Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

question/suggestion: centralized custom filter/whitelist settings? #832

Closed
jdsemma opened this issue Oct 15, 2015 · 76 comments
Closed

question/suggestion: centralized custom filter/whitelist settings? #832

jdsemma opened this issue Oct 15, 2015 · 76 comments
Labels

Comments

@jdsemma
Copy link

jdsemma commented Oct 15, 2015

Background: I have a number of Chromebooks under managed enrollment in a Google Apps domain. I'd like to push uBlock Origin out to all of them (which we can easily do), but I'd also like to be able to create our own custom filter (actually mostly whitelists) and also push that out to all of the Chromebooks. If the app/extension is set up to support a config file, we can easily do that through Google Apps as well.

Can this be done, and if not currently, can it be put on the feature request list?

(Edited to add: more info on config files here: http://www.chromium.org/administrators/configuring-policy-for-extensions)

@gorhill
Copy link
Owner

gorhill commented Oct 15, 2015

If I understand correctly what you want to accomplish, it's already supported in Firefox. However for Chromium-based browsers, I have been waiting for such request so that I can test the code I need to hook to chrome.storage.managed.

I will let you know when I have something.

@jdsemma
Copy link
Author

jdsemma commented Oct 16, 2015

Yes, exactly. Thank you for considering this! And yes, obviously, for use on Chromebooks this is Chromium-based (although I have no idea where the config file is stores on ChromeOS.)

@gorhill
Copy link
Owner

gorhill commented Oct 21, 2015

Implemented in 1.3.2b2. I will need you to validate whether this works, I do not have the environment to test this.

a

@jdsemma
Copy link
Author

jdsemma commented Nov 2, 2015

I tested, but can't tell if my test config file isn't right (although it loads without error), or if this isn't working.

For a test config file, I went to uBlock options (after adding specific things to the whitelist) and did 'backup to file'. I then loaded that file into the Chrome App Management tool, and forced the app to auto-install to a specific testing user. The user gets the app just fine, but only with the default config. The config I installed isn't being pushed across.

Thinking after reading more that the config will only look for "adminSettings", I made a new config file like this:

{
"timeStamp": 1446240370977,
"version": "1.3.2",
"adminSettings": {"colorBlindFriendly": true }
}

That's it. I loaded that, no errors, but the config isn't being pushed out. Confirmed via chrome://policy that no policies are being loaded for uBlock Origin.

(Ideally I'd like to be able to push a custom netWhitelist addition, but I'll be satisfied with being able to add to externalLists.)

@gorhill
Copy link
Owner

gorhill commented Nov 2, 2015

Thinking after reading more that the config will only look for "adminSettings", I made a new config file like this:

That's not a valid backup file, it contains nothing of value for uBO. Try:

{
    "userSettings": {
        "colorBlindFriendly": true
    }
}

What I did is:

  • Open a backup file created from clicking the uBO's "Backup to file".
  • Remove all entries which are not to be overwritten.

Now, assign the resulting string (it must pass as a valid JSON string) to the entry adminSettings in the managed storage. That last part I am assuming admins know how to to this, I don't know myself, I just read from the managed storage (it's read-only from an extension's point of view).

@jdsemma
Copy link
Author

jdsemma commented Nov 3, 2015

I am guessing wildly as to how to set up the config file, based on the example given at http://www.chromium.org/administrators/configuring-policy-for-extensions.

I've tried

{ "adminSettings": { "Value": [ { "userSettings": [ {"colorBlindFriendly": true } ] } ] } }

(after running that through jsonlint to make sure it's valid), and.... no value is being assigned to adminSettings.

@gorhill
Copy link
Owner

gorhill commented Nov 3, 2015

The value of adminSettings is supposed to be a valid JSON string, I see it is set to an array of one object in your snippet. A valid JSON string of what you are trying is:

{ "userSettings": { "colorBlindFriendly": true } }

This must be used as a literal string, i.e. the type of Value needs to be string.

