Block Sensitive Text Transfers in Browser Applications

Last updated
Save as PDF

Limited Availability: To access the Text Upload Protection feature, contact Skyhigh Support.

Text Upload Protection is designed to prevent the unauthorized transfer of sensitive information through browser‑based text interactions. This capability actively monitors actions such as pasting text and dragging content into web applications. It intercepts inputs at the browser level, ensuring that sensitive data is not inadvertently or maliciously uploaded. This capability functions as a safeguard against data leakage, applying SWG policies to block or control text uploads before they reach the destination application. Because it operates within the browser, Text Upload Protection is application‑agnostic and works across a wide range of services, including cloud storage platforms, collaboration tools, messaging applications, and productivity suites.

This capability scans text before it is transmitted, closing gaps that traditional network-level inspection might miss, especially when technologies such as end-to-end encryption or WebSockets prevent the SWG from analyzing the content. In these situations, browser‑level enforcement ensures sensitive information is detected and blocked before it leaves the user’s environment.

How it Works?

When text is passed to a browser‑based application, whether through pasting or dragging. It is intercepted and submitted to SWG for scanning against the organization’s configured Web and DLP policies.

SWG applies existing Web and DLP rules to identify sensitive data patterns and perform real‑time content inspection before the text is released to the destination application. During this inspection, SWG verifies compliance with the configured policies, including all DLP and other security rules.

If sensitive data is detected or a policy violation occurs, the text upload is blocked, and the application is prevented from processing the content. When Agentless Notification is enabled, the user receives a message stating: The content you attempted to upload is blocked by your organization’s security policy, along with violation details. The block page is tied to the specific policy that was violated and can be customized within the appropriate ruleset.

When these controls are enforced at the browser level, Text Upload Protection makes sure sensitive information is stopped before it is transmitted, even in situations where encryption technologies, such as end‑to‑end encryption or WebSockets, would normally prevent SWG from analyzing the content.

Use Cases for Text Upload Protection in Web DLP

Use Case 1: Prevent Confidential Text Pasted into Unsanctioned Web Chat

A user pastes sensitive financial data into Slack Web chat. SWG inspects the text in real time, detects confidential information, and blocks the upload. With Agentless Notification enabled, the user sees a message explaining the violation. The incident is logged for visibility.

Use Case 2: Stop Source Code via Copilot Web

An employee drags and drops internal source code into Copilot Web. SWG applies DLP policies to detect restricted code content. The action is blocked, preventing exposure of internal resources. The user is notified, and the violation is logged for review.

Enable Text Upload Protection for Browser

Follow the steps below to enable Text Upload Protection:

Navigate to Policy > Web Policy > Policy.
On the Web Policy page, under the Policy Ruleset tree, open the Browser Control ruleset.
Click the three‑dot menu, then under Add New Ruleset, select From Library.
In the Browser Control Rulesets list, check the box for Text Upload Protection.

NOTE: It is recommended to use Agentless Notification in conjunction with Text Upload Protection, allowing users to be notified when actions are blocked.

Click Add to include the ruleset.
Go to Web > Policy > Web Policy > Policy Ruleset > Browser Control > Text Upload Protection.
On the Text Upload Protection page, locate the Text Upload Protection rule.

NOTE: Scope the rule to specific sites or groups of sites where protection is required. Blocking text extraction from every site may reduce usability.

Turn On the toggle to enable the rule.
Review the settings on the page. Then select the yellow badge to save and publish the policy changes.

Text Upload Protection occurs when a text is uploaded to the browser through a text selection dialog or drag-and-drop. If a text violates any configured policy rules, the browser will be blocked from accessing the text.

If Agentless Notification is enabled, a block notification appears to inform the user.
If Agentless Notification is disabled, no pop-up appears, but the upload is silently blocked in the background.

In both cases, the activity is recorded in the Audit Logs and DLP Incident.

Importance of File Upload Pre-scan Scoping

File Upload Pre-scan is most effective when scoped to websites known to prevent inspection. Since SWG cannot scan uploads on encrypted (WhatsApp and Facebook Messenger) or WebSocket-based platforms (Copilot Web), targeting these sites ensures the feature provides actual security value. Secure Web Gateway (SWG) can already scan uploads for most websites, so enabling File Upload Pre-scan for all sites provides minimal additional benefit and may introduce unnecessary overhead. This is because content is uploaded twice during the File Upload Pre-scan process:

First upload. The file is sent to the Secure Web Gateway (SWG) for inspection before it proceeds anywhere else.
Second upload. After inspection, the same file is uploaded again to the destination website or application (for example, WhatsApp, Facebook Messenger, or Copilot Web).

Consider the potential impact on user experience and bandwidth usage, especially for large files or metered network connections, where duplicate uploads may lead to delays or additional charges.

Configure Text Upload Protection Settings

The Text Upload Protection Settings include a key component: Preset Rules

Preset Rules. You can Select Action under Preset Rules. This capability actively monