# URL AllowList and BlockList

Beginning with Browser version 2.2.x, you can configure an allow list and a block list to control browser navigation and restrict users from navigating to unauthorized websites.

Use the URL blocklist and allowlist to:

* **Allow access to all URLs except the ones you block** - Use the blocklist to prevent users from visiting certain websites, while allowing them access to the rest of the web.
* **Block access to all URLs except the ones you allow** - Use the blocklist to block access to all URLs. Then, use the allowlist to allow access to a limited list of URLs.
* **Define exceptions to very restrictive blocklists** - Use the blocklist to block access to all URLs. Then, use the allowlist to let users access certain schemes, subdomains of other domains, or ports.
* **Allow Browser to open apps directly on the device** - Allow specific external protocol handlers so that Browser can automatically open certain apps.

{% hint style="info" %}
If the block list is not set, users will have unrestricted access to websites, as your network allows.
{% endhint %}

The behavior for this configuration is as follows:

* If the block list is defined, Browser will attempt to match the URL with the items in the block list.
* If a URL is "blocked", Browser will attempt to match the URL with items in the allow list. If a match is found in the allow list, access to the URL will be granted; otherwise, the user will be redirected to an access denied page.

Both block list and allow list configurations use **Java Regular Expressions** to match URLs the user attempts to load. Depending on the form of the configured regular expression, Browser determines a "match" using the following logic:

* If the filter contains a scheme, e.g. `chrome://.*`, Browser will perform a **regex match on the entire URL**.
* If the filter contains a host only, e.g. `play.google.com`, Browser will perform a regex match on the **host section only.**
* If the filter contains a port number, e.g. `:8080` or `192.168.1.3:8080`, Browser will perform a regex match on the **host and the port number.**

## Use Cases

### Allow access to all URLs except blocked

If the user is allowed to access all sites except `facebook.com` and `twitter.com`, the configuration will be set up as follows:

```json
"browserRestrictions": {
    "blockList" : [
        ".*facebook.com",
        ".*twitter.com"
    ],
    "allowList" : []
} 
```

Since the `allowList` is empty, Browser will allow all sites except the ones that match an entry in the `blockList`. In the above example, `facebook.com` and `twitter.com`, along with all of their subdomains, will be blocked, while everything else will be allowed.

### Block access to all URLs except allowed

If the user will only be allowed to access URLs you define, the configuration will be set up as follows:

```json
"browserRestrictions": {
  "blockList" : [
    ".*"
  ],
  "allowList" : [
    "chrome://.*",
    "^login.microsoftonline.com",
    "^play.google.com",
    ".*\\.bluefletch.com"
  ]
}
```

The `blockList` is defined with an "all" regex pattern, so by default every website is marked as blocked unless it matches an entry in the `allowList` section. In this example, the following sites will be permitted:

* sites that contain the protocol `chrome://`
* sites with hostnames starting with `login.microsoftonline.com`
* sites with hostnames starting with `play.google.com`
* sites from `bluefletch.com` or any of its subdomains, e.g. `support.bluefletch.com`
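
To check a pattern set before deploying it, the following added example (not BlueFletch code) models the block-then-allow decision and the three matching rules described above, using Java regular expressions. It assumes unanchored `find()` matching, as the "starting with" wording suggests, and that a filter is classified by its own text; the class name, the anchored pattern variant and the test URLs are constructed for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not BlueFletch code: models the documented block-then-allow decision.
public class UrlFilterCheck {

    // Assumption: a filter is classified by its own text, following the three matching rules.
    static String target(String filter, URI u) {
        String host = u.getHost() == null ? "" : u.getHost();
        if (filter.contains("://")) return u.toString();                   // scheme: entire URL
        if (filter.matches(".*:\\d+.*")) return host + ":" + u.getPort();  // port: host and port
        return host;                                                       // host section only
    }

    // Assumption: unanchored find() semantics, as the "starting with" wording suggests.
    static boolean anyMatch(List<String> filters, URI u) {
        for (String f : filters) {
            if (Pattern.compile(f).matcher(target(f, u)).find()) return true;
        }
        return false;
    }

    static boolean allowed(List<String> block, List<String> allow, String url) {
        URI u = URI.create(url);
        if (!anyMatch(block, u)) return true;  // not blocked: access granted
        return anyMatch(allow, u);             // blocked: granted only on an allow list match
    }

    public static void main(String[] args) {
        List<String> block = List.of(".*");
        List<String> documented = List.of("chrome://.*", "^login.microsoftonline.com",
                "^play.google.com", ".*\\.bluefletch.com");
        // Stricter variant (constructed): dots escaped, host patterns anchored at both ends.
        List<String> anchored = List.of("^chrome://.*", "^login\\.microsoftonline\\.com$",
                "^play\\.google\\.com$", "^(.*\\.)?bluefletch\\.com$");
        // Constructed URLs; example.net stands in for any unrelated domain.
        List<String> urls = List.of(
                "https://play.google.com/store",
                "https://support.bluefletch.com/",
                "https://play.google.com.example.net/",
                "https://www.bluefletch.com.example.net/",
                "https://example.net/");
        for (String url : urls) {
            System.out.printf("%-42s documented=%-5b anchored=%b%n", url,
                    allowed(block, documented, url), allowed(block, anchored, url));
        }
    }
}
```

Under these assumptions, the patterns as documented also grant access to the two hosts that merely begin with an allowed name, while the anchored variant grants only the intended hosts. Adding a trailing `$` and escaping literal dots in host filters closes that gap.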

## Logging

If using the Support Agent, Browser will log all attempted navigation to blocked URLs.

{% hint style="info" %}
This feature requires Browser 2.2.1 or greater and Launcher 3.20.14 or greater.
{% endhint %}