(there was a typo in my above example, I just fixed it).

@jdsemma
Copy link
Author

jdsemma commented Nov 3, 2015

So:

{ "adminSettings": { "Value": { "userSettings": {"colorBlindFriendly": true } } } }

?

Tried that, still says no policy set.

@gorhill
Copy link
Owner

gorhill commented Nov 3, 2015

Ok, I followed the doc for Linux at the link you posted above, and it worked here. I created a JSON policy file name ublock0.json in /etc/opt/chrome/policies/managed/, and this is the content of the file:

{
  "3rdparty": {
    "extensions": {
      "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
        "adminSettings": "{ \"userSettings\": {\"colorBlindFriendly\": true } }"
      }
    }
  }
}

Then I restarted Chrome, and the "Color blind friendly" setting was checked. For other OS, I can't tell.

Notice how the value of adminSettings is a JSON string, for which double-quotes needed to be escaped -- because the string is itself used as a JSON string value.

This is what Chrome's chrome://policy showed after restart:

a

@gorhill
Copy link
Owner

gorhill commented Nov 3, 2015

Note that as mentioned, I rely on feedback to fine-tune this, and I think I will also offer the ability to encode the value as plain JSON -- not force a stringified JSON, to enable not having to escape double-quotes.

@jdsemma
Copy link
Author

jdsemma commented Nov 3, 2015

Sounds like. I tried this:

{ "adminSettings": { "Value": { \"userSettings\": {\"colorBlindFriendly\": true } } } }

and still no dice.

@gorhill
Copy link
Owner

gorhill commented Nov 3, 2015

Your JSON does not pass validation.

Try:

{ "adminSettings": { "Value": "{ \"userSettings\": {\"colorBlindFriendly\": true } }" } }

@jdsemma
Copy link
Author

jdsemma commented Nov 4, 2015

Duh. :)

I tried that and..... almost success!

The policy is set, according to chrome://policy. The policy value, literally is

{ "userSettings": { "colorBlindFriendly": true }}

However, in uBlock's options, that setting is NOT set to true. It's still false.

@benwa
Copy link

benwa commented Nov 16, 2015

I just tried and got it to work. I am on Windows however and had to actually edit the registry.
image

Then I went to chrome:policy and clicked reload.
image

Refreshing the options page didn't do anything, I had to actually disable the extension and then reload it.
image

Is there an event listener for storage option changes? That would stop the need of reloading the extension.

Also, it seems these settings aren't actually mandatory (or at least the options page UI doesn't indicate it as you can uncheck and it will save).

@jdsemma
Copy link
Author

jdsemma commented Nov 19, 2015

I still can't get userSettings to be set, but I did successfully get a netWhitelist to stay. I loaded this:

{ "adminSettings": { "Value": "{ \"netWhitelist\": \"about-scheme\\nbehind-the-scene\\nchrome-extension-scheme\\nchrome-scheme\\nloopconversation.about-scheme\\nopera-scheme\\npastebin.com\\nMYDOMAIN.com\\MYOTHERDOMAIN.com\" }" } }

(domain names edited to protect the guilty). This did properly load.

@dXcess
Copy link

dXcess commented Dec 5, 2015

First and foremost - gorhill - thank you for your efforts with this, your contributions are amazing and its a huge help. I'm hoping that I can contribute to this somehow by creating a policy template for Windows users, that will make it easier to manage these settings from Windows.

benwa,
I've tried the same as you via the registry, and just cant seem to get it to work. The policies never load in chrome, no matter what I try. I'm using version 1.3.3. of UBO. Can you share the reg export for this key or help shed some light on what I might be missing?

image

image

@benwa
Copy link

benwa commented Dec 7, 2015

It could possibly be white space or different quote characters. Before I deployed via Group Policy Preferences, I wrote out the preferences here and then used Minify to set it all to one line.

