Chrome/Edge policy will allow admins to block viewing page source code, aimed at edu

Kyle Bradshaw | Nov 11 2021 - 12:05 pm PT

To fix a longstanding bug that could view restricted URLs and sometimes reveal test answers, IT administrators will soon be able to block Google Chrome and Microsoft Edge from viewing the source code of webpages.

Before we dive into what this policy can do and whether or not it’s a good solution, one thing needs to be made clear up front. This article discusses an enterprise policy, which can be thought of as an option available only to administrators of devices/accounts owned by a company or organization. Unless you use a school/company-owned Chromebook or use Chrome Enterprise, this enterprise policy will not directly affect you.

As a quick and simple explanation, when you navigate to a website, your browser receives the page’s HTML, CSS, and JavaScript code from the server. Your browser will then interpret and render that code into a proper webpage.

Even after all of that rendering work, you can still view the raw code of a page by pressing Ctrl-U (or right-clicking somewhere on the page and clicking “View page source”). Or you can even get an interactive view of the page’s code using Chrome’s DevTools by pressing F12 or Ctrl-Shift-I. These tools are especially useful for web developers (from absolute beginners to experts) to debug issues with their own sites or simply learn more about how their favorite sites were made.

In 2018, it was reported to Google via the Chromium Bug Tracker that one of Chrome Enterprise’s existing policies — a URL blocklist — was unable to block requests to “view-source:” addresses. For example, a company could block access to “https://9to5google.com” but not to “view-source:https://9to5google.com.” This would allow a simple bypass of Chrome Enterprise’s address blocking methods, assuming one was willing to read a page’s source code or paste the code into a HTML preview tool.

Moreover, some school IT administrators found that some online test-taking tools — reportedly including Google Forms — would in some cases leak the correct answers to test questions via the page source code. Due to that page-related issue, IT admins wanted to block viewing the source code of those pages or perhaps block viewing source code altogether.

Members of the Chromium team have looked at fixing this issue a few times over the years, but had not yet taken any decisive action. As posted to the Hacker News forum, Microsoft — who now has a vested interest in Chromium, with Microsoft Edge being powered by Chromium — has now stepped in with a solution that correctly blocks the ability to view source code if a particular website is on an organization’s blocklist.

The solution is also capable of blocking all ability to view a page’s source code. This is designed to be paired with another, existing policy that can block use of Chrome’s DevTools altogether.

Unsurprisingly, giving administrators the ability to block viewing the source code of every website has struck a nerve with enthusiasts, especially on Hacker News, where developers are sharing stories of how viewing various pages’ source code was a necessary step in their journey to becoming a developer.

Many of the best people in IT are there today, because they got curious about how stuff worked, experimented with it, broke the rules, and learned from that. This curiosity needs to be encouraged, not stopped.
— kuschku

One could argue that administrators are within their right to disable certain features of the devices they give to students/employees, but for some children, the Chromebook they get from school may be the only computer to which they have access. In that situation, a full block of the ability to view source code could be seen as potentially stifling a child’s curiosity about how the internet works.

Blocking malicious use of viewing source code — circumventing blocklists or cheating on a test — is acceptable, but in this author’s opinion, an administrator allowing the blocking source code altogether is a step too far. That said, it’s up to each school/company’s IT administrator to decide what to block on their computers.

As the relevant code change has only just been added to the Chromium source code in the last few days, this enterprise policy change won’t take effect until Chrome/Edge version 98.