Background

Recently I enabled Safe Search Enforcement on a Palo Alto firewall. This blocks search results from Google, Bing, Yahoo, YouTube, and Yandex if their respective versions of safe search aren’t enabled. By using the JavaScript code that Palo Alto provides (you can see it in the Administrator’s Guide PDF, page 414) you can automatically redirect three of these sites to the safe search version: Google, Bing and Yahoo.

Since a number of our users needed YouTube access, and YouTube defaults to having “Restricted Mode” (Safe Search) off, I needed a way to automatically enable it so users don’t have to manually set it up - unfortunately this is more difficult than the three searches supported by the Palo Alto provided code (which simply added a query string). YouTube requires us instead to set a cookie - fortunately this is something that can be done with JavaScript. The basics of this approach should be adaptable to any situation where you can use JavaScript from the page in question.

As a quick example of the impact Restricted Mode has on YouTube, take a look at the before and after screenshots below.

Before script is applied - restricted mode is off This first image is the highlighted videos when Restricted Mode is off. You’ll notice that the most prominent video is a Saturday Night Live video.

After script is applied - restricted mode is on This second image is the highlighted videos after Restricted Mode was turned on. Notice that the Saturday Night Live video is entirely gone, as are two other videos.

The Pieces

First we need to check if the Search Blocked page we are on is YouTube. We’ll use the approach taken by the Palo Alto script, by checking our current page and using regex to determine if the URL has “youtube” in it. I’ve changed the variable names to make them more clear.

var url = location.href;
var is_youtube = /^.*\/\/(.+\.youtube\..+?)\//.exec(url)

While not actually a Boolean, is_youtube should only evaluate to true in an if statement if the page has YouTube in it (the regex might evaluate for other URLs - but since only a handful of domains will be blocked under this page we’ll work with it as is. Now that we can test if the page is YouTube, let’s open our if statement.

if (is_youtube) {

Inside this if statement, we need to add f2=8000000 to the PREF key in the cookie. We’ll set it to expire in 12 hours, so that any guest users aren’t stuck in restricted mode permanently - we have to set the expiration date since Firefox will remember session cookies if the user restores their tabs. First we have to calculate the expiration date. Basically we create a new Date object (which gets initialized to the current time), then set its time to 12 hours plus it’s starting time.

var expiration = new Date();
expiration.setTime(expiration.getTime()+(12*60*60*1000));

Now we need to set the cookie, putting in the full value of PREF (by default it is f5=30&f4=4000000, we add f2=8000000 for safe mode. I don’t know what the other PREF elements do - so it may be necessary for you to retrieve the correct ones for your user from JavaScript and add to them, rather than replacing them outright. We also make sure to put the expiration time we calculated in.

document.cookie = "PREF=f2=8000000&f5=30&f4=4000000; expires=" + expiration.toGMTString() + "; path=/;";

Now just redirect the page on to the original URL (and close the bracket from the if statement), and YouTube should load with the original page.

window.location.replace(url);
}

Putting It All Together

Now that we’ve got the parts figured out, let’s put it all together. It will need some tweaking to fit in with the variables of the aforementioned Admin Guide, but the basics should work. I’ve taken the liberty of updating the java_off paragraph element that the Palo Alto script updates.

// Change url to s_u for the Palo Alto version
var url = location.href;
var is_youtube = /^.*\/\/(.+\.youtube\..+?)\//.exec(url)

if (is_youtube) {
    var expiration = new Date();
    expiration.setTime(expiration.getTime()+(12*60*60*1000));
    document.cookie = "PREF=f2=8000000&f5=30&f4=4000000; expires=" + expiration.toGMTString() + "; path=/;";
    window.location.replace(url);
    
    // Add this to completely emulate the Palo Alto script - comment it out if running in a JavaScript console
    // Hopefully the redirect will already have happened before the user can read this
    document.getElementById("java_off").innerHTML = 'You are being redirected to a safer YouTube!';
}

Verifying It Works

Before testing the code, go to YouTube and scroll down to the bottom of the page. In the footer, there will be a button labeled “Restricted Mode: Off”, as shown.

Footer before script is applied - restricted mode is off

Once you run the code - either by adding it to your Palo Alto search block page or in the JavaScript console of your browser - the label should show “Restricted Mode: On”, as shown below.

Before script is applied - restricted mode is on

If you go to a restricted video after this script has run, you should see a notice that the video is unavailable due to restricted mode.

A blocked video

With this code added to the Palo Alto block page for search results, your Palo Alto should transparently handle YouTube Restrictive Mode enforcement - it likely isn’t the best solution (JavaScript isn’t my forte), but hopefully it at least makes a good starting point. If time allows, I’ll figure out and write up code to handle the last of the supported sites for safe search enforcement - Yandex.

A Word of Caution

While this script has been consistently able to put YouTube into Restricted Mode, I’m finding that the cookie doesn’t expire the way I want it to sometimes. I suspect that YouTube is refreshing it with the Restricted Mode preference set, requiring it to be manually turned back off. With that in mind, you may not want to employ this script on a guest network (if you enforce safe search there at all).