Create Chromium policy to mitigate unintended uses of kiosk.

[djchateau]

The Raspberry Pi on a standard Raspbian install has the ability to basically visit any web page without restriction. By setting up a Chromium policy machine-wide, we can prevent malicious and unintended actions from users breaking the kiosk setup and workflow. The following should be set as a JSON file in the /boot directory. A symlink should be setup in /etc/chromium-browser/policies/managed that targets /boot/chromium_kiosk_settings.json. To prevent tampering and corrupted data, set /etc/fstab to mount the /boot directory as read-only.

The following should serve as a basis for the default kiosk settings policy for Chromium:

{
	"AllowDeletingBrowserHistory": false,
	"AutoFillEnabled": false,
	"AutoplayAllowed": false,
	"AudioCaptureAllowed": false,
	"BlockThirdPartyCookies": true,
	"BookmarkBarEnabled": false,
	"BrowserAddPersonEnabled": false,
	"BrowserGuestModeEnabled": false,
	"BrowserNetworkTimeQueriesEnabled": true,
	"BuiltInDnsClientEnabled": false,
	"DefaultBrowserSettingEnabled": false,
	"DefaultPrinterSelection": "",
	"DefaultSearchProviderEnabled": true,
	"DefaultSearchProviderName": "DuckDuckGo",
	"DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q=%s",
	"DefaultSearchProviderSuggestURL": "https://duckduckgo.com/?q=%s",
	"DefaultSearchProviderIconURL": "https://cdn.familab.org/favicon.ico.gzip?x34763",
	"DeveloperToolsAvailability": 2,
	"DisableScreenshots": true,
	"DownloadRestrictions": 3,
	"EditBookmarksEnabled": false,
	"EnableMediaRouter": false,
	"ExtensionInstallBlacklist": ["*"],
	"ForceEphemeralProfiles": true,
	"FullscreenAllowed": true,
	"HardwareAccelerationModeEnabled": true,
	"HideWebStoreIcon": true,
	"Http09OnNonDefaultPortsEnabled": false,
	"HomepageLocation": "https://familab.org",
	"ImportAutofillFormData": false,
	"ImportBookmarks": false,
	"ImportHistory": false,
	"ImportHomepage": false,
	"ImportSavedPasswords": false,
	"ImportSearchEngine": false,
	"IncognitoModeAvailability": 1,
	"ManagedBookmarks": [
				{"toplevel_name": "Kiosk Links"},
				{"name": "Forms", "children": [
					{"url": "https://form.jotform.com/80148700596156", "name":"Membership Application"},
					{"url": "https://l.familab.org/membershipwaiver", "name": "Membership Liability Waiver"},
					{"url": "https://l.familab.org/2u5lCOD", "name": "Liability Waiver and Photo Release"},
					{"url": "https://l.familab.org/2u5gaeG", "name": "Teaching Agreement"},
					{"url": "https://l.familab.org/2vQOOuK", "name": "Donation Request and Transfer Agreement"}
				]},
				{"name": "Calendar and Events", "children": [
					{"url": "https://calendar.google.com/calendar/[email protected]", "name": "FAMiLab Calendar"},
					{"url": "https://docs.google.com/forms/d/1F8_vmRZN0loBM2tQ81DL64kQUar_nH45_K8fbSrF51s/edit", "Submit an Event"}
				]},
				{"url": "https://familab.org", "name": "FAMiLab Website"},
				{"url": "https://join.slack.com/t/familab/shared_invite/enQtMjkyMDk2Mzk5MzYwLWZlODU3YWE5NzdhYWQ0OTAxY2U4MDRiOWJlNWMxYThlZjQzMWU5ODAzZDdjNmU2MTdmM2RiMjUyZDg2N2M5MDA", "name": "FAMiLab Slack Self-Invite"}
	],
	"NewTabPageLocation": "https://familab.org",
	"NotificationsBlockedForUrls": ["*"],
	"PasswordManagerEnabled": false,
	"PrintingEnabled": true,
	"PrintPreviewUseSystemDefaultPrinter": true,
	"ProxyMode": "direct",
	"RestoreOnStartup": 4,
	"RestoreOnStartupURLs": ["https://familab.org"],
	"ShowAppsShortcutInBookmarkBar": false,
	"ShowHomeButton": false,
	"TaskManagerEndProcessEnabled": false,
	"TranslateEnabled": false,
	"URLBlacklist": ["*"],
	"URLWhitelist": [
				"*.familab.org",
				"familab.org",
				"eventbrite.com",
				"facebook.com",
				"duckduckgo.com",
				"docs.google.com",
				"calendar.google.com",
				"form.jotform.com",
				"https://join.slack.com/t/familab/shared_invite/enQtMjkyMDk2Mzk5MzYwLWZlODU3YWE5NzdhYWQ0OTAxY2U4MDRiOWJlNWMxYThlZjQzMWU5ODAzZDdjNmU2MTdmM2RiMjUyZDg2N2M5MDA"
	],
	"VideoCaptureAllowed": false,
	"WebDriverOverridesIncompatiblePolicies": true
}