From a98378c29fda0448eb541da9dd226ca5e6692ee4 Mon Sep 17 00:00:00 2001 From: Alex Gough Date: Wed, 8 Jul 2020 16:31:55 +0000 Subject: [PATCH] Include bug cases where Chrome breaks OS security boundaries. Change-Id: I17c60ddb3294cc16dd41ff54d86ca95a741aff61 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2284209 Reviewed-by: Max Moroz Reviewed-by: Robert Sesek Reviewed-by: Adrian Taylor Commit-Queue: Alex Gough Cr-Commit-Position: refs/heads/master@{#786321} --- docs/security/faq.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/security/faq.md b/docs/security/faq.md index d0e30010c84d8b..6cdff5cfef6e62 100644 --- a/docs/security/faq.md +++ b/docs/security/faq.md @@ -152,6 +152,17 @@ No. Chromium once contained a reflected XSS filter called the [XSSAuditor](https that was a best-effort second line of defense against reflected XSS flaws found in web sites. The XSS Auditor was [removed in Chrome 78](https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/blGViehIAwAJ). + +## What if a Chrome component breaks an OS security boundary? + +If Chrome or any of its components (e.g. updater) can be abused to +perform a local privilege escalation, then it may be treated as a +valid security vulnerability. + +Running any Chrome component with higher privileges than intended is +not a security bug and we do not recommend running Chrome as an +Administrator on Windows, or as root on POSIX. + ## Why aren't physically-local attacks in Chrome's threat model?
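Review bot: The new first paragraph of "What if a Chrome component breaks an OS security boundary?" hedges with "it may be treated as a valid security vulnerability", which leaves the reader unsure whether such reports are in scope; an FAQ answer should commit, e.g. "then it is a valid security vulnerability and should be reported as one", or state the condition under which it would not be. The second paragraph is also easy to misread: "Running any Chrome component with higher privileges than intended is not a security bug" could be taken to mean that Chrome components running elevated is never a bug, which contradicts the paragraph above it. Rephrase to separate the two cases, e.g. "A user or administrator choosing to run Chrome with elevated privileges (as Administrator on Windows, or as root on POSIX) is a misconfiguration, not a Chrome security bug; Chrome itself escalating to privileges it was not granted is." Finally, consider cross-linking this entry with the adjacent "Why aren't physically-local attacks in Chrome's threat model?" section, since both describe how the local boundary is scoped and a reader will want to know where one ends and the other begins.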