We are using Chrome policy to set up URL blacklist. This works fine for top-level URLs (e.g. https://www.example.com), however if the blocked URL is invoked from an allowed URL (e.g. https://www.example.com/script.js is included from https://www.example.com), then it's still loaded.

If I put that URL into the address bar, then I get the correct message that it's blocked. Yet if it's loaded from an allowed page (as an image, script, css, AJAX, etc.), then it's successfully loaded.

The goal is to block specific scripts from specific domains while allowing the rest of the resources from those domains. How can I achieve this?