Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.

Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.

Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that client device to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.

Abstract: Methods and systems are provided for a client computing device including a browser that renders a web page. Program code generates a mock upload event and a corresponding mock data transfer object for uploading data using the web page. The mock upload event and the corresponding mock data transfer object are propagated to an upload event listener of the web page and executed. Prior to generating the mock upload event and corresponding mock data transfer object, an embedded upload event listener may receive an upload event, read the upload event, drop the received upload event from an event handler pipeline, and call synchronously or asynchronously, code to perform logic on the received upload event for the generation of the mock upload event and a corresponding mock data transfer object.

Abstract: Systems and methods are described for authenticating a client device through remote browser isolation (RBI). An RBI service determines that a remote browser thereof is configured to issue an authentication request to an identity provider to access a resource of a resource provider and, in response, transmits a command to an RBI frontend of a client browser executing on a client computing device. The RBI frontend receives the command and, in response, generates a browsing context that issues a client-side authentication request to the identity provider that includes information accessible to the client computing device. Responsive to issuing the client-side authentication request, the browsing context receives an authentication artifact from an access service and transmits the authentication artifact to the RBI service.

Abstract: Methods for network aware endpoint data loss prevention (DLP) in web transactions are performed by systems and devices, which includes implementing DLP on endpoint devices and focuses on web traffic events from web browsers, while also associating the events to the network source entity. File download and upload events are intercepted from the operating system by a file system filter that determines the process creating events is a web browser based on process identifiers and comparing process names and process executable signatures. A uniform resource locator (URL) from a current tab or session is retrieved for the web browser. Policies for events are evaluated via a policy server or via cache, and additional data from the file is provided for policy decisions when necessary. DLP actions taken via the file system filter to block or allow events, including encrypting file data, are based on the policy decisions.

Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, and initiates a provider-based action for the IP packet.

Abstract: The implementation of application layer-based and transport-layer based security rules via a reverse proxy server chain is described. Each reverse proxy server in the chain is configured to perform a particular function with respect to client messages intended for a destination server and/or convey contextual information pertaining to the messages to a subsequent reverse proxy server in the chain. For instance, a first reverse proxy server in the chain is configured to include client-specific metadata in the transport layer of the message. A second reverse proxy server in the chain enforces transport layer-based policy rules based on the metadata. This enables the second reverse proxy server to manage transport layer connections on a client-by-client basis, thereby enabling the second reverse proxy server to block unauthorized clients, while maintaining the transport layer connections for authorized clients. A third reverse proxy server in the chain enforces application layer-based policy rules.

Abstract: A computer-implemented method includes receiving, by a proxy device, a document from a service provider in response to a request to the service provider from a client device. The proxy device injects into the document event monitoring code for monitoring user actions on the client device. The proxy device sends the document with the event monitoring code to the client device. The event monitoring code intercepts a user request for a file upload event using a client-side application on the client device. The proxy device receives a client request including file information regarding the file upload event from the event monitoring code. The proxy device determines whether the file upload event should be allowed or blocked based on the received file information and stored policy data.

Abstract: Policy-based routing of internet protocol (IP) packets using flow context. A system intercepts an event associated with creation of a network connection by an operating system (OS). The system identifies a flow context, including a flow tuple, associated with the network connection. Based on the flow context, and based on a flow-based routing policy, the system determines a provider associated with the network connection. The system records, in a state database, an association between the flow tuple and the provider, and instructs the OS to initiate the network connection. After the creation of the network connection, the system intercepts an IP packet associated with the network connection. Based on a header of the IP packet, the system identifies the flow tuple and, based on a result of querying the state database for the flow tuple, and initiates a provider-based action for the IP packet.

Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that client device to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.

Abstract: A proxy server to receive a request from a client to a webserver and a response corresponding with the request from the webserver to the client is disclosed. The request is wrapped, and a wrapped request is received at the proxy server. The wrapped request is read at the proxy server. Metadata is added to a response corresponding with the wrapped request at the proxy server. The metadata can be based on the read wrapped request or the corresponding response.