@IRainman
Copy link

IRainman commented Mar 4, 2016

It is necessary .admx and .adml files for use in the GPO on Windows, without setting through the policy files in the Chrome settings do not work and do not apply :(

@killebrewj
Copy link

This is great! I was able to deploy a custom whitelist to some Chromebooks and Chrome browsers.

The only thing is if I change the policy and the browser receives the new policy, uBlock doesn't actually use the new settings until the next time the browser starts up or you can force it by reloading the extension (as benwa said). Is there any way to have it periodically check and apply the currently loaded policy?

Or is it possible I was just being too impatient?

@edlisten
Copy link

I am a GAFE admin with managed Chromebooks that I would like to deploy uBlock Origin to. I have pushed the extension out to users, and created the custom JSON file, but I am missing how do I distribute the JSON file out to all the users?

@gorhill
Copy link
Owner

gorhill commented May 26, 2016

I have a Chrome dev version for testing, and I use a policy on it to validate that policy settings work:

a

I actually forgot how I created this entry... You are probably better placed than me to figure this. But as you can see, the value is adminSettings, and the value must be a JSON-valid string which matches the output you get when creating a backup of the settings, minus the entries which you do not want to enforce on all users.

@killebrewj
Copy link

If you're using Google Apps, you need to deploy the extension to your users by navigating to Device management > Chrome > Chrome App Management

image

Once added, click the app and expand User settings. Pick the OU, Force Install and click UPLOAD CONFIGURATION FILE and then select the text file containing the json configuration.

image

The json is not necessarily a full config dumped from uBlock. Ours is just a simple whitelist. This is the full content of our configuration file. It's a bit ugly having to nest json inside json and it might get messy with a large whitelist.

{ "adminSettings": { "Value": "{ "netWhitelist": "about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nloopconversation.about-scheme\nopera-scheme\ndomain.com\nanotherdomain.org\ndomain.ca.us" }" } }

@edlisten
Copy link

Ahh, the missing link. I was installing the extension from the user
settings and never even knew about chrome app management. Thank you.
On May 26, 2016 7:08 PM, "killebrewj" [email protected] wrote:

If you're using Google Apps, you need to deploy the extension to your
users by navigating to Device management > Chrome > Chrome App Management

[image: image]
https://cloud.githubusercontent.com/assets/15217481/15592725/f67f8bf2-235a-11e6-94bd-b3374e2bfbe2.png

Once added, click the app and expand User settings. Pick the OU, Force
Install and click UPLOAD CONFIGURATION FILE and then select the text file
containing the json configuration.

[image: image]
https://cloud.githubusercontent.com/assets/15217481/15592789/6e054342-235b-11e6-8724-58b01568c20f.png

The json is not necessarily a full config dumped from uBlock. Ours is just
a simple whitelist. This is the full content of our configuration file.
It's a bit ugly having to nest json inside json and it might get messy with
a large whitelist.

{ "adminSettings": { "Value": "{ "netWhitelist":
"about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nloopconversation.about-scheme\nopera-scheme
ndomain.com\nanotherdomain.org\ndomain.ca.us" }" } }


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#832 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AGgLT_c9PRw64Hgp09qURWzrgD6ZJ1cpks5qFigCgaJpZM4GPsyO
.

@edlisten
Copy link

@killebrewj I am almost there. I was able to create a JSON, file upload it and have it show up in chrome://policies. I have restarted the Chromebook and reloaded the extension, but I don't see any of the sites I have added in the whitelist of uBlock Origin.

@gorhill
Copy link
Owner

gorhill commented May 31, 2016

Did you check your JSON string with a JSON validator[1] to be sure it's properly formed?

[1] http://jsonlint.com/, http://codebeautify.org/jsonvalidate, etc.

@edlisten
Copy link

The JSON file appears to be working: And we did get colorblind setting to
work.

