question/suggestion: centralized custom filter/whitelist settings?

[jdsemma]

Background: I have a number of Chromebooks under managed enrollment in a Google Apps domain. I'd like to push uBlock Origin out to all of them (which we can easily do), but I'd also like to be able to create our own custom filter (actually mostly whitelists) and also push that out to all of the Chromebooks. If the app/extension is set up to support a config file, we can easily do that through Google Apps as well.

Can this be done, and if not currently, can it be put on the feature request list?

(Edited to add: more info on config files here: http://www.chromium.org/administrators/configuring-policy-for-extensions)

[gorhill]

If I understand correctly what you want to accomplish, it's already supported in Firefox. However for Chromium-based browsers, I have been waiting for such request so that I can test the code I need to hook to chrome.storage.managed.

I will let you know when I have something.

[jdsemma]

Yes, exactly. Thank you for considering this! And yes, obviously, for use on Chromebooks this is Chromium-based (although I have no idea where the config file is stores on ChromeOS.)

[gorhill]

Implemented in 1.3.2b2. I will need you to validate whether this works, I do not have the environment to test this.

[jdsemma]

I tested, but can't tell if my test config file isn't right (although it loads without error), or if this isn't working.

For a test config file, I went to uBlock options (after adding specific things to the whitelist) and did 'backup to file'. I then loaded that file into the Chrome App Management tool, and forced the app to auto-install to a specific testing user. The user gets the app just fine, but only with the default config. The config I installed isn't being pushed across.

Thinking after reading more that the config will only look for "adminSettings", I made a new config file like this:

{
"timeStamp": 1446240370977,
"version": "1.3.2",
"adminSettings": {"colorBlindFriendly": true }
}

That's it. I loaded that, no errors, but the config isn't being pushed out. Confirmed via chrome://policy that no policies are being loaded for uBlock Origin.

(Ideally I'd like to be able to push a custom netWhitelist addition, but I'll be satisfied with being able to add to externalLists.)

[gorhill]

Thinking after reading more that the config will only look for "adminSettings", I made a new config file like this:

That's not a valid backup file, it contains nothing of value for uBO. Try:

{
    "userSettings": {
        "colorBlindFriendly": true
    }
}

What I did is:

• Open a backup file created from clicking the uBO's "Backup to file".
• Remove all entries which are not to be overwritten.

Now, assign the resulting string (it must pass as a valid JSON string) to the entry adminSettings in the managed storage. That last part I am assuming admins know how to to this, I don't know myself, I just read from the managed storage (it's read-only from an extension's point of view).

[jdsemma]

I am guessing wildly as to how to set up the config file, based on the example given at http://www.chromium.org/administrators/configuring-policy-for-extensions.

I've tried

{ "adminSettings": { "Value": [ { "userSettings": [ {"colorBlindFriendly": true } ] } ] } }

(after running that through jsonlint to make sure it's valid), and.... no value is being assigned to adminSettings.

[gorhill]

The value of adminSettings is supposed to be a valid JSON string, I see it is set to an array of one object in your snippet. A valid JSON string of what you are trying is:

{ "userSettings": { "colorBlindFriendly": true } }

This must be used as a literal string, i.e. the type of Value needs to be string.

(there was a typo in my above example, I just fixed it).

[jdsemma]

So:

{ "adminSettings": { "Value": { "userSettings": {"colorBlindFriendly": true } } } }

?

Tried that, still says no policy set.

[gorhill]

Ok, I followed the doc for Linux at the link you posted above, and it worked here. I created a JSON policy file name ublock0.json in /etc/opt/chrome/policies/managed/, and this is the content of the file:

{
  "3rdparty": {
    "extensions": {
      "cjpalhdlnbpafiamejdnhcphjbkeiagm": {
        "adminSettings": "{ \"userSettings\": {\"colorBlindFriendly\": true } }"
      }
    }
  }
}

Then I restarted Chrome, and the "Color blind friendly" setting was checked. For other OS, I can't tell.

Notice how the value of adminSettings is a JSON string, for which double-quotes needed to be escaped -- because the string is itself used as a JSON string value.

