For administrators who manage Chrome policies from the Google Admin console.
As a Chrome Enterprise admin, you can protect your organization's webpages from being modified by Chrome apps and extensions. Modifications include script injection, cookie access, and web-request modifications. For example, if your developers host code in a third-party code repository, you can block the repository's webpage URL to make sure that Chrome extensions can't steal or modify that code.
Note: You can only block or allow up to 100 URLs. To make settings for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in a group or organizational unit. Only user accounts can be added to groups. For details, see Groups and Add an organizational unit.
Set policies in the Admin console
Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.
You can allow or block all apps from modifying webpages that you specify. Or, you can allow or block specific apps. Typically, admins set a combination of policies. For example, you might follow the first set of steps below to block apps in general from altering your webpages. Then, follow the next steps to allow specific apps to alter them as exceptions.
Step 1: Prevent or allow all apps from altering pagesYou can block apps from altering all pages in your domain (defined as Blocked URLs), except for specific pages you define as Allowed URLs.
These steps assume you're familiar with configuring Chrome settings in your Admin console.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Devices > Chrome > Apps & extensions > Users & browsers.
If you signed up for Chrome Browser Cloud Management, go to Menu
Chrome browser > Apps & extensions > Users & browsers.
- (Users only) To apply the setting to a group, do the following:
- Select Groups.
- Select the group to which you want to apply the setting.
- To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- On the far right, click Additional settings
.
- Go to Additional application settings.
- For Permissions and URLs, enter up to 100 webpage URLs as follows:
- Runtime blocked hosts—URLs to pages that you want to prevent apps from altering.
- Runtime allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
For URL syntax, see Syntax for Blocked or Allowed URLs (below).
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
.These steps assume you're familiar with configuring Chrome settings in your Admin console.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
If you signed up for Chrome Browser Cloud Management, go to Menu
Chrome browser > Apps & extensions.
- Click Users & browsers or Managed guest sessions.
- (Users only) To apply the setting to a group, do the following:
- Select Groups.
- Select the group to which you want to apply the setting.
- To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- In the App list, browse for and click the app that you want to configure policies for.
If the app is not in the list, add it. For details, see Add apps. - On the right, for Permissions and URL access, enter up to 100 webpage URLs as follows:
- Blocked hosts—URLs to pages that you want to prevent apps from altering.
- Allowed hosts—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
For URL syntax, see Syntax for Blocked or Allowed URLs (below).
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
When following the steps above, you enter host patterns to define Blocked URLs and Allowed URLs.
The format of host patterns is [http|https|*]://[subdomain|*].[hostname|*].[eTLD|*], where
- [http|https|*], [hostname|*], and [eTLD|*] are required
- [subdomain|*] is optional.
| Valid host patterns | Matches | Doesn't match |
|---|---|---|
| *://*.example.* | http://example.com https://test.example.co.uk |
https://example.google.com http://example.google.co.uk |
| http://example.* | http://example.com http://example.ly | https://example.com http://test.example.com |
| http://example.com | http://example.com | https://example.com http://test.example.co.uk |
| http://*.example.com | http://example.com http://test.example.com http://t.t.example.com |
https://example.com https://test.example.com |
| http://example.co.* | http://example.co.com http://example.co.co.uk |
http://example.co.uk |
| http://*.test.example.com | http://t.test.example.com http://test.example.com |
http://not.example.com |
| *://* | All Urls |
Invalid host patterns
- http://t.*.example.com
- http*://example.com
- http://*example.com
- http://example.com/
- http://example.com/*
Examples
Here are some common use cases for the steps and syntax instructions shown above.
Use Google Translate for specific websitesLet's say you want to let users see translations of specific websites using Google Translate.
How to
- Follow the steps to prevent or allow one app to alter web pages.
- Select the Google Translate Chrome app.
- For Blocked URLs, enter *://*.
- For Allowed URLs, enter the URLs of specific websites you want users to be able to see in different languages. For syntax, see above: Syntax for Blocked or Allowed URLs
Let's say your organization has multiple domains, such as example.com, example.info, and example.co.uk. You want to prevent all Chrome apps and extensions from modifying pages in these domains, except for one internal app.
How to
- Block apps and extensions in general from altering pages in your domains:
- Follow the steps to prevent or allow all apps to alter pages.
- For Blocked URLs, enter *://.example.*.
- Allow a specific app or extension:
- Follow the steps to prevent or allow one app to alter web pages.
- Select your organization’s private app.
- For Allowed URLs, enter *://*.
Let's say you want to validate any apps and extensions that your users install. You also want to specify certain webpages that apps or extensions can access, as follows:
- Extension1 can only access transport layer security (TLS) secured pages on private.example.com.
- Extension2 can access unencrypted pages on public.example.com.
How to
- Block apps and extensions in general from altering any URLs:
- Follow the steps to prevent or allow all apps for everyone in your organization.
- For Blocked URLs, enter *://*.
- Allow Extension1 to only access private.example.com:
- Follow the steps to prevent or allow one app, to configure Extension1.
- For Blocked URLs, enter *://*.
- For Allowed URLs, enter https://private.example.com.
- Allow Extension2: to access public.example.com:
- Follow the steps to prevent or allow one app, to configure Extension2.
- For Blocked URLs, enter *://*.
- For Allowed URLs, enter http://public.example.com.