Abstract: Methods and systems are provided for a client computing device including a browser that renders a web page. Program code generates a mock upload event and a corresponding mock data transfer object for uploading data using the web page. The mock upload event and the corresponding mock data transfer object are propagated to an upload event listener of the web page and executed. Prior to generating the mock upload event and corresponding mock data transfer object, an embedded upload event listener may receive an upload event, read the upload event, drop the received upload event from an event handler pipeline, and call synchronously or asynchronously, code to perform logic on the received upload event for the generation of the mock upload event and a corresponding mock data transfer object.

Abstract: A file is enabled to be downloaded from a web server on behalf of a client browser, via an isolated browser of an RBI server. An isolated browser engine detects the file download and notifies an isolated browser controller. The isolated browser controller determines whether the file download is permitted. Responsive to determining that the file download is not permitted, the file is deleted at the RBI server and a policy event is transmitted to the client browser. Responsive to determining that the file download is permitted, the file is transmitted to the client browser. The file may be streamed to the client browser, or it may be published via an independent web server and a notification is transmitted to the client browser. The client browser is controlled to issue a request to the independent web server to download the file to the client browser.

Abstract: Methods and systems are provided for a browser in a client device that receives a user interface script-code snippet from a web page. A chain logic engine determines whether an in-memory map indicates an output value of prior execution of the UI script-code snippet. If the in-memory map does indicate the output value, it is returned from the in-memory map to generate the user interface. If not, the engine determines whether an in-local storage map indicates the prior executed snippet output. If the in-local storage map indicates the prior executed snippet output, it is returned from the in-local storage map to generate the user interface, and it is stored in the in-memory map. If not, the UI script-code snippet is executed to generate the output value, which is used to generate the user interface, and is stored in the in-memory map and in the in-local storage map.

Abstract: Techniques are described herein that are capable of using entity name mapping for routing network traffic having encrypted SNI headers. A name resolution request that specifies an entity name is intercepted. Translation of the entity name to a representation of an IP address associated with the entity name is caused. A mapping that cross-references the representation of the IP address to the entity name is stored. A data transfer request that requests establishment of a connection to a destination corresponding to the representation of the IP address is intercepted. The data transfer request includes an encrypted SNI header and a payload. Establishment of the connection to the destination is initiated by providing the encrypted SNI header, the payload, and metadata toward the destination. The metadata includes the entity name based on the mapping.

Abstract: Techniques are described herein that are capable of implementing a client-side policy on client-side logic. The client-side policy is configured to support client-side hooks by configuring a rule in the client-side policy to be applied to the client-side logic, which is configured to be executed in a browser of a client device in a network-based system. The rule indicates an administrator-defined action to be performed in response to a request to execute the client-side logic. The request to execute the client-side logic in the browser is received. The administrator-defined action is performed based at least in part on the rule in the client-side policy in response to receipt of the request.

Abstract: Methods for dynamic forward proxy chaining are performed by systems and devices. A forward proxy server receives an electronic communication message that includes destination information in a header and payload information. Destination information includes an ordered set of subsequent destination identifiers associated with subsequent forward proxy servers and an ultimate destination identifier for the electronic communication message. The destination information in the electronic communication message is modified by the forward proxy server to generate a modified electronic communication message. Based on proxy operations performed by the forward proxy server, destination information is modified by removing destinations, adding destinations, altering ports for destinations, and other modifications.

Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that client device to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.

Abstract: Methods and systems are provided for a browser in a client device that receives a user interface script-code snippet from a web page. A chain logic engine determines whether an in-memory map indicates an output value of prior execution of the UI script-code snippet. If the in-memory map does indicate the output value, it is returned from the in-memory map to generate the user interface. If not, the engine determines whether an in-local storage map indicates the prior executed snippet output. If the in-local storage map indicates the prior executed snippet output, it is returned from the in-local storage map to generate the user interface, and it is stored in the in-memory map. If not, the UI script-code snippet is executed to generate the output value, which is used to generate the user interface, and is stored in the in-memory map and in the in-local storage map.