
Website Management - Browser Variation

I have blocked some URLs by categorising them using a blocked category, but the blocks are not working across different browsers.

The URLs are correctly blocked by Edge and Firefox, but Google Chrome allows access.

I've not come across this problem before. Any ideas what is happening?

TIA

MisterBoo



This thread was automatically locked due to age.
  • Do you have an example domain that isn't being blocked?

  • Of course, but be warned that this is hosting a document containing phishing links....
    spark.adobe.com/page/59pE4SzohUVP6/
  • Is that the exact URL you are visiting in the browser?

    Could you provide the details of the entry as defined in policy as well that has a "blocked" tag?  I'd like to reproduce it but probably need both.

  • Sorry for the delay.

    I suspect the problem is related to the browser forcing HTTPS.  "How to Stop Chrome from Automatically Redirecting to https" (Howchoo) was the first link Google found for me about this feature.

    The Sophos client proxy (swi_fc.exe) that the traffic is routed through from the browser process does not decrypt traffic.  Because of this, if the traffic is HTTP, it gets to see the entire URL, headers, etc.  In the case of HTTPS, it is only able to see the domain name from the SNI (part of the TLS client hello handshake).  As a result, it will block sites visited via HTTPS based on categories for the domains seen, but not for specific URLs.

    C:\ProgramData\Sophos\Web Control\Policy\ contains the policy fragments for the web control policy.  In this case, the EP has the following defined:

     Policy.localsitelist[#Policy.localsitelist + 1] = {['rule_id']='LSL_1',['category']='9',['domain']='spark.adobe.com',['path']='page/59pE4SzohUVP6/'}

    So the domain and path are split.  Given the implementation, the path part could never be seen by swi_fc.exe over HTTPS, which has to be the issue.

    I assume if you explicitly request it with the HTTP protocol from Chrome it will work, and that is why the browser behaviour is different.

    The replacement web protection/control component that is about to be released to EAP does inspect all the traffic so I would think it would work then.
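
An added example, not part of the original post and not Sophos code: it reads the first bytes of a plain HTTP request and of a TLS ClientHello (both constructed here) the way a non-decrypting proxy would, and shows that the path in the quoted `LSL_1` rule is only visible over HTTP. The function names and the matching logic in `rule_applies` are assumptions made for illustration.

```python
import struct

# Rule copied from the policy line quoted in the post above.
RULE = {"rule_id": "LSL_1", "category": "9",
        "domain": "spark.adobe.com", "path": "page/59pE4SzohUVP6/"}

def build_client_hello(host):
    """Construct a minimal TLS ClientHello carrying only an SNI extension (sample input)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)   # version, random, sid, ciphers, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(data):
    """Return the server_name from a ClientHello record, or None if absent."""
    pos = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]                                   # session id
    pos += 2 + int.from_bytes(data[pos:pos + 2], "big")    # cipher suites
    pos += 1 + data[pos]                                   # compression methods
    end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        if etype == 0:
            nlen = int.from_bytes(data[pos + 7:pos + 9], "big")
            return data[pos + 9:pos + 9 + nlen].decode()
        pos += 4 + elen
    return None

def observe(first_bytes):
    """What a non-decrypting proxy can read: (host, path) for HTTP, (SNI, None) for TLS."""
    if first_bytes[:1] == b"\x16":                         # TLS handshake record
        return parse_sni(first_bytes), None
    head = first_bytes.decode("latin-1").split("\r\n")
    path = head[0].split(" ")[1].lstrip("/")
    host = next(h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:"))
    return host, path

def rule_applies(rule, host, path):
    """Assumed matching: domain must match; a rule with a path also needs a visible path."""
    path_ok = not rule["path"] or (path is not None and path.startswith(rule["path"]))
    return host == rule["domain"] and path_ok

# Constructed sample traffic for the same page over HTTP and over HTTPS.
HTTP_REQ = b"GET /page/59pE4SzohUVP6/ HTTP/1.1\r\nHost: spark.adobe.com\r\n\r\n"
TLS_HELLO = build_client_hello("spark.adobe.com")
```

With these samples, `rule_applies(RULE, *observe(HTTP_REQ))` is true and `rule_applies(RULE, *observe(TLS_HELLO))` is false, while the same rule with an empty `path` matches both.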
