Skip to main content
Governance rules use Chrome’s Declarative Net Request (DNR) API to enforce compliance policies at the network level. These rules cannot be bypassed by agents and apply automatically during agent sessions.

Overview

Governance rules are stored as a simple object with boolean flags. When enabled, they create network-level blocking rules that prevent specific types of navigation or requests.

Available Rules

Disallow Clickable URLs

Prevents agents from navigating to any URL by clicking links. This forces agents to only use URLs explicitly provided in prompts. Use case: Ensure agents don’t follow external links that might lead to unintended domains.

Disallow Query Parameters

Blocks navigation to any URL containing query parameters (URLs with ? in them). Use case: Prevent agents from accessing dynamic URLs that might expose sensitive data through URL parameters.

Storage Structure

Governance rules are stored in chrome.storage.local under the key governanceRules: 
{
  "disallow_clickable_urls": true,
  "disallow_query_params": false
}

Implementation Details

Rule IDs

Each governance rule is assigned a unique DNR rule ID:
background.js:465-468
const DNR_RULE_IDS = {
  DISALLOW_CLICKABLE_URLS: 1000,
  DISALLOW_QUERY_PARAMS: 1001
};

Disallow Clickable URLs Rule

When enabled, creates a DNR rule that blocks all HTTP/HTTPS navigation from the extension:
background.js:479-490
if (governanceRules.disallow_clickable_urls) {
  if (!existingRuleIds.has(DNR_RULE_IDS.DISALLOW_CLICKABLE_URLS)) {
    rulesToAdd.push({
      id: DNR_RULE_IDS.DISALLOW_CLICKABLE_URLS,
      priority: 1,
      action: { type: "block" },
      condition: {
        initiatorDomains: ["fcoeoabgfenejglbffodgkkbkcdhcgfn"],
        resourceTypes: ["main_frame"],
        regexFilter: "^https?://"
      }
    });
  }
}

Disallow Query Parameters Rule

When enabled, blocks all URLs containing query strings:
background.js:498-511
if (governanceRules.disallow_query_params) {
  if (!existingRuleIds.has(DNR_RULE_IDS.DISALLOW_QUERY_PARAMS)) {
    rulesToAdd.push({
      id: DNR_RULE_IDS.DISALLOW_QUERY_PARAMS,
      priority: 1,
      action: {
        type: 'block'
      },
      condition: {
        initiatorDomains: ["fcoeoabgfenejglbffodgkkbkcdhcgfn"],
        resourceTypes: ['main_frame'],
        urlFilter: '|http*://*?*'
      }
    });
  }
}
The initiatorDomains field contains the extension ID, ensuring these rules only apply to navigation initiated by the extension itself.

How to Configure

1

Access Dashboard

Open the ContextFort dashboard by clicking the extension icon.
2

Navigate to Rules

Go to the “Governance Rules” section in the dashboard.
3

Toggle Rules

Enable or disable rules using the toggle switches. Changes apply immediately.
4

Test in Agent Mode

Start an agent session to verify the rules are working as expected.

Updating Rules

Rules are updated via message passing from the dashboard:
background.js:263-267
else if (message.type === 'RELOAD_GOVERNANCE_RULES') {
  governanceRules = message.rules || {};
  updateDNRRules();
  return;
}
The updateDNRRules() function efficiently manages rule changes:
  • Only adds rules that don’t exist
  • Only removes rules that should be disabled
  • Skips updates if no changes are needed
background.js:470-529
async function updateDNRRules() {
  try {
    const existingRules = await chrome.declarativeNetRequest.getDynamicRules();
    const existingRuleIds = new Set(existingRules.map(r => r.id));

    const rulesToAdd = [];
    const ruleIdsToRemove = [];

    // Check each governance rule...
    
    // Only update if there are changes
    if (rulesToAdd.length > 0 || ruleIdsToRemove.length > 0) {
      await chrome.declarativeNetRequest.updateDynamicRules({
        removeRuleIds: ruleIdsToRemove,
        addRules: rulesToAdd
      });
    }
  } catch (error) {
    console.error('[DNR] Failed to update rules:', error);
  }
}

Loading on Startup

Governance rules persist across extension restarts:
background.js:360-379
(async () => {
  const result = await chrome.storage.local.get([
    'urlBlockingRules', 
    'urlPairBlockingRules', 
    'blockedActions', 
    'governanceRules', 
    'sessions'
  ]);

  // ... other rules ...

  if (result.governanceRules) {
    governanceRules = result.governanceRules;
    await updateDNRRules();
  }
})();
Governance rules use network-level blocking and cannot be bypassed. Test carefully before enabling in production environments.

Best Practices

  1. Test First: Enable rules in a test environment before deploying to users
  2. Document Policies: Keep a record of which rules are enabled and why
  3. Combine with URL Blocking: Use governance rules alongside URL blocking for defense in depth
  4. Monitor Agent Behavior: Check session logs to ensure rules aren’t blocking legitimate agent actions

Build docs developers (and LLMs) love

Get started for freeTalk to us