feat: implement URL blocklist to restrict access to unauthorized sites (#14873) (#3429)

Ports upstream Puppeteer PR #14873 which adds a `BlockList` option to
`ConnectOptions` and `LaunchOptions`. When set, the browser will silently
detach from any already-open targets violating the patterns on initial
attachment, and fail network requests matching blocked URL patterns using
`Network.emulateNetworkConditionsByRule` (CDP only).

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: kblok

lib/PuppeteerSharp.Nunit/TestExpectations/TestExpectations.upstream.json

@@ -310,6 +310,66 @@
     ],
     "comment": "TODO: add a comment explaining why this expectation is required (include links to issues)"
   },
+  {
+    "testIdPattern": "[network_restrictions.spec] *",
+    "platforms": [
+      "darwin",
+      "linux",
+      "win32"
+    ],
+    "parameters": [
+      "firefox"
+    ],
+    "expectations": [
+      "SKIP"
+    ],
+    "comment": "CDP-specific feature, not supported in Firefox"
+  },
+  {
+    "testIdPattern": "[network_restrictions.spec] *",
+    "platforms": [
+      "darwin",
+      "linux",
+      "win32"
+    ],
+    "parameters": [
+      "webDriverBiDi"
+    ],
+    "expectations": [
+      "SKIP"
+    ],
+    "comment": "CDP-specific feature, not supported in WebDriver BiDi"
+  },
+  {
+    "testIdPattern": "[network_restrictions.spec] *",
+    "platforms": [
+      "darwin",
+      "linux",
+      "win32"
+    ],
+    "parameters": [
+      "chrome-headless-shell"
+    ],
+    "expectations": [
+      "SKIP"
+    ],
+    "comment": "Not supported by chrome-headless-shell"
+  },
+  {
+    "testIdPattern": "[network_restrictions.spec] Network Restrictions should detach from targets violating blocklist when connecting to a running browser",
+    "platforms": [
+      "darwin",
+      "linux",
+      "win32"
+    ],
+    "parameters": [
+      "pipe"
+    ],
+    "expectations": [
+      "SKIP"
+    ],
+    "comment": "Verifies URL blocklist enforcement when connecting to a browser via WebSocket, which is not applicable for pipe mode"
+  },
   {
     "testIdPattern": "[network.spec] network Page.setBypassServiceWorker *",
     "platforms": [