{ "adminSettings": { "Value": "{ "netWhitelist":
"about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nloopconversation.about-scheme\nopera-scheme\nforbes.com\nespn.go.com"
}" } }

Bjorn Behrendt M.Ed ~ Never Stop Learning

On Tue, May 31, 2016 at 9:07 AM, Raymond Hill [email protected]
wrote:

Did you check your JSON string with a JSON validator[1] to be sure it's
properly formed?

[1] http://jsonlint.com/, http://codebeautify.org/jsonvalidate, etc.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#832 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AGgLT75Oz6n8_F3Oi0odP2lRn6tRdy16ks5qHDJ8gaJpZM4GPsyO
.

@gorhill
Copy link
Owner

gorhill commented May 31, 2016

Probably the \n in the inner JSON should be \\n. Double-encoding a JSON string is tricky.

@guygg
Copy link

guygg commented Sep 19, 2016

Just stumbled upon this thread while implementing policy settings to start pushing out uBlock to replace ABP across all our Chromebooks. With a little fiddling, was able to push multiple settings and the netWhitelist with multiple domains. One question, though, is if there's a way to push out whitelist domains that doesn't replace the user's whitelist settings? When I push out a couple domains via the netWhitelist value, it replaces the entire list rather than appending/updating existing ones. For anybody else's benefit, here's the JSON I'm using in testing that has a couple user settings as well as a couple example whitelist domains:

{ "adminSettings": { "Value": "{ \"userSettings\": {\"colorBlindFriendly\": true, \"cloudStorageEnabled\": true }, \"netWhitelist\": \"hellointernet.fm\\nwikipedia.com\" }" } }

@gorhill
Copy link
Owner

gorhill commented Nov 8, 2016

Please use the encoder tool to avoid mistakes. Your string is not correct, the filterLists property is not a member of the userSettings property (look in a backup file), you removed too many curly brackets (the tool won't catch that though) -- it just validates JSON):

{
  "userSettings": {
    "autoUpdate": true,
    "colorBlindFriendly": true,
    "filterLists": {
      "assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt": {
        "off": true
      }
    }
  }
}

Try:

{"filterLists":{"assets/ublock/experimental.txt":{"off":true},"assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt":{"off":true}}}

Which decoded is:

{
  "filterLists": {
    "assets/ublock/experimental.txt": {
      "off": true
    },
    "assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt": {
      "off": true
    }
  }
}

@JPT62089
Copy link

JPT62089 commented Nov 8, 2016

Ha! I did not see that tool! Thank you, @gorhill! Much appreciated. Unsurprisingly, it works now :D

@NoSubstitute
Copy link

Sorry for maybe asking in the wrong place, but is there some guide anywhere how to export the settings and then push them to users? I don't want to whitelist anything (right now), but I do want to enable Dan Pollock's host file for everyone. I found where to export settings from one browser, but do I really need to push all that? Isn't it enough to push the diff from the default settings?

@gorhill
Copy link
Owner

gorhill commented Jan 23, 2017

how to export the settings and then push them to users?

On top of the existing settings or to replace the existing settings?

@NoSubstitute
Copy link

NoSubstitute commented Jan 23, 2017 via email

@gorhill
Copy link
Owner

gorhill commented Jan 23, 2017

Entries in adminSettings will replace current settings, but every time the extension starts -- is this what you need?

@benwa
Copy link

benwa commented Jan 23, 2017

Personally, I prefer the approach of if it's not defined in the policy, use defaults or user settings. That follows in line with Chrome's (and Group Policy-like systems) methods.

@gorhill
Copy link
Owner

gorhill commented Jan 23, 2017

There is this: https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin.

With 1.11.0, selecting filter lists will be much more simple -- it will be the selectedFilterLists array entry in the backup file.

