Prevent Chrome extensions from altering webpages

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome Enterprise admin, you can protect your organization's webpages from being modified by Chrome apps and extensions. Modifications include script injection, cookie access, and web-request modifications. For example, if your developers host code in a third-party code repository, you can block the repository's webpage URL to make sure that Chrome extensions can't steal or modify that code. 

Note: You can only block or allow up to 100 URLs. To make settings for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in a group or organizational unit. Only user accounts can be added to groups. For details, see Groups and Add an organizational unit.

Set policies in the Admin console

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

You can allow or block all apps from modifying webpages that you specify. Or, you can allow or block specific apps. Typically, admins set a combination of policies. For example, you might follow the first set of steps below to block apps in general from altering your webpages. Then, follow the next steps to allow specific apps to alter them as exceptions. 

Step 1: Prevent or allow all apps from altering pages

You can block apps from altering all pages in your domain (defined as Blocked URLs), except for specific pages you define as Allowed URLs.

These steps assume you're familiar with configuring Chrome settings in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensionsand thenUsers & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensionsand thenUsers & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting. 
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. On the far right, click Additional settings Settings.
  6. Go to Additional application settings.
  7. For Permissions and URLs, enter up to 100 webpage URLs as follows:
    • Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
    • Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
      For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  8. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Step 2: Prevent or allow one app

These steps assume you're familiar with configuring Chrome settings in your Admin console.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenChromeand thenApps & extensions. The Overview page opens by default.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browserand thenApps & extensions.

  3. Click Users & browsers or Managed guest sessions.
  4. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting. 
  5. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. In the App list, browse for and click the app that you want to configure policies for. 
    If the app is not in the list, add it. For details, see Add apps.
  7. On the right, for Permissions and URL access, enter up to 100 webpage URLs as follows:
    • Blocked hosts—URLs to pages that you want to prevent apps from altering.
    • Allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
      For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  8. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Syntax for Blocked or Allowed URLs

When following the steps above, you enter host patterns to define Blocked URLs and Allowed URLs.

The format of host patterns is [http|https|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|*], [hostname|*], and [eTLD|*] are required
  • [subdomain|*] is optional.
Valid host patterns Matches Doesn't match
 *://*.example.* http://example.com
https://test.example.co.uk
https://example.google.com
http://example.google.co.uk
http://example.* http://example.com http://example.ly https://example.com
http://test.example.com
http://example.com http://example.com https://example.com
http://test.example.co.uk
http://*.example.com http://example.com
http://test.example.com
http://t.t.example.com
https://example.com
https://test.example.com
http://example.co.* http://example.co.com
http://example.co.co.uk
http://example.co.uk
http://*.test.example.com http://t.test.example.com
http://test.example.com
http://not.example.com
*://* All Urls  

 

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*

Examples

Here are some common use cases for the steps and syntax instructions shown above.

Use Google Translate for specific websites

Let's say you want to let users see translations of specific websites using Google Translate.

How to

  1. Follow the steps to prevent or allow one app to alter web pages. 
  2. Select the Google Translate Chrome app.
  3. For Blocked URLs, enter *://*
  4. For Allowed URLs, enter the URLs of specific websites you want users to be able to see in different languages. For syntax, see above: Syntax for Blocked or Allowed URLs
Allow only internal apps to modify pages in your domain

Let's say your organization has multiple domains, such as example.com, example.info, and example.co.uk. You want to prevent all Chrome apps and extensions from modifying pages in these domains, except for one internal app. 

How to

  1. Block apps and extensions in general from altering pages in your domains:
    1. Follow the steps to prevent or allow all apps to alter pages.
    2. For Blocked URLs, enter *://.example.*.
  2. Allow a specific app or extension:
    1. Follow the steps to prevent or allow one app to alter web pages.
    2. Select your organization’s private app.
    3. For Allowed URLs, enter *://*.
Customize what users can install and access

Let's say you want to validate any apps and extensions that your users install. You also want to specify certain webpages that apps or extensions can access, as follows:

  • Extension1 can only access transport layer security (TLS) secured pages on private.example.com.
  • Extension2 can access unencrypted pages on public.example.com.

How to

  1. Block apps and extensions in general from altering any URLs:
    1. Follow the steps to prevent or allow all apps for everyone in your organization.
    2. For Blocked URLs, enter *://*.
  2. Allow Extension1 to only access private.example.com:
    1. Follow the steps to prevent or allow one app, to configure Extension1
    2. For Blocked URLs, enter *://*.
    3. For Allowed URLs, enter https://private.example.com.
  3. Allow Extension2: to access public.example.com:
    1. Follow the steps to prevent or allow one app, to configure Extension2
    2. For Blocked URLs, enter *://*.
    3. For Allowed URLs, enter http://public.example.com

Related topics

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
15155471515063887013
true
Search Help Center
true
true
true
true
true
410864
false
false