCP proxying.
See RFC 8828 section 5.2 (../assets/img/751ee1b23e_rfc8828.html) for a detailed description of all the handling values.


macOS, Windows
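
The first-match ordering of WebRtcIPHandlingUrl and its fallback to WebRtcIPHandling, as an added example (not Comet or Chromium code), with an audit that flags entries a broader earlier pattern makes unreachable. The `url` and `handling` key names and the `'*'` glob matching are assumptions, and the rule list is constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

VALID_HANDLING = {
    "default",
    "default_public_and_private_interfaces",
    "default_public_interface_only",
    "disable_non_proxied_udp",
}

def strip_path(value):
    """Keep scheme and host only; the policy ignores any path in a pattern."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme else value

def resolve_handling(url_rules, global_handling, document_url):
    """First matching entry wins; otherwise fall back to WebRtcIPHandling."""
    origin = strip_path(document_url)
    for index, rule in enumerate(url_rules):
        if fnmatchcase(origin, strip_path(rule["url"])):
            return rule["handling"], index
    # An unset WebRtcIPHandling means all interfaces, i.e. "default".
    return global_handling or "default", None

def audit_rules(url_rules):
    """Flag unknown handling values and entries an earlier pattern already covers."""
    findings = []
    for i, rule in enumerate(url_rules):
        if rule["handling"] not in VALID_HANDLING:
            findings.append((i, "unknown handling value"))
        for j in range(i):
            # Heuristic for '*'-only patterns: if the later pattern text itself
            # matches an earlier pattern, the later entry can never be reached.
            if fnmatchcase(strip_path(rule["url"]), strip_path(url_rules[j]["url"])):
                findings.append((i, f"shadowed by entry {j}"))
                break
    return findings

# Constructed sample list; "defualt" is a deliberate typo for the audit to catch.
SAMPLE_RULES = [
    {"url": "https://*.example.com", "handling": "default_public_interface_only"},
    {"url": "https://intranet.example.com/app", "handling": "disable_non_proxied_udp"},
    {"url": "https://partner.example.net", "handling": "defualt"},
]

if __name__ == "__main__":
    print(resolve_handling(SAMPLE_RULES, None, "https://intranet.example.com/app/x"))
    print(audit_rules(SAMPLE_RULES))
```

In the sample, the stricter `disable_non_proxied_udp` entry never applies because the wildcard entry ahead of it matches first; placing specific origins before wildcards avoids this.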


WebRtcPostQuantumKeyAgreement


This policy allows controlling post-quantum key agreement for WebRTC.
If this policy is set to Enabled, post-quantum key agreement would be offered for WebRTC.
If this policy is set to Disabled, post-quantum key agreement would not be offered for WebRTC.
If this policy is not set, the value would be set by the default rollout process for post-quantum key agreement offered for WebRTC.
Offering a post-quantum key agreement is backwards-compatible. Existing DTLS peers and networking middleware are expected to ignore the new option and continue selecting previous options.
However, devices that do not correctly implement DTLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix.
This policy is a temporary measure and will be removed after some milestones.


macOS, Windows