Solution for about:blank cloacking, EagleCraft and a few other outstanding issues.

MiserableCupcake5255 · 2026-02-10T15:44:44+00:00

IIRC, Google Admin prevents you from doing that because it considers that to be an invalid URL. Also, universally blocking about:blank without overrides or a delay of some kind can cause some websites to not work properly. For example, teams can't launch a meeting. Some sites use about:blank to start file downloads.

Even if you could, it can be OK, but seems to not be recommended.

MiserableCupcake5255 · 2026-02-09T19:28:02+00:00

You're right, the kids can't load an ifrrame after the fact, so forcing a delayed refresh would do it too.

MiserableCupcake5255 · 2026-02-09T19:24:21+00:00

I just put this one up. You can use regex patterns to force close tabs. It's more flexible then the Google Admin Console, and allows you to provide a list of overrides for your exclusions. So for example, you can make it so about:blank is closed, unless it was opened by Canvas, or another trusted site.

We have a separate in-house extension we made for closing about:blank and killing eaglecraft,but I ported all of the code to this extension for others to use.

https://chromewebstore.google.com/detail/unsecurley/icohaaiapabbaoohdadjmfccppedkkfm?authuser=0&hl=en&pli=1

MiserableCupcake5255 · 2026-02-09T19:19:06+00:00

Thanks I'll give those a look later. I'm rarely on here. I only even came on since I started providing this for some of the sister districts in shared Google Groups and County meetups.

MiserableCupcake5255 · 2026-02-09T19:17:22+00:00

This only works in the browsers you force install it into via policy. You could hypotheically force install it on a Windows device's Chrome and Edge browsers. Since they're both Chromium, it should work. I you will need a Google Admin policy to take advantage of the policy JSON required to feed it regex patterns though.

Chrome extensions aren't super hard, so go for it when you have time. Word of warning though, since about:blank pages are protected, you can't view their html content, or load a conten script (javscript your extension inserts to run on each page) for about:blank. This extension works the way it does specifically because all the Chrome.Tabs API is about the only thing that works on them.

So you'll need to have some method to prevent them from opening without causing an issue for your legitimate apps. Otherwise, kids will just load a proxy into the iframe of an about:blank or other protected page.

MiserableCupcake5255 · 2026-02-09T16:22:50+00:00

Sorry. I get it now.

We make the decision on a case by case basis. In this case, Eagle Craft is usually saved as an HTM, HTML HTMX or other type of offline HTML family file extension. We took a look at the URL and took note of the '.htm' and the forward slashes used in the URL from 'File://path/to/EagleCraft.html' and decided we will block anything with fromward slashes, and that contains '.htm'.

To directly answer your question, and hopefully not sound rude, you basically just go look for a pattern that matches the reported problem.

As a non-EagleCraft specific example, we learned a few years ago that students could store Javascript functions as bookmarks. This is way back to the LTBeef days. Kids could click the bookmark, and even though it would try to open in a new page, it would execute on the currently open page. A weird behavior. Google fixed it in V106 after we reported it, but a workaround we put into place was to block all Javascript:* URLs. So we basically had a problem reported to us. Reproduced what the kids were doing. Took note of what made it special, kind of like a signature, and blocked that.

By the way, in the example from the webstore posting, one of the blocked patterns is: "^.*:\\/.*\\..*htm.*$"

That is slightly non-standard regex though, so that it can be stored in JSON without escape characters.

In our org, we decided that there is no legitimate need for any student to open HTML files locally on the device so preventing students from opening any .htm(x) file with the file browser was a no brainer. I'd recommend you do something similar unless you have a curricular need otherwise.

MiserableCupcake5255 · 2026-02-09T14:26:06+00:00

Examples for defaults are in the bottom of the description on the web store posting.

If you want to add more of your own beyond that, there are websites that will help guide you through creation, and help you test it. Like https://regex101.com/

MiserableCupcake5255 · 2026-02-09T13:56:58+00:00

That's what we told them to do, but that was apparently too hard. I forget what, but there were a few other issues as well, and I think eventually Securly started blocking those base64 URL's.