This is what Chrome's chrome://policy showed after restart:

[gorhill]

Note that as mentioned, I rely on feedback to fine-tune this, and I think I will also offer the ability to encode the value as plain JSON -- not force a stringified JSON, to enable not having to escape double-quotes.

[jdsemma]

Sounds like. I tried this:

{ "adminSettings": { "Value": { \"userSettings\": {\"colorBlindFriendly\": true } } } }

and still no dice.

[gorhill]

Your JSON does not pass validation.

Try:

{ "adminSettings": { "Value": "{ \"userSettings\": {\"colorBlindFriendly\": true } }" } }

[jdsemma]

Duh. :)

I tried that and..... almost success!

The policy is set, according to chrome://policy. The policy value, literally is

{ "userSettings": { "colorBlindFriendly": true }}

However, in uBlock's options, that setting is NOT set to true. It's still false.

[benwa]

I just tried and got it to work. I am on Windows however and had to actually edit the registry.

Then I went to chrome:policy and clicked reload.

Refreshing the options page didn't do anything, I had to actually disable the extension and then reload it.

Is there an event listener for storage option changes? That would stop the need of reloading the extension.

Also, it seems these settings aren't actually mandatory (or at least the options page UI doesn't indicate it as you can uncheck and it will save).

[jdsemma]

I still can't get userSettings to be set, but I did successfully get a netWhitelist to stay. I loaded this:

{ "adminSettings": { "Value": "{ \"netWhitelist\": \"about-scheme\\nbehind-the-scene\\nchrome-extension-scheme\\nchrome-scheme\\nloopconversation.about-scheme\\nopera-scheme\\npastebin.com\\nMYDOMAIN.com\\MYOTHERDOMAIN.com\" }" } }

(domain names edited to protect the guilty). This did properly load.

[dXcess]

First and foremost - gorhill - thank you for your efforts with this, your contributions are amazing and its a huge help. I'm hoping that I can contribute to this somehow by creating a policy template for Windows users, that will make it easier to manage these settings from Windows.

benwa,
I've tried the same as you via the registry, and just cant seem to get it to work. The policies never load in chrome, no matter what I try. I'm using version 1.3.3. of UBO. Can you share the reg export for this key or help shed some light on what I might be missing?

[benwa]

It could possibly be white space or different quote characters. Before I deployed via Group Policy Preferences, I wrote out the preferences here and then used Minify to set it all to one line.

[IRainman]

It is necessary .admx and .adml files for use in the GPO on Windows, without setting through the policy files in the Chrome settings do not work and do not apply :(

[killebrewj]

This is great! I was able to deploy a custom whitelist to some Chromebooks and Chrome browsers.

The only thing is if I change the policy and the browser receives the new policy, uBlock doesn't actually use the new settings until the next time the browser starts up or you can force it by reloading the extension (as benwa said). Is there any way to have it periodically check and apply the currently loaded policy?

Or is it possible I was just being too impatient?

[edlisten]

I am a GAFE admin with managed Chromebooks that I would like to deploy uBlock Origin to. I have pushed the extension out to users, and created the custom JSON file, but I am missing how do I distribute the JSON file out to all the users?

[gorhill]

I have a Chrome dev version for testing, and I use a policy on it to validate that policy settings work:

I actually forgot how I created this entry... You are probably better placed than me to figure this. But as you can see, the value is adminSettings, and the value must be a JSON-valid string which matches the output you get when creating a backup of the settings, minus the entries which you do not want to enforce on all users.

[killebrewj]

If you're using Google Apps, you need to deploy the extension to your users by navigating to Device management > Chrome > Chrome App Management

Once added, click the app and expand User settings. Pick the OU, Force Install and click UPLOAD CONFIGURATION FILE and then select the text file containing the json configuration.

The json is not necessarily a full config dumped from uBlock. Ours is just a simple whitelist. This is the full content of our configuration file. It's a bit ugly having to nest json inside json and it might get messy with a large whitelist.

