URL blocklist filter format

Applies to managed Chrome browsers and ChromeOS devices.

As an administrator, you can block and allow URLs so that users can only visit certain websites.

Filter format

The format of filters for the URLBlocklist and URLAllowlist policies is:


Field Details
scheme (optional)

This field is optional, and must be followed by ://. For details, see Schemes you can use.

Not case sensitive.

host (required)

A valid hostname or an IP address. It can also take the special * value. An optional . (dot) can prefix the host field to disable subdomain matching.

Not case sensitive.

port (optional)

Must be a valid port value from 1 to 65535.

path (optional)

You can use any string here.

Case sensitive.

query (optional)

A set of key-value and key-only tokens delimited by &. The key-value tokens are separated by =. A query token can optionally end with * to indicate prefix match. Token order is ignored during matching.

Case sensitive.

Schemes you can use

You can use either a standard or a custom scheme. Supported standard schemes are:

  • about
  • blob
  • content
  • chrome
  • cid
  • data
  • file
  • filesystem
  • gopher
  • http
  • https
  • javascript
  • mailto
  • ws
  • wss

All other schemes are treated as custom schemes. Custom schemes are supported, but only the patterns scheme:* and scheme://* are allowed. They match all URLs with that scheme. The scheme and the host are case insensitive, but path and query are case sensitive. 

Example scheme formats

  • Supported standard schemes
    • matches HTTP://, http://example.COM and
    • doesn't match or but does match
  • Custom schemes
    • The patterns custom://* or custom:* are valid and match custom:app.
    • The patterns custom:app or custom://app are invalid.

Exceptions to URL format

The filters format is very similar to the URL format. The following exceptions apply:

  • You can include user:pass fields but they will be ignored. For example,
  • If you include a reference separator #, it is ignored along with everything that appears after it.
  • The host can be *. It can also have . (dot) as a prefix.
  • The host can have / or . (dot) as a suffix. If so, that suffix is ignored.

Filter selection

The filter selected for a URL is the most specific match found.


  • Wildcards (*) are the last searched, and match all hosts. 
  • When both a block and allow filter apply at step 4 below, with the same path length and number of query tokens, the allow filter takes precedence. 
  • If a filter has . (dot) prefixing the host, only exact host matches are filtered. For example:
    • matches, and
    • only matches exactly

Filter selection process

  1. The filters with the longest host match are selected. Filters with a non-matching scheme or port are discarded.
  2. From these filters, the filters with the longest matching path are selected.
  3. From these filters, the filters with the longest set of query tokens are selected.
  4. If no valid filter is left at this stage, the host is reduced by removing the left-most subdomain, and starting again from step 1.
  5. If a filter is still available, the filter decision, to block or allow, is enforced. If no filter ever matches, the default is to allow the request.

URL blocklist examples

URL blocklist entry    Result

Denies all requests to,, and

Denies all HTTP requests to and any of its subdomains, but allows HTTPS requests.

https://*    Denies all HTTPS requests to any domain.

Denies requests to but not to or

Denies requests to but not its subdomains, like

Denies requests to but not its subdomains

*    Denies all requests except for those to blocklist exception URLs. This includes any URL scheme, such as,, and chrome://policy.

*:8080    Denies all requests to port 8080.

Denies all requests to and its subdomains.

Denies requests to this exact IP address.

Denies any request with the query ?video=100.

Denies any request with the following queries:




Denies the YouTube video with ID xyz.

When you block, any occurrence of the key-value pair is sufficient.

When you allow, every occurrence of the key should have a matching value. 


Allowing does not allow It does allow

Search for a match for

  1. First find filters for, and go to step 2. If that fails, then try again with, com, and finally "".
  2. Among the current filters, remove those that have a scheme that is not http.
  3. Among the current filters, remove those that have an exact port number that is not 80.
  4. Among the current filters, remove those that don't have /mail/inbox as a prefix of the path.
  5. Pick the filter with the longest path prefix, and apply it. If no such filter exists, go back to step 1 and try the next subdomain.

Allow only a small set of sites

  1. Block *.
  2. Allow selected sites:,,

Block all access to a domain, except to the mail server using HTTPS and to the main page

  1. Block
  2. Allow
  3. Allow, and maybe

Block all access to YouTube, except for selected videos.

  1. Block
  2. Allow
  3. Allow