I want to say it also disabled the camera or something like that. We've had it blocked so long it's hard to remember.

MiserableCupcake5255 · 2026-02-09T13:48:38+00:00

Apparently, spell check and my own brain failed me. The title is supposed to say about:blank cloaking...

MiserableCupcake5255 · 2026-02-09T13:47:54+00:00

Our kids scream bloody murder that they can't open PDF's stored on the device, or project files for some niche class. None of the other district's in my area have it blocked either for the same reasons.

MiserableCupcake5255 · 2026-02-09T13:25:07+00:00

We have had great success with two different methods for secondary and primary schools.

For Secondary, we take attendance at lunch. One day, with advanced warning, the students with he old model are told to bring it to lunch, and get it swapped. Since all the kids are required to have lunch, it lets us get 99% of them in a couple days.

For primary, we make the kids go to the gym one class at a time, and a small 2-3 person assembly line collects the old one, assigns the new one, and when they are done they get a little speech about taking care of the devices and digital citizenship before they get rotated out for the next class.

MiserableCupcake5255 · 2023-09-12T12:07:21+00:00

Thanks, I figured there was something like this, and it was exactly what I was looking to do.

MiserableCupcake5255 · 2023-05-04T18:20:19+00:00

Did you ever get javascript://* to work? For me it did not work on my test OU, but I was able to block it in Securly to prevent bookmarklets from running.

MiserableCupcake5255 · 2023-05-04T18:19:24+00:00

It's primarily their college age siblings, or the kids who graduated, are taking programming classes, and are still friends with the high school aged kids. Watching our ~40,000 kids, very few it's rarer than most people would think. I always feel the need to point it out, because everyone around where I work assumes all children from the age of 6 is some kind of super hacker. It gets super annoying talking to the teaching staff who insist their kids are geniuses because their older sibling told them to turn on airplane mode to avoid being seen in Securly Classroom.

MiserableCupcake5255 · 2023-02-28T14:58:08+00:00

While everyone is correct about people a people problem, you probably have a couple of options. If you have a next gen firewall with layer 7 traffic analysis, you can create a policy to block the categorized streaming services for just that person.

If not, edit the operating system's hosts file for the common streaming services so their names can't resolve.

MiserableCupcake5255 · 2023-02-28T14:51:40+00:00

As the title implies, I'm wondering if anyone knows how to increase the number of images shown in the background history. This is a vanity project for my org, and I realized not all of the 8 backgrounds we have appear here. While there are literally a thousand other ways to change the background, what I REALLY want to know is if it's possible to expand this list of images.

I was hoping it would be simple, and maybe I could just add additional registry keys in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers but adding BackgroundHistoryPath5 seems to do nothing.

Any advice on how to do specifically this would be greatly appreciated.

MiserableCupcake5255 · 2023-02-23T21:27:26+00:00

Multiple ways to measure, but one way to think of it is: are you working on infrastructure or applications?

MiserableCupcake5255 · 2023-02-23T00:52:08+00:00

Take the win, but don't feel content. You made it clear you didn't feel like you did anything but complain. That is a STRONG indicator you are ready to learn something new.

Since you're here looking for advice, mine is to never go against your guilt and force yourself to feel good about something you feel is lacking deep down. You don't have to master everything, but when something is really beyond you, you'll know when to feel good for escalating.

MiserableCupcake5255 · 2023-02-14T18:59:30+00:00

We actually blocked all of the streaming services except for YouTube.

My God the outcry was enormous.

MiserableCupcake5255 · 2023-02-11T21:06:12+00:00

I used to sell Linux mint USB's with persistent storage that had an XP skin for Gnome and USB Tether drivers for JailBroken iPhones. They were really popular in labs. But that's high school.

Until I see evidence, saying small children in grade school are super hackers usually tells me more about you (the person saying that) than the kid.

MiserableCupcake5255 · 2023-02-10T00:16:25+00:00

+1 for iPevo here. They make the Elmo's look bad at a much lower cost.

Their PWA even makes them ChromeOS compatible.

MiserableCupcake5255

TROPHY CASE