{ "adminSettings": { "Value": "{ "netWhitelist": "about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nloopconversation.about-scheme\nopera-scheme\ndomain.com\nanotherdomain.org\ndomain.ca.us" }" } }

[edlisten]

Ahh, the missing link. I was installing the extension from the user
settings and never even knew about chrome app management. Thank you.
On May 26, 2016 7:08 PM, "killebrewj" notifications@github.com wrote:

If you're using Google Apps, you need to deploy the extension to your
users by navigating to Device management > Chrome > Chrome App Management

[image: image]
https://cloud.githubusercontent.com/assets/15217481/15592725/f67f8bf2-235a-11e6-94bd-b3374e2bfbe2.png

Once added, click the app and expand User settings. Pick the OU, Force
Install and click UPLOAD CONFIGURATION FILE and then select the text file
containing the json configuration.

[image: image]
https://cloud.githubusercontent.com/assets/15217481/15592789/6e054342-235b-11e6-8724-58b01568c20f.png

The json is not necessarily a full config dumped from uBlock. Ours is just
a simple whitelist. This is the full content of our configuration file.
It's a bit ugly having to nest json inside json and it might get messy with
a large whitelist.

{ "adminSettings": { "Value": "{ "netWhitelist":
"about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nloopconversation.about-scheme\nopera-scheme
ndomain.com\nanotherdomain.org\ndomain.ca.us" }" } }

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#832 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AGgLT_c9PRw64Hgp09qURWzrgD6ZJ1cpks5qFigCgaJpZM4GPsyO
.

[edlisten]

@killebrewj I am almost there. I was able to create a JSON, file upload it and have it show up in chrome://policies. I have restarted the Chromebook and reloaded the extension, but I don't see any of the sites I have added in the whitelist of uBlock Origin.

[gorhill]

Did you check your JSON string with a JSON validator^[1] to be sure it's properly formed?

[1] http://jsonlint.com/, http://codebeautify.org/jsonvalidate, etc.

[edlisten]

The JSON file appears to be working: And we did get colorblind setting to
work.

{ "adminSettings": { "Value": "{ "netWhitelist":
"about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nloopconversation.about-scheme\nopera-scheme\nforbes.com\nespn.go.com"
}" } }

Bjorn Behrendt M.Ed ~ Never Stop Learning

• bj@edlisten.com bj@edlisten.com | **Blog: *Edlisten.com
  http://edlisten.com/

On Tue, May 31, 2016 at 9:07 AM, Raymond Hill notifications@github.com
wrote:

Did you check your JSON string with a JSON validator[1] to be sure it's
properly formed?

[1] http://jsonlint.com/, http://codebeautify.org/jsonvalidate, etc.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#832 (comment), or mute
the thread
https://github.com/notifications/unsubscribe/AGgLT75Oz6n8_F3Oi0odP2lRn6tRdy16ks5qHDJ8gaJpZM4GPsyO
.

[gorhill]

Probably the \n in the inner JSON should be \\n. Double-encoding a JSON string is tricky.

[guygg]

Just stumbled upon this thread while implementing policy settings to start pushing out uBlock to replace ABP across all our Chromebooks. With a little fiddling, was able to push multiple settings and the netWhitelist with multiple domains. One question, though, is if there's a way to push out whitelist domains that doesn't replace the user's whitelist settings? When I push out a couple domains via the netWhitelist value, it replaces the entire list rather than appending/updating existing ones. For anybody else's benefit, here's the JSON I'm using in testing that has a couple user settings as well as a couple example whitelist domains:

{ "adminSettings": { "Value": "{ \"userSettings\": {\"colorBlindFriendly\": true, \"cloudStorageEnabled\": true }, \"netWhitelist\": \"hellointernet.fm\\nwikipedia.com\" }" } }

[gorhill]

Please use the encoder tool to avoid mistakes. Your string is not correct, the filterLists property is not a member of the userSettings property (look in a backup file), you removed too many curly brackets (the tool won't catch that though) -- it just validates JSON):

{
  "userSettings": {
    "autoUpdate": true,
    "colorBlindFriendly": true,
    "filterLists": {
      "assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt": {
        "off": true
      }
    }
  }
}

Try:

{"filterLists":{"assets/ublock/experimental.txt":{"off":true},"assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt":{"off":true}}}

Which decoded is:

{
  "filterLists": {
    "assets/ublock/experimental.txt": {
      "off": true
    },
    "assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt": {
      "off": true
    }
  }
}

[JPT62089]

Ha! I did not see that tool! Thank you, @gorhill! Much appreciated. Unsurprisingly, it works now :D

[NoSubstitute]

Sorry for maybe asking in the wrong place, but is there some guide anywhere how to export the settings and then push them to users? I don't want to whitelist anything (right now), but I do want to enable Dan Pollock's host file for everyone. I found where to export settings from one browser, but do I really need to push all that? Isn't it enough to push the diff from the default settings?

[gorhill]

how to export the settings and then push them to users?

On top of the existing settings or to replace the existing settings?

[NoSubstitute]

Since this will be for people who have never before used it, the primary objective would be replace. If it has to be done again, some time in the future, I think I still feel replace would be the proper approach. Don't you?

[gorhill]

Entries in adminSettings will replace current settings, but every time the extension starts -- is this what you need?

[benwa]

Personally, I prefer the approach of if it's not defined in the policy, use defaults or user settings. That follows in line with Chrome's (and Group Policy-like systems) methods.

[gorhill]

There is this: https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin.

With 1.11.0, selecting filter lists will be much more simple -- it will be the selectedFilterLists array entry in the backup file.

[KTac]

Can someone help me please. I'm losing my mind trying to get this working on Windows. I am not using Group Policy and I do not currently have the Chrome administrative template installed. I'm unclear if this is required but I wouldn't think so. This is for a local machine that will be accessed by many users. I have manually set the necessary registry entries like so.

The extension installs automatically just fine but for my life I can't get the policy to take effect. I tried a much more detailed set of settings at first but after I couldn't get those to work I decided to just try one non-default setting which is what you see above.

The string I used for adminSettings is:
{"userSettings":{"colorBlindFriendly":false}}

I ran the original code through a JSON validator and then ran it through @gorhill's encoder tool to get it to a single line, so I'm pretty sure the formatting of the string is not the problem. What am I missing?

[gorhill]

The string I used for adminSettings is:
{"userSettings":{"colorBlindFriendly":false}}

The default value for colorBlindFriendly is false, so your adminSettings won't change anything.

[KTac]

Wow, I can't believe I did that. I changed the value to true and still nothing. Either way, shouldn't the fact that the extension is installed and the properly formatted registry value exists cause the policy to show up as enabled under chrome://policy?

[gorhill]

Yes, it should show in chrome://policy. I am not in a position to help here, I do not have Windows and can't test stuff. According to this comment above, I can't see anything wrong in your screenshot.

[gorhill]

Actually, the user who succeeded in making it work is using HKEY_CURRENT_USER while I see you are using HKEY_LOCAL_MACHINE.

[NoSubstitute]

I think he's using HKEY_LOCAL_MACHINE because he wants the policy to run for all local users.

[pcurb23]

Thank you so much for implementing this for us poor overworked security conscious admins. It worked flawlessly on the first try after following the writeup @ https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin
We deployed a reg key to HKLM and used the handy tool here to convert the string to JSON.

[najamss]

Hi @benwa,

I know, it's an old post but do you know how can I do the same for Privacy Badger, what you suggested for UBlock Origin via GPO?

[benwa]

@najamss With a quick look at chrome://policy, it doesn't seem like Privacy Badger supports policies. If you want them to, I'd file an issue here. If you need to implement now, I'm fairly certain uBlock Origin will accomplish the same thing.

[najamss]

@benwa

Thanks a heap for looking in to it. In fact, we have deployed both Privacy Badger and UBlock Origin. They both are blocking AddThis share buttons on our websites; therefore, I wanted to add our required domains to their whitelist domains

[joavaran]

@gorhill: How would you do the same adminsettings for MACos with plist? Is there a converter I can use?
So in ublock backutp to file and use a converter? or use a reg -> plist converter?

[Alcon835]

First: this thread has been a HUGE help! I still have an issue related to this:

If I "pause" uBlock Origin on a page and then reset chrome, the policy settings will overwrite whatever pages I've paused. If I don't have the adminSettings registry item, it won't overwrite the pages I've paused.

Is this expected behavior and is there a work around that allows me to push the whitelist to all computers without overwriting a user's personal pause/white list?

[kingio]

I did the same as @KTac second screen on W10 Home Edition and didn't work. I don't know why nobody is sharing a reg file to make things easier, so i'm sharing the one that i'm doing:
ublock.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\policy]
"adminSettings"="{\"userSettings\":{\"colorBlindFriendly\":true}}"

[miruser]

hey kingio

it is very easy. use ublock backup to file function with the settings you want to have.
then use http://raymondhill.net/ublock/adminSetting.html + JSON-encoded settings to be used for adminSettings as a plain string value. Voila... Took me weeks to find this out! Have fun

[kingio]

@miruser i already did that without success (ublock policy space appears in chrome://policy but empty). Could you please export your adminSettings from registry and share it? By selecting the key and then clicking on File -> Export you will have the .reg file that can be opened with notepad itself.

[miruser]

hey kingio..

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\policy]
"adminSettings"="{"timeStamp":1507099983095,"version":"1.14.8","userSettings":{"advancedUserEnabled":false,"alwaysDetachLogger":false,"autoUpdate":true,"cloudStorageEnabled":false,"collapseBlocked":true,"colorBlindFriendly":true,"contextMenuEnabled":true,"dynamicFilteringEnabled":false,"externalLists":"","firewallPaneMinimized":true,"hyperlinkAuditingDisabled":true,"ignoreGenericCosmeticFilters":false,"largeMediaSize":50,"parseAllABPHideFilters":true,"prefetchingDisabled":true,"requestLogMaxEntries":1000,"showIconBadge":true,"tooltipsDisabled":false,"webrtcIPAddressHidden":false},"selectedFilterLists":["plowe-0","malware-1","malware-0","easyprivacy","easylist","ublock-unbreak","ublock-privacy","ublock-badware","ublock-filters","user-filters"],"hiddenSettingsString":"assetFetchTimeout 30\nautoUpdateAssetFetchPeriod 120\nautoUpdatePeriod 1\nignoreRedirectFilters false\nignoreScriptInjectFilters false\nmanualUpdateAssetFetchPeriod 2000\npopupFontSize unset\nsuspendTabsUntilReady false\nuserResourcesLocation unset","netWhitelist":"","dynamicFilteringString":"behind-the-scene * 3p-frame noop\nbehind-the-scene * 3p noop","urlFilteringString":"","hostnameSwitchesString":"","userFilters":"","filterLists":{"assets/thirdparties/pgl.yoyo.org/as/serverlist":{"off":false},"assets/thirdparties/mirror1.malwaredomains.com/files/justdomains":{"off":false},"assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt":{"off":false},"assets/thirdparties/easylist-downloads.adblockplus.org/easyprivacy.txt":{"off":false},"assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt":{"off":false},"assets/ublock/unbreak.txt":{"off":false},"assets/ublock/privacy.txt":{"off":false},"assets/ublock/badware.txt":{"off":false},"assets/ublock/filters.txt":{"off":false},"assets/user/filters.txt":{"off":false},"assets/ublock/experimental.txt":{"off":true}}}"

[mcgituser]

hey gorhill,

Thanks for all the hard work and info here. I was wondering if you've had a chance to work on merging the user's setting and the adminSettings?

We are looking to push an initial set of sites for whitelisting and then let the users add to it as they please going forward. Can you think of a good what to do that? I was thinking perhaps if there was a local configuration file that we can modify and push out during the deployment that contains a set of predefined whitelists and can be added to the users, that would work. Let me know your thoughts.

Thanks again

[jhavens12]

I've read all these comments and am still having issues uploading a simple whitelist to GAFE for my users. This is the string I'm trying to use:

"{ \"netWhitelist\": \"https://www.pbisassessment.org\" }"

Am I missing something here?

[Bangaio65]

On Chromium Edge, the registry location is:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge\3rdparty\extensions\odfafepnkmbhccpbejgmiehpchacaeak\policy
(It seems to get ignored if set in HKLM)
EDIT: actually it works on HKLM, it's just for some reason you need to open Edge, close it, then re-open it once more for these settings to apply (or at least show up in uBlock's GUI)

Now a question: is there a way to have the settings stored in a file like in Firefox? So I could point to that file (stored in the network) and not have to edit settings in two places in case I want to change a setting.