Eaglercraft is a fully web-based Minecraft clone that can’t be easily blocked by web filtering solutions like GoGuardian and Securly.
Aside from the distraction of having students play Minecraft with one another during the school day, the Eaglercraft game has an internal web browser that can be used to gain unfiltered internet access on district-managed Chromebooks.
Multiple IT admins have contacted me asking for help in responding to this new, and very creative un-filtered game.
The Eaglercraft problem
Security risks aside, Eaglercraft features brilliant coding work that took years to develop. This full-featured Minecraft game can run as a 10 MB HTML file and doesn’t require an internet connection.
Eaglercraft was published as an open-source GitHub project which means anyone can copy and duplicate it, making it virtually impossible to block via traditional web filters.
Because Eaglercraft is such a small, portable file, students can easily email it to one another or share it via a USB drive; and because it can run locally and doesn’t require an internet connection, your web filter can’t see or block it.
Wow!
The Eaglercraft solution
Fortunately, there is a pretty simple solution to the Eaglercreaft problem that involves blocking Javascript on locally run files through the Google Admin Console.
Simply add “file:///*” to block Javascript from running on local files.
Path: Devices > Chrome > Settings > User & Browsers > Content > JavaScript
Note: that is NOT a typo…you need “///” for this policy to work correctly.
With this setting in place, Eaglercraft will open, but can’t proceed past the initial countdown screen.
Google Admin tips and resources
Eaglercraft is just the latest challenge for IT administrators. If you need to level up your use of the Google Admin console, add your name to the waitlist for the Google Admin Bootcamp and Chromebook Academy.
Felix says
This is not going to work. Now, students will start self-hosting the file, since the file:///* wildcard only blocks local files, not other URLs. They can host it on any web server, such as an always-on home computer with port forwarding and DDNS (in the likely event that their home Internet does not support static IP). If it gets blocked, they can simply change the domain name and/or ask the ISP to change the IP address. There is no easy way to prevent that without creating a whitelist of sites, which would be troubling for students doing actual research. You could hypothetically program an extension to deploy on the Chromebooks that logs all web requests and sends them in to a command-and-control server which then has a program which automatically downloads the JS file and checks if it is the same or equivalent to the Eaglercraft JS (using an algorithm similar to a code plagiarism checker), and if it’s equivalent, block that web address, but for that, students could just obfuscate the JS to make the comparison harder. Also, the logging may violate privacy protection laws. However, I’m more on the students’ side with this issue, and I think if students are smart enough to host a website on their home Internet and/or exploit vulnerabilities in the school computers by themselves, the school should embrace it and offer some programming classes or extracurricular activities such as a STEM club or CS club to explore their interests, hone their skills and become the IT admins or programmers of the future.
mike says
BRO WHATS YOUR PROBLEM MAN! for starters, eaglercraft DOES NOT HAVE AN INTERNAL BROWSER. 2nd of all, eaglercraft is just minecraft, and teachers let us play minecraft education anyways and minecraft education is way better! like bro i bet you haven’t even played the game
zac says
this wouldn’t work, my school tried something similar with stopping all sites and instead just used a whitelist and me and a couple other student just decided to ddos the go guardian server using around 400 tabs, over 3 Chromebooks and wifi switched them till go guardian got corrupted trying to reinstall itself. 🙂 fun times. they gave up and turned off go guardian for the rest of the year for me and that group. also, even if you stop files using the :/// block, you can bypass it using Canva and other school approved sites that are allowed to open links and run files that other sites are not. usually these sites are using edge to do so. also there’s a funny flash based app that just hard uninstalls go guardian.
John R. Sowash says
Thanks for sharing…
anonymous says
Just letting yall know goguardian weak we can get around it really easily
guest says
why would you do this? let students have their fun. what have they ever done to you
John R. Sowash says
IT admins are required to filter and monitor school owned devices.