nesdeq/chromejail


chromejail — open-source Chrome privacy and security hardening




78 enterprise policies · 5 privacy extensions · Zero telemetry · All platforms · MIT licensed


Quick install · What it does · Install · Customize · How it works · FAQ


Quick install

macOS / Linux — open Terminal and run:

curl -fsSL https://raw.githubusercontent.com/nesdeq/chromejail/main/chromejail.sh | sudo bash -s install

Windows — open PowerShell as Administrator and run:

irm https://raw.githubusercontent.com/nesdeq/chromejail/main/chromejail.ps1 -OutFile "$env:TEMP\chromejail.ps1"; & "$env:TEMP\chromejail.ps1" install

Auto-detects all installed Chromium browsers, downloads the policy config, and applies 78 privacy/security policies in one shot. Restart your browser and verify at chrome://policy.


The problem

Out of the box, Google Chrome phones home constantly: usage metrics, crash reports, spell checking every word you type, URL suggestions on every keystroke, network error diagnostics, Safe Browsing extended reports, DNS prefetch to servers you never asked for, AI feature telemetry, Privacy Sandbox ad tracking, and more. Other Chromium-based browsers like Brave, Microsoft Edge, Vivaldi, and Chromium inherit many of these data collection behaviors.

Most of these privacy and security settings cannot be fully disabled through chrome://settings.

chromejail is a free, open-source browser hardening tool that uses Chrome's own enterprise policy system to enforce 78 privacy, security, and performance settings at the OS level — stopping telemetry, disabling tracking, blocking third-party cookies, enforcing HTTPS and encrypted DNS, and locking down permissions across all your Chromium browsers from a single JSON config. Policies are machine-managed and cannot be overridden by the user, extensions, or browser updates.

Install

# macOS / Linux — auto-detects and hardens all installed Chromium browsers
sudo ./chromejail.sh install

# Windows (run PowerShell as Administrator)
.\chromejail.ps1 install

Restart your browser. Open chrome://policy to verify — every policy shows as enforced.

To undo everything:

sudo ./chromejail.sh uninstall        # macOS / Linux
.\chromejail.ps1 uninstall            # Windows

Target specific browsers

sudo ./chromejail.sh install --browser brave
sudo ./chromejail.sh install --browser chrome,edge
.\chromejail.ps1 install -Browser chrome,brave

Check status

./chromejail.sh status
  BROWSER              INSTALLED    POLICY
  Google Chrome        yes          active  /Library/Managed Preferences/com.google.Chrome.plist
  Brave                yes          active  /Library/Managed Preferences/com.brave.Browser.plist
  Microsoft Edge       no           none

Supported browsers

| Browser | macOS | Linux | Windows |
| --- | --- | --- | --- |
| Google Chrome | yes | yes | yes |
| Chromium | yes | yes | yes |
| Brave | yes | yes | yes |
| Microsoft Edge | yes | yes | yes |
| Vivaldi | yes | yes | yes |

All Chromium-based browsers share the same policy engine. chromejail auto-detects which browsers are installed and applies the privacy configuration to each one individually.

What it does

Privacy — all telemetry and data collection is disabled

| What | Setting | Why it matters |
| --- | --- | --- |
| Telemetry & crash reports | Disabled | Stops usage metrics and diagnostics from reaching Google's servers |
| Google sign-in & sync | Disabled | No account linking, no cloud sync of any browsing data |
| Third-party cookies | Blocked | Eliminates the primary mechanism for cross-site tracking |
| First-party cookies | Persistent | Kept across sessions so you stay logged in — third-party cookies are still blocked |
| Privacy Sandbox | Disabled | Topics API, FLEDGE, Attribution Reporting — Google's ad tracking APIs are all off |
| Autofill & passwords | Disabled | No address autofill, no credit card autofill, no password manager, no leak detection |
| URL-keyed data collection | Disabled | The URLs you visit are not sent to Google for analysis |
| Network predictions | Disabled | No prefetch, preconnect, or prerender to servers you haven't visited |
| Search suggestions | Disabled | Your keystrokes are not streamed to the search provider as you type |
| Online spell check | Disabled | The text you write is not sent to Google's remote spell check service |
| Translation | Disabled | Page content is not forwarded to Google Translate |
| AI features | Disabled | Gemini, Help Me Write, tab organizer, AI history search — all off |
| WebRTC IP handling | TCP only | Prevents your real IP address from leaking through WebRTC connections |
| Geolocation, camera, mic | Blocked | No website can request access to your location or media devices |
| Notifications & sensors | Blocked | No push notification prompts, no access to device motion sensors |
| Browser history | Not saved | Your browsing activity is never written to disk |
| Data on exit | Auto-cleared | History, cache, autofill, site settings — wiped on every close (cookies are kept) |
| NTP suggestions & shopping | Disabled | No personalized or commercial content on new tab page |
| Domain reliability monitoring | Disabled | No network diagnostic reports sent to Google |
| Accessibility image labels | Disabled | Images are not uploaded to Google for automatic captioning |
| Time sync queries | Disabled | No periodic timestamp pings to Google's time servers |

Security — browser hardening with enforced safe defaults

| What | Setting | Why it matters |
| --- | --- | --- |
| HTTPS-Only Mode | Enforced | Every navigation is upgraded to HTTPS; insecure HTTP is blocked |
| TLS minimum version | 1.2 | Rejects connections using deprecated TLS 1.0/1.1 protocols |
| Encrypted Client Hello | Enabled | Encrypts the SNI field so network observers can't see which domain you're visiting |
| Post-quantum TLS | Enabled | Future-proof key exchange that resists quantum computing attacks |
| SSL error bypass | Blocked | Users cannot click through certificate warnings to reach unsafe sites |
| Safe Browsing | Disabled | Zero calls to Google — no phishing/malware checks, no data sent to Google servers |
| DNS-over-HTTPS | Secure-only | All DNS queries encrypted via Quad9 — no plaintext DNS fallback |
| Site isolation | Per-process | Every site runs in its own renderer process, mitigating Spectre-class attacks |
| Chrome experiments | Critical only | Google's A/B test variations are not pushed to your browser |
| Default search engine | DuckDuckGo | Privacy-respecting search with no keystroke suggestion URL |
| Extensions | Locked down | The Chrome Web Store is blocked by default; only vetted privacy extensions are force-installed |

Performance — faster browsing without compromising privacy

| What | Setting | Why it matters |
| --- | --- | --- |
| GPU acceleration | Locked on | Hardware compositing and rasterization enforced for smoother rendering |
| Memory Saver | Enabled | Inactive background tabs are frozen and discarded to free RAM |
| Background JS throttling | Enabled | Timers in background tabs throttled to once per minute — saves CPU and battery |
| V8 JIT optimizer | Locked on | Full JavaScript JIT compilation pipeline enforced for maximum speed |
| Zstandard compression | Enabled | Modern compression with better ratios than gzip/Brotli for faster page loads |
| Shared-dictionary transport | Enabled | Delta compression on repeat visits — only changed content is transferred |
| Back-forward cache | Safe mode | Instant back/forward navigation, but sensitive no-store pages are properly excluded |
| Media autoplay | Blocked | Videos and audio don't play until you explicitly interact |

Force-installed extensions

These privacy and quality-of-life extensions install automatically on launch and cannot be disabled or removed:

| Extension | What it does |
| --- | --- |
| uBlock Origin Lite | Lightweight ad blocker and tracker blocker (Manifest V3 compatible) |
| I still don't care about cookies | Auto-dismisses GDPR cookie consent banners across the web |
| Decentraleyes | Serves common CDN libraries locally, preventing CDN-based tracking |
| Privacy Badger | Learns and blocks invisible third-party trackers as you browse |
| Dark Reader | System-wide dark mode for every website — reduces eye strain |

Customize

Edit policies.json, then re-run install. Every privacy and security setting is a single JSON key-value pair.

Add or remove a force-installed extension

Find the extension's ID from its Chrome Web Store URL (the 32-character string after /detail/).

"ExtensionInstallForcelist": [
  "extension_id_here;https://clients2.google.com/service/update2/crx"
]

Fix video calls (WebRTC)

The default TCP-only mode blocks WebRTC IP leaks but may break video conferencing. Relax it to allow your public IP:

"WebRtcIPHandling": "default_public_interface_only"

Allow SSL error bypass (for local development)

"SSLErrorOverrideAllowed": true

Switch encrypted DNS provider

"DnsOverHttpsTemplates": "https://adblock.doh.mullvad.net/dns-query{?dns}"

Other privacy-respecting DNS options: Cloudflare (https://cloudflare-dns.com/dns-query{?dns}), Mullvad with ad-blocking (shown above), or any RFC 8484 compliant DNS-over-HTTPS resolver.

Re-enable Safe Browsing (standard)

Enables Google's phishing and malware protection (contacts Google servers for blocklist updates):

"SafeBrowsingProtectionLevel": 1

Keep browser history

"SavingBrowserHistoryDisabled": false

Remove "browsing_history" from ClearBrowsingDataOnExitList to persist it across sessions.
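
A check worth running on an edited policies.json before re-running install, shown here as an added example that is not part of the chromejail repository. The function name review_policies and the sample data are hypothetical, and the example assumes the project's TCP-only default corresponds to the Chromium value disable_non_proxied_udp.

```python
import json
import re

# Extension IDs are 32 characters from a-p; each entry is "<id>;<update URL>".
EXT_ENTRY = re.compile(r"^[a-p]{32};https://\S+$")
# Values Chromium accepts for WebRtcIPHandling.
WEBRTC_MODES = {"default", "default_public_and_private_interfaces",
                "default_public_interface_only", "disable_non_proxied_udp"}
# Constructed sample edit, not the project's real policies.json.
SAMPLE = json.dumps({
    "ExtensionInstallForcelist": [
        "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",
        "extension_id_here;https://clients2.google.com/service/update2/crx",
    ],
    "WebRtcIPHandling": "default_public_interface_only",
    "DnsOverHttpsTemplates": "https://adblock.doh.mullvad.net/dns-query{?dns}",
    "SSLErrorOverrideAllowed": True,
})


def review_policies(text):
    """Return (errors, relaxations) for the text of a policies.json file."""
    policies = json.loads(text)
    errors, relaxations = [], []
    for entry in policies.get("ExtensionInstallForcelist", []):
        if not EXT_ENTRY.match(entry):
            errors.append(f"ExtensionInstallForcelist: malformed entry {entry!r}")
    mode = policies.get("WebRtcIPHandling")
    if mode is not None and mode not in WEBRTC_MODES:
        errors.append(f"WebRtcIPHandling: unknown value {mode!r}")
    elif mode not in (None, "disable_non_proxied_udp"):
        relaxations.append(f"WebRtcIPHandling relaxed to {mode}")
    # The policy takes one or more space-separated URI templates.
    for template in policies.get("DnsOverHttpsTemplates", "").split():
        if not template.startswith("https://"):
            errors.append(f"DnsOverHttpsTemplates: not https: {template!r}")
    if policies.get("SSLErrorOverrideAllowed") is True:
        relaxations.append("SSLErrorOverrideAllowed: certificate warnings can be bypassed")
    if policies.get("SavingBrowserHistoryDisabled") is False:
        relaxations.append("SavingBrowserHistoryDisabled: history is written to disk")
    return errors, relaxations


if __name__ == "__main__":
    errs, relaxed = review_policies(SAMPLE)
    for line in errs:
        print("ERROR", line)
    for line in relaxed:
        print("RELAXED", line)
```

Errors are entries the browser would reject or ignore; relaxations are valid settings that loosen the hardened defaults and deserve a deliberate decision.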

How it works

All Chromium-based browsers support enterprise managed policies — a configuration layer designed for organizations to enforce browser security settings. No MDM enrollment or Chrome Enterprise license is required. The browser reads these policies from a local file (or the Windows registry) on every launch.

| Platform | Format | Location |
| --- | --- | --- |
| macOS | XML plist | /Library/Managed Preferences/<bundle_id>.plist |
| Linux | JSON file | /etc/opt/chrome/policies/managed/ (varies by browser) |
| Windows | Registry | HKLM\SOFTWARE\Policies\<vendor>\<browser>\ |

policies.json is the single source of truth for all privacy, security, and performance settings. The install scripts convert it to the platform-native format:

  • macOS — converts JSON to plist via Python 3, writes to /Library/Managed Preferences/ as root:wheel
  • Linux — copies JSON directly to the browser's managed policy directory as root:root
  • Windows — reads JSON and writes each key to the Windows registry under HKLM

Policies in managed locations are machine-level and show as "enforced" in chrome://policy. Settings controlled by policy appear greyed out in chrome://settings with a "managed by your organization" indicator.
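
The macOS conversion and a post-install audit of the deployed file, as an added example rather than the code in chromejail.sh. The function names to_plist and audit_deployed are hypothetical; the audit covers the macOS plist and Linux JSON cases and checks the root ownership the install step is described as setting.

```python
import json
import os
import plistlib
import stat


def to_plist(policies_json):
    """Render policies.json text as an XML property list (bytes)."""
    return plistlib.dumps(json.loads(policies_json), fmt=plistlib.FMT_XML)


def audit_deployed(path, policies_json):
    """Compare a deployed policy file with policies.json; return a list of findings."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(f"owner is uid {st.st_uid}, expected root (0)")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")

    with open(path, "rb") as fh:
        raw = fh.read()
    # macOS files are plists; Linux files are the JSON itself.
    deployed = plistlib.loads(raw) if path.endswith(".plist") else json.loads(raw)
    expected = json.loads(policies_json)

    for key in sorted(expected.keys() | deployed.keys()):
        if key not in deployed:
            findings.append(f"missing policy: {key}")
        elif key not in expected:
            findings.append(f"unexpected policy: {key}")
        elif deployed[key] != expected[key]:
            findings.append(f"drift in {key}: {deployed[key]!r} != {expected[key]!r}")
    return findings


if __name__ == "__main__":
    # Constructed two-policy sample, not the project's real policies.json.
    sample = '{"SSLErrorOverrideAllowed": false, "DefaultCookiesSetting": 1}'
    print(to_plist(sample).decode())
```

An empty list from audit_deployed means the file on disk still matches policies.json and is writable only by its root owner.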

Optional: chrome://flags

These optional flags provide additional performance gains but are not enforceable via enterprise policy. Set them manually in each browser profile — they may reset on browser updates.

| Flag | Value | Effect |
| --- | --- | --- |
| #enable-gpu-rasterization | Enabled | GPU-accelerated page rasterization |
| #enable-zero-copy | Enabled | Direct GPU memory writes, eliminates CPU copy overhead |
| #enable-parallel-downloading | Enabled | Splits large downloads into parallel streams for faster completion |
| #smooth-scrolling | Enabled | Fluid scroll interpolation for smoother browsing |

Why chromejail?

Unlike browser extensions that request privacy changes, chromejail enforces security and privacy settings at the operating system level using the same managed policy mechanism that enterprises and IT departments rely on. Extensions can be disabled and settings can be reset by users or updates, but enterprise policies cannot be bypassed — not by the browser, not by websites, not by Chrome updates.

Compared to other browser privacy and security solutions:

  • Manual chrome://settings hardening — most privacy options are buried, incomplete, or silently reset on browser updates. chromejail configures everything in one command and it stays configured permanently.
  • Ungoogled Chromium — requires building from source or trusting a third-party browser binary. chromejail hardens your existing Chrome, Brave, or Edge installation without replacing it.
  • Firefox with user.js / arkenfox — an excellent privacy option, but if you need the Chromium engine for site compatibility, extension support, or developer tools, chromejail is the equivalent hardening tool for the Chromium ecosystem.
  • Browser extensions alone — privacy extensions run inside the browser's sandbox. Managed policies run above it at the OS level. Extensions simply cannot disable telemetry, enforce minimum TLS versions, lock DNS-over-HTTPS settings, or block Chrome's built-in data collection.

Project structure

chromejail/
├── policies.json     Single source of truth — 78 policies, plain JSON
├── chromejail.sh     macOS + Linux installer (bash 3.2+)
├── chromejail.ps1    Windows installer (PowerShell 7.0+)
├── logo.svg          Project logo
└── README.md

FAQ

Will this break websites?

Most sites work fine. The two settings most likely to cause issues:

  • Cookies are persistent by default — you stay logged in across browser restarts. For maximum privacy, change DefaultCookiesSetting from 1 to 4 (session-only) and add "cookies_and_other_site_data" to ClearBrowsingDataOnExitList.
  • WebRTC TCP-only — video calls on Google Meet, Zoom (web), etc. may not connect. Change WebRtcIPHandling to "default_public_interface_only" to fix this while still preventing private IP leaks.

Why does it need sudo / Administrator?

Managed policy files live in system-owned directories (/Library/Managed Preferences/, /etc/, HKLM registry). This is a security feature — if policies lived in a user-writable location, any malware running as your user could silently disable them.

Does this work without Chrome Enterprise or MDM enrollment?

Yes. Enterprise policies are a built-in feature of every Chromium-based browser. Any machine can write managed policies — no enrollment, no license, no Google account, and no corporate IT department needed.

Can I use this alongside an existing MDM profile?

On macOS, if your MDM already manages Chrome browser settings, chromejail will merge with or override those policies (machine-level policies take precedence). On Linux/Windows, policies from different sources merge. Check chrome://policy for any conflicts.

How do I verify the privacy policies are active?

Open chrome://policy in any hardened browser. Every policy should appear with source "Platform" and status "OK". Privacy and security settings controlled by policy show a lock icon in chrome://settings.

How do I undo all changes and restore defaults?

sudo ./chromejail.sh uninstall (or .\chromejail.ps1 uninstall on Windows). This removes the managed policy file and creates a timestamped backup. Restart the browser — chrome://policy should show no active policies.

Does this survive Chrome and browser updates?

Yes. Managed policies are stored outside the browser's application directory in a system location. Chrome reads them fresh on every launch, regardless of browser version. Your privacy and security configuration persists across all updates.

Requirements

  • macOS — Python 3 (included with Xcode Command Line Tools)
  • Linux — Python 3
  • Windows — PowerShell 7.0+ (install via Microsoft Store or winget install Microsoft.PowerShell)

License

MIT License. See LICENSE for details.


If chromejail improved your browser privacy, consider giving it a star.
