Option to Restrict Removal of Cookies, either globally, for specific sites or both
Reported by andy.rog...@northside.qld.edu.au, Oct 24 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
Platform: 8530.96.0
Steps to reproduce the problem:
Currently there is no way to restrict REMOVAL of Cookies on Managed Chrome Devices for Managed Chrome Users. A number of workarounds are not suitable, for the various reasons below.
What is the expected behavior?
This option is required to restrict the user's ability to log out of domain accounts and in to personal ones for various web pages. For sites like YouTube, additional Restricted Mode settings are enforced on domain accounts that are not present when logged out or signed in to personal accounts.
As soon as Cookies for YouTube are removed from the device, the page can be reloaded and no additional restrictions are in place, violating the policy set.
I expect to be able to set, for particular OUs, restrictions to stop this from happening. This could be a single global setting, an additional text field for URL patterns or both.
What went wrong?
NOTE: Both Workarounds 2 and 3 have to do with the way the Settings app calls the blocked URLs. It seems like the Settings App HTML is overwritten on the fly instead of calling a specific URL as I would expect.
Workaround 1:
Block the whole settings App
Reason it's not suitable:
Blocking the whole settings app is like using a hammer to pull a hair. There are so many additional options that our users should be able to control. Accessibility, Display, Network, etc.
Workaround 2:
Block the Chrome URLs for the various places to clear Cookies
Reason it's not suitable:
When these URLs are navigated to manually or through the browser, the pages get blocked.
When the Settings app loads the content there is no block. This allows the user to remove cookies without issue.
Admin Console Settings:
1. Device Management > Chrome Management > User Settings > Content
2. URL Blacklist:
   chrome://settings-frame/content
   chrome://settings-frame/clearBrowserData
   chrome://settings-frame/resetProfileSettings
User Actions:
1. Log in to a Chrome Device as a domain user
2. Navigate to a site and log in as the domain user (e.g. YouTube)
3. Open Settings App
4. Scroll down, "Show Advanced Settings"
a. Content > Content Settings > All cookies and site data > Remove any YouTube or Google cookies
b. Content > Clear Browsing Data > Clear any or all data
c. Scroll to the bottom > Reset Settings > Reset
5. Reload the site you just logged in to, access restricted content at will.
Workaround 3:
Use Third-party filtering App to block Chrome URLs for the various places to clear Cookies
Reason it's not suitable:
When these URLs are navigated to manually or through the browser, the pages get blocked.
When the Settings app loads the content there is no block. This allows the user to remove cookies without issue.
Workaround 4:
Force Allow Cookies to be Kept
Reason it's not suitable:
This setting, whether it's global or for a specific pattern, will stop the prompt to allow cookies, but not block removal of those already existing.
Admin Console Settings:
1. Device Management > Chrome Management > User Settings > Content > Cookies
2. Allow Cookies options
a. Default Cookie Setting - Allow sites to set cookies
b. Allow Cookies for URL patterns - Insert whatever domains you wish
Workaround 5:
Force allow Session-only Cookies
Reason it's not suitable:
When the user first signs in, the settings work. Once the user signs out, the cookies are removed. When the user logs back in, they are not automatically logged back in to the site so they have no additional restrictions as per the policy.
Admin Console Settings:
1. Device Management > Chrome Management > User Settings > Content > Cookies
2. Allow Session-only Cookies options
a. Default Cookie Setting - Keep cookies for the duration of the session
b. Allow Session-only Cookies for URL patterns - Insert whatever domains you wish
Did this work before? No
Chrome version: 53.0.2785.143 Channel: stable
OS Version: 53.0.2785.154
Flash Version: Shockwave Flash 23.0 r0
I've been on the phone with Google for Work Support a number of times about this [#11225758] and no suitable workaround or setting was found. I believe a feature request has been created internally as well.
Oct 25 2016
Max to evaluate FR, Cyrus FYI
Oct 28 2016
Hi Krishna, what's going on with this one?
Oct 31 2016
FYI.
Oct 31 2016
Thanks for cc'ing me. I'll chime in. We already offer such a feature on Android - when deleting browsing data, the user can choose up to 10 "Important sites" that will be protected from deletion. The same backend can be reused, it's just a question of piping it to policies. More specifically, BrowsingDataRemover can be used with BLACKLIST OriginFilterBuilder/RegistrableDomainFilterBuilder to delete data from all sites except a given set of origins/eTLD+1. Note that this currently only works for cookies, site data, and cache.
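The comment above describes the Android "Important sites" mechanism: browsing data is removed for every site except a protected set, matched on origin or registrable domain (eTLD+1). The following is an added example, not Chromium's code (the real BrowsingDataRemover and RegistrableDomainFilterBuilder are C++ and not reproduced here). It models that "delete all except" filter in Python so the matching rule is visible: a cookie survives only if the registrable domain of its stored domain attribute is on the protected list. The public-suffix list, the `Cookie` type, the function names and the sample cookie jar are all constructed for this example.

```python
# Added example: models the "delete everything except protected sites" filter
# described in the comment above. Not Chromium code; names and data are assumptions.
from dataclasses import dataclass

# Assumption: a toy public-suffix list, just enough for the samples below.
# A real implementation uses the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

# Matches the "up to 10 Important sites" limit the comment mentions for the
# user-chosen list; an admin-supplied list (the feature requested here) is not capped.
MAX_USER_IMPORTANT_SITES = 10


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str   # as stored: domain cookies carry a leading dot, host cookies do not
    value: str


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host using the toy suffix list.

    The longest matching public suffix wins, so "b.co.uk" is returned for
    "a.b.co.uk" rather than "co.uk". A leading dot on domain cookies is ignored.
    """
    labels = host.lower().strip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # No known suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def effective_protected_sites(admin_sites, user_sites):
    """Union of admin-protected and user-protected sites, as registrable domains.

    The user list is subject to the same cap as the Android feature; the admin
    list is not, since it is policy-driven.
    """
    if len(user_sites) > MAX_USER_IMPORTANT_SITES:
        raise ValueError("user may protect at most %d sites" % MAX_USER_IMPORTANT_SITES)
    return {registrable_domain(s) for s in list(admin_sites) + list(user_sites)}


def clear_browsing_data(cookies, protected_sites):
    """Remove every cookie except those whose eTLD+1 is protected.

    This is the BLACKLIST filter mode from the comment: the filter lists what to
    keep, everything else is deleted. Returns (kept, removed), order preserved.
    """
    protected = {registrable_domain(s) for s in protected_sites}
    kept, removed = [], []
    for c in cookies:
        (kept if registrable_domain(c.domain) in protected else removed).append(c)
    return kept, removed


# Constructed sample jar: a domain-account session, YouTube cookies, and two
# unrelated sites that the user should still be able to clear.
SAMPLE_COOKIES = [
    Cookie("SID", ".google.com", "domain-account-session"),
    Cookie("LOGIN_INFO", ".youtube.com", "restricted-mode-account"),
    Cookie("PREF", "www.youtube.com", "f2=8000000"),
    Cookie("session", "shop.example.com", "abc"),
    Cookie("uid", ".news.co.uk", "42"),
]


def demo():
    """Admin protects YouTube and the accounts origin; user protects nothing."""
    protected = effective_protected_sites(
        admin_sites=["youtube.com", "accounts.google.com"], user_sites=[])
    kept, removed = clear_browsing_data(SAMPLE_COOKIES, protected)
    return [c.name for c in kept], [c.name for c in removed]


if __name__ == "__main__":
    kept, removed = demo()
    print("kept:", kept)        # google.com and youtube.com cookies survive
    print("removed:", removed)  # everything else is cleared as usual
```

Note that this only governs the "clear browsing data" path. As later comments in this thread point out, a user can also block a site's cookies from the page-info (lock icon) dialog or run a bookmarklet that expires them, so a protected-sites filter alone does not make sign-in state tamper-proof; the thread's later direction (regenerating Google account cookies and enforcing YouTube restrictions by policy header) addresses that gap.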
Nov 1 2016
Hi there, thanks for the update. I'm not sure that I'm understanding how I can actually enforce that policy set and then define what sites have the removal blocked or not. Can you elaborate more?
Nov 1 2016
andy.rogers@, I was just commenting on the technical complexity of adding the policy you suggest. We don't have it (yet). As I mentioned, it's already possible to protect some cookies from deletion on Android, but there it's a user choice - not the admin's.
Nov 1 2016
Oh OK, I misunderstood that. It's definitely a feature that would be useful, even if it was for up to a maximum of ten URLs. For any site that uses any kind of SSO, many organisations would be wanting to prevent getting out of that environment. I used YouTube as an example here, but it would help with lots of sites.
Apr 10 2017
I wanted to follow up and see if any plans, or progress, have been made on this feature? We would also love to keep users from using personal Google accounts instead of the given domain account we assign them and force them to use to initially log into the Chromebook.
Jul 5 2017
bulk-edit of Unconfirmed feature requests
Oct 2 2017
I'd really like to see this feature added in the Google Admin console.
Dec 7 2017
I would like to second this feature request. I am seeing students who are supposed to be locked into their Google Education accounts deleting session cookies to use private accounts with Gmail, Hangouts, and YouTube. Deleting session cookies has mainly been an issue with investigating students using Google Hangouts to bully others. Word is starting to get around ... https://www.youtube.com/watch?v=3o24mlUPjsc https://www.youtube.com/watch?v=FakKsQglSrM&t=188s
Dec 7 2017
owner->assigned +atwilson@
Dec 8 2017
A few things: 1) We're rolling out a change that will prevent signing in to secondary Google Accounts, so blocking cookie deletion will not be needed to address this use case. 2) In general, relying on Google Accounts settings to configure things like YouTube restrictions is dangerous, because users can often change their password or other account settings to revoke their account credentials, allowing them to revert to a non-signed-in state. So, for example, if you want to configure YouTube, you will likely want to set the "Restricted mode for YouTube" policy in CPanel rather than relying on the user to remain signed in. 3) There are lots of ways to clear cookies, including using a JavaScript bookmarklet like (https://ostermiller.org/bookmarklets/cookies.html), and sometimes the Google Accounts backend itself will decide to invalidate its own cookies. So any management solution relying on cookies is likely to be relatively fragile, and we should attempt to address these use cases through other means. Max: no objections to adding some kind of admin controls for "clear browsing data", but it probably won't actually solve the problems that admins are hoping it will solve. We should isolate their use cases and solve them directly (for example, by blocking secondary account signin).
Dec 9 2017
#14 - in order for schools to use the whitelist within YouTube, YouTube accounts need to be enabled. In the recent past (haven't checked in the last month) if a user creates a Branded account, they bypass network-based restrictions and are able to view all content. Though I agree that relying on cookies to keep users on task is less than ideal - until the AllowedDomainsForApps policy is available for Chromebooks, it's the best solution schools have. Many schools have been waiting for the AllowedDomainsForApps policy since v51 when it was introduced. Where it's a mostly functional feature, you can understand the frustration which schools are experiencing having to wait for such a delay to get it right when so many other things have shown up to break the other workarounds that are in place to stop users (read students) from straying.
Dec 11 2017
@atwilson Thanks for the continued followup, even after a fair while with no action. I've got a couple of questions and points regarding our specific situation. Primarily I'm interested in making YouTube restrictions more reliable and less trivial to bypass. "1) We're rolling out a change that will prevent signing in to secondary Google Accounts, so blocking cookie deletion will not be needed to address this use case." - Is this referring to new Admin Console for the YouTube App specifically? If YouTube requires a user to be logged in on a Chrome Device AND we can whitelist login domains, that would be great! Otherwise, yes. I agree with the rest of your points. The CPanel options really wouldn't help our use case as we want Strict Restrictions regardless of location and network on our Chromebook devices. So that's fine for on campus with the networks that we control, not so much when a student goes to a friend's house or uses free wifi somewhere.
Dec 11 2017
Re #16 - great question, what my team is building is the ability to block the UI to sign out of the primary Google account as well as the UI to sign in to an additional account. Max/Kushagra, we should test this with YouTube to make sure this also blocks YouTube signin/signout. Re: the CPanel options, are you saying the CPanel-enforced restrictions aren't restrictive enough? Because when applied via policy, they should set a header on all YouTube requests from the device which should tell the YouTube service to enforce the relevant restrictions no matter what network the device is connected to.
Dec 11 2017
@atwilson@chromium.org Blocking the Login/Logout UI for Google Services will definitely help. As long as students cannot switch to a personal account for Google Hangouts/YouTube, I am indifferent to how this is achieved.
Dec 11 2017
Re #17 - Ah OK, yes that would definitely be useful. Particularly for Gmail. I know that students clear their browsing data, then reload Gmail and log in to get access to Hangouts, Gmail, etc. For YouTube though it's not quite enough. Because the service is available without log in, we need some method to restrict the logged out content or force the service to only be used while logged in to a domain user. Unless I'm misunderstanding, the CPanel restrictions will only take effect on the college campus networks. The Chromebooks are used extensively by the students offsite, so the ability to enforce strict restrictions on our devices needs to be extended beyond the campus.
Dec 11 2017
Re: #19 CPanel policies are applied regardless of the network. If the user logs in as the primary account first, the policy will be applied. To prevent them logging in as a secondary account first, you can enable blocking of Multiple sign-in access or Restrict Login to the device as a device setting.
Dec 12 2017
Count me in as someone who would like to see this changed. I'm interested in what the possible solution is.
Jan 15 2018
Still awaiting a solution.
Feb 2 2018
Is there an update on when the feature that will prevent signing in to secondary Google Accounts will be available? It is becoming a big enough problem that we may have to completely block Google Hangouts in my environment.
Feb 4 2018
Please follow along at crbug.com/547933 for that. If no one objects, I will just close this as a duplicate of that, since it seems like most people commenting here are most concerned about account controls rather than cookies generally.
Feb 6 2018
maxkirsch, I agree this issue can be closed, as crbug.com/547933 fulfills this need.
Feb 6 2018
I disagree. Clearing the cookies will result in the user not being logged in. This would allow users to access pages (like YouTube) as a guest user instead of the signed in user.
Feb 6 2018
Stephen, you're right... I didn't read this carefully enough. My mistake. crbug.com/547933 does not fulfill the need for Issue 658620. Please disregard my previous comment.
Feb 6 2018
We are planning to address the clear-cookies-to-sign-out use case specifically. Aside from sign in/out, are there other reasons to block cookie clearing generally?
Nov 7
@Max - With the new policy to prevent secondary accounts (https://www.chromium.org/administrators/policy-list-3#SecondaryGoogleAccountSigninAllowed) there is a note about cookies: "Note that users will be able to access Google services in an unauthenticated state by blocking their cookies." I'm pretty sure that we're wanting to disallow this for Schools (especially students). The main Google Service that has been a consistent concern is YouTube since it behaves unlike any other service, allowing the user to act as a consumer when not signed in rather than showing a Service Blocked page.
Nov 8
Keep in mind that there are multiple ways to clear cookies - for example: https://github.com/timothybrady/Clear-cookies-bookmarklet. For Google/YouTube accounts, the plan is to regenerate cookies if they ever get cleared. I think this will address the use cases above re: Google accounts better than trying to block all of the ways that users can clear cookies.
Nov 28
RE: comment 28 and 30 - YouTube is our concern as well - I came to this thread because we enforce Restricted Mode for our Students on YouTube, and we noticed that although we blocked the chrome://settings pane for cookies, a student can still access it by clicking on the "secure connection" lock icon in the address bar of Chrome, then clicking on "Cookies", where they can just select youtube.com and then select block. Once the page is reloaded, they're signed out and there's no restricted mode. They can't sign back into their account either, unless they clear the block on the YouTube cookies, but that won't matter to students using this to get around our restrictions. If students are able to actually block the cookies from being accepted, I'm not sure the solution that you're proposing will work, at least for the case we're dealing with. The block would just stay in place until someone releases it. This block still occurs for the user even if their profile is removed from the device.
Comment 1 by krishna...@chromium.org, Oct 25 2016. Labels: -Type-Bug Type-Feature. Owner: saswat@chromium.org