The web-filter provided to all schools in Ireland enabled, this September, a check on all web-searches to force users to enable SafeSearch in Google, YouTube and Bing. It didn’t enable it for them, just prevented searches when it wasn’t enabled, so when teachers and students tried to use “the Internet” I began to get calls telling me “the Internet’s not working”. In fairness to the PDST, the instructions were fairly (though not completely) clear on the error page. When asked to help people remove this warning, I had to creatively re-word the actual error message so as not to appear condescending when instructing them:
You have attempted to perform a search without enabling SafeSearch.
Click here to modify your search preferences ensuring that you click the Save button.
I say the message wasn’t completely clear because of the reference to YouTube when users were performing any search:
I printed out an explanation of what was happening and gave it out to many teachers, posted it on the noticeboards and shared it online. Still, I knew an extension could probably be written to fix it. There was one in the Chrome Web Store, SafeSearch ParentsAround.com, but it didn’t work to convince the PDST filter that SafeSearch was on. I believe it works by adding &safe=active and &vm=r to any search URLs. There’s also a Chrome Group Policy SafeSearch option that I tried but was ineffective:
The Chrome extension I wrote is available at https://chrome.google.com/webstore/detail/force-safesearch/obnpnngcaflompjfnafkfghiikokkapc
And its code is on GitHub at https://github.com/BrianHenryIE/EnableSafeSearchChrome
Its function is quite simple: in the background, it loads the settings page for each search engine, finds a unique id for the user, then sends that along with an ‘on’ setting back to the search engine which returns the necessary cookie. It was quite easy to determine what was going on by using the network tab of the Chrome developer tools.
To get the extension onto users PCs, assuming you have a Windows domain, use Group Policy to deploy the Google Chrome for Enterprise MSI, then add the policy templates (ADMX), and configure the ExtensionInstallForcelist setting with the value:
The first half is the extension id and the second half is the Chrome Web Store update address. Entering it in the GPO looks something like this:
If you’re already force-installing extensions like this, you’ll have to deploy both from the same GPO or only one will install (the first one encountered during Group Policy processing). I’ve filed a bug to report this, as it’s defeating the “group” part of Group Policy.
What this doesn’t do is lock SafeSearch which would require signing into a Google account in the browser, enabling SafeSearch and then logging out. It does load, i.e. re-enable, each time the browser is opened. Lock SafeSearch isn’t important in terms of the PDST block.
I think related to the PDST being unable to turn on SafeSearch was the “SSL search is off” notification that would accompany Google searches. I guess they were disabling SSL search so they could check for SafeSearch.
In October, Google published An update to SafeSearch options for network administrators which said it would be possible to require SafeSearch on SSL searches. A linked article explains a way to use DNS to use SafeSearch servers instead of the usual google.com searches:
To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for http://www.google.com … to be a CNAME for forcesafesearch.google.com.
I think the PDST may be testing this, as I noticed the following message this week in one school:
Though, who’s using Bing on Chrome?! I did look into writing the extension for Internet Explorer, and that’s probably where it would be of most use, but didn’t get close! I tried a cross-browser extension development platform called CrossRider but it didn’t work in Internet Explorer when the same code was working in Chrome. I abandoned that approach to try and understand how to write a pure Internet Explorer extension, a Browser Helper Object (BHO). Unfortunately, I’ve no experience with Windows development and haven’t had the time to really attempt this. If anyone wants to try it some weekend, I might be up for it.
The reason I haven’t bothered with Firefox is because my users are more likely to be using Chrome. Also, Firefox isn’t enterprise friendly, relatively. There is a third-party MSI available but the lack of official support led me to believe it would be more difficult to get working and it would be useful to fewer people.
Once it was written and working for me (and deployed internally in one school which required setting up a web-server and extension update settings) I went to publish it in the Chrome Web Store. That required a small fee which took 8 hours to process. If this proves popular, I’ll updated the listing with the required promotional images. For now, the icons are from a Creative Commons search. I was looking for a safe but settled on a lock. I was also forced to select a language while configuring the entry in the store, even though there’s no UI!
That covers most of it. If it’s popular I’ll post some statistics in a few months.