Prevent Chrome extensions from altering webpages

For administrators who manage Chrome policies from the Google Admin console.

As a Chrome administrator, you can protect your organization's web pages from being modified by Chrome apps and extensions. Modifications include script injection, cookie access, and web-request modifications. For example, if your developers host code in a third-party code repository, you can block the repository's webpage URL to make sure that Chrome extensions can't steal or modify that code.

Set policies in the Admin console

Can apply to signed-in users on any device, or to enrolled browsers on Windows, Mac, or Linux.

You can allow or block all apps from modifying pages you specify, or allow or block specific apps. Typically, admins set a combination of policies. For example, you might follow the first set of steps below to block apps in general from altering your web pages, then follow the next steps to allow specific apps to alter them, as exceptions.

Step 1: Prevent or allow all apps from altering pages

These steps control access to pages you specify, for apps and extensions in general. You can block apps from altering all pages in your domain (defined as Blocked URLs), except for specific pages you define as Allowed URLs.

These steps assume you're familiar with making Chrome settings in your Admin console.

  1. Follow standard steps to make Chrome User & browser settings:
    1. In your Admin console, go to Devices > Chrome management > User & browser settings.
    2. Select the organization containing the users or enrolled browsers you want to block apps for.

    For complete details, see Set a Chrome policy for multiple apps.

  2. Scroll to Apps and Extensions and enter webpage URLs as follows:
    • Blocked URLs—URLs to web pages that you want to prevent apps from altering.
    • Allowed URLs—URLs to pages that you want to allow apps to alter. Access is allowed even if the pages are also defined in Blocked URLs.
    • For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  3. Click Save.

Step 2: Prevent or allow one app

These steps control whether a specific app or extension can alter web pages you specify. For example, you might block apps in general from altering your pages, as described above. Then follow these steps to allow a specific app to alter pages, as an exception.

These steps assume you're familiar with making Chrome settings in your Admin console. 

  1. Follow standard steps to set Chrome policies for one app or extension:
    1. In your Admin console, go to Devices > Chrome management > App management.
    2. Select the app you want to block or allow.
    3. Select a type of setting, such as User & browser settings or Public session settings.
    4. Select the organization containing the users or enrolled browsers you want to allow or block the app for.

    For complete details, see Set Chrome policies for one app.

  2. Under Block apps by permission, click Manage.
  3. Enter webpage URLs as follows:
    • Blocked URLs—URLs to pages that you want to prevent this app from altering.
    • Allowed URLs—URLs to pages that you want to allow this app to alter. Access is allowed even if the pages are also defined in Blocked URLs.
    • For URL syntax, see Syntax for Blocked or Allowed URLs (below).
  4. Click Save.

Syntax for Blocked or Allowed URLs

When following steps above, you enter host patterns to define Blocked URLs and Allowed URLs.

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.

| Valid host patterns | Matches | Doesn't match |
|---|---|---|
| *://*.example.* | http://example.com, https://test.example.co.uk | https://example.google.com, http://example.google.co.uk |
| http://example.* | http://example.com, http://example.ly | https://example.com, http://test.example.com |
| http://example.com | http://example.com | https://example.com, http://test.example.co.uk |
| http://*.example.com | http://example.com, http://test.example.com, http://t.t.example.com | https://example.com, https://test.example.com |
| http://example.co.* | http://example.co.com, http://example.co.co.uk | http://example.co.uk |
| http://*.test.example.com | http://t.test.example.com, http://test.example.com | http://not.example.com |
| *://* | All URLs | |

 

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*
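
The following is an added example, not part of the original documentation: a Python pre-check for host patterns before you enter them in the Admin console, together with the "Allowed URLs override Blocked URLs" rule from the steps above. The function names are hypothetical, SUFFIXES is a constructed stand-in for the Public Suffix List, and only the pattern forms shown in the table and list above are covered.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption): only the
# suffixes needed for the hosts used in the table above.
SUFFIXES = {"com", "ly", "uk", "co.uk", "info"}
LABEL = r"[a-z0-9-]+"
# scheme://[*.]label(.label)*[.*]  or  scheme://*  (no path, no partial wildcards)
PATTERN_RE = re.compile(
    rf"^(http|https|ftp|\*)://(\*|(\*\.)?{LABEL}(\.{LABEL})*(\.\*)?)$")


def parse_pattern(pattern):
    """Return (scheme, host) or raise ValueError for an invalid host pattern."""
    m = PATTERN_RE.match(pattern.lower())
    if not m:
        raise ValueError(f"invalid host pattern: {pattern!r}")
    return m.group(1), m.group(2)


def strip_etld(host):
    """Drop the longest known public suffix from host."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[:i])
    return host


def matches(pattern, url):
    """True if the URL's scheme and host match the host pattern."""
    scheme, phost = parse_pattern(pattern)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if scheme != "*" and scheme != parts.scheme:
        return False
    if phost == "*":
        return True
    if phost.endswith(".*"):      # eTLD wildcard: compare hosts without the suffix
        phost, host = phost[:-2], strip_etld(host)
    if phost.startswith("*."):    # subdomain wildcard: any depth, or none
        base = phost[2:]
        return host == base or host.endswith("." + base)
    return host == phost


def may_alter(url, blocked, allowed):
    """Allowed URLs win over Blocked URLs; unlisted pages are not restricted."""
    if any(matches(p, url) for p in allowed):
        return True
    return not any(matches(p, url) for p in blocked)
```

Running every row of the table through matches() before saving a policy catches patterns that are valid but narrower or wider than intended, such as http://example.co.* not covering http://example.co.uk.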

 

Examples

Here are some common use cases for the steps and syntax instructions shown above.

Use Google Translate for specific websites

Let's say you want to let users see translations of specific websites using Google Translate.

How to

  1. Follow steps above to prevent or allow one app to alter web pages. 
  2. Select the Google Translate Chrome app.
  3. For Blocked URLs, enter *://*
  4. For Allowed URLs, enter the URLs of specific websites you want users to be able to see in different languages. For syntax, see above: Syntax for Blocked or Allowed URLs.

Allow only internal apps to modify pages in your domain

Let's say your organization has multiple domains, such as example.com, example.info, and example.co.uk. You want to prevent all Chrome apps and extensions from modifying pages in these domains, except for one internal app. 

How to

  1. Block apps and extensions in general, from altering pages in your domains:
    1. Follow the steps above to prevent or allow all apps to alter pages.
    2. For Blocked URLs, enter *://*.example.*.
  2. Allow a specific app or extension:
    1. Follow steps above to prevent or allow one app to alter web pages.
    2. Select your organization’s private app.
    3. For Allowed URLs, enter *://*.

Customize what users can install and access

Let's say you want to validate any apps and extensions that your users install. You also want to specify certain webpages that apps or extensions can access, as follows:

  • Extension1 can only access transport layer security (TLS) secured pages on private.example.com.
  • Extension2 can access unencrypted pages on public.example.com.

How to

  1. Block apps and extensions in general, from altering any URLs:
    1. Follow steps above to prevent or allow all apps for everyone in your organization.
    2. For Blocked URLs, enter *://*
  2. Allow Extension1 to only access private.example.com:
    1. Follow the steps above to prevent or allow one app, to configure Extension1.
    2. For Blocked URLs, enter *://* 
    3. For Allowed URLs, enter https://private.example.com.
  3. Allow Extension2 to access public.example.com:
    1. Follow the steps above to prevent or allow one app, to configure Extension2.
    2. For Blocked URLs, enter *://* 
    3. For Allowed URLs, enter http://public.example.com. 
