electron/patches/chromium/fix_os_crypt_async_cookie_encryption.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Keeley Hammond <khammond@slack-corp.com>
Date: Tue, 13 Jan 2026 13:26:29 -0800
Subject: fix: revert OS_Crypt Async in Cookie Encryption

Electron 40/M144 uses os_crypt async by default for cookie store
providers when using cookie encryption. We need time to properly
implement this in Electron and make sure the async logic is
working properly.

This patch reverts the port of os_crypt async and falls back to
the old sync logic to unlock Electron 40. This patch can be removed
when os_crypt async is added to Electron.

Revert "Reland "Port net::CookieCryptoDelegate to os_crypt async""

This reverts commit f01b115c7e21a09cc762f65bf7fd9c6ea9d9d0f8.

diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn
index c75d7e336ad00230c2a7852f62c69b8f0cae748d..8e80ebd537871b204f254a4468996350b8f4f231 100644
--- a/chrome/browser/BUILD.gn
+++ b/chrome/browser/BUILD.gn
@@ -716,6 +716,8 @@ static_library("browser") {
     "net/chrome_report_sender.h",
     "net/convert_explicitly_allowed_network_ports_pref.cc",
     "net/convert_explicitly_allowed_network_ports_pref.h",
+    "net/cookie_encryption_provider_impl.cc",
+    "net/cookie_encryption_provider_impl.h",
     "net/default_dns_over_https_config_source.cc",
     "net/default_dns_over_https_config_source.h",
     "net/dns_over_https_config_source.h",
diff --git a/chrome/browser/extensions/chrome_extension_cookies.cc b/chrome/browser/extensions/chrome_extension_cookies.cc
index fc13abe302557d38cfce798d46551989337abb2c..22eac75cf685039796ecf40e7d86c9f54084a08b 100644
--- a/chrome/browser/extensions/chrome_extension_cookies.cc
+++ b/chrome/browser/extensions/chrome_extension_cookies.cc
@@ -6,7 +6,6 @@
 
 #include <optional>
 
-#include "chrome/browser/browser_process.h"
 #include "chrome/browser/content_settings/cookie_settings_factory.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/extensions/chrome_extension_cookies_factory.h"
@@ -49,9 +48,7 @@ ChromeExtensionCookies::ChromeExtensionCookies(Profile* profile)
         profile_->GetPath().Append(chrome::kExtensionsCookieFilename),
         profile_->ShouldRestoreOldSessionCookies(),
         profile_->ShouldPersistSessionCookies()));
-    creation_config->crypto_delegate = cookie_config::GetCookieCryptoDelegate(
-        g_browser_process->os_crypt_async(),
-        content::GetUIThreadTaskRunner({}));
+    creation_config->crypto_delegate = cookie_config::GetCookieCryptoDelegate();
   }
   creation_config->cookieable_schemes.push_back(extensions::kExtensionScheme);
 
diff --git a/chrome/browser/net/chrome_network_service_browsertest.cc b/chrome/browser/net/chrome_network_service_browsertest.cc
index fa37d56b3a3b1e324ca121992fd7b54a945d75f7..05d4d5eaecf119a956210539f601b8f437aaa788 100644
--- a/chrome/browser/net/chrome_network_service_browsertest.cc
+++ b/chrome/browser/net/chrome_network_service_browsertest.cc
@@ -5,7 +5,6 @@
 #include "base/feature_list.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
-#include "base/task/sequenced_task_runner.h"
 #include "base/test/bind.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_restrictions.h"
@@ -20,7 +19,6 @@
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "components/cookie_config/cookie_store_util.h"
-#include "components/os_crypt/async/browser/test_utils.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/network_service_instance.h"
 #include "content/public/browser/network_service_util.h"
@@ -139,16 +137,10 @@ class ChromeNetworkServiceBrowserTest
 IN_PROC_BROWSER_TEST_P(ChromeNetworkServiceBrowserTest,
                        PRE_PRE_EncryptedCookies) {
   // These test is only valid if crypto is enabled on the platform.
-  auto os_crypt_async = os_crypt_async::GetTestOSCryptAsyncForTesting(
-      /*is_sync_for_unittests=*/true);
-  auto crypto_delegate = cookie_config::GetCookieCryptoDelegate(
-      os_crypt_async.get(), base::SequencedTaskRunner::GetCurrentDefault());
+  auto crypto_delegate = cookie_config::GetCookieCryptoDelegate();
   if (!crypto_delegate) {
     GTEST_SKIP() << "No crypto on this platform.";
   }
-  base::RunLoop run_loop;
-  crypto_delegate->Init(run_loop.QuitClosure());
-  run_loop.Run();
   std::string ciphertext;
   crypto_delegate->EncryptString(kCookieValue, &ciphertext);
   ASSERT_NE(ciphertext, kCookieValue) << "Crypto should really encrypt.";
diff --git a/services/network/public/cpp/cookie_encryption_provider_impl.cc b/chrome/browser/net/cookie_encryption_provider_impl.cc
similarity index 71%
rename from services/network/public/cpp/cookie_encryption_provider_impl.cc
rename to chrome/browser/net/cookie_encryption_provider_impl.cc
index 52fedf2057b963951be560a362fec28208c2a4b5..3f770666618f2df56b8cd6855766418d319481f0 100644
--- a/services/network/public/cpp/cookie_encryption_provider_impl.cc
+++ b/chrome/browser/net/cookie_encryption_provider_impl.cc
@@ -1,19 +1,18 @@
-// Copyright 2025 The Chromium Authors
+// Copyright 2024 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
+#include "chrome/browser/net/cookie_encryption_provider_impl.h"
 
+#include "chrome/browser/browser_process.h"
 #include "components/os_crypt/async/browser/os_crypt_async.h"
 
-CookieEncryptionProviderImpl::CookieEncryptionProviderImpl(
-    os_crypt_async::OSCryptAsync* os_crypt_async)
-    : os_crypt_async_(os_crypt_async) {}
+CookieEncryptionProviderImpl::CookieEncryptionProviderImpl() = default;
 
 CookieEncryptionProviderImpl::~CookieEncryptionProviderImpl() = default;
 
 void CookieEncryptionProviderImpl::GetEncryptor(GetEncryptorCallback callback) {
-  os_crypt_async_->GetInstance(base::BindOnce(
+  g_browser_process->os_crypt_async()->GetInstance(base::BindOnce(
       [](GetEncryptorCallback callback, os_crypt_async::Encryptor encryptor) {
         std::move(callback).Run(std::move(encryptor));
       },
diff --git a/services/network/public/cpp/cookie_encryption_provider_impl.h b/chrome/browser/net/cookie_encryption_provider_impl.h
similarity index 65%
rename from services/network/public/cpp/cookie_encryption_provider_impl.h
rename to chrome/browser/net/cookie_encryption_provider_impl.h
index 8f80cabd7c919c682e603ff6af0c12ae4431e366..68df8a7a04e9a8455b7143432173d9e48dc1ea5e 100644
--- a/services/network/public/cpp/cookie_encryption_provider_impl.h
+++ b/chrome/browser/net/cookie_encryption_provider_impl.h
@@ -1,27 +1,20 @@
-// Copyright 2025 The Chromium Authors
+// Copyright 2024 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef SERVICES_NETWORK_PUBLIC_CPP_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
-#define SERVICES_NETWORK_PUBLIC_CPP_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
+#ifndef CHROME_BROWSER_NET_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
+#define CHROME_BROWSER_NET_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
 
-#include "base/component_export.h"
-#include "base/memory/raw_ptr.h"
 #include "components/os_crypt/async/common/encryptor.h"
 #include "mojo/public/cpp/bindings/receiver_set.h"
 #include "services/network/public/mojom/cookie_encryption_provider.mojom.h"
 
-namespace os_crypt_async {
-class OSCryptAsync;
-}
-
 // Implementation of CookieEncryptionProvider interface. This is Windows only
 // for now, but will be expanded to other platforms in future.
-class COMPONENT_EXPORT(NETWORK_CPP) CookieEncryptionProviderImpl
+class CookieEncryptionProviderImpl
     : public network::mojom::CookieEncryptionProvider {
  public:
-  explicit CookieEncryptionProviderImpl(
-      os_crypt_async::OSCryptAsync* os_crypt_async);
+  CookieEncryptionProviderImpl();
   ~CookieEncryptionProviderImpl() override;
 
   CookieEncryptionProviderImpl(const CookieEncryptionProviderImpl&) = delete;
@@ -37,7 +30,6 @@ class COMPONENT_EXPORT(NETWORK_CPP) CookieEncryptionProviderImpl
 
  private:
   mojo::ReceiverSet<network::mojom::CookieEncryptionProvider> receivers_;
-  raw_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
 };
 