@KTac
Copy link

KTac commented Feb 16, 2017

Can someone help me please. I'm losing my mind trying to get this working on Windows. I am not using Group Policy and I do not currently have the Chrome administrative template installed. I'm unclear if this is required but I wouldn't think so. This is for a local machine that will be accessed by many users. I have manually set the necessary registry entries like so.

image

image

The extension installs automatically just fine but for my life I can't get the policy to take effect. I tried a much more detailed set of settings at first but after I couldn't get those to work I decided to just try one non-default setting which is what you see above.

The string I used for adminSettings is:
{"userSettings":{"colorBlindFriendly":false}}

I ran the original code through a JSON validator and then ran it through @gorhill's encoder tool to get it to a single line, so I'm pretty sure the formatting of the string is not the problem. What am I missing?

@gorhill
Copy link
Owner

gorhill commented Feb 16, 2017

The string I used for adminSettings is:
{"userSettings":{"colorBlindFriendly":false}}

The default value for colorBlindFriendly is false, so your adminSettings won't change anything.

@KTac
Copy link

KTac commented Feb 16, 2017

Wow, I can't believe I did that. I changed the value to true and still nothing. Either way, shouldn't the fact that the extension is installed and the properly formatted registry value exists cause the policy to show up as enabled under chrome://policy?

@gorhill
Copy link
Owner

gorhill commented Feb 16, 2017

Yes, it should show in chrome://policy. I am not in a position to help here, I do not have Windows and can't test stuff. According to this comment above, I can't see anything wrong in your screenshot.

@gorhill
Copy link
Owner

gorhill commented Feb 16, 2017

Actually, the user who succeeded in making it work is using HKEY_CURRENT_USER while I see you are using HKEY_LOCAL_MACHINE.

@NoSubstitute
Copy link

NoSubstitute commented Feb 19, 2017 via email

@pcurb23
Copy link

pcurb23 commented Feb 25, 2017

Thank you so much for implementing this for us poor overworked security conscious admins. It worked flawlessly on the first try after following the writeup @ https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin
We deployed a reg key to HKLM and used the handy tool here to convert the string to JSON.

@najamss
Copy link

najamss commented Mar 20, 2017

Hi @benwa,

I know, it's an old post but do you know how can I do the same for Privacy Badger, what you suggested for UBlock Origin via GPO?

@benwa
Copy link

benwa commented Mar 20, 2017

@najamss With a quick look at chrome://policy, it doesn't seem like Privacy Badger supports policies. If you want them to, I'd file an issue here. If you need to implement now, I'm fairly certain uBlock Origin will accomplish the same thing.

@najamss
Copy link

najamss commented Mar 20, 2017

@benwa

Thanks a heap for looking in to it. In fact, we have deployed both Privacy Badger and UBlock Origin. They both are blocking AddThis share buttons on our websites; therefore, I wanted to add our required domains to their whitelist domains

@joavaran
Copy link

joavaran commented Jul 3, 2017

@gorhill: How would you do the same adminsettings for MACos with plist? Is there a converter I can use?
So in ublock backutp to file and use a converter? or use a reg -> plist converter?

@Alcon835
Copy link

Alcon835 commented Aug 7, 2017

First: this thread has been a HUGE help! I still have an issue related to this:

If I "pause" uBlock Origin on a page and then reset chrome, the policy settings will overwrite whatever pages I've paused. If I don't have the adminSettings registry item, it won't overwrite the pages I've paused.

Is this expected behavior and is there a work around that allows me to push the whitelist to all computers without overwriting a user's personal pause/white list?

@kingio
Copy link

kingio commented Sep 29, 2017

I did the same as @KTac second screen on W10 Home Edition and didn't work. I don't know why nobody is sharing a reg file to make things easier, so i'm sharing the one that i'm doing:
ublock.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\policy]
"adminSettings"="{\"userSettings\":{\"colorBlindFriendly\":true}}"

@miruser
Copy link

miruser commented Oct 3, 2017

hey kingio

it is very easy. use ublock backup to file function with the settings you want to have.
then use http://raymondhill.net/ublock/adminSetting.html + JSON-encoded settings to be used for adminSettings as a plain string value. Voila... Took me weeks to find this out! Have fun

@kingio
Copy link

kingio commented Oct 3, 2017

@miruser i already did that without success (ublock policy space appears in chrome://policy but empty). Could you please export your adminSettings from registry and share it? By selecting the key and then clicking on File -> Export you will have the .reg file that can be opened with notepad itself.

