browser - Preventing the installation of Chrome Addons

06
2014-04
  • Oxinabox

    Every time I visit home (only twice a year), I find my younger (teenaged) sister, has managed to give her computer a "virus". Almost inevitably this isn't true virus, but is a malicious browser extension adware. They have popups, and change the search provider and homepage.

    Most recently is was ShopperPro, I believe these are largely being installed by her installing freeware that bundles them "Free" extras. and installed them as part of its installer. Similar to the Free Tool bar plague that was (still is?) common back with IE6.

    Is there a method I can use to block the installation of Browser Extensions? My sister is not a technically adept person, she's never used a browser extension intentionally, and probably never will.

    I would rather not give her a restricted account, on her own computer. I have no desire to be her full time system administrator, just to reduce my work when I visit. Possibly a extension exists which makes all other extentions installed, be initially set to disabled?

    My current idea is to rename the Chrome (Safe-Mode), to Chrome so that she can only start it in safe mode, but not being a chrome user myself I don't know if that will have other side effects.

  • Answers
  • Rob W

    You can prevent Chrome from loading existing extensions, or installing new extensions by appending the --disable-extensions flag to the command that launches Chrome (e.g. via the properties of the shortcut icon):

    chrome.exe --disable-extensions
    

    To override the homepage, you could append the --homepage=<URL> flag:

    chrome.exe --disable-extensions --homepage=https://encrypted.google.com
    

    You could also try to set up an administrative policy to disable extensions (see documentation). It might be more flexible, but I can imagine that malware developers would modify these policies themselves.

    Your sister has probably more to worry about if she blindly installs adware/malware. Some education about the risks of her behavior might be more effective than disabling extensions in Chrome.

  • Andalur

    You could use Spybot: Search & Destroy, which has a browser protection feature. It also protects the start page from being changed. You could also use Ninite to install and update some of the most popular freeware and open-source software adware-free.

    I think the best way would be to change to firefox, since the opt-in feature is relatively foolproof (this window appears every time a external application installed an addon and if the user doesn't opt in the addon gets deleted): firefox addon confirmation dialogue However I've heard that some malicious adware manipulates this dialogue, but this seems to be quite rare.

  • Minh Triet Pham Tran

    I would use Windows Access Control and Permission to prevent installation of Chrome extensions to Chrome's folder by removing the Write and Modify permissions of user accounts to this folder:

    In Windows Vista/7/8, the folder is at this path:

    %userprofile%\AppData\Local\Google\Chrome\User Data\Default\Extensions


  • Related Question

    browser - Is there a NoScript alternative for Google Chrome?
  • Steve Wright

    I love using Google Chrome, but I don't like visiting sites that have embedded ads/pages that could have malicious JavaScript. Is there something like the Firefox extension, NoScript, for Google Chrome?


  • Related Answers
  • David Pearce

    Check out Privoxy. Lifehacker has a great guide on how to set it up.

    Privoxy supports stripping ads, Javascript and nasty pieces of HTML, as well as string-replacement for any web browser. I have used it in the past and I did not notice a speed difference.

  • Costin Gușă

    ScriptSafe has come out recently, and beats NotScripts.

    A simple extension that brings some of NoScript's functionality to Chrome while emphasizing simplicity and intuitiveness (no affiliation to NoScript):

    • whitelisting/blacklisting functionality and granular control
    • actually speeds up browsing because it removes a lot of unwanted content
    • ability to remove <SCRIPT>, <OBJECT>, <EMBED>, <IFRAME>, <FRAME>, <APPLET>, <AUDIO>, <VIDEO>, <NOSCRIPT>, and <IMG> elements, as well as webbugs
    • ability to block unwanted content (MVPS HOSTS, hpHOSTS (ad / tracking servers only), Peter Lowe's HOSTS Project, MalwareDomainList.com, and DNS-BH – Malware Domain Blocklist are integrated!)
    • ability to block click-through referrer data
    • "intuitive" icon that changes based on whether or not a page is whitelisted/blacklisted/bypassed
    • shows number of blocked/removed items in toolbar
    • shows blocked/allowed items in tab details popup (along with item type)
    • bulk import domains into whitelist and blacklist
    • option to temporarily allow a page/temporarily allow all blocked items
    • choose the default mode (Block All or Allow All)
    • option to preserve same-domain elements
    • option to disable automatic refresh of pages after whitelisting/blacklisting/temp. bypassing a page

    EDIT: It now takes advantage of the new Content Blocking API in Chrome 17 to block accurately and very, very fast. The above feature set is old, BTW, but I can't be bothered to update it. ;)

  • Rafal

    There's a great extension called NotScripts that is based on FF NoScripts

  • zmee

    Check out the response from the NoScript developer as to why NoScript has not been ported to Chrome:

    The reason is very simple: Chrome is still lacking the required infrastructure for selective script disablement and object blocking.

    As a result, you can either block ads or turn off all scripting/plugins - there is no way to white list some sites for scripting/plugins and block others.

  • MESLewis

    You can use a startup parameter for your shortcut to block java, java script, images, and plugins by appending one of the following to the end of your google chrome shortcut:

    Java : "-disable-java"

    Java script : "-disable-javascript"

    Plugins : "-disable-plugins"

    Images : "-disable-images"

    Taken from Lifehacker here.