view-source/Save page cannot be blocked
Reported by
stepheng...@amplifiedit.com,
Oct 15
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; CrOS x86_64 11021.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.58 Safari/537.36 Platform: 11021.45.0 (Official Build) beta-channel samus Steps to reproduce the problem: 1. Set URL Blacklist to include view-source 2. Set DeveloperToolsDisabled to True 3. Login as account and press "Ctrl+U" on any page 4. Use Ctrl+F to locate desired information What is the expected behavior? Ctrl+U shortcut to view-source should not be available. What went wrong? nothing was blocked Did this work before? No Chrome version: 70.0.3538.58 Channel: beta OS Version: 11021.45.0 Flash Version: 31.0.0.122 /opt/google/chrome/pepper/libpepflashplayer.so With "view-source" in the URLBlacklist, the view-source:http://[URL] should not be available. With Schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers.
,
Oct 15
If you have the ExtensionInstallForcelist you could in theory use a extension to block the view-source and the students would not be able to uninstall it. It whould be nice if Google would add a policy (something like "ViewSourceDisabled") to disable view-source.
,
Oct 16
,
Oct 17
Seems like a valid request, adding it to our queue.
,
Dec 3
Assigned for the Fixit this Q
,
Dec 5
Note for whoever may take this during the fixit: If the objective is to stop a user from being able to view the source, we may need to consider blocking access to dev tools as well.
,
Dec 5
Hi stephengale@amplifiedit.com, Can you provide more details on how users are able to use the page source to determine the correct answer? An alternative (and probably more robust) fix would be to stop Forms from having the correct answer discernible from the source. I created a quiz to test this, but looking at the page source when I view it, it's not clear to me how the correct answer is discernible, though I may be missing something obvious, or students may be more motivated than I am at finding it =) With that info, I can create a bug for the Forms team, which may be a better path to fixing this
,
Dec 5
We currently have the ability to block devtools in the cPannel. I've seen some LMS solutions (Edgunity, Odysseyware) as well as Google Forms, that have an indicator (such as a class or tag) in the source which option in a Multiple Choice item. In these other sources, the tag is used with JavaScript in order to provide instant feedback to users about their scores. I will see if I can get more information about what is being referenced in the Google form to indicate a correct answer, but it's not limited to only Google forms.
,
Dec 10
,
Dec 10
Available for Fixit
,
Dec 10
I can take a stab at this. It looks like Stephen is asking for 2 things (based on the bug title): (1) Blocking 'view-source:' URLs (2) Blocking 'Save as...' in the context menu I think (1) makes sense as a first step. Stephen, do you also need a policy to control what is described in (2)? We could make (1) a separate policy, or let admins put 'view-source:' in the existing URLBlacklist policy. bheenan@, do you have a preference either way?
,
Dec 10
The behavior described for a solution to (1) would work - Ideally would like to see it wrapped into an existing policy like DeveloperToolsAvailability, but understand the desire to keep separate. Might want to also permit blocking file: URLs as well since this can be used as well. (2) would still need to be addressed, although permitting the ability to block file: would create an additional step users would need to take to view the source.
,
Dec 30
noticed new possibly related regression: "view-source hotkey command+u does not work on mac" https://bugs.chromium.org/p/chromium/issues/detail?id=918262
,
Jan 17
(5 days ago)
Re-setting to Available since I haven't worked on this very much. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by michael_...@lovejoyisd.net
, Oct 15