Chrome on macOS: purge stale screen capture permission

If Chrome 97 or earlier was used to screen share a stale designated
requirement may be cached in the system TCC.db. This stale record can
cause issues starting with Chrome 98.0.4758.132 (extended stable),
99.0.4844.74 (stable), 100.0.4896.45 (beta), 101.0.4929.5 (dev),
101.0.4933.0 (canary). These are the first releases to be signed with
the new Developer ID certificate (

This CL will attempt to purge stale or thought to be stale screen
capture records at early startup on macOS 10.15+. See for more details.

Without the TCC reset, the checkbox in System Preferences:Security &
Privacy:Privacy:Screen Recording is wrong—it will show Chrome as
approved (checked checkbox) based on its bundle ID, but contemporary
Chromes will not match the saved designated requirement. Users looking
at the checked checkbox will see that they’ve given Chrome access, but
the system will not actually allow it access. The TCC reset revokes
Chrome’s permission based on bundle ID, so the next attempt to access
the screen will be treated the same as the initial attempt in a fresh
installation. The system will create a new entry with the updated
designated requirement on first access, the user will see an unchecked
checkbox, and by checking it, will grant Chrome access, which the
system will respect.

This doesn’t carry existing screen recording permission granted to
archaic Chromes forward to modern Chromes, but it does make it so that
the established UI flow for inspecting and granting permission works as
intended and tracks reality.

(cherry picked from commit 682276951958656e68188b004f4109b90a9ecc15)

Bug: 1307502
Change-Id: I88cf37fefc6511a9406bb8ebcab2b3e25e938e04
Reviewed-by: Mark Mentovai <>
Commit-Queue: Tom Burgin <>
Cr-Original-Commit-Position: refs/heads/main@{#983016}
Commit-Queue: Mark Mentovai <>
Auto-Submit: Mark Mentovai <>
Commit-Queue: Rubber Stamper <>
Bot-Commit: Rubber Stamper <>
Cr-Commit-Position: refs/branch-heads/4951@{#24}
Cr-Branched-From: 27de6227ca357da0d57ae2c7b18da170c4651438-refs/heads/main@{#982481}
5 files changed
tree: 9a723fcfc60af49f91ebe4ae8da7e154c087e1bb
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. codelabs/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. fuchsia/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. media/
  32. mojo/
  33. native_client_sdk/
  34. net/
  35. pdf/
  36. ppapi/
  37. printing/
  38. remoting/
  39. rlz/
  40. sandbox/
  41. services/
  42. skia/
  43. sql/
  44. storage/
  45. styleguide/
  46. testing/
  47. third_party/
  48. tools/
  49. ui/
  50. url/
  51. weblayer/
  52. .clang-format
  53. .clang-tidy
  54. .eslintrc.js
  55. .git-blame-ignore-revs
  56. .gitattributes
  57. .gitignore
  58. .gn
  59. .mailmap
  60. .rustfmt.toml
  61. .vpython
  62. .vpython3
  63. .yapfignore
  67. codereview.settings
  68. DEPS
  72. LICENSE.chromium_os
  73. OWNERS

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/

Learn how to Get Around the Chromium Source Code Directory Structure .

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at