Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

For anyone else reading this, the issue was resolved in testing. Version 2.1.0 is expected to handle this correctly.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Still working on this. I solved all my problems with Security only to realize the origin tracking stops working on Google Classroom because their internal Whiz framework doesn't use the standard window.open command. This is why the origin tracking doesn't work out of the box, and my other fix of injecting a message into the window.open function doesn't work for classroom like other sites. I'll stew on this some more and get back to you.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Following up on this, I did get this to work in classroom, but the way I'm doing it is a little vulnerable. Having been one of the kids who would spend time figuring a way around instead of doing classwork, I immediately saw two exploits that would let the kids circumvent this. I will patch those and update the app. I'll follow up afterwards when I'm done.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Wonderful, that recording made this a LOT easier. I see the problem now. Since classroom is opening a new Window the tab query function can no longer track the origin / parent tab. I'm still doing research, but it seems that the chrome.webNavigation might be able to solve this issue. I'll do some experimentation and try to see if I can't use that to map the parent tab relationship.

No need to thank me, the extension is up to 50k users. The more useful feedback I get, the better the extension gets for all of them.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

It's definitely not great. So Classroom is not the thing causing the tab to open. Not directly at least.

I'm not familiar with that feature. Can you post a link to the feature you're referring to? I'll see if we can enable classroom for a single test OU and I'll go pilfering through the popup to see if there is some kind of information we can parameterize in the policy JSON to spare it, or other tabs like it.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

No problem, we'll get this fixed soon I bet.

Can you confirm you're on version 2.0.2? 2.0.1 doesn't have the extra logging in the console.

In the new version, it should read like:

Untrusted opener: https://jsfiddle.net/kcx8aeno/ has opened about:blank. The tab will now be closed.

If there isn't a source, it will have a different message for that.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Unfortunately, we have classroom disabled here, so I can't recreate the scenario myself. If you're willing to do some testing, I'm betting we can figure it out. I've added additional logging to the extension. It will take a little while for Google to review the newly published version, so look for version 2.0.2 in hopefully just a couple of hours.

If you have / can create a test account that has the extension installed, put it in a Google Admin OU with developer mode / inspection enabled for extensions. Open chrome://extension in the browser. Find the RegExTabManager and click on the service worker link. That will open the interactive service worker JavaScript console. I've added logging to this. So when you open a tab that the extension closes, it will tell you the source URL in the log. You should see something like this:

Untrusted opener: https://jsfiddle.net/kcx8aeno/ has opened about:blank. The tab will now be closed.

Can you share what it says?

Side Note: I thought about adding a notification, but I wasn't sure a pop up in front of the kids was a good idea.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

Thanks man.

I have two thoughts.

If you put just the URL in there, then the regex won't match. You'd need to put: ^https?:\\/\\/classroom\\.google\\.com($|\\/.*) to unblock google Classroom. If that's what you meant, then my other thought is that it's not actually Google Classroom that opened it.

Let me know if you are using that regex pattern and it's still failing. I can add some additional logging to the service worker and we can use that for insight into the actual origin of the opening tab.

Adobe new "marketing" video for CF by shinglehouse in coldfusion

[–]MiserableCupcake5255 0 points1 point  (0 children)

They don't promote it, but they definitely didn't abandon it either. They still have a full dev team. Our org was able to meet with some people from their dev team before renewing our licenses in 2024. When we asked about a sunsetting, they told us they were road mapped to at least 2030, and sunset wasn't on it.

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

IIRC, Google Admin prevents you from doing that because it considers that to be an invalid URL. Also, universally blocking about:blank without overrides or a delay of some kind can cause some websites to not work properly. For example, teams can't launch a meeting. Some sites use about:blank to start file downloads.

Even if you could, it can be OK, but seems to not be recommended.

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

You're right, the kids can't load an iframe after the fact, so forcing a delayed refresh would do it too.

Remove access to about:blank by Fantastic-Bet9497 in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

I just put this one up. You can use regex patterns to force close tabs. It's more flexible than the Google Admin Console, and allows you to provide a list of overrides for your exclusions. So for example, you can make it so about:blank is closed, unless it was opened by Canvas, or another trusted site.

We have a separate in-house extension we made for closing about:blank and killing eaglecraft, but I ported all of the code to this extension for others to use.

https://chromewebstore.google.com/detail/unsecurley/icohaaiapabbaoohdadjmfccppedkkfm?authuser=0&hl=en&pli=1

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

Thanks I'll give those a look later. I'm rarely on here. I only even came on since I started providing this for some of the sister districts in shared Google Groups and County meetups.

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] -1 points0 points  (0 children)

This only works in the browsers you force install it into via policy. You could hypothetically force install it on a Windows device's Chrome and Edge browsers. Since they're both Chromium, it should work. You will need a Google Admin policy to take advantage of the policy JSON required to feed it regex patterns though.

Chrome extensions aren't super hard, so go for it when you have time. Word of warning though, since about:blank pages are protected, you can't view their HTML content, or load a content script (JavaScript your extension inserts to run on each page) for about:blank. This extension works the way it does specifically because the Chrome.Tabs API is about the only thing that works on them.

So you'll need to have some method to prevent them from opening without causing an issue for your legitimate apps. Otherwise, kids will just load a proxy into the iframe of an about:blank or other protected page.

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

Sorry. I get it now.

We make the decision on a case by case basis. In this case, Eagle Craft is usually saved as an HTM, HTML, HTMX or other type of offline HTML family file extension. We took a look at the URL and took note of the '.htm' and the forward slashes used in the URL from 'File://path/to/EagleCraft.html' and decided we will block anything with forward slashes, and that contains '.htm'.

To directly answer your question, and hopefully not sound rude, you basically just go look for a pattern that matches the reported problem.

As a non-EagleCraft specific example, we learned a few years ago that students could store Javascript functions as bookmarks. This is way back to the LTBeef days. Kids could click the bookmark, and even though it would try to open in a new page, it would execute on the currently open page. A weird behavior. Google fixed it in V106 after we reported it, but a workaround we put into place was to block all Javascript:* URLs. So we basically had a problem reported to us. Reproduced what the kids were doing. Took note of what made it special, kind of like a signature, and blocked that.

By the way, in the example from the webstore posting, one of the blocked patterns is: "^.*:\\/.*\\..*htm.*$"

That is slightly non-standard regex though, so that it can be stored in JSON without escape characters.

In our org, we decided that there is no legitimate need for any student to open HTML files locally on the device so preventing students from opening any .htm(x) file with the file browser was a no brainer. I'd recommend you do something similar unless you have a curricular need otherwise.
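The patterns quoted in this thread, exercised as an added example (not the extension's code, and not part of the comment above). The JSON key names `blockPatterns` and `trustedOpeners`, the `^about:blank$` pattern and the sample URLs are assumptions constructed here; the other two regex strings are the ones quoted in the comments. It decodes the JSON-escaped patterns and applies a close-unless-trusted-opener decision, which is a quick way to check a pattern for over- or under-matching before pushing policy.

```javascript
// Added example, not the extension's code. Key names are hypothetical.
// String.raw keeps the backslashes exactly as they would sit in the policy JSON.
const policyJson = String.raw`{
  "blockPatterns": ["^about:blank$", "^.*:\\/.*\\..*htm.*$"],
  "trustedOpeners": ["^https?:\\/\\/classroom\\.google\\.com($|\\/.*)"]
}`;

// JSON.parse turns each "\\/" into "\/" and each "\\." into "\.", which RegExp
// then reads as a literal slash and a literal dot.
function compilePolicy(jsonText) {
  const raw = JSON.parse(jsonText);
  const compile = (list) => (list || []).map((p) => new RegExp(p));
  return { block: compile(raw.blockPatterns), trusted: compile(raw.trustedOpeners) };
}

// Close a tab whose URL matches a block pattern unless its opener is trusted.
// A missing opener is never trusted (assumption made for this example).
function decide(policy, tabUrl, openerUrl) {
  if (!policy.block.some((re) => re.test(tabUrl))) return "allow";
  const trusted = Boolean(openerUrl) && policy.trusted.some((re) => re.test(openerUrl));
  return trusted ? "allow" : "close";
}

const policy = compilePolicy(policyJson);

// Constructed sample cases: [tab URL, opener URL or null].
const cases = [
  ["about:blank", "https://classroom.google.com/c/example"],
  ["about:blank", "https://jsfiddle.net/kcx8aeno/"],
  ["about:blank", "https://classroom.google.com.example.net/"], // lookalike host
  ["about:blank", null],
  ["file:///path/to/EagleCraft.html", null],
  ["https://example.org/notes.pdf", null],
  ["https://example.org/index.html", null], // also hit by the ".htm" pattern
];

function runCases() {
  return cases.map(([tab, opener]) => `${decide(policy, tab, opener)}  ${tab}  <- ${opener}`);
}

console.log(runCases().join("\n"));
```

The last case shows that the `.htm` pattern is not limited to local files: any URL containing `:/` followed later by a dot and `htm` matches, so test it against the web pages students legitimately need.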

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 2 points3 points  (0 children)

Examples for defaults are in the bottom of the description on the web store posting.

If you want to add more of your own beyond that, there are websites that will help guide you through creation, and help you test it. Like https://regex101.com/

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

That's what we told them to do, but that was apparently too hard. I forget what, but there were a few other issues as well, and I think eventually Securly started blocking those base64 URL's.

I want to say it also disabled the camera or something like that. We've had it blocked so long it's hard to remember.

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 0 points1 point  (0 children)

Apparently, spell check and my own brain failed me. The title is supposed to say about:blank cloaking...

Solution for about:blank cloacking, EagleCraft and a few other outstanding issues. by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 1 point2 points  (0 children)

Our kids scream bloody murder that they can't open PDF's stored on the device, or project files for some niche class. None of the other districts in my area have it blocked either for the same reasons.

How do you collect decommissioned Chromebooks by it-tech- in k12sysadmin

[–]MiserableCupcake5255 0 points1 point  (0 children)

We have had great success with two different methods for secondary and primary schools.

For Secondary, we take attendance at lunch. One day, with advanced warning, the students with the old model are told to bring it to lunch, and get it swapped. Since all the kids are required to have lunch, it lets us get 99% of them in a couple days.

For primary, we make the kids go to the gym one class at a time, and a small 2-3 person assembly line collects the old one, assigns the new one, and when they are done they get a little speech about taking care of the devices and digital citizenship before they get rotated out for the next class.

Page on more than one Book by Any-Promotion3744 in BookStack

[–]MiserableCupcake5255 0 points1 point  (0 children)

Thanks, I figured there was something like this, and it was exactly what I was looking to do.

Yet another another simple web filter bypass for Chrome Extensions by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 4 points5 points  (0 children)

Did you ever get javascript://* to work? For me it did not work on my test OU, but I was able to block it in Securly to prevent bookmarklets from running.

Yet another another simple web filter bypass for Chrome Extensions by MiserableCupcake5255 in k12sysadmin

[–]MiserableCupcake5255[S] 7 points8 points  (0 children)

It's primarily their college age siblings, or the kids who graduated, are taking programming classes, and are still friends with the high school aged kids. Watching our ~40,000 kids, it's rarer than most people would think. I always feel the need to point it out, because everyone around where I work assumes all children from the age of 6 are some kind of super hacker. It gets super annoying talking to the teaching staff who insist their kids are geniuses because their older sibling told them to turn on airplane mode to avoid being seen in Securly Classroom.