Add 'behavior over the internet' page.
As discussed extensively in meetings.
In addition:
Other organizations have been requesting a list of all the policies
which we apply to Chromium developers, so here's a start at listing
them all.
Change-Id: I26c6a30244b83430f7db726072653cf519471902
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3270885
Reviewed-by: Emily Stark <[email protected]>
Commit-Queue: Adrian Taylor <[email protected]>
Cr-Commit-Position: refs/heads/main@{#940202}
diff --git a/docs/security/rules.md b/docs/security/rules.md
new file mode 100644
index 0000000..a690780
--- /dev/null
+++ b/docs/security/rules.md
@@ -0,0 +1,19 @@
+# Security rules
+
+This is a list of the security policies Chromium has published.
+
+* [Rule of Two](rule-of-2.md) - don't handle untrustworthy data in the browser
+ process in an unsafe language
+* [The browser process should not handle messages from web
+ content](handling-messages-from-web-content.md)
+* [Behavior should be part of Chrome's binaries or delivered via component
+ updater](behavior-over-the-internet.md) rather than delivered dynamically
+* Rules for [Android IPC](android-ipc.md)
+* [Always assume a compromised renderer](compromised-renderers.md)
+* [Use origin not URL for security decisions](origin-vs-url.md)
+* [Controlling access to powerful web platform
+ features](permissions-for-powerful-web-platform-features.md)
+
+You can also find our position on various matters in the [security FAQ](faq.md):
+for example, on local attackers or on the privilege accorded to enterprise
+admins.
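Review bot: The opening sentence of rules.md ("This is a list of the security policies Chromium has published.") reads as a complete inventory, while the commit message describes it as "a start at listing them all"; consider saying so in the document, for example "This is a list, not yet complete, of the security policies Chromium has published", so other organizations relying on the page do not treat it as exhaustive. Also on the list entries: the relative link `behavior-over-the-internet.md` points at the page this change is meant to add, but the only file in the diff shown here is rules.md, so please confirm that file lands in the same change or the link will dangle. As a style point, the bullets mix three forms (link plus dash plus description for Rule of Two, the whole rule as link text, and "Rules for [Android IPC]" with only part linked); picking one form would make the list easier to scan.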