lib/PuppeteerSharp.Tests/NetworkRestrictionTests/NetworkRestrictionsTests.cs

@@ -0,0 +1,174 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using NUnit.Framework;
+using PuppeteerSharp.Nunit;
+
+namespace PuppeteerSharp.Tests.NetworkRestrictionTests;
+
+public class NetworkRestrictionsTests : PuppeteerBaseTest
+{
+    [Test, PuppeteerTest("network_restrictions.spec", "Network Restrictions", "should block page.goto when the destination is in the blocklist")]
+    public async Task ShouldBlockPageGotoWhenDestinationIsInBlocklist()
+    {
+        var options = TestConstants.DefaultBrowserOptions();
+        options.BlockList = ["*://*:*/empty.html"];
+
+        await using var browser = await Puppeteer.LaunchAsync(options, TestConstants.LoggerFactory);
+        await using var page = await browser.NewPageAsync();
+
+        var allowedUrl = TestConstants.ServerUrl + "/title.html";
+        var blockedUrl = TestConstants.ServerUrl + "/empty.html";
+
+        await page.GoToAsync(allowedUrl);
+
+        Exception error = null;
+        await page.GoToAsync(blockedUrl).ContinueWith(t =>
+        {
+            if (t.IsFaulted)
+            {
+                error = t.Exception?.InnerException ?? t.Exception;
+            }
+
+            return t;
+        });
+
+        Assert.That(error, Is.Not.Null);
+        Assert.That(error.Message, Does.Contain("net::ERR_INTERNET_DISCONNECTED"));
+    }
+
+    [Test, PuppeteerTest("network_restrictions.spec", "Network Restrictions", "should block window.location.href navigation to URLs in the blocklist")]
+    public async Task ShouldBlockWindowLocationHrefNavigationToUrlsInBlocklist()
+    {
+        var options = TestConstants.DefaultBrowserOptions();
+        options.BlockList = ["*://*:*/empty.html"];
+
+        await using var browser = await Puppeteer.LaunchAsync(options, TestConstants.LoggerFactory);
+        await using var page = await browser.NewPageAsync();
+
+        var allowedUrl = TestConstants.ServerUrl + "/title.html";
+        var blockedUrl = TestConstants.ServerUrl + "/empty.html";
+
+        await page.GoToAsync(allowedUrl);
+
+        var navTask = page.WaitForNavigationAsync(new NavigationOptions { Timeout = 2000 }).ContinueWith(t => t.IsFaulted ? null : t.Result);
+        await page.EvaluateFunctionAsync("url => { window.location.href = url; }", blockedUrl);
+        await navTask;
+
+        var finalUrl = page.Url;
+        Assert.That(finalUrl, Is.Not.EqualTo(blockedUrl));
+    }
+
+    [Test, PuppeteerTest("network_restrictions.spec", "Network Restrictions", "should fail fetch requests to URLs in the blocklist")]
+    public async Task ShouldFailFetchRequestsToUrlsInBlocklist()
+    {
+        var options = TestConstants.DefaultBrowserOptions();
+        options.BlockList = ["*://*:*/empty.html"];
+
+        await using var browser = await Puppeteer.LaunchAsync(options, TestConstants.LoggerFactory);
+        await using var page = await browser.NewPageAsync();
+
+        var allowedUrl = TestConstants.ServerUrl + "/title.html";
+        var blockedUrl = TestConstants.ServerUrl + "/empty.html";
+
+        await page.GoToAsync(allowedUrl);
+
+        var fetchError = await page.EvaluateFunctionAsync<string>(
+            @"async (url) => {
+                try {
+                    await fetch(url);
+                    return null;
+                } catch (e) {
+                    return e.message;
+                }
+            }",
+            blockedUrl);
+
+        Assert.That(fetchError, Is.Not.Null.And.Not.Empty);
+        Assert.That(fetchError, Does.Contain("Failed to fetch"));
+    }
+
+    [Test, PuppeteerTest("network_restrictions.spec", "Network Restrictions", "should prevent loading of blocklisted subresources (e.g., images)")]
+    public async Task ShouldPreventLoadingOfBlocklistedSubresources()
+    {
+        var options = TestConstants.DefaultBrowserOptions();
+        options.BlockList = ["*://*:*/pptr.png"];
+
+        await using var browser = await Puppeteer.LaunchAsync(options, TestConstants.LoggerFactory);
+        await using var page = await browser.NewPageAsync();
+
+        var allowedUrl = TestConstants.ServerUrl + "/one-style.css";
+        var blockedUrl = TestConstants.ServerUrl + "/pptr.png";
+
+        var failedRequests = new Dictionary<string, string>();
+        var finishedRequests = new HashSet<string>();
+
+        page.RequestFailed += (_, e) =>
+        {
+            failedRequests[e.Request.Url] = e.Request.FailureText;
+        };
+        page.RequestFinished += (_, e) =>
+        {
+            finishedRequests.Add(e.Request.Url);
+        };
+
+        await page.GoToAsync(TestConstants.EmptyPage);
+
+        await page.SetContentAsync(
+            $@"<img src=""{blockedUrl}"" />
+               <link rel=""stylesheet"" href=""{allowedUrl}"" />",
+            new NavigationOptions { WaitUntil = [WaitUntilNavigation.Networkidle0] });
+
+        Assert.That(failedRequests.ContainsKey(blockedUrl), Is.True);
+        Assert.That(failedRequests[blockedUrl], Does.Contain("net::ERR_INTERNET_DISCONNECTED"));
+        Assert.That(finishedRequests.Contains(allowedUrl), Is.True);
+    }
+
+    [Test, PuppeteerTest("network_restrictions.spec", "Network Restrictions", "should detach from targets violating blocklist when connecting to a running browser")]
+    public async Task ShouldDetachFromTargetsViolatingBlocklistWhenConnectingToRunningBrowser()
+    {
+        await using var originalBrowser = await Puppeteer.LaunchAsync(TestConstants.DefaultBrowserOptions(), TestConstants.LoggerFactory);
+        var blockedUrl = TestConstants.ServerUrl + "/empty.html";
+
+        var page = await originalBrowser.NewPageAsync();
+        await page.GoToAsync(blockedUrl);
+
+        var wsEndpoint = originalBrowser.WebSocketEndpoint;
+
+        IBrowser connectedBrowser = null;
+        try
+        {
+            connectedBrowser = await Puppeteer.ConnectAsync(new ConnectOptions
+            {
+                BrowserWSEndpoint = wsEndpoint,
+                BlockList = ["*://*:*/empty.html"],
+            });
+
+            var targets = connectedBrowser.Targets();
+            var blockedTarget = Array.Find(targets, t => t.Url == blockedUrl);
+
+            Assert.That(blockedTarget, Is.Null);
+        }
+        finally
+        {
+            connectedBrowser?.Disconnect();
+            await page.CloseAsync();
+        }
+    }
+
+    [Test, PuppeteerTest("network_restrictions.spec", "Network Restrictions", "should not block chrome://version/ even if it matches blocklist")]
+    public async Task ShouldNotBlockChromeVersionEvenIfItMatchesBlocklist()
+    {
+        const string chromeUrl = "chrome://version/";
+        var options = TestConstants.DefaultBrowserOptions();
+        options.BlockList = [chromeUrl];
+
+        await using var browser = await Puppeteer.LaunchAsync(options, TestConstants.LoggerFactory);
+        await using var page = await browser.NewPageAsync();
+
+        await page.GoToAsync(chromeUrl);
+
+        // Navigation should succeed as chrome:// URLs usually bypass the network
+        Assert.That(page.Url, Is.EqualTo(chromeUrl));
+    }
+}

lib/PuppeteerSharp/Cdp/CdpBrowser.cs

@@ -52,7 +52,8 @@ internal CdpBrowser(
         Func<Target, bool> isPageTargetFunc = null,
         bool handleDevToolsAsPage = false,
         bool networkEnabled = true,
-        bool issuesEnabled = true)
+        bool issuesEnabled = true,
+        string[] blockList = null)
     {
         BrowserType = browser;
         DefaultViewport = defaultViewport;
@@ -85,7 +86,8 @@ internal CdpBrowser(
             TargetManager = new ChromeTargetManager(
                 connection,
                 CreateTarget,
-                targetFilterCallback);
+                targetFilterCallback,
+                blockList);
         }
     }
 
@@ -264,7 +266,8 @@ internal static async Task<CdpBrowser> CreateAsync(
         Action<IBrowser> initAction = null,
         bool handleDevToolsAsPage = false,
         bool networkEnabled = true,
-        bool issuesEnabled = true)
+        bool issuesEnabled = true,
+        string[] blockList = null)
     {
         var browser = new CdpBrowser(
             browserToCreate,
@@ -277,7 +280,8 @@ internal static async Task<CdpBrowser> CreateAsync(
             isPageTargetCallback,
             handleDevToolsAsPage,
             networkEnabled,
-            issuesEnabled);
+            issuesEnabled,
+            blockList);
 
         try
         {