Prevent Chrome extensions from altering webpages

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome administrator, you can protect your organization's web pages from being modified by Chrome apps and extensions. Modifications include script injection, cookie access, and web-request modifications. For example, if your developers host code in a third-party code repository, you can block the repository's webpage URL to make sure that Chrome extensions can't steal or modify that code.

Set policies in the Admin console

These settings can apply for signed-in users on any device, or for enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

You can allow or block all apps from modifying pages you specify, or allow or block specific apps. Typically, admins set a combination of policies. For example, you might follow the first set of steps below to block apps in general from altering your web pages, then follow the next steps to allow specific apps to alter them, as exceptions.

Step 1: Prevent or allow all apps from altering pages

These steps control access to pages you specify, for apps and extensions in general. You can block apps from altering all pages in your domain (defined as Blocked URLs), except for specific pages you define as Allowed URLs.

These steps assume you're familiar with making Chrome settings in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. On the left, select the organizational unit where you want to configure settings.
    For all users, select the top-level organization. Otherwise, select a child organization. Initially, an organizational unit inherits the settings of its parent.
  5. At the top, click Users & Browsers.
  6. On the far right, click Additional settings. For complete details, see Set a Chrome policy for multiple apps.
  7. For Permissions and URLs, enter webpage URLs as follows:
    • Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
    • Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
      For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  8. Click Save.

Step 2: Prevent or allow one app

These steps control whether a specific app or extension can alter web pages you specify. For example, you might block apps in general from altering your pages, as described above. Then follow these steps to allow a specific app to alter pages, as an exception.

These steps assume you're familiar with making Chrome settings in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices and then Chrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. On the left, select the organizational unit where you want to configure settings.
    For all users, select the top-level organization. Otherwise, select a child organization. Initially, an organizational unit inherits the settings of its parent.
  5. At the top, click Users & Browsers or Managed Guest Sessions.
  6. Find and click the app you want to configure policies for.
  7. In the panel on the right, for Permissions and URLs, enter webpage URLs as follows:
    • Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
    • Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
      For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  8. Click Save.

Syntax for Blocked or Allowed URLs

When following the steps above, you enter host patterns to define Blocked URLs and Allowed URLs.

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.

Valid host patterns

  • *://*.example.*
      Matches: http://example.com, https://test.example.co.uk
      Doesn't match: https://example.google.com, http://example.google.co.uk
  • http://example.*
      Matches: http://example.com, http://example.ly
      Doesn't match: https://example.com, http://test.example.com
  • http://example.com
      Matches: http://example.com
      Doesn't match: https://example.com, http://test.example.co.uk
  • http://*.example.com
      Matches: http://example.com, http://test.example.com, http://t.t.example.com
      Doesn't match: https://example.com, https://test.example.com
  • http://example.co.*
      Matches: http://example.co.com, http://example.co.co.uk
      Doesn't match: http://example.co.uk
  • http://*.test.example.com
      Matches: http://t.test.example.com, http://test.example.com
      Doesn't match: http://not.example.com
  • *://*
      Matches: All URLs

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*
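
A pre-flight check for host patterns before they are entered in the Admin console, added here as an example (it is not Google's code and not Chrome's own parser). It encodes only the rules implied by the valid and invalid lists above; the function and list names are assumptions.

```python
import re

# Rules inferred from the valid/invalid lists on this page (assumption:
# this is a lint aid, not a reimplementation of Chrome's own parser).
SCHEMES = {"http", "https", "ftp", "*"}
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)

VALID_FROM_PAGE = ["*://*.example.*", "http://example.*", "http://example.com",
                   "http://*.example.com", "http://example.co.*",
                   "http://*.test.example.com", "*://*"]
INVALID_FROM_PAGE = ["http://t.*.example.com", "http*://example.com",
                     "http://*example.com", "http://example.com/",
                     "http://example.com/*"]

def check_host_pattern(pattern):
    """Return None if the pattern passes, otherwise a short reason string."""
    scheme, sep, host = pattern.strip().partition("://")
    if not sep:
        return "missing '://' separator"
    if scheme not in SCHEMES:
        return "scheme must be exactly http, https, ftp or *"
    if "/" in host:
        return "paths are not allowed, not even a trailing slash"
    if host == "*":
        return None  # e.g. *://* (all URLs)
    labels = host.split(".")
    if len(labels) < 2:
        return "hostname and eTLD are both required"
    # '*' may stand for the whole subdomain (first label) or eTLD (last label).
    core = labels[1:] if labels[0] == "*" else labels
    if core and core[-1] == "*":
        core = core[:-1]
    if not core:
        return "no literal hostname between the wildcards"
    for label in core:
        if "*" in label:
            return "wildcard must be the entire first or last label"
        if not LABEL.match(label):
            return "invalid host label %r" % label
    return None

def lint(patterns):
    """Map each rejected pattern to the reason it was rejected."""
    results = ((p, check_host_pattern(p)) for p in patterns)
    return {p: why for p, why in results if why}

if __name__ == "__main__":
    for pattern, why in lint(VALID_FROM_PAGE + INVALID_FROM_PAGE).items():
        print("%-26s %s" % (pattern, why))
```

A pattern that passes this check is only syntactically plausible; what it matches still depends on how Chrome splits the host into subdomain, hostname and eTLD, as the valid-pattern list above shows for example.co.uk.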

Examples

Here are some common use cases for the steps and syntax instructions shown above.

Use Google Translate for specific websites

Let's say you want to let users see translations of specific websites using Google Translate.

How to

  1. Follow the steps above to prevent or allow one app to alter web pages.
  2. Select the Google Translate Chrome app.
  3. For Blocked URLs, enter *://*
  4. For Allowed URLs, enter the URLs of specific websites you want users to be able to see in different languages. For syntax, see Syntax for Blocked or Allowed URLs (above).

Allow only internal apps to modify pages in your domain

Let's say your organization has multiple domains, such as example.com, example.info, and example.co.uk. You want to prevent all Chrome apps and extensions from modifying pages in these domains, except for one internal app. 

How to

  1. Block apps and extensions in general from altering pages in your domains:
    1. Follow the steps above to prevent or allow all apps to alter pages.
    2. For Blocked URLs, enter *://*.example.*
  2. Allow a specific app or extension:
    1. Follow the steps above to prevent or allow one app to alter web pages.
    2. Select your organization’s private app.
    3. For Allowed URLs, enter *://*

Customize what users can install and access

Let's say you want to validate any apps and extensions that your users install. You also want to specify certain webpages that apps or extensions can access, as follows:

  • Extension1 can only access transport layer security (TLS) secured pages on private.example.com.
  • Extension2 can access unencrypted pages on public.example.com.

How to

  1. Block apps and extensions in general from altering any URLs:
    1. Follow the steps above to prevent or allow all apps, for everyone in your organization.
    2. For Blocked URLs, enter *://*
  2. Allow Extension1 to access only private.example.com:
    1. Follow the steps above to prevent or allow one app, to configure Extension1.
    2. For Blocked URLs, enter *://*
    3. For Allowed URLs, enter https://private.example.com
  3. Allow Extension2 to access public.example.com:
    1. Follow the steps above to prevent or allow one app, to configure Extension2.
    2. For Blocked URLs, enter *://*
    3. For Allowed URLs, enter http://public.example.com
