Skip to content

fix: remove flags blocking enterprise extension loading #133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rgarcia merged 8 commits into from
Jan 27, 2026
Merged

fix: remove flags blocking enterprise extension loading #133

rgarcia merged 8 commits into from
Jan 27, 2026

Conversation

@rgarcia
Copy link
Contributor

@rgarcia rgarcia commented Jan 26, 2026
edited by cursor bot
Loading

Summary

  • Removes --disable-background-networking from the default CHROMIUM_FLAGS in the headless wrapper
  • Removes --disable-extensions-except flag usage - this flag was preventing Chrome from creating external providers (including the policy loader), blocking enterprise extension installation
  • Chrome's ExtensionInstallForcelist enterprise policy requires background networking to fetch update.xml and .crx files from the extension server

Root Cause

Two issues were preventing enterprise extensions from loading:

  1. --disable-background-networking prevented Chrome from making HTTP requests to fetch extensions
  2. --disable-extensions-except caused Chrome to set extensions_enabled_ to false, which prevents external providers (including the policy loader) from being created in extension_service.cc

Changes

Flag Changes

  • Remove --disable-background-networking from headless wrapper defaults
  • Remove --disable-extensions-except from:
    • wrapper.sh proxy extension setup
    • chromium.go API flag generation
    • chromiumflags.go MergeExtensionPath function
  • Keep --load-extension for loading extensions via command line

Test Changes

  • Add TestEnterpriseExtensionInstallation e2e test
  • Test uploads a kernel-like extension first (mirrors production behavior)
  • Then uploads enterprise extension and verifies it loads via policy

Test plan

  • Add new e2e test TestEnterpriseExtensionInstallation
  • Test verifies Chrome fetches update.xml and .crx
  • Test verifies extension appears in chrome://extensions
  • Run existing e2e tests to ensure no regressions

Note

Allows enterprise policy (ExtensionInstallForcelist) extensions to install correctly.

  • Removes --disable-background-networking from headless wrapper.sh defaults
  • Eliminates use/emission of --disable-extensions-except; chromiumflags.MergeFlags now folds its paths into --load-extension and never re-emits it; adds MergeExtensionPath
  • server/cmd/api/api/chromium.go no longer writes --disable-extensions-except when building flags; only uses --load-extension for non-policy extensions with clear inline rationale
  • Adds e2e TestEnterpriseExtensionInstallation (headless/headful) plus minimal enterprise test extension assets and pack script; verifies policy config, update.xml/.crx fetch, logs, and presence in chrome://extensions

Written by Cursor Bugbot for commit 1472fd8. This will update automatically on new commits. Configure here.

cursor[bot]
cursor bot reviewed Jan 26, 2026
View reviewed changes
@rgarcia rgarcia force-pushed the fix/enterprise-extension-loading branch 2 times, most recently from 5f2d3eb to 6c33f9b Compare January 26, 2026 19:40
@rgarcia rgarcia changed the title fix: remove --disable-background-networking to enable enterprise extension loading fix: remove flags blocking enterprise extension loading Jan 26, 2026
cursor[bot]
cursor bot reviewed Jan 26, 2026
View reviewed changes
@rgarcia rgarcia force-pushed the fix/enterprise-extension-loading branch from 2545956 to 878c9f2 Compare January 26, 2026 21:10
@rgarcia
fix: remove --disable-background-networking to enable enterprise exte…
1944f9d 
…nsion loading

The default CHROMIUM_FLAGS included --disable-background-networking which
prevented Chrome from fetching extensions via ExtensionInstallForcelist
enterprise policy. Enterprise extensions require Chrome to make HTTP
requests to fetch update.xml and .crx files from the local API server.

Changes:
- Remove --disable-background-networking from default CHROMIUM_FLAGS in headless image
- Add e2e test for enterprise extension installation via policy (tests both headless and headful)

The e2e test verifies that:
1. Extension is uploaded with update.xml and .crx files
2. Enterprise policy is correctly configured with ExtensionInstallForcelist
3. Chrome fetches the extension from the policy URL
4. Extension appears in chrome://extensions with correct ID
@rgarcia
chore: update vendored web-bot-auth extension
3f5b01b 
Rebuild with updated kernel CLI that preserves webRequestBlocking
permission (valid for policy-installed MV3 extensions).
@rgarcia
fix: remove --disable-extensions-except to allow enterprise policy ex…
4d56dbb 
…tensions

The --disable-extensions-except flag causes Chrome to set extensions_enabled_
to false, which prevents external providers (including the policy loader) from
being created. This means Chrome never attempts to fetch force-installed
extensions via ExtensionInstallForcelist enterprise policy.

Changes:
- Remove --disable-extensions-except from chromium.go flag generation
- Remove --disable-extensions-except from wrapper.sh proxy extension setup
- Update MergeExtensionPath to only use --load-extension
- Update e2e test to upload kernel-like extension first (mirrors production)

The fix allows enterprise policy extensions to be fetched and installed while
still loading the kernel extension via --load-extension.

See Chromium source: extension_service.cc - external providers are only
created when extensions_enabled() returns true.
@rgarcia
refactor: use minimal enterprise test extension
9d70ef7 
Replace the web-bot-auth-based test extension with a minimal extension
that only has the webRequest permission needed to trigger enterprise
policy installation. This makes the test more focused and reduces the
extension size from 360KB to 1.3KB.

Also fix runContainer to:
- Add mode=1777 to tmpfs mount
- Ensure CHROMIUM_FLAGS includes --no-sandbox for CI
@rgarcia
chore: remove private_key.pem and add .gitignore
6594b13
@rgarcia
chore: add back private_key.pem for future extension updates
077b62c
@rgarcia
chore: add pack.sh script for regenerating extension.crx
9f66c28
@rgarcia rgarcia force-pushed the fix/enterprise-extension-loading branch from 9197976 to 9f66c28 Compare January 26, 2026 21:47
cursor[bot]
cursor bot reviewed Jan 26, 2026
View reviewed changes
@rgarcia
fix: stop emitting --disable-extensions-except flag
1472fd8 
The --disable-extensions-except flag causes Chrome to set
extensions_enabled() to false, which prevents ExtensionService from
creating external providers (including the enterprise policy loader).
This breaks ExtensionInstallForcelist policy-based extension installation.

Changes:
- MergeFlags() now parses --disable-extensions-except but does NOT
  re-emit it; instead, paths are merged into --load-extension
- Updated tests to reflect new behavior
cursor[bot]
cursor bot reviewed Jan 27, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@rgarcia rgarcia merged commit 51fd470 into main Jan 27, 2026
5 checks passed
@rgarcia rgarcia deleted the fix/enterprise-extension-loading branch January 27, 2026 16:47
@rgarcia rgarcia mentioned this pull request Jan 27, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rgarcia