URL AllowList and BlockList

Beginning Browser version 2.2.x, you can now configure an allow list and block list to control browser navigation and restrict users from navigating to unauthorized websites.

Use the URL blocklist and allowlist to:

Allow access to all URLs except the ones you block - Use the blocklist to prevent users from visiting certain websites, while allowing them access to the rest of the web.
Block access to all URLs except the ones you allow - Use the blocklist to block access to all URLs. Then, use the allowlist to allow access to a limited list of URLs.
Define exceptions to very restrictive blocklists—Use the blocklist to block access to all URLs. Then, use the allowlist to let users access certain schemes, subdomains of other domains or ports.
Allow Browser to open apps directly on the device - Allow specific external protocol handlers so that Browser can automatically open certain apps.

If the block list is not set, users will have unrestricted access to websites, as your network allows.

The behavior for this configuration is as follows:

If the block list is defined, Browser will attempt to match the URL with the items in the block list.
If a URL is "blocked", Browser will attempt to match the URL with items in the allow list. If a match is found in the allow list, access to the URL will be granted; otherwise the user will be redirected to an access denied page.

Both block list and allow list configurations use Java Regular Expressions to match URLs the user attempts to load. Based on configured regular expression, Browser determines "matches" based on the following logic:

If the filter contains a scheme, e.g. chrome://.*, Browser will perform a regex match on the entire URL.
If the filter contains a host only, e.g. play.google.com, Browser will perform a regex match on the host section only.
If the filter contains a port number, e.g. :8080 or 192.168.1.3:8080, the Browser will perform a regex match on the host and the port number.

Use Cases

Allow access to all URLs except blocked

If the user is allowed to access all sites except facebook.com and twitter.com, the configuration will be setup as follows:

"blockList" : [
    ".*facebook.com",
    ".*twitter.com"
],
"allowList" : []   //leave unset

Since the allowList is unset, Browser will allow other sites, except for the ones that match in the blockList. In the above example, facebook.com and all of its sub-domains will be blocked, and all of twitter.com and its subdomain will be blocked, while everything else will be allowed.

Block access to all URLs except allowed

If the user will only be allowed to access URLs you define, the configuration setup will be as follows:

"blockList" : [
    ".*"
],
"allowList" : [    
   "chrome://.*"
   "^login.microsoftonline.com",
    "^play.google.com",
    ".*\.bluefletch.com"
]

The blockList is defined with an "all" regex pattern, so by default all websites will be marked to be blocked, except if they're defined in the allowList section. In this example, the following sites will be permitted.

sites that contain the protocol chrome://
sites with hostnames starting with login.microsoft.com
sites with hostnames starting with play.google.com
sites from bluefletch.com or any of its subdomains, e.g. support.bluefletch.com

Logging

If using the Support Agent, Browser will log all attempted navigation to blocked URLs.

Feature requires Browser 2.2.1 or greater and Launcher 3.20.14 or greater.

PreviousFIDO2 / Webauthn Support NextTechnical Guide

Last updated 1 year ago