Patents by Inventor Itamar AZULAY

Itamar AZULAY has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250148060
    Abstract: Systems and methods are described for client-side rewriting of web page code. A proxy computing device receives a web page from a server computing device and analyzes the web page to identify a code component. The proxy computing device generates a modified version of the web page by replacing the identified code component with a wrapped code component and including a code rewriting and evaluation function in the web page. The wrapped code component includes a call to the code rewriting and evaluation function that includes the identified code component as an argument thereof. The code rewriting and evaluation function is configured to generate a rewritten code component by rewriting the identified code component and to evaluate the rewritten code component. The proxy computing device sends the modified version of the web page to a client computing device that is configured to load the modified version of the web page.
    Type: Application
    Filed: January 10, 2025
    Publication date: May 8, 2025
    Inventors: Meir Baruch BLACHMAN, Itamar AZULAY
  • Publication number: 20240311439
    Abstract: A tenant network of a cloud services platform performs the rewriting of code included in a web page. For example, a proxy service communicatively coupled to a plurality of browser applications belonging to the same tenant network and a server receives a request, from a first browser, for a web page hosted by the server. The web page is returned to the proxy service, and the proxy service identifies code component(s) thereof for rewriting. The proxy service provides the identified code component(s) to a second browser included in the same tenant network as the first browser that is configured to rewrite the code component(s). After rewriting the code component, the second browser provides the rewritten code component(s) to the proxy service, which forwards the web page, along with the rewritten code component(s), to the first browser for execution and rendering.
    Type: Application
    Filed: May 28, 2024
    Publication date: September 19, 2024
    Inventors: Meir Baruch BLACHMAN, Itamar AZULAY, Nitzan FROGEL
  • Publication number: 20240205265
    Abstract: Methods, systems and computer program products are provided for multi-layer, browser-based context emulation detection, which may be implemented by a proxy for browsers. A policy may be enforced against requests if a request context indicates a restricted context. Context may be detected and indicated in a response header and body based on one or more context detection/indication rules. Context may be indicated by marking or not marking resources indicated in responses. Code may be injected to cause the client web browser to indicate context. A response may be forwarded to the client with a response header context, a response body context, and/or injected code, which a client browser may process to generate a request with one or more indications of request context.
    Type: Application
    Filed: December 15, 2022
    Publication date: June 20, 2024
    Inventors: Itamar AZULAY, Nitzan FROGEL, Meir Baruch BLACHMAN, Tomer CHERNI
  • Publication number: 20230401275
    Abstract: A tenant network of a cloud services platform performs the rewriting of code included in a web page. For example, a proxy service communicatively coupled to a plurality of browser applications belonging to the same tenant network and a server receives a request, from a first browser, for a web page hosted by the server. The web page is returned to the proxy service, and the proxy service identifies code component(s) thereof for rewriting. The proxy service provides the identified code component(s) to a second browser included in the same tenant network as the first browser that is configured to rewrite the code component(s). After rewriting the code component, the second browser provides the rewritten code component(s) to the proxy service, which forwards the web page, along with the rewritten code component(s), to the first browser for execution and rendering.
    Type: Application
    Filed: June 13, 2022
    Publication date: December 14, 2023
    Inventors: Meir Baruch BLACHMAN, Itamar AZULAY, Nitzan FROGEL
  • Publication number: 20230403327
    Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.
    Type: Application
    Filed: June 14, 2023
    Publication date: December 14, 2023
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Itamar AZULAY, Tomer CHERNI
  • Publication number: 20230385098
    Abstract: Systems and methods are provided for managing dynamic controls over access to computer resources and, even more particularly, for evaluating and re-evaluating dynamic conditions and changes associated with user sessions. The systems and methods are configured to automatically make a determination as to whether new or additional authentication credentials are required for a user that is already authorized for accessing resources in a user session, in response to triggering events such as the identification of a new or changed condition associated with the user session.
    Type: Application
    Filed: August 8, 2023
    Publication date: November 30, 2023
    Inventors: Alexander ESIBOV, Itamar AZULAY
  • Publication number: 20230350984
    Abstract: Systems and methods are described for client-side rewriting of web page code. A proxy computing device receives a web page from a server computing device and analyzes the web page to identify a code component. The proxy computing device generates a modified version of the web page by replacing the identified code component with a wrapped code component and including a code rewriting and evaluation function in the web page. The wrapped code component includes a call to the code rewriting and evaluation function that includes the identified code component as an argument thereof. The code rewriting and evaluation function is configured to generate a rewritten code component by rewriting the identified code component and to evaluate the rewritten code component. The proxy computing device sends the modified version of the web page to a client computing device that is configured to load the modified version of the web page.