-#endif  // SERVICES_NETWORK_PUBLIC_CPP_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
+#endif  // CHROME_BROWSER_NET_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
diff --git a/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc b/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc
index b862afe7663111a6cbd342d33723942770bb0490..9dc46cedb109cea63bf71aa43fc7a2b64730ed12 100644
--- a/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc
+++ b/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc
@@ -13,6 +13,7 @@
 #include "base/test/test_future.h"
 #include "build/config/linux/dbus/buildflags.h"
 #include "chrome/browser/browser_features.h"
+#include "chrome/browser/net/cookie_encryption_provider_impl.h"
 #include "chrome/browser/policy/chrome_browser_policy_connector.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/browser.h"
@@ -25,7 +26,6 @@
 #include "content/public/test/browser_test.h"
 #include "content/public/test/test_launcher.h"
 #include "net/cookies/canonical_cookie.h"
-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
 #include "services/network/public/mojom/cookie_manager.mojom.h"
 #include "services/network/public/mojom/network_context.mojom.h"
 #include "testing/gtest/include/gtest/gtest.h"
diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
index 223c7a55b1db65430d22dcff9898845ccaca68a0..9f7347a39c1a0a982632fc6a6b04240b0a3b9510 100644
--- a/chrome/browser/net/system_network_context_manager.cc
+++ b/chrome/browser/net/system_network_context_manager.cc
@@ -919,13 +919,8 @@ void SystemNetworkContextManager::DisableQuic() {
 void SystemNetworkContextManager::
     AddCookieEncryptionManagerToNetworkContextParams(
         network::mojom::NetworkContextParams* network_context_params) {
-  if (!cookie_encryption_provider_) {
-    cookie_encryption_provider_ =
-        std::make_unique<CookieEncryptionProviderImpl>(
-            g_browser_process->os_crypt_async());
-  }
   network_context_params->cookie_encryption_provider =
-      cookie_encryption_provider_->BindNewRemote();
+      cookie_encryption_provider_.BindNewRemote();
 }
 
 void SystemNetworkContextManager::AddSSLConfigToNetworkContextParams(
diff --git a/chrome/browser/net/system_network_context_manager.h b/chrome/browser/net/system_network_context_manager.h
index 611833bce86135d792670a2cbfbfc661bcedf8dd..6d39b73f77d294ec21aa2d9c328e7f1fa9aad47d 100644
--- a/chrome/browser/net/system_network_context_manager.h
+++ b/chrome/browser/net/system_network_context_manager.h
@@ -14,6 +14,7 @@
 #include "base/memory/raw_ptr.h"
 #include "base/memory/scoped_refptr.h"
 #include "chrome/browser/net/cert_verifier_service_time_updater.h"
+#include "chrome/browser/net/cookie_encryption_provider_impl.h"
 #include "chrome/browser/net/proxy_config_monitor.h"
 #include "chrome/browser/net/stub_resolver_config_reader.h"
 #include "chrome/browser/ssl/ssl_config_service_manager.h"
@@ -23,7 +24,6 @@
 #include "mojo/public/cpp/bindings/pending_receiver.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom-forward.h"
-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
 #include "services/network/public/mojom/host_resolver.mojom-forward.h"
 #include "services/network/public/mojom/network_context.mojom.h"
 #include "services/network/public/mojom/network_service.mojom.h"
@@ -303,7 +303,7 @@ class SystemNetworkContextManager {
   GssapiLibraryLoadObserver gssapi_library_loader_observer_{this};
 #endif  // BUILDFLAG(IS_LINUX)
 
-  std::unique_ptr<CookieEncryptionProviderImpl> cookie_encryption_provider_;
+  CookieEncryptionProviderImpl cookie_encryption_provider_;
 
   std::unique_ptr<CertVerifierServiceTimeUpdater> cert_verifier_time_updater_;
 };
diff --git a/components/cookie_config/BUILD.gn b/components/cookie_config/BUILD.gn
index e348b0d1a59470c5cf153ae02e420b9dd6bd1892..a7a51003386fe7b62aaf5b7008c63acefd428942 100644
--- a/components/cookie_config/BUILD.gn
+++ b/components/cookie_config/BUILD.gn
@@ -13,7 +13,7 @@ component("cookie_config") {
   public_deps = [ "//base" ]
 
   deps = [
-    "//components/os_crypt/async/browser",
+    "//components/os_crypt/sync",
     "//net:extras",
   ]
 }
diff --git a/components/cookie_config/DEPS b/components/cookie_config/DEPS
index 2c847bf159af83cd12bb343deff0cae9957a4183..a428c0b502bee622fbc7eff7d83a2e8500c058df 100644
--- a/components/cookie_config/DEPS
+++ b/components/cookie_config/DEPS
@@ -1,4 +1,4 @@
 include_rules = [
-  "+components/os_crypt/async",
+  "+components/os_crypt/sync",
   "+net/extras/sqlite",
 ]
diff --git a/components/cookie_config/cookie_store_util.cc b/components/cookie_config/cookie_store_util.cc
index 55742de998756cbcd686d13a77b2a695eda06884..e7efdfe3a5ecae3b5461bba469f0377b3c920b21 100644
--- a/components/cookie_config/cookie_store_util.cc
+++ b/components/cookie_config/cookie_store_util.cc
@@ -5,12 +5,8 @@
 #include "components/cookie_config/cookie_store_util.h"
 