@miruser
Copy link

miruser commented Oct 4, 2017

hey kingio..

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\policy]
"adminSettings"="{"timeStamp":1507099983095,"version":"1.14.8","userSettings":{"advancedUserEnabled":false,"alwaysDetachLogger":false,"autoUpdate":true,"cloudStorageEnabled":false,"collapseBlocked":true,"colorBlindFriendly":true,"contextMenuEnabled":true,"dynamicFilteringEnabled":false,"externalLists":"","firewallPaneMinimized":true,"hyperlinkAuditingDisabled":true,"ignoreGenericCosmeticFilters":false,"largeMediaSize":50,"parseAllABPHideFilters":true,"prefetchingDisabled":true,"requestLogMaxEntries":1000,"showIconBadge":true,"tooltipsDisabled":false,"webrtcIPAddressHidden":false},"selectedFilterLists":["plowe-0","malware-1","malware-0","easyprivacy","easylist","ublock-unbreak","ublock-privacy","ublock-badware","ublock-filters","user-filters"],"hiddenSettingsString":"assetFetchTimeout 30\nautoUpdateAssetFetchPeriod 120\nautoUpdatePeriod 1\nignoreRedirectFilters false\nignoreScriptInjectFilters false\nmanualUpdateAssetFetchPeriod 2000\npopupFontSize unset\nsuspendTabsUntilReady false\nuserResourcesLocation unset","netWhitelist":"","dynamicFilteringString":"behind-the-scene * 3p-frame noop\nbehind-the-scene * 3p noop","urlFilteringString":"","hostnameSwitchesString":"","userFilters":"","filterLists":{"assets/thirdparties/pgl.yoyo.org/as/serverlist":{"off":false},"assets/thirdparties/mirror1.malwaredomains.com/files/justdomains":{"off":false},"assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt":{"off":false},"assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt":{"off":false},"assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt":{"off":false},"assets/ublock/unbreak.txt":{"off":false},"assets/ublock/privacy.txt":{"off":false},"assets/ublock/badware.txt":{"off":false},"assets/ublock/filters.txt":{"off":false},"assets/user/filters.txt":{"off":false},"assets/ublock/experimental.txt":{"off":true}}}"

@mcgituser
Copy link

hey gorhill,

Thanks for all the hard work and info here. I was wondering if you've had a chance to work on merging the user's setting and the adminSettings?

We are looking to push an initial set of sites for whitelisting and then let the users add to it as they please going forward. Can you think of a good what to do that? I was thinking perhaps if there was a local configuration file that we can modify and push out during the deployment that contains a set of predefined whitelists and can be added to the users, that would work. Let me know your thoughts.

Thanks again

@jhavens12
Copy link

I've read all these comments and am still having issues uploading a simple whitelist to GAFE for my users. This is the string I'm trying to use:

"{ \"netWhitelist\": \"https://www.pbisassessment.org\" }"

Am I missing something here?

@Bangaio65
Copy link

Bangaio65 commented Oct 11, 2020

On Chromium Edge, the registry location is:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge\3rdparty\extensions\odfafepnkmbhccpbejgmiehpchacaeak\policy
(It seems to get ignored if set in HKLM)
EDIT: actually it works on HKLM, it's just for some reason you need to open Edge, close it, then re-open it once more for these settings to apply (or at least show up in uBlock's GUI)

Now a question: is there a way to have the settings stored in a file like in Firefox? So I could point to that file (stored in the network) and not have to edit settings in two places in case I want to change a setting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests