medensqui
commented
9 years ago I TOLD YOU THAT A WHITELIST WAS THE BEST OPTION MWAHAHAHA.
Oh..Well that sucks
Open thatoddmailbox opened 9 years ago
medensqui
commented
9 years ago I TOLD YOU THAT A WHITELIST WAS THE BEST OPTION MWAHAHAHA.
Oh..Well that sucks
medensqui
commented
9 years ago Oops
thatoddmailbox
commented
9 years ago I'm trying to fool with Chrome and extension blacklists. I probably will post screenshots later today.
thatoddmailbox
commented
9 years ago @nywillb @medensqui I have an idea that lets us install CoursesPlus but blocks other extensions.
To disable Incognito mode, New Lab sets a "policy" on our computer to tell Chrome to remove that option. You can see a list of all the policies Chrome understands here. The policy disabling Incognito is the only one New Lab has set (you can check by going to chrome://policy), but there is nothing stopping them from putting more. Note that we cannot add/remove policies; only New Lab can.
Two policies that seem interesting are ExtensionInstallBlacklist and ExtensionInstallWhitelist.
To test these policies and get screenshots of how it works, I set up a (really tiny) Windows computer network, with two computers (really just virtual machines in the cloud): the server (which has a list of policies, running Windows Server 2012 R2 Datacenter) and a user's computer (running Windows 10 Enterprise).
Yes, it's running Windows, but it works the same on Mac OS X, it will just look different.
I set 3 policies for Chrome:
Installing extensions does not work...
...except for CoursesPlus!
This way, people can install CoursesPlus (or any other extensions New Lab wants to add to the list; ad blockers, password managers, etc.) directly from the Chrome Web Store, but everything else is blocked with a descriptive message. (the current message is something about moving extension data to profile, which might make people think it's a Chrome bug rather than a New Lab block.
Also, setting policies means that there is no easy way to work around the block. (unlike their current method).
We should ask them if they want to use this method instead, as it benefits both of us and is more effective. (maybe too late for this year, but next year?)
thatoddmailbox
commented
9 years ago @nywillb @medensqui I checked, and it seems like these policies cause Chrome to disable the ability to load unpacked extensions.
I am going to check if it is possible to re-enable this, but if it can't, do you think it's better to accept being unable to develop on student laptops or to go with the Java installer?
willbarkoff
commented
9 years ago @thatoddmailbox @medensqui What if the installer unlocked the folder, then asked the user to go to the Chrome Web Store and download CoursesPlus. Once it detected that CoursesPlus is installed, it re locks the extension folder. This would solve all the problems right?
thatoddmailbox
commented
9 years ago @nywillb No, because the user could just download something else.
This is because when the user uninstalls CoursesPlus, Chrome sees that it was automatically installed and puts it on a blacklist. Chrome then blocks future installs of CoursesPlus. This is reasonable, and means that malware can't install an extension right after a user removes it. However, that means that the installer won't work. :cry:
The workaround is to manually unlock the extensions folder, install CoursesPlus from the web store (removing it from the blacklist), uninstall CoursesPlus, re-lock the extensions folder, and run the installer again. If you try to install with a locked folder, it remains on the blacklist.
A better solution would be to have the New Lab set a policy on our computers (like they did to block Incognito mode) including an extension whitelist containing CoursesPlus.
The only other way to get CoursesPlus off the blacklist is to mess with Chrome's internal files (which I tried, but didn't work out).