    Type: Application
    Filed: April 27, 2022
    Publication date: November 2, 2023
    Inventors: Meir Baruch BLACHMAN, Itamar AZULAY
  • Publication number: 20230319072
    Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that a client device is to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.
    Type: Application
    Filed: March 8, 2023
    Publication date: October 5, 2023
    Inventors: Itamar AZULAY, Guy LEWIN, Sharon LIFSHITS
  • Publication number: 20230236853
    Abstract: Methods and systems are provided for a browser in a client device that receives a user interface script-code snippet from a web page. A chain logic engine determines whether an in-memory map indicates an output value of prior execution of the UI script-code snippet. If the in-memory map does indicate the output value, it is returned from the in-memory map to generate the user interface. If not, the engine determines whether an in-local storage map indicates the prior executed snippet output. If the in-local storage map indicates the prior executed snippet output, it is returned from the in-local storage map to generate the user interface, and it is stored in the in-memory map. If not, the UI script-code snippet is executed to generate the output value, which is used to generate the user interface, and is stored in the in-memory map and in the in-local storage map.
    Type: Application
    Filed: March 31, 2023
    Publication date: July 27, 2023
    Inventors: Itamar AZULAY, Amir GERI, Guy LEWIN, Yossi HABER, Meir Baruch BLACHMAN
  • Publication number: 20230007016
    Abstract: The disclosure is directed towards proxy services for the secure uploading of file-system tree structures. A method includes receiving, at a web security service, an indication that a client device is to upload content to a storage cloud provider. The proxy service performs a security scan of the content while the content is stored on the client device. A security and/or a privacy concern is identified in the content stored on the client device. A security and/or privacy mitigation action is performed in response to identifying the security and/or privacy concern.
    Type: Application
    Filed: June 30, 2021
    Publication date: January 5, 2023
    Inventors: Itamar AZULAY, Guy LEWIN, Sharon LIFSHITS
  • Publication number: 20220417289
    Abstract: The disclosure is directed towards controlling the persistency of information provided to a service worker. A method includes receiving a response that includes response data. The response is received at a security service and was transmitted by a second computing device in response to receiving an information request from a first computing device. The first computing device implements a service worker. Sensitive data included in the response data is identified. The response includes caching instructions that instruct the service worker to cache the sensitive data at the first computing device. In response to identifying the sensitive data, the caching instructions are updated such that any portion of the response data that the updated caching instructions instruct the service worker to cache at the first computing device excludes the sensitive data. The updated response is transmitted to the first computing device and includes the response data and the updated caching instructions.
    Type: Application
    Filed: June 23, 2021
    Publication date: December 29, 2022
    Inventors: Itamar AZULAY, Ishay HILZENRAT, Sharon Itshak LIFSHITS, Meir BLACHMAN
  • Publication number: 20220201084
    Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to obtain an encryption key from a user. The processor may identify session activity data during a proxy session of the user and may encrypt the identified session activity data using the encryption key obtained from the user. The processor may store the encrypted session activity data.
    Type: Application
    Filed: December 17, 2020
    Publication date: June 23, 2022
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Itamar AZULAY, Tomer CHERNI
  • Publication number: 20220150280
    Abstract: Context menu item operations pose risks to sensitive data, such as confidentiality violations from data exfiltration during “search” or “translate” communications with external sites, as well as “paste”, “delete”, “move” and other context menu item operations that may harm data integrity or data availability even if no external site is involved. Control scripts injected by a security broker or proxy, working with event listeners in a web page, may be used to monitor and control web browser context menu item displays and functionalities based on suggested or mandated context menu policy actions obtained from a policy server. Policy that is specific to context menus is also enforced in other interactive programs that use context menus, thereby protecting sensitive data against both malevolent efforts and innocent mistakes. Protection may be provided for any kind of sensitive data, regardless of the sensitivity designation criteria or mechanism.
    Type: Application
    Filed: November 6, 2020
    Publication date: May 12, 2022
    Inventors: Itamar AZULAY, Ishay HILZENRAT, Tomer CHERNI
  • Publication number: 20210124536
    Abstract: Restricting the printing of sensitive electronic documents. After the client downloads a document (e.g., by viewing the document in a web browser), the client intercepts a print command, pauses the print, and issues a print request to a server. From a server perspective, upon receiving the request, the server determines whether the document is print restricted. If not, the print operation is permitted to proceed. If so, the server responds negatively to the print request and alters the document so that, even if printed, sensitive information is not printed. In another embodiment, the server may restrict printing prior to downloading a document. For example, the server may make the document read-only, or replace the document with another printable document that does not contain sensitive content.