 #include "base/functional/callback.h"
-#include "base/memory/scoped_refptr.h"
-#include "base/memory/weak_ptr.h"
-#include "base/task/sequenced_task_runner.h"
 #include "build/build_config.h"
-#include "components/os_crypt/async/browser/os_crypt_async.h"
-#include "components/os_crypt/async/common/encryptor.h"
+#include "components/os_crypt/sync/os_crypt.h"
 #include "net/extras/sqlite/cookie_crypto_delegate.h"
 
 namespace cookie_config {
@@ -19,123 +15,40 @@ namespace cookie_config {
     BUILDFLAG(IS_CHROMEOS)
 namespace {
 
-void OnOsCryptReadyOnUi(
-    base::OnceCallback<void(os_crypt_async::Encryptor)> callback,
-    scoped_refptr<base::SequencedTaskRunner> task_runner,
-    os_crypt_async::Encryptor encryptor) {
-  task_runner->PostTask(
-      FROM_HERE, base::BindOnce(std::move(callback), std::move(encryptor)));
-}
-
-void InitOnUi(base::OnceCallback<void(os_crypt_async::Encryptor)> callback,
-              os_crypt_async::OSCryptAsync* os_crypt_async,
-              scoped_refptr<base::SequencedTaskRunner> task_runner) {
-  os_crypt_async->GetInstance(
-      base::BindOnce(&OnOsCryptReadyOnUi, std::move(callback),
-                     std::move(task_runner)),
-      os_crypt_async::Encryptor::Option::kEncryptSyncCompat);
-}
-
 // Use the operating system's mechanisms to encrypt cookies before writing
 // them to persistent store.  Currently this only is done with desktop OS's
 // because ChromeOS and Android already protect the entire profile contents.
 class CookieOSCryptoDelegate : public net::CookieCryptoDelegate {
  public:
-  CookieOSCryptoDelegate(
-      os_crypt_async::OSCryptAsync* os_crypt_async,
-      scoped_refptr<base::SequencedTaskRunner> ui_task_runner);
-
-  CookieOSCryptoDelegate(const CookieOSCryptoDelegate&) = delete;
-  CookieOSCryptoDelegate& operator=(const CookieOSCryptoDelegate&) = delete;
-
-  ~CookieOSCryptoDelegate() override;
-
-  // net::CookieCryptoDelegate implementation:
   void Init(base::OnceClosure callback) override;
   bool EncryptString(const std::string& plaintext,
                      std::string* ciphertext) override;
   bool DecryptString(const std::string& ciphertext,
                      std::string* plaintext) override;
-
- private:
-  void OnOsCryptReady(os_crypt_async::Encryptor encryptor);
-
-  raw_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
-  scoped_refptr<base::SequencedTaskRunner> ui_task_runner_;
-  std::optional<os_crypt_async::Encryptor> encryptor_;
-
-  bool initializing_ = false;
-  std::vector<base::OnceClosure> init_callbacks_;
-
-  base::WeakPtrFactory<CookieOSCryptoDelegate> weak_ptr_factory_{this};
 };
 
-CookieOSCryptoDelegate::CookieOSCryptoDelegate(
-    os_crypt_async::OSCryptAsync* os_crypt_async,
-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner)
-    : os_crypt_async_(os_crypt_async), ui_task_runner_(ui_task_runner) {}
-
-CookieOSCryptoDelegate::~CookieOSCryptoDelegate() = default;
-
 void CookieOSCryptoDelegate::Init(base::OnceClosure callback) {
-  if (encryptor_.has_value()) {
-    std::move(callback).Run();
-    return;
-  }
-
-  init_callbacks_.emplace_back(std::move(callback));
-  if (initializing_) {
-    return;
-  }
-  initializing_ = true;
-
-  // PostTaskAndReplyWithResult can't be used here because
-  // OSCryptAsync::GetInstance() is async.
-  ui_task_runner_->PostTask(
-      FROM_HERE,
-      base::BindOnce(&InitOnUi,
-                     base::BindOnce(&CookieOSCryptoDelegate::OnOsCryptReady,
-                                    weak_ptr_factory_.GetWeakPtr()),
-                     os_crypt_async_,
-                     base::SequencedTaskRunner::GetCurrentDefault()));
-  os_crypt_async_ = nullptr;
+  std::move(callback).Run();
 }
 
 bool CookieOSCryptoDelegate::EncryptString(const std::string& plaintext,
                                            std::string* ciphertext) {
-  CHECK(encryptor_) << "EncryptString called before Init completed";
-  return encryptor_->EncryptString(plaintext, ciphertext);
+  return OSCrypt::EncryptString(plaintext, ciphertext);
 }
 
 bool CookieOSCryptoDelegate::DecryptString(const std::string& ciphertext,
                                            std::string* plaintext) {
-  CHECK(encryptor_) << "DecryptString called before Init completed";
-  return encryptor_->DecryptString(ciphertext, plaintext);
-}
-
-void CookieOSCryptoDelegate::OnOsCryptReady(
-    os_crypt_async::Encryptor encryptor) {
-  encryptor_ = std::move(encryptor);
-  initializing_ = false;
-  for (auto& callback : init_callbacks_) {
-    std::move(callback).Run();
-  }
-  init_callbacks_.clear();
+  return OSCrypt::DecryptString(ciphertext, plaintext);
 }
 
