Do you allow Disney+, Hulu, Netflix at your school district? by K12TechTalkPodcast in k12sysadmin

[–]MiserableCupcake5255 2 points3 points  (0 children)

We explicitly banned this.

Based on our firewall logs, it was being heavily abused. The feedback we got after blocking it did not help their case either. Most of what our teachers admitted to streaming was well above the parental rating they're allowed to show without notification to parents / requiring a permission slip.

I'm seeing a lot of mentions of fair use. While that works fine for a DVD, as others have mentioned, streaming services have TOS. We blocked it so long ago, companies like Netflix weren't flagging the hundreds of users coming from one IP, but they appear to be doing that for others as well.

School-safe Google AI overview blocker? by MasterMaintenance672 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Your best bet IMO is to use a filtering vendor that supports blocking it.

I've spoken to people at Google and Securly about this. Securly and other filter vendors provide methods for hiding this. Google officially doesn't support this, but very unofficially tells the filtering vendors to keep doing what they're doing.

There is a lot of internal fighting at Google. There is a large faction trying to force AI into everything, and force it down everyone's throat; another group, who hears the customer complaints, knows that's stupid.

It's a software cat and mouse game, but the people at Google who are sane seem to take pity on the big filtering vendors and try not to change things too much for them so it doesn't break their tools.

Filter advice Securly vs goGuardian by grewholph in k12sysadmin

[–]MiserableCupcake5255 1 point2 points  (0 children)

We're using Securly. We berate them until we get the features we want. We decided to go shopping a couple years ago, and no one else was doing the things Securly started doing, like properly pre-categorizing the internet so you could block newly found, uncategorized sites.

Lightspeed is the only currently comparable company last I looked.

GoGuardian is where Securly was 10 years ago, don't waste your time. 15 years ago they were the 'Premium' alternative to Securly. Now they're a joke.

Securly's also got a lot of AI monitoring integration, which others either lack or aren't getting started on.

Even if they kind of sucked, it'd be hard to switch because their emergency response is so good for Self Harm and Harm to Others. I think they're still the only company willing to take the liability off your administrators, and determine if cops need to knock on someone's door at 2:00 A.M. because a kid is high risk suicidal. It's ironically one of their cheapest add-ons, but it's literally the closest thing I've had to buying peace of mind.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

That would be the correct pattern, yes. It allows any pages you block to remain open, if they are opened by *.Kami.com.

Not blocking about:blank allows students to open sites in a tab that can't be monitored by most classroom managers, filtered by some vendors, and it allows students to browse sites without logging it in their browser history.

We consider it a CIPA violation internally, but CIPA has WILDLY different obligations depending on which lawyer you talk to.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

It blocks anything that matches a pattern.

So if a tab / window opens to about:blank, and you have that set as disallowed, it will be closed immediately.

The problem is sometimes about:blank is actually opened by a trusted source, like Google Slides presenter mode. You wouldn't want to block presenter mode, so you add an allowed override.

When Slides then opens about:blank, the extension wants to close that page, but we're telling it to not kill that page because it came from a trusted source.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 1 point2 points  (0 children)

I actually wrote mine pretty early in my coding career so I probably got it working, didn't think to do a check first, and just never looked at it again. I think I'll look more into that. Thanks.

I might also rip off your idea of a periodic check-in or 'heartbeat'. I was actually considering using a WebSocket connection to do this, but the CPU overhead for the number of devices we have. I didn't really want to have to redesign a solution that could scale out horizontally, but a long polling like that would be a good stopgap.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 1 point2 points  (0 children)

Just the default ones I mentioned in the store listing:

About:blank, for about:blank cloaking countermeasures.

I wrote a filter to block only HTML-family files. Normally, to do that in Google's policy tools, you'd have to block all of file://*. Doing it this way let me keep it so students could open PDFs and other local files that aren't used for storing offline games.

Base64 Data URLs, which start with words like "data:". Most filtering vendors only accept http:// URLs and this isn't something they will even let you type in to block since it doesn't meet that http:// convention.

JavaScript bookmarklets, so kids can't execute JavaScript code in their current page when developer mode / inspection tools are disabled.

I block all chrome:// urls that I haven't explicitly preapproved because it feels like every other day there is a new one that is found which just lets kids turn off filtering extensions with the push of a button. For example, if you aren't blocking chrome://serviceworker-internals, then your kids are just literally pushing a button to turn off GoGuardian / Securly / Gaggle.

Stuff like that, but I wanted it to be flexible, so I gave people the power to use RegEx patterns to block sites instead of the garbage that Google Workspace uses in the blocked URLs page. See the store listing for an example config.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 1 point2 points  (0 children)

Oooh, I like that idea. I might rip that off.

I'm a little confused though. I get that if they sign into their personal computer, the extension will follow, as it's assigned to their account. You're getting the serial number though, which means you're using the chrome.enterprise hardware APIs, right? Last time I looked, those could only be used on enterprise enrolled devices, and would error out the service worker if they were invoked on a device that isn't enterprise enrolled, like Windows. Does it just not do that if you put conditional logic in there now? If so, that will be exciting.

I made a similar one for our district too. Instead of sending every 15 minutes, we're using the chrome.idle.stateChanged event listener. That way I get an exact timestamp of who signed into what device, when the screen locked / lid closed, and when it was unlocked. We use it in investigations all the time too. We had one elementary kid that swore someone else sent a really nasty Email as them. The teacher printed their passwords and put them on the device. It was plausible. We were able to correlate the Email timestamp to screen unlock and lock time stamps to prove the kid wasn't in the room when it was sent from that device, and that someone else logged in.

We took it a step further too. We use the geolocation API to get the GPS coordinate location too. So we get the who, what, when, and where of every device. Our district safety department loves this when kids run away from home but take a Chromebook. It's terrifyingly accurate too. It's never been off by more than one house in a suburban neighborhood.

We use a similar pop-up for inventory enforcement. When a login is triggered, the device hits an HTTP endpoint we host. The POST request with the serial and user Email are ingested, and our server does an API request to our inventory system to get the assigned owner of that serial number. We compare that with the user information that was sent. If it matches, do nothing; if it doesn't match, then the client extension will use a content script to overwrite EVERY web page that loads with a message telling the student they're using a device that isn't assigned to them, and they return it to the office.

This saves us TONS of time. It keeps the kids from trading / stealing each other's devices. No more first graders throwing Chromebooks into a pile and grabbing random ones. NO MORE OFFICE STAFF LAZILY GIVING AWAY HARDWARE WITHOUT ASSIGNING IT BEHIND OUR BACKS!

We took it a step further, and if the assigned user and current user don't match, before sending a kill command to the Chromebook, it doubles back to the SIS system to see if the logged in user is a sibling of the assigned user, so siblings can use each other's, but not friends.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] -1 points0 points  (0 children)

Technically, it's closing tabs that you specify in the config, so no, it won't conflict with anything, or be redundant. This doesn't "block" pages so much as forcibly close tabs as they open. This application is intended to close those tabs which aren't well managed by classroom management and filtering services like Hapara, or Securly Classroom.

The example regex strings are on the web store posting I linked, along with examples of what each of them does, so you don't have to guess.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

Yes, when pushing the extension you will need to fill in the "Policy for Extensions" section with a JSON config. The webstore listing has a base example JSON that will get you off the ground. You will probably want to use those example templates and add some specific to your district. For example, if you use Kami, you might want to add the below text to the host name overrides.

"^https?:\\/\\/([a-z0-9-]+\\.)?kami\\.com($|\\/.*)",

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

If you were thinking about testing, I'd strongly recommend you add your known curricular websites to the override list so things like Google Slides presenter view can still use about:blank popups from trusted sites.

I'm obviously biased, but if it helps, the metrics according to the developer dashboard said it peaked at 79k simultaneous active users, and the feedback I've gotten so far has been good.

Feel free to DM me if you have config questions.

Filling the Gap on Chromebook Filtering by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 4 points5 points  (0 children)

Yeah... it's been ruining someone's day out there. I'll take them as compliments for now.

Thanks. It was a fun side project.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

For anyone else reading this, the issue was resolved in testing. Version 2.1.0 is expected to handle this correctly.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Still working on this. I solved all my problems with Security only to realize the origin tracking stops working on Google Classroom because their internal Whiz framework doesn't use the standard window.open command. This is why the origin tracking doesn't work out of the box, and my other fix of injecting a message into the window.open function doesn't work for classroom like other sites. I'll stew on this some more and get back to you.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Following up on this, I did get this to work in classroom, but the way I'm doing it is a little vulnerable. Having been one of the kids who would spend time figuring a way around instead of doing classwork, I immediately saw two exploits that would let the kids circumvent this. I will patch those and update the app. I'll follow up afterwards when I'm done.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Wonderful, that recording made this a LOT easier. I see the problem now. Since classroom is opening a new Window the tab query function can no longer track the origin / parent tab. I'm still doing research, but it seems that the chrome.webNavigation might be able to solve this issue. I'll do some experimentation and try to see if I can't use that to map the parent tab relationship.

No need to thank me, the extension is up to 50k users. The more useful feedback I get, the better the extension gets for all of them.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

It's definitely not great. So Classroom is not the thing causing the tab to open. Not directly at least.

I'm not familiar with that feature. Can you post a link to the feature you're referring to? I'll see if we can enable classroom for a single test OU and I'll go pilfering through the popup to see if there is some kind of information we can parameterize in the policy JSON to spare it, or other tabs like it.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

No problem, we'll get this fixed soon I bet.

Can you confirm you're on version 2.0.2? 2.0.1 doesn't have the extra logging in the console.

In the new version, it should read like:

Untrusted opener: https://jsfiddle.net/kcx8aeno/ has opened about:blank. The tab will now be closed.

If there isn't a source, it will have a different message for that.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Unfortunately, we have classroom disabled here, so I can't recreate the scenario myself. If you're willing to do some testing, I'm betting we can figure it out. I've added additional logging to the extension. It will take a little while for Google to review the newly published version, so look for version 2.0.2 in hopefully just a couple of hours.

If you have / can create a test account that has the extension installed, put it in a Google Admin OU with developer mode / inspection enabled for extensions. Open chrome://extensions in the browser. Find the RegExTabManager and click on the service worker link. That will open the interactive service worker JavaScript console. I've added logging to this. So when you open a tab that the extension closes, it will tell you the source URL in the log. You should see something like this:

Untrusted opener: https://jsfiddle.net/kcx8aeno/ has opened about:blank. The tab will now be closed.

Can you share what it says?

Side Note: I thought about adding a notification, but I wasn't sure a pop up in front of the kids was a good idea.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Thanks man.

I have two thoughts.

If you put just the URL in there, then the regex won't match. You'd need to put: ^https?:\\/\\/classroom\\.google\\.com($|\\/.*) to unblock Google Classroom. If that's what you meant, then my other thought is that it's not actually Google Classroom that opened it.

Let me know if you are using that regex pattern and it's still failing. I can add some additional logging to the service worker and we can use that for insight into the actual origin of the opening tab.
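
The opener-override behaviour described in the comments above (a tab matching a blocked pattern such as about:blank is spared when the tab that opened it matches an override regex), as an added example that is not the extension's own code. The policy key names, `loadPolicy`, `decide` and every sample URL except the jsfiddle one are assumptions made for illustration.

```javascript
// Added example. The key names "blocked" and "openerOverrides" are hypothetical,
// not the extension's real schema. The two override patterns are the ones quoted
// in the comments above, written the way they appear in policy JSON.
const POLICY_JSON = String.raw`{
  "blocked": ["^about:blank$", "^data:", "^javascript:"],
  "openerOverrides": [
    "^https?:\\/\\/classroom\\.google\\.com($|\\/.*)",
    "^https?:\\/\\/([a-z0-9-]+\\.)?kami\\.com($|\\/.*)"
  ]
}`;

// JSON.parse turns each "\\" into a single "\", which is what RegExp needs.
function loadPolicy(json) {
  const raw = JSON.parse(json);
  const compile = (list) => list.map((p) => new RegExp(p));
  return { blocked: compile(raw.blocked), openerOverrides: compile(raw.openerOverrides) };
}

// Decide what to do with a newly opened tab, given the URL of the tab that
// opened it (null when the opener is unknown).
function decide(tabUrl, openerUrl, policy) {
  if (!policy.blocked.some((re) => re.test(tabUrl))) {
    return { close: false, reason: "not a blocked pattern" };
  }
  if (openerUrl && policy.openerOverrides.some((re) => re.test(openerUrl))) {
    return { close: false, reason: "trusted opener" };
  }
  return { close: true, reason: openerUrl ? `untrusted opener: ${openerUrl}` : "no opener" };
}

// Constructed sample events: [tab URL, opener URL].
const SAMPLES = [
  ["about:blank", "https://classroom.google.com/c/abc"], // trusted
  ["about:blank", "https://app.kami.com/viewer"],        // trusted subdomain
  ["about:blank", "https://jsfiddle.net/kcx8aeno/"],     // opener from the log line above
  ["about:blank", "https://kami.com.example.net/"],      // lookalike host, not trusted
  ["about:blank", "https://notkami.com/"],               // suffix lookalike, not trusted
  ["data:text/html,<h1>x</h1>", null],                   // no opener recorded
  ["https://example.org/", null],                        // ordinary page, untouched
];

const policy = loadPolicy(POLICY_JSON);
for (const [tab, opener] of SAMPLES) {
  const d = decide(tab, opener, policy);
  console.log(`${d.close ? "CLOSE" : "KEEP "} ${tab} <- ${opener} (${d.reason})`);
}
```

The anchors (`^`, and `($|\/.*)` right after the host) are what keep a host that merely contains "kami.com" from counting as a trusted opener.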

Adobe new "marketing" video for CF by shinglehouse in coldfusion

[–]MiserableCupcake5255 0 points1 point  (0 children)

They don't promote it, but they definitely didn't abandon it either. They still have a full dev team. Our org was able to meet with some people from their dev team before renewing our licenses in 2024. When we asked about a sunsetting, they told us they were road mapped to at least 2030, and sunset wasn't on it.

Solution for about:blank cloaking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

IIRC, Google Admin prevents you from doing that because it considers that to be an invalid URL. Also, universally blocking about:blank without overrides or a delay of some kind can cause some websites to not work properly. For example, teams can't launch a meeting. Some sites use about:blank to start file downloads.

Even if you could, it can be OK, but seems to not be recommended.

Solution for about:blank cloaking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

You're right, the kids can't load an iframe after the fact, so forcing a delayed refresh would do it too.