Education institutions may use content filtering solutions to control access to content on managed Chromebooks. These Android and Chrome App recommendations aim to help developers ensure their apps work well with content filtering solutions.
If your app uses WebViews to allow students to log in to your service or to display documentation, it may enable students to browse the web without the content filtering protections provided by their schools. Some popular content filtering products used by schools on Chromebooks are deployed as Chrome extensions, which can only see traffic within browser tabs…
By reducing the amount of browser-based content shown in your application, you can reduce the likelihood of unwanted content being accessible within your application. If this is impossible, then ensure your WebView only serves content you want and does not link out to a search engine or the open web.
If your app requires a WebView, you can limit the websites users can visit from your application. This can be done by modifying the WebView client to override loading of certain URLs via an allowlist on Android, or by manually going through your site and validating that its links do not lead to third-party content that you cannot control. For Chrome Apps, you can also use the WebRequestEventInterface to modify requests and validate that they navigate only to your allowed list of sites.
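The allowlist check described above, applied to a Chrome App `<webview>` through the WebRequestEventInterface. This is an added example, not code from the original page; the host names and the element id `content` are hypothetical placeholders.

```javascript
// Hypothetical allowlist: replace with the hosts your app actually serves.
const ALLOWED_HOSTS = ["learn.example.edu", "docs.example.edu"];

// Returns true only for https URLs whose host is an allowlisted host
// or a subdomain of one.
function isAllowedUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable input is rejected, never passed through
  }
  if (url.protocol !== "https:") return false;
  // url.hostname is lower-cased and excludes userinfo and port, so
  // "https://learn.example.edu@other.test/" is judged as other.test.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Compare on a label boundary: a plain suffix or substring match would
  // also accept hosts such as "notlearn.example.edu".
  return allowedHosts.some(
    (allowed) => host === allowed || host.endsWith("." + allowed)
  );
}

// Decision object in the shape a blocking onBeforeRequest listener returns.
function filterRequest(details) {
  return { cancel: !isAllowedUrl(details.url) };
}

// Wire up only when running inside a Chrome App page (skipped elsewhere).
if (typeof document !== "undefined") {
  const webview = document.getElementById("content"); // hypothetical id
  if (webview && webview.request) {
    webview.request.onBeforeRequest.addListener(
      filterRequest,
      // Filter page and frame navigations; sub-resources are not checked here.
      { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
      ["blocking"]
    );
  }
}
```

Matching on the parsed hostname rather than on the raw URL string is what keeps look-alike hosts and userinfo tricks from passing the check.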
You can reduce the risk of users getting past content filtering if you open web content in their built-in web browsers.
In Android apps, consider using Chrome Custom Tabs instead of WebViews. On Android, the custom tab will open a browser tab that is themed like your application. On ChromeOS, this will launch the normal browser and allow users to navigate within the page as normal. Because it’s their normal browser, schools can apply their existing enforcement of browser policies to the content. This means that the displayed content is visible to content filtering extensions running in the browser. This is especially useful for third-party identity providers that rely on implementing OAuth in a WebView.
In Chrome Apps, links to content not owned by you should be opened in a new tab rather than within the WebView that is running. To open a new tab from your Chrome App, you can modify your anchor tags to set the target attribute to _blank, which will allow the link to open in a new tab.
If your application only uses Google Sign-In, do not use a WebView to sign in. Instead, handle it with the One Tap sign-in and sign-up flow. Links in this sign-in flow start from the browser instead of an embedded WebView, which may not have the same filtering controls applied to it.