Skip to main content

HSTS (Cisco, iBoss)

If a blocking system requires both an extension and a Chrome App to function, the extension may communicate with the Chrome App over HTTP on the lo (local) network interface. If that's the case, HSTS can most likely be used to bypass it.

Requirements
  • chrome://net-internals unblocked
  • A Chrome Extension that comes with a helper Chrome App

Steps

  1. Verify that you have an extension that's affected (if you don't, it doesn't hurt to go for it anyways, because this is easy to undo).
  2. Open chrome://net-internals on your school device.
  3. go to the Domain Security Policy tab.
  4. Put 127.0.0.1 in the Add HSTS domain's Domain text box.
  5. Click Add.
  6. Repeat Steps 4 and 5, but use localhost instead of 127.0.0.1.
  7. Open chrome://restart.

Known Working Extensions

  • Cisco Umbrella
  • iBoss

Known Not Working Extensions

  • Securly
  • GoGuardian
  • Anything that doesn't have both a Chrome App and Extension
Issues
  • If you have a force-installed extension and have a Chrome App from the same developer force-installed, it's worth giving this a try.
  • If you discover another filter this works with, reply with the name.
  • If you want someone to check whether an extension is exploitable, just send the application's and extension's Chrome Web Store URLs in a reply.
  • You might have to log out and back in for this to work with certain extensions (this may apply to iBoss).

How this works

Most websites use HTTPS, but that's impossible on localhost, so they have to use HTTP (since they can't get a TLS certicate). Of course, when you start talking HTTPS with an HTTP server, it can't understand, so if you use this, the extension and the app are effectively firewalled from each other, so the extension can't ask the app whether a site should be blocked or not.