Presumably this is for enterprise policy permissions?

I'm able to see the "Remove button" for all list sites, but enterprise policy patterns do not response to "Remove".

raymes@: This sounds important to me to get right. Could you triage?

battre: Is this release-blocking from a privacy perspective?

I showed this to lgarron and attached a screenshot of what the site looks like after clicking on remove (the button stays grayed).

This seems unrelated to enterprise policies. And I am surprised that I have ever granted http://goodnews.click permission to send me notifications. I am typically not a fan of any kind of push notifications and decline them all.

Deleted: Screen Shot 2017-05-19 at 4.41.14 PM.png 63.7 KB

	Screen Shot 2017-05-19 at 4.41.14 PM.png 63.7 KB View Download

Adding two more screenshots from chrome://settings-frame. Surprisingly, the items that I cannot delete don't have an X next to them, while other entries do have an X.

Setting as P1 as per discussion with lgarron.

Deleted: Screen Shot 2017-05-19 at 4.50.00 PM.png 93.6 KB

	Screen Shot 2017-05-19 at 4.50.00 PM.png 93.6 KB View Download

Deleted: Screen Shot 2017-05-19 at 4.50.07 PM.png 92.9 KB

	Screen Shot 2017-05-19 at 4.50.07 PM.png 92.9 KB View Download

I believe the setting is coming from a hosted app that you have installed. You can reproduce this by installing https://chrome.google.com/webstore/detail/good-news/deegloljmdbfbjhlimieancmcfombgjj/related 

I'm thinking that we should probably just remove these permissions from the list. We don't show entries for v2 apps or extensions in this list, nor do we do this for other permission types. Apps permissions are treated separately and users should just remove the app that is installed if they don't want permissions.

benwells,meacer: what do you think?

Long term we have work to do to make more sense of the relationship between app/extension permissions and website permissions.

I'm downgrading to P2 because it's confusing, but I don't think it's risking user privacy or control.

Long term we should remove the ability for hosted apps to set permissions, and deprecate them :)

I think hosted apps are quite different to v2 apps and extensions, in that the permission is just granted to a normal origin which you can browse to naturally. So I think they should be included in this list. Maybe we can put a little extension icon next to them to show that they can't be removed as they come from a hosted app. Ideally we'd also make it easy to uninstall the hosted app.

+maxwalker for thoughts

> granted to a normal origin which you can browse to naturally

Ah right, that makese sense. 

Good catch. This is indeed a hosted app. I think that we need to keep the information that a domain has the permission. I suggest to add an icon similarly to the enterprise icon that indicates why this setting exists. I think that we have a precedent for that where an extension configures your proxy or privacy settings.

Issue 734625 has been merged into this issue.