    Type: Application
    Filed: October 29, 2019
    Publication date: April 29, 2021
    Inventors: Itamar AZULAY, Itay LEVY, Yossi HABER
  • Publication number: 20210109992
    Abstract: Securing inter-frame communication within a web page. First, receipt of a request from a client for accessing a web page document is detected. The request includes a URL that identifies the web page document. The web page document has a tree structure that includes a top parent object and multiple child objects. The multiple child objects include at least a first child object associated with a first domain and a second child object associated with a second domain. The web page document is retrieved from a location corresponding to the URL. The code of the retrieved web page document is then modified to enable secure communication between modified code of the first child object and modified code of the second object. Finally, the modified web page document is sent to the client.
    Type: Application
    Filed: October 14, 2019
    Publication date: April 15, 2021
    Inventors: Nir Mardiks RAPPAPORT, Vikas MALIK, Itamar AZULAY
  • Publication number: 20210067494
    Abstract: Communication between web frames increases consistent application of security policies, without reducing security. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a control frame child creation in frame creation or frame navigation code. The control frame child code only permits setting and retrieving data of a browser store, using postMessage() without reference to external resources or external scripts. Safely sharing message data this way between frames allows the proxy to ascertain a policy based on the shared data, so the proxy and browser can apply the policy in reactions to subsequent requests, allows window frames to be associated together in the proxy, allows initialization control, supports reporting, and otherwise enhances browsing without reducing security.
    Type: Application
    Filed: September 4, 2019
    Publication date: March 4, 2021
    Inventors: Itamar AZULAY, Itay LEVY, Lucy GOLDBERG
  • Publication number: 20210006544
    Abstract: Sharing context between web frames increases consistent application of security policies, without requiring changes to a document object model. A proxy receives a first request implicating a first web frame and its URL, potentially issues a sub-request and gets a sub-response, and creates a first response to the first request, including a context in frame creation or frame navigation code. Thus, context such as a domain identification is made available for sharing between the first web frame and a second web frame without altering a document object model of a web page of the first web frame, and without imposing a same-origin policy workaround. Sharing the context allows the proxy to ascertain a policy based on the context, so it can apply the policy in reactions to subsequent requests. Context sharing allows window frames to be associated together in the proxy, and informs browser rendering.
    Type: Application
    Filed: July 3, 2019
    Publication date: January 7, 2021
    Inventors: Guy LEWIN, Itamar AZULAY, Lucy GOLDBERG
  • Publication number: 20210006595
    Abstract: A domain is automatically attributed to a cloud application hosted on a cloud service. The attribution of a domain with a cloud application is used to initiate session policies that protect the cloud applications. A security session monitors the operations performed by a user with a cloud application and applies session policies that are pre-configured automated actions used to protect a particular cloud application, such as blocking downloads, blocking modifications, etc.
    Type: Application
    Filed: July 3, 2019
    Publication date: January 7, 2021
    Inventors: Itamar AZULAY, Idan GADOT, Amir GERI
  • Publication number: 20200236102
    Abstract: Techniques are disclosed for session control of a client-side native application that utilizes a browser for an authentication process. A login request from the browser is received in a proxy service, which scans the request for a URL redirecting back to the native application. The URL is modified to redirect the login request to a policy endpoint to determine if the request is allowed based on policy applied to the native application and browser. If the request is allowed, the policy endpoint restores the URL redirecting to the native application and bypasses the request to resume normal authentication flow. If the request is prohibited, a failure message is sent to the browser. Some implementations may include injection of browser detection code into the browser to determine which variant of the browser is used and sending the browser data regarding the variant to the policy endpoint for consideration in applying policy.
    Type: Application
    Filed: January 21, 2019
    Publication date: July 23, 2020
    Inventors: Itamar AZULAY, Yossi HABER
  • Publication number: 20200167446
    Abstract: Methods, systems, and media are shown for session control by a proxy service of client-side applications in a client. A service request from a client is received by the proxy service and forwarded to a service provider, which sends a service response with a document. Event monitoring code is injected into the document and the response is forwarded to the client. The event monitoring code intercepts a user action and sends a query to the proxy service to determine whether the user action is permitted. The proxy service checks the user action against access data defined for the document and sends a query response to the event monitoring code indicating whether the user action is permitted. If the user action is permitted, the event monitoring code allows normal execution flow. If the user action is denied, the code blocks further execution.
    Type: Application
    Filed: November 26, 2018
    Publication date: May 28, 2020
    Inventors: Itamar AZULAY, Yossi HABER