
Custom Chromium Flags

CustomChromiumFlags is a sandbox setting in Sandboxie Ini available since v1.14.2 / 5.69.2. This setting allows you to pass additional command line flags to Chromium-based browsers when they are launched within the sandbox. Sandboxie automatically injects these flags into the browser's startup command line, enabling fine-tuned control over browser behavior for enhanced compatibility and functionality within the sandboxed environment.

Usage

[DefaultBox]

CustomChromiumFlags=--disable-features=PrintCompositorLPAC --disable-gpu

Syntax

CustomChromiumFlags=--disable-features=PrintCompositorLPAC [<flag 1> <flag 2> ...]

Technical Details

When CustomChromiumFlags is configured, Sandboxie modifies the command line of applications identified as Chromium-based browsers during process initialization:

  1. Browser Detection: The setting applies only to applications classified as Chrome through the SpecialImage configuration or automatic detection [1].

  2. Command Line Injection: During kernel initialization, Sandboxie intercepts the process parameters and reconstructs the command line by inserting the custom flags [7] between the executable path and existing arguments [2].

  3. Child Process Filtering: The flags are only added to main browser processes, not to child processes that contain the --type= parameter, preventing duplication and potential conflicts [3].

Default Configuration

Sandboxie includes a default value to ensure browser compatibility:

CustomChromiumFlags=--disable-features=PrintCompositorLPAC

This default flag disables the Print Compositor LPAC (Low Privilege App Container) feature, which can cause compatibility issues in sandboxed environments [4].

Usage Examples

  • Basic GPU Acceleration Disable:

    CustomChromiumFlags=--disable-features=PrintCompositorLPAC --disable-gpu
    

  • Multiple Performance Flags:

    CustomChromiumFlags=--disable-features=PrintCompositorLPAC --no-sandbox --disable-web-security
    

  • Debugging Options:

    CustomChromiumFlags=--disable-features=PrintCompositorLPAC --enable-logging --log-level=0
    

Security Implications

  • Browser Compatibility: The default PrintCompositorLPAC flag prevents printing-related crashes and ensures stable browser operation within sandboxes
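  • Flag Validation: Users should carefully validate custom flags, as some may compromise sandbox security or browser stability. Of the flags in the usage examples above, --no-sandbox disables Chromium's own process sandbox and --disable-web-security disables same-origin policy enforcement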
  • Automatic Application: The setting automatically applies to all applications defined as Chrome browsers, whether configured manually or detected automatically

Implementation Notes

The setting is processed during DLL initialization when Sandboxie detects a Chromium-based browser. The system:

  • Queries the configuration using SbieApi_QueryConfAsIs with the key CustomChromiumFlags [5]
  • Allocates additional memory for the expanded command line to accommodate the custom flags
  • Reconstructs the command line by copying the executable path, inserting the custom flags, and appending remaining arguments [6]
  • Hooks the GetCommandLineW and GetCommandLineA functions to return the modified command line to the application
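
The reconstruction described under Technical Details and Implementation Notes, written as an added portable C example (not Sandboxie's own code). The names find_argument_end and inject_flags are hypothetical, the former standing in for SbieDll_FindArgumentEnd, and the command lines are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Hypothetical stand-in for the boundary search the page attributes to
 * SbieDll_FindArgumentEnd: points just past the (possibly quoted) exe path. */
static const wchar_t *find_argument_end(const wchar_t *cmd)
{
    if (*cmd == L'"') {
        const wchar_t *close = wcschr(cmd + 1, L'"');
        return close ? close + 1 : cmd + wcslen(cmd);
    }
    while (*cmd && *cmd != L' ' && *cmd != L'\t')
        cmd++;
    return cmd;
}

/* Returns a new command line with `flags` inserted between the executable
 * path and the existing arguments, or NULL when nothing is injected (no
 * flags, a --type= child process, or allocation failure). Caller frees. */
wchar_t *inject_flags(const wchar_t *cmd, const wchar_t *flags)
{
    if (!flags || !*flags || wcsstr(cmd, L" --type="))
        return NULL;
    const wchar_t *rest = find_argument_end(cmd);
    size_t path_len = (size_t)(rest - cmd);
    size_t flags_len = wcslen(flags), rest_len = wcslen(rest);
    /* path + ' ' + flags + rest (keeps its leading space) + NUL */
    wchar_t *out = malloc((path_len + flags_len + rest_len + 2) * sizeof *out);
    if (!out)
        return NULL;
    wmemcpy(out, cmd, path_len);
    out[path_len] = L' ';
    wmemcpy(out + path_len + 1, flags, flags_len);
    wmemcpy(out + path_len + 1 + flags_len, rest, rest_len + 1);
    return out;
}

int main(void)
{
    /* Constructed sample command lines: one main process, one child. */
    const wchar_t *flags = L"--disable-features=PrintCompositorLPAC";
    wchar_t *m = inject_flags(L"\"C:\\Program Files\\App\\chrome.exe\" https://example.com", flags);
    wchar_t *c = inject_flags(L"chrome.exe --type=renderer", flags);
    printf("main:  %ls\n", m ? m : L"(unchanged)");
    printf("child: %ls\n", c ? c : L"(unchanged)");
    free(m); free(c);
    return 0;
}
```

Because the child-process test is a plain substring match, as in the condition quoted in footnote 3, a main-process command line that carries " --type=" inside any argument is also left unchanged.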

Browser Support

This setting works with all Chromium-based browsers, including:

  • Google Chrome
  • Microsoft Edge (Chromium)
  • Brave Browser
  • Opera
  • Vivaldi
  • Any other browser built on the Chromium engine

Related Settings

  • SpecialImage - Used to classify applications as Chromium browsers

Related Sandboxie Plus setting: Not directly exposed in UI (uses default value automatically)


  1. Browser detection in dllmain.c: Applications are classified as DLL_IMAGE_GOOGLE_CHROME through the SpecialImage configuration system, which maps browser executables to the Chrome image type for specialized handling. 

  2. Command line reconstruction in kernel.c: The system calls SbieDll_FindArgumentEnd to locate the boundary between the executable path and arguments, then allocates expanded memory and reconstructs the command line with injected flags. 

  3. Child process filtering in kernel.c: The condition !wcsstr(ProcessParms->CommandLine.Buffer, L" --type=") ensures that only main browser processes receive the custom flags, excluding renderer and utility processes. 

  4. Default configuration in Templates.ini: The default --disable-features=PrintCompositorLPAC flag prevents Low Privilege App Container printing issues that can cause browser instability in sandboxed environments. 

  5. Configuration query in kernel.c: SbieApi_QueryConfAsIs(NULL, L"CustomChromiumFlags", 0, CustomChromiumFlags, ARRAYSIZE(CustomChromiumFlags)) retrieves the setting value during kernel initialization. 

  6. Command line modification in kernel.c: The system copies the original executable path, appends the custom flags with proper spacing, and concatenates the remaining arguments to create the modified command line. 

  7. List of Chromium Command Line Switches - https://peter.sh/experiments/chromium-command-line-switches/