Prevent Chrome extensions from altering webpages

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can protect your organization's webpages from being modified by Chrome apps and extensions. Modifications include script injection, cookie access, and web-request modifications. For example, if your developers host code in a third-party code repository, you can block the repository's webpage URL to make sure that Chrome extensions can't steal or modify that code.

Set policies in the Admin console

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

You can allow or block all apps from modifying webpages that you specify. Or, you can allow or block specific apps. Typically, admins set a combination of policies. For example, you might follow the first set of steps below to block apps in general from altering your webpages. Then, follow the next steps to allow specific apps to alter them as exceptions. 

Step 1: Prevent or allow all apps from altering pages

You can block apps from altering all pages in your domain (defined as Blocked URLs), except for specific pages you define as Allowed URLs.

These steps assume you're familiar with making Chrome settings in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices, then Chrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. At the top, click Users & Browsers.
  6. On the far right, click Settings.
  7. For Permissions and URLs, enter the webpage URLs as follows:
    • Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
    • Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
      For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Step 2: Prevent or allow one app

These steps assume you're familiar with making Chrome settings in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices, then Chrome management.

    If you don't see Devices on the Home page, click More controls at the bottom.

  3. Click Apps & extensions.
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. At the top, click Users & Browsers or Managed Guest Sessions.
  6. Find and click the app that you want to configure policies for.
  7. On the right, for Permissions and URLs, enter the webpage URLs as follows:
    • Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
    • Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
      For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Syntax for Blocked or Allowed URLs

When following the steps above, you enter host patterns to define Blocked URLs and Allowed URLs.

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required.
  • [subdomain|*] is optional.
Valid host pattern           Matches                        Doesn't match

*://*.example.*              http://example.com             https://example.google.com
                             https://test.example.co.uk     http://example.google.co.uk

http://example.*             http://example.com             https://example.com
                             http://example.ly              http://test.example.com

http://example.com           http://example.com             https://example.com
                                                            http://test.example.co.uk

http://*.example.com         http://example.com             https://example.com
                             http://test.example.com        https://test.example.com
                             http://t.t.example.com

http://example.co.*          http://example.co.com          http://example.co.uk
                             http://example.co.co.uk

http://*.test.example.com    http://t.test.example.com      http://not.example.com
                             http://test.example.com

*://*                        All URLs

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*

Examples

Here are some common use cases for the steps and syntax instructions shown above.

Use Google Translate for specific websites

Let's say you want to let users see translations of specific websites using Google Translate.

How to

  1. Follow the steps to prevent or allow one app to alter web pages.
  2. Select the Google Translate Chrome app.
  3. For Blocked URLs, enter *://*.
  4. For Allowed URLs, enter the URLs of specific websites you want users to be able to see in different languages. For syntax, see above: Syntax for Blocked or Allowed URLs.

Allow only internal apps to modify pages in your domain

Let's say your organization has multiple domains, such as example.com, example.info, and example.co.uk. You want to prevent all Chrome apps and extensions from modifying pages in these domains, except for one internal app.

How to

  1. Block apps and extensions in general from altering pages in your domains:
    1. Follow the steps to prevent or allow all apps to alter pages.
    2. For Blocked URLs, enter *://*.example.* (the subdomain and eTLD wildcards cover every host in each of these domains; see Syntax for Blocked or Allowed URLs above).
  2. Allow a specific app or extension:
    1. Follow the steps to prevent or allow one app to alter web pages.
    2. Select your organization’s private app.
    3. For Allowed URLs, enter *://*.

Customize what users can install and access

Let's say you want to validate any apps and extensions that your users install. You also want to specify certain webpages that apps or extensions can access, as follows:

  • Extension1 can only access transport layer security (TLS) secured pages on private.example.com.
  • Extension2 can access unencrypted pages on public.example.com.

How to

  1. Block apps and extensions in general from altering any URLs:
    1. Follow the steps to prevent or allow all apps for everyone in your organization.
    2. For Blocked URLs, enter *://*.
  2. Allow Extension1 to access only private.example.com:
    1. Follow the steps to prevent or allow one app, to configure Extension1.
    2. For Blocked URLs, enter *://*.
    3. For Allowed URLs, enter https://private.example.com.
  3. Allow Extension2 to access public.example.com:
    1. Follow the steps to prevent or allow one app, to configure Extension2.
    2. For Blocked URLs, enter *://*.
    3. For Allowed URLs, enter http://public.example.com.
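The following Python script is an added example, not Google's or Chrome's own code. It models the host pattern grammar from "Syntax for Blocked or Allowed URLs" and the blocked/allowed evaluation rule used in the use cases above (an Allowed match wins over a Blocked match), so an admin can sanity-check a proposed pattern list against sample URLs before saving it. Chrome itself derives the eTLD from the Public Suffix List; the ETLDS set below is a small constructed stand-in for that data, and all function names are this example's own. It also accepts every pattern the table lists as valid and rejects every one listed as invalid.

```python
"""Model of Chrome's runtime host pattern syntax (added example, not Google's code)."""
from urllib.parse import urlsplit

SCHEMES = {"http", "https", "ftp", "*"}
# Constructed stand-in for the Public Suffix List; the longest suffix wins.
ETLDS = {"com", "org", "net", "info", "uk", "ly", "co.uk"}


def split_etld(host):
    """Split 'sub.host.etld' into (rest, etld) using the longest known eTLD."""
    labels = host.split(".")
    for n in range(len(labels) - 1, 0, -1):
        candidate = ".".join(labels[-n:])
        if candidate in ETLDS:
            return ".".join(labels[:-n]), candidate
    raise ValueError(f"no known eTLD in {host!r}")


def parse_pattern(pattern):
    """Return (scheme, subdomain, hostname, etld); raise ValueError for invalid patterns."""
    if "://" not in pattern:
        raise ValueError("missing '://'")
    scheme, host = pattern.split("://", 1)
    if scheme not in SCHEMES:                       # rejects http*://example.com
        raise ValueError(f"bad scheme {scheme!r}")
    if not host or "/" in host:                     # rejects http://example.com/*
        raise ValueError("path components are not allowed")
    if host == "*":                                 # *://* matches all URLs
        return scheme, "*", "*", "*"
    labels = host.split(".")
    if any(l != "*" and "*" in l for l in labels):  # rejects http://*example.com
        raise ValueError("a wildcard must be a whole label")
    if labels[-1] == "*":
        rest, etld = ".".join(labels[:-1]), "*"
    else:
        rest, etld = split_etld(host)
    if not rest:
        raise ValueError("hostname is required")
    rlabels = rest.split(".")
    hostname, sub = rlabels[-1], rlabels[:-1]
    if "*" in sub[1:]:                              # rejects http://t.*.example.com
        raise ValueError("wildcard allowed only as the leading subdomain label")
    return scheme, ".".join(sub), hostname, etld


def is_valid_pattern(pattern):
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def parse_url(url):
    """Split a concrete URL the same way as a pattern, so the parts compare directly."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"cannot parse {url!r}")
    rest, etld = split_etld(parts.hostname)
    rlabels = rest.split(".")
    return parts.scheme, ".".join(rlabels[:-1]), rlabels[-1], etld


def subdomain_matches(psub, usub):
    """'' means no subdomain, '*' means any, '*.x' means x or anything under x."""
    if psub == "*":
        return True
    if psub.startswith("*."):
        tail = psub[2:]
        return usub == tail or usub.endswith("." + tail)
    return psub == usub


def matches(pattern, url):
    ps, psub, phost, petld = parse_pattern(pattern)
    us, usub, uhost, uetld = parse_url(url)
    if ps != "*" and ps != us:
        return False
    if petld != "*" and petld != uetld:
        return False
    if phost != "*" and phost != uhost:
        return False
    return subdomain_matches(psub, usub)


def extension_may_access(url, blocked, allowed):
    """Page rule: access is allowed if any Allowed pattern matches, even if a Blocked one does too."""
    if any(matches(p, url) for p in allowed):
        return True
    return not any(matches(p, url) for p in blocked)


if __name__ == "__main__":
    # Extension1 from the use case above: blocked *://*, allowed https://private.example.com
    for u in ("https://private.example.com/repo", "http://private.example.com/repo"):
        print(u, extension_may_access(u, ["*://*"], ["https://private.example.com"]))
```

The checks mirror the page's table rather than Chrome's full implementation: patterns and URLs are reduced to the same four parts (scheme, subdomain, hostname, eTLD) and compared part by part, which is why `http://example.co.*` matches `http://example.co.co.uk` but not `http://example.co.uk` once `co.uk` is treated as a single eTLD.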
