
Issue 882651

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Dec 3
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Regression




extension able to bypass managed chromebook policy

Reported by matthew....@wf.catholic.edu.au, Sep 10

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Platform: 10575.58.0 (official build) stable-channel wolf

Steps to reproduce the problem:
1. In management console - disable Incognito mode
2. Install apps like Unblock Everything - https://chrome.google.com/webstore/detail/unblock-everything/ncmnhiijmdhplkmkpejmmbpjiojchefe
3. Able to open incognito mode

What is the expected behavior?
No extension should be able to bypass admin policy

What went wrong?
Students using this to bypass web filtering (Securly)

Did this work before? Yes 68.0.3440.118

Chrome version: 68.0.3440.118  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 30.0.0.113

Advice is to naturally block all extensions and apps and then whitelist - but this is not our preferred way to handle the issue. Ultimately this is an app type whose sole reason for existence is to bypass an admin policy.
 
Labels: Needs-Feedback
Hi, I wasn't able to repro this using the Unblock Everything extension (see attached screenshot). When the URL blacklist policy is set to block some URL, it doesn't allow the policy to be bypassed with this extension. Incognito mode is also disabled.

Could you please provide more info about this problem (e.g. screenshots, policy JSON, logs)?

Google Chrome	69.0.3497.95 (Official Build) beta (64-bit)
Platform	10895.56.0 (Official Build) beta-channel coral-unibuild
Attachment: Screenshot 2018-09-14 at 10.41.14 AM.png (55.1 KB)
Hi,
Sorry - should have been more specific. Unblock Everything and its brethren allow the user to open a browser window that is equivalent to an incognito window, e.g. no extensions installed.
It is used to bypass the setting "disable Incognito mode" to achieve the same functionality as an incognito window, thus circumventing our intended use of this setting.
Thank you for showing that we can still use the URL blacklist feature of the admin console if required. In our case we use an extension to block websites, so this app allows an "incognito like" window to be opened with extensions disabled.
I guess you could say it does not circumvent the admin setting directly; rather, it circumvents its purpose - so I would suggest that the manner in which it does this is a security bug which can hopefully be addressed.
Thanks
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 17

Cc: ibezmenov@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: naveenv@chromium.org
This is working as intended - extensions are able to control how other extensions interact with them, so an extension like Unblock Everything can open a webview and control its behavior completely (including preventing content script injection, network traffic interception, etc).

Best practices are to block installation of arbitrary extensions for exactly this reason.

+naveen FYI in case there are any related feature requests you'd like to drive on behalf of EDU customers.


Status: WontFix (was: Unconfirmed)
As per #4, this is working as intended.
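
The block-all-then-whitelist advice from the thread, as an added example (not part of the original issue or of Chromium's code): a Python check that flags a policy set where incognito is disabled but extension installation is not default-deny. It assumes a flat policy-name-to-value dictionary as input; the policy names are Chrome's `IncognitoModeAvailability`, `ExtensionInstallBlacklist` and `ExtensionInstallWhitelist` (plus their later Blocklist/Allowlist renames), and the allowlisted ID is a constructed placeholder.

```python
import re

# Chrome extension/app IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def _first(policies, *names):
    """Return the value of the first policy name that is set (old or renamed)."""
    for name in names:
        if name in policies:
            return policies[name]
    return None

def audit(policies):
    """Return findings for a flat {policy name: value} dict (assumed input shape)."""
    findings = []
    if policies.get("IncognitoModeAvailability") != 1:  # 1 = incognito disabled
        findings.append("incognito-not-disabled")
    blocked = _first(policies, "ExtensionInstallBlacklist", "ExtensionInstallBlocklist") or []
    allowed = _first(policies, "ExtensionInstallWhitelist", "ExtensionInstallAllowlist") or []
    if "*" not in blocked:
        # No default-deny: a user can install an app that opens its own webview,
        # which the filtering extension cannot inject into or intercept.
        findings.append("arbitrary-extensions-installable")
        if blocked:
            # Blocking single IDs misses every similar app under another ID.
            findings.append("per-id-blocking-only")
    findings += [f"malformed-allowlist-id:{i}" for i in allowed if not EXT_ID.match(i)]
    return findings

# Constructed sample policies. The blocked ID is the one linked in the report;
# the allowlisted ID is a placeholder standing in for the filtering extension.
REPORTED = {"IncognitoModeAvailability": 1}
PER_ID = {"IncognitoModeAvailability": 1,
          "ExtensionInstallBlacklist": ["ncmnhiijmdhplkmkpejmmbpjiojchefe"]}
HARDENED = {"IncognitoModeAvailability": 1,
            "ExtensionInstallBlacklist": ["*"],
            "ExtensionInstallWhitelist": ["aaaabbbbccccddddeeeeffffgggghhhh"]}

if __name__ == "__main__":
    for label, pol in (("reported", REPORTED), ("per-id", PER_ID), ("hardened", HARDENED)):
        print(label, audit(pol) or "ok")
```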