 }  // namespace
 
-std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate(
-    os_crypt_async::OSCryptAsync* os_crypt_async,
-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner) {
-  return std::make_unique<CookieOSCryptoDelegate>(os_crypt_async,
-                                                  ui_task_runner);
+std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate() {
+  return std::make_unique<CookieOSCryptoDelegate>();
 }
 #else   // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_LINUX) ||
         // BUILDFLAG(IS_CHROMEOS)
-std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate(
-    os_crypt_async::OSCryptAsync* os_crypt_async,
-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner) {
+std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate() {
   return nullptr;
 }
 #endif  // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_LINUX) ||
diff --git a/components/cookie_config/cookie_store_util.h b/components/cookie_config/cookie_store_util.h
index 9d142e9f13fb0d30d5795c2a82f2cbc5274d381c..1e1b7ebc234d7e3f981e023fe49cd0b13ed62c6e 100644
--- a/components/cookie_config/cookie_store_util.h
+++ b/components/cookie_config/cookie_store_util.h
@@ -8,28 +8,17 @@
 #include <memory>
 
 #include "base/component_export.h"
-#include "base/memory/scoped_refptr.h"
-
-namespace base {
-class SequencedTaskRunner;
-}
 
 namespace net {
 class CookieCryptoDelegate;
 }  // namespace net
 
-namespace os_crypt_async {
-class OSCryptAsync;
-}  // namespace os_crypt_async
-
 namespace cookie_config {
 
 // Factory method for returning a CookieCryptoDelegate if one is appropriate for
 // this platform.
 COMPONENT_EXPORT(COMPONENTS_COOKIE_CONFIG)
-std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate(
-    os_crypt_async::OSCryptAsync* os_crypt_async,
-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner);
+std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate();
 
 }  // namespace cookie_config
 
diff --git a/components/os_crypt/sync/BUILD.gn b/components/os_crypt/sync/BUILD.gn
index bb308187837371ecfa2482affaf35ac7ed98c1f3..1e554fe95b0521a883ced83fc67f5d52a3d45759 100644
--- a/components/os_crypt/sync/BUILD.gn
+++ b/components/os_crypt/sync/BUILD.gn
@@ -12,7 +12,13 @@ component("sync") {
   visibility = [
     "//electron:*",
     "//chrome/browser",
+    "//chrome/browser/prefs:impl",
+    "//chrome/browser/ui",
+    "//chrome/browser/web_applications",
     "//chrome/test:test_support",
+    "//components/autofill/content/browser",
+    "//components/cookie_config",
+    "//components/gcm_driver",
     "//components/os_crypt/async/browser:dpapi_key_provider",
     "//components/os_crypt/async/browser:freedesktop_secret_key_provider",
     "//components/os_crypt/async/browser:keychain_key_provider",
@@ -22,18 +28,24 @@ component("sync") {
     "//components/os_crypt/async/common:unit_tests",
     "//components/os_crypt/sync:test_support",
     "//components/os_crypt/sync:unit_tests",
+    "//components/password_manager/core/browser",
+    "//components/password_manager/core/browser:hash_password_manager",
+    "//components/password_manager/core/browser:unit_tests",
+    "//components/password_manager/core/browser/password_store:password_store_impl",
+    "//components/password_manager/core/browser/password_store:unit_tests",
     "//components/signin/core/browser",
     "//components/sync:unit_tests",
     "//components/sync/nigori",
     "//components/sync/service",
+    "//components/trusted_vault",
+    "//components/trusted_vault:unit_tests",
+    "//content/browser",
     "//headless:headless_non_renderer",
+    "//headless:headless_shell_lib",
     "//ios/chrome/browser/web/model:web_internal",
     "//services/network:network_service",
     "//services/test/echo:lib",
   ]
-  if (is_mac) {
-    visibility += [ "//headless:headless_shell_lib" ]
-  }
 
