Deploying an extension using blocking webRequest without GPO

[Adrien C.]

Hello,

We have developed an extension that make use of blocking webRequest (needed to fix page CSPs) and I have question about how our clients can deploy it without GPO.

Some of our clients deploy it using GPO's ExtensionInstallForceList and it works fine, however not all our clients can use that GPO.

We keep a Manifest v2 version of our extension on the Chrome Web Store so that those clients are currently installing it using Registry's HKLM/SOFTWARE/Google/Chrome/Extensions/<id> but Manifest v2 extensions are being phased out and, due to limitation in Manifest v3 API, most of our clients will need a customized version of the extension, which means the extensions will have to be put out of the Chrome Web Store (due to code being mostly the same between each extensions and the CWS policy to not allow too similar extensions).

What is the best way to deploy a Manifest v3 extension, using blocking webRequests, without ExtensionInstallForceList ? (some of our clients may be able to set ExtensionInstallAllowList and ExtensionInstallSources via GPO, others would need to do it via registry).

Are settings pushed via Microsoft Intune considered by Chrome to be at the same level as those set via GPO? (I am thinking about ExtensionInstallForceList that cannot install self-hosted extensions when it is set by hand via regedit).

I cannot experiment with GPOs at work, only with the registry, and so far I haven't found a way: either the extension is installed but deactivated (meaning no more than 5% of the users will find it and activate it) or it fails because of the blocking webRequest...

Best regard

[Peter Bloomfield]

Our extension uses blocking webRequest as well. We've got lots of customers who deploy it successfully via Intune on Windows devices, using the "ExtensionInstallForcelist" key in the registry (note that "list" is lowercase -- it's case sensitive!).

It doesn't matter how the registry key is set. It's entirely possible to do it manually via scripts or regedit, which is what I do quite often during development. However, your device has to be enterprise managed. On Windows, that typically means it has to be domain joined in Active Directory, or enroled in Azure Active Directory.

For unmanaged devices, there may be an alternative approach, depending on your situation. There is a command line option for Chrome which can grant an mv3 extension access to blocking webRequest. You can use it like this:

```

chrome.exe --allowlisted-extension-id=EXTENSION-ID

```

Replace "EXTENSION-ID" with the ID of the extension you're using.

It isn't a permanent setting though. You need to specify that option every time you launch Chrome. Also, I think you probably need to close all existing Chrome windows (and ensure it isn't running in the background) before using it.

[Adrien C.]

Peter,

Thank you for your answer !

Does it also work when installing via HKLM/SOFTWARE/Google/Chrome/Extensions/<id> ? Some clients have extensions installed globally but then only want ours to be installed for a few selected people who have downloaded a specific software from their internal app store, I guess Intune cannot handle that case but if HKLM/SOFTWARE/Google/Chrome/Extensions/<id> works then it is great. Does anybody knows if it works when domain joined ?

Some clients are normally not domain joined, I'll see if setting up a new alias to Chrome may be possible for them...

Best regards

[Peter Bloomfield]

I'm not sure about the "HKLM/SOFTWARE/Google/Chrome/Extensions/<id>" registry key. However, I believe the " --allowlisted-extension-id" command line option for Chrome will work for any extension, regardless of how it was deployed. I regularly use it for extensions which are loaded unpacked during development and testing.

For clients managed by Intune, try looking into a feature called "Intune Company Portal". It provides a way for end-users to install optional software and configuration on-demand, instead of deploying it automatically. I've never used it to manage extensions myself, but I imagine it work would. It could perhaps run a Powershell script which writes the force-install registry entries on-demand.