URL pattern for Site Restrictions
URL patterns must be defined for multiple policies to indicate their applicable URLs. These patterns adhere to the following rules.
Valid patterns
1. “*”
This pattern matches any URL, with any scheme, port, and path.
2. “scheme://domains:port/path”
- The supported schemes are “http” and “https”.
- The scheme can be left out, along with the scheme separator “://” to match any scheme. Alternatively, a wildcard “*” can be used to the same effect.
- The domain is followed by a top-level domain and may be prefixed by one or more subdomains. Alternatively, a host (such as localhost) can be used instead.
- A domain can be prefixed by a wildcard “[*.]” to match the domain or any of its subdomains. The domain in question can be a subdomain of any level. Note the fact that the wildcard “[*.]” isn’t followed by a dot and should be prefixed directly to the domain/subdomain.
- A domain without the wildcard prefix will only match that exact domain and not any subdomains.
- The port is a number in the range 0-65535. It can be left out along with the port separator “:” or replaced by a wildcard “*” to match any port.
- Similarly, the path can be left out along with the part separator “/” or replaced by a wildcard “*” to match any path.
- Wildcards cannot be used for partially matching a scheme, domain, host, port, or path.
- Using multiple wildcards in the same pattern (e.g. *://google.com:*/*) is supported.
3. “scheme://a.b.c.d:port/path”
- Instead of a domain, an IPv4 address in the form “a.b.c.d” can be used. While the rules for schemes, ports and paths remain the same as for domain URLs, wildcards cannot be used at all for IP addresses.
4. “scheme://[a:b:c:d:e:f:g:h]:port/path”
An IPv6 address can also be used in the form “[a:b:c:d:e:f:g:h]”. The brackets are mandatory. Just like with IPv4 addresses, wildcards are not supported. Rules for schemes, ports, and paths remain the same as for domain URLs and IPv4 addresses.
5. “file://path”
- If the “file” scheme is used, the path has to start with a “/”, therefore “file://dir/myfile.html” is an invalid pattern. “file:///dir/myfile.html” (with three forward slashes after “file:”) needs to be used instead. The only valid file URL wildcard format is “file:///*”, which matches any valid file URL.
- The domain part of a file URL needs to be empty, and will match any domain (or localhost). For example, “file:///file.html” will match “file://localhost/file.html” and “file://mysite.com/file.html”.
- Ports cannot be used.
Invalid patterns
- [*.].abc.com is invalid (notice the dot before “mysite”).
- file://abc.com/somefile.html is invalid as the domain is non-empty (not allowed in file URLs).
- file://somefile.html is invalid (only two forward slashes instead of three).
- As is file://somefile.*. (the only valid file URL that contains a wildcard is file:///*)
- [*.]127.0.0.1 is invalid (using subdomains or subdomain wildcards with IP addresses is invalid).
Example patterns
- [*.]abc.com will match both abc.com and subdomain.abc.com. It will also match any scheme, port, and path.
- [*.]oogle.com will not match google.com. It will, however, match subdomain.oogle.com.
- file:///foo/bar.html will match file://localhost/foo/bar.html and file://mysite.com/foo/bar.html.
- file:///* is valid and will match any file:// URL.
- Schemes, ports and paths can be used with IP addresses, for example https://[::1]:8080/myfile.html is valid.
URL blocklist examples
URL Blocklist entry
Result
abc.com Denies all requests to abc.com, www.abc.com, and sub.www.abc.com.
http://abc.com Denies all HTTP requests to abc.com and any of its subdomains, but allows HTTPS requests.
https://* Denies all HTTPS requests to any domain. mail.abc.com Denies requests to mail.abc.com but not to www.abc.com or abc.com. .abc.com Denies requests to abc.com but not its subdomains, like abc.com/docs. .www.abc.com Denies requests to www.abc.com but not its subdomains. * Denies all requests except for those to blocklist exception URLs. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy. :8080 Denies all requests to port 8080. abc.com/stuff Denies all requests to abc.com/stuff and its subdomains. 192.0.2.1 Denies requests to this exact IP address. ?v*?abc*
*?abc=*
*?abc=100* Denies any request with the query ?abc=100. ?b=2&a=1 Denies any request with the following queries: ?b=2&a=1 ?a=1&b=2 Denies any request with the following queries: ?a=1&b=2 ?a=1&c=3&b=2 Denies any request with the following queries: ?a=1&c=3&b=2 youtube.com/watch?v=abc Denies youtube video with id abc.
| URL Blocklist entry | Result |
| abc.com | Denies all requests to abc.com, www.abc.com, and sub.www.abc.com. |
| http://abc.com | Denies all HTTP requests to abc.com and any of its subdomains, but allows HTTPS requests. |
| https://* | Denies all HTTPS requests to any domain. |
| mail.abc.com | Denies requests to mail.abc.com but not to www.abc.com or abc.com. |
| .abc.com | Denies requests to abc.com but not its subdomains, like abc.com/docs. |
| .www.abc.com | Denies requests to www.abc.com but not its subdomains. |
| * | Denies all requests except for those to blocklist exception URLs. This includes any URL scheme, such as http://google.com, https://gmail.com, and chrome://policy. |
| :8080 | Denies all requests to port 8080. |
| abc.com/stuff | Denies all requests to abc.com/stuff and its subdomains. |
| 192.0.2.1 | Denies requests to this exact IP address. |
?v *?abc* *?abc=* *?abc=100* | Denies any request with the query ?abc=100. |
| ?b=2&a=1 | Denies any request with the following queries: ?b=2&a=1 |
| ?a=1&b=2 | Denies any request with the following queries: ?a=1&b=2 |
| ?a=1&c=3&b=2 | Denies any request with the following queries: ?a=1&c=3&b=2 |
| youtube.com/watch?v=abc | Denies youtube video with id abc. |
For any additional queries or assistance reach us at https://ulaabrowser.zohodesk.com/portal/en/newticket
Want to share your feedback? Write to us at https://ulaa.com/feedback
Related Articles
Site Restrictions – What is it?
Site Restrictions allow organizations to control and manage user access to websites. Administrators can block specific sites to improve security, enforce company policies, and boost productivity. They can also create exceptions to grant access to ...How to add sites to the Exceptions List in Site Restrictions?
The Exceptions List allows access to specific websites, even if they are blocked under Site Restrictions. Follow the steps below to add sites to the Exceptions List. Sign in to your Ulaa Admin Console. Click Switch to the Organization in the top ...How to add sites to the Blocked List in Site Restrictions?
Follow the steps below to add sites to the Blocked List. It allows you to block access to specific websites for users in your organization. Sign in to your Ulaa Admin Console. Click Switch to the Organization in the top right corner (skip this step ...How to add sites to the Blocked List in Cookie Restrictions?
Block cookies for specific websites by adding them to the blocked list under Cookie Restrictions. To add sites, follow the steps given below: Sign in to your Ulaa Admin Console. Click Switch to the Organization on the top right corner (skip this step ...How to add sites to the Exceptions List in Cookie Restrictions?
Allow cookies for specific websites by adding them to the exception list, even if cookie blocking is enabled. Sign in to your Ulaa Admin Console. Click Switch to the Organization on the top right corner (skip this step if you're already in the ...