   sources = [
     "os_crypt.h",
diff --git a/headless/BUILD.gn b/headless/BUILD.gn
index 0d07069219883d28af7add90ad4509a94109603f..b732da23aa014aaa3525bbadaec97178d7844e04 100644
--- a/headless/BUILD.gn
+++ b/headless/BUILD.gn
@@ -373,7 +373,6 @@ component("headless_non_renderer") {
     "//components/keyed_service/content",
     "//components/origin_trials:browser",
     "//components/origin_trials:common",
-    "//components/os_crypt/async/browser",
     "//components/os_crypt/sync",
     "//components/policy:generated",
     "//components/policy/content",
diff --git a/headless/lib/browser/DEPS b/headless/lib/browser/DEPS
index 75d0960a5964fabf518d0b8b2f67e29e9b3d6fe6..8261f1ab27597459726063cc6faa2a5ed0bfce17 100644
--- a/headless/lib/browser/DEPS
+++ b/headless/lib/browser/DEPS
@@ -44,7 +44,6 @@ specific_include_rules = {
   "headless_browser_impl.*": [
     "+services/device/public/cpp/geolocation/system_geolocation_source_apple.h",
     "+services/device/public/cpp/geolocation/geolocation_system_permission_manager.h",
-    "+components/os_crypt/async",
     "+components/password_manager/core/browser/password_manager_switches.h",
     "+components/policy",
     "+components/prefs",
@@ -53,9 +52,6 @@ specific_include_rules = {
     "+components/metrics",
     "+components/variations",
   ],
-  "headless_request_context_manager.cc": [
-    "+components/os_crypt/async/browser",
-  ],
   "headless_browser_impl_unittest.cc": [
     "+third_party/blink/public/common/features.h",
   ],
diff --git a/headless/lib/browser/headless_browser_context_impl.cc b/headless/lib/browser/headless_browser_context_impl.cc
index f664e9994a3c38ef2aa30773f6ca4668451dd76c..ad83a721a8bf17225af7d2c5954ecdd82cf8e1dc 100644
--- a/headless/lib/browser/headless_browser_context_impl.cc
+++ b/headless/lib/browser/headless_browser_context_impl.cc
@@ -77,7 +77,7 @@ HeadlessBrowserContextImpl::HeadlessBrowserContextImpl(
           ? base::FilePath()
           : path_;
   request_context_manager_ = std::make_unique<HeadlessRequestContextManager>(
-      context_options_.get(), user_data_path, browser->os_crypt_async());
+      context_options_.get(), user_data_path);
   profile_metrics::SetBrowserProfileType(
       this, IsOffTheRecord() ? profile_metrics::BrowserProfileType::kIncognito
                              : profile_metrics::BrowserProfileType::kRegular);
diff --git a/headless/lib/browser/headless_browser_impl.cc b/headless/lib/browser/headless_browser_impl.cc
index f0c79ccd63e102c4ef51535f476ceddc6c5156a9..c1e9430b3f5b67338f204ca5563a02c2da87cd49 100644
--- a/headless/lib/browser/headless_browser_impl.cc
+++ b/headless/lib/browser/headless_browser_impl.cc
@@ -16,8 +16,6 @@
 #include "base/task/single_thread_task_runner.h"
 #include "build/config/linux/dbus/buildflags.h"
 #include "components/embedder_support/user_agent_utils.h"
-#include "components/os_crypt/async/browser/os_crypt_async.h"
-#include "components/os_crypt/async/common/encryptor.h"
 #include "components/version_info/version_info.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/browser/browser_thread.h"
@@ -212,8 +210,7 @@ void HeadlessBrowserImpl::SetDefaultBrowserContext(
   if (default_browser_context_ && !system_request_context_manager_) {
     system_request_context_manager_ =
         HeadlessRequestContextManager::CreateSystemContext(
-            HeadlessBrowserContextImpl::From(browser_context)->options(),
-            os_crypt_async());
+            HeadlessBrowserContextImpl::From(browser_context)->options());
   }
 }
 
@@ -269,8 +266,6 @@ bool HeadlessBrowserImpl::ShouldStartDevToolsServer() {
 }
 
 void HeadlessBrowserImpl::PreMainMessageLoopRun() {
-  CreateOSCryptAsync();
-
   platform_delegate_->Initialize(options_.value());
 
   // We don't support the tethering domain on this agent host.
@@ -287,7 +282,6 @@ void HeadlessBrowserImpl::WillRunMainMessageLoop(base::RunLoop& run_loop) {
 }
 
 void HeadlessBrowserImpl::PostMainMessageLoopRun() {
-  os_crypt_async_.reset();
 #if defined(HEADLESS_USE_PREFS)
   if (local_state_) {
     local_state_->CommitPendingWrite();
diff --git a/headless/lib/browser/headless_browser_impl.h b/headless/lib/browser/headless_browser_impl.h
index 1d9ba1861de0065cb059710fab7b619c0df55216..69056c94a348566e2d080307c794e5dd28322dff 100644
--- a/headless/lib/browser/headless_browser_impl.h
+++ b/headless/lib/browser/headless_browser_impl.h
@@ -31,9 +31,11 @@ class PolicyService;
 class PrefService;
 #endif
 
-namespace os_crypt_async {
-class OSCryptAsync;
-}
+#if BUILDFLAG(IS_MAC)
+namespace device {
+class GeolocationSystemPermissionManager;
+}  // namespace device
+#endif
 
 namespace ui {
 class Compositor;
@@ -99,10 +101,6 @@ class HEADLESS_EXPORT HeadlessBrowserImpl : public HeadlessBrowser {
 
   int exit_code() const { return exit_code_; }
 
-  os_crypt_async::OSCryptAsync* os_crypt_async() {
-    return os_crypt_async_.get();
-  }
-
 #if defined(HEADLESS_USE_PREFS)
   void CreatePrefService();
   PrefService* GetPrefs();
@@ -121,8 +119,6 @@ class HEADLESS_EXPORT HeadlessBrowserImpl : public HeadlessBrowser {
 
   int exit_code_ = 0;
 
-  std::unique_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
-
   base::flat_map<std::string, std::unique_ptr<HeadlessBrowserContextImpl>>
       browser_contexts_;
   raw_ptr<HeadlessBrowserContext, AcrossTasksDanglingUntriaged>
diff --git a/headless/lib/browser/headless_request_context_manager.cc b/headless/lib/browser/headless_request_context_manager.cc
index 6c4ce0a6fa6624cace08bfdb2c62b12836a744fa..fe1a11f94a709400434fb41a5bdcdb8f4d47a959 100644
--- a/headless/lib/browser/headless_request_context_manager.cc
+++ b/headless/lib/browser/headless_request_context_manager.cc
@@ -11,7 +11,6 @@
 #include "base/task/single_thread_task_runner.h"
 #include "build/build_config.h"
 #include "components/embedder_support/switches.h"
-#include "components/os_crypt/async/browser/os_crypt_async.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/network_service_instance.h"
 #include "headless/lib/browser/headless_browser_context_options.h"
@@ -138,10 +137,9 @@ class HeadlessProxyConfigMonitor
 // static
 std::unique_ptr<HeadlessRequestContextManager>
 HeadlessRequestContextManager::CreateSystemContext(
-    const HeadlessBrowserContextOptions* options,
-    os_crypt_async::OSCryptAsync* os_crypt_async) {
+    const HeadlessBrowserContextOptions* options) {
   auto manager = std::make_unique<HeadlessRequestContextManager>(
-      options, base::FilePath(), os_crypt_async);
+      options, base::FilePath());
 
   base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
   auto auth_params = ::network::mojom::HttpAuthDynamicParams::New();
@@ -172,8 +170,7 @@ HeadlessRequestContextManager::CreateSystemContext(
 
 HeadlessRequestContextManager::HeadlessRequestContextManager(
     const HeadlessBrowserContextOptions* options,
-    base::FilePath user_data_path,
-    os_crypt_async::OSCryptAsync* os_crypt_async)
+    base::FilePath user_data_path)
     :
 // On Windows, Cookie encryption requires access to local_state prefs.
 #if BUILDFLAG(IS_WIN) && !defined(HEADLESS_USE_PREFS)
@@ -183,7 +180,6 @@ HeadlessRequestContextManager::HeadlessRequestContextManager(
           !base::CommandLine::ForCurrentProcess()->HasSwitch(
               switches::kDisableCookieEncryption)),
 #endif
-      os_crypt_async_(os_crypt_async),
       user_data_path_(std::move(user_data_path)),
       disk_cache_dir_(options->disk_cache_dir()),
       accept_language_(options->accept_language()),
@@ -192,10 +188,6 @@ HeadlessRequestContextManager::HeadlessRequestContextManager(
           options->proxy_config()
               ? std::make_unique<net::ProxyConfig>(*options->proxy_config())
               : nullptr) {
-  if (cookie_encryption_enabled_) {
-    cookie_encryption_provider_ =
-        std::make_unique<CookieEncryptionProviderImpl>(os_crypt_async_.get());
-  }
   if (!proxy_config_) {
     base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
     if (command_line->HasSwitch(switches::kNoSystemProxyConfigService)) {
@@ -240,10 +232,6 @@ void HeadlessRequestContextManager::ConfigureNetworkContextParamsInternal(
 
   if (!user_data_path_.empty()) {
     context_params->enable_encrypted_cookies = cookie_encryption_enabled_;
-    if (cookie_encryption_enabled_) {
-      context_params->cookie_encryption_provider =
-          cookie_encryption_provider_->BindNewRemote();
-    }
     context_params->file_paths =
         ::network::mojom::NetworkContextFilePaths::New();
     context_params->file_paths->data_directory =
diff --git a/headless/lib/browser/headless_request_context_manager.h b/headless/lib/browser/headless_request_context_manager.h
index 91d74eaadd9f4d451e809b38a2f999b298068820..e45427ce90f909e609688ab59f4581b185b6757e 100644
--- a/headless/lib/browser/headless_request_context_manager.h
+++ b/headless/lib/browser/headless_request_context_manager.h
@@ -13,13 +13,8 @@
 #include "content/public/browser/browser_context.h"
 #include "mojo/public/cpp/bindings/pending_remote.h"
 #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom-forward.h"
-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
 #include "services/network/public/mojom/network_context.mojom.h"
 
-namespace os_crypt_async {
-class OSCryptAsync;
-}
-
 namespace headless {
 
 class HeadlessBrowserContextOptions;
@@ -28,12 +23,10 @@ class HeadlessProxyConfigMonitor;
 class HeadlessRequestContextManager {
  public:
   static std::unique_ptr<HeadlessRequestContextManager> CreateSystemContext(
-      const HeadlessBrowserContextOptions* options,
-      os_crypt_async::OSCryptAsync* os_crypt_async);
+      const HeadlessBrowserContextOptions* options);
 
   HeadlessRequestContextManager(const HeadlessBrowserContextOptions* options,
-                                base::FilePath user_data_path,
-                                os_crypt_async::OSCryptAsync* os_crypt_async);
+                                base::FilePath user_data_path);
 
   HeadlessRequestContextManager(const HeadlessRequestContextManager&) = delete;
   HeadlessRequestContextManager& operator=(
@@ -56,15 +49,12 @@ class HeadlessRequestContextManager {
 
   const bool cookie_encryption_enabled_;
 
-  const raw_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
-
   base::FilePath user_data_path_;
   base::FilePath disk_cache_dir_;
   std::string accept_language_;
   std::string user_agent_;
   std::unique_ptr<net::ProxyConfig> proxy_config_;
   std::unique_ptr<HeadlessProxyConfigMonitor> proxy_config_monitor_;
-  std::unique_ptr<CookieEncryptionProviderImpl> cookie_encryption_provider_;
 
   mojo::PendingRemote<::network::mojom::NetworkContext> system_context_;
 };
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
index f9e704f9dc76f802b330487238717a6df3ba7b36..1702b7f7603d98e2f08a8af7310daa1fb3250d54 100644
--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -3274,12 +3274,7 @@ NetworkContext::MakeSessionCleanupCookieStore() const {
       crypto_delegate = std::make_unique<CookieOSCryptAsyncDelegate>(
           std::move(params_->cookie_encryption_provider));
     } else {
-#if !BUILDFLAG(IS_ANDROID)
-      // A cookie crypto delegate should not be created on Android to
-      // match the behavior of cookie_config::GetCookieCryptoDelegate().
-      // See https://crbug.com/449652881
-      NOTREACHED();
-#endif
+      crypto_delegate = cookie_config::GetCookieCryptoDelegate();
     }
   }
 
diff --git a/services/network/public/cpp/BUILD.gn b/services/network/public/cpp/BUILD.gn
index eb6d8e40d27b7d1027e9afcace37aad487c333d7..3916ffd9787183bdd1e04dce1fe8e9dafd16b338 100644
--- a/services/network/public/cpp/BUILD.gn
+++ b/services/network/public/cpp/BUILD.gn
@@ -69,8 +69,6 @@ component("cpp") {
     "content_decoding_interceptor.h",
     "content_language_parser.cc",
     "content_language_parser.h",
-    "cookie_encryption_provider_impl.cc",
-    "cookie_encryption_provider_impl.h",
     "cors/cors.cc",
     "cors/cors.h",
     "cors/origin_access_list.cc",
@@ -191,8 +189,6 @@ component("cpp") {
   deps = [
     "//base",
     "//components/link_header_util",
-    "//components/os_crypt/async/browser",
-    "//components/os_crypt/async/common",
     "//components/prefs",
     "//ipc",
     "//net",
diff --git a/services/network/public/mojom/network_context.mojom b/services/network/public/mojom/network_context.mojom
index 0a837fbd18a0e597805b418a7f3022c499fb0c41..e511f65399c20cb9889c56a1c2c9e97eb84b3bf2 100644
--- a/services/network/public/mojom/network_context.mojom
+++ b/services/network/public/mojom/network_context.mojom
@@ -576,9 +576,10 @@ struct NetworkContextParams {
   bool acam_preflight_spec_conformant = true;
 
   // Sets the cookie encryption provider to be used by this network context if
-  // `enable_encrypted_cookies` is enabled.
-  // The `GetEncryptor` method on the supplied `cookie_encryption_provider` is
-  // called to obtain a valid set of keys for cookie encryption.
+  // `enable_encrypted_cookies` is also enabled.
+  // If both are set then the `GetEncryptor` method on the supplied
+  // `cookie_encryption_provider` is called to obtain a valid set of keys for
+  // cookie encryption.
   pending_remote<CookieEncryptionProvider>? cookie_encryption_provider;
 
   // Enables Device Bound Session Credential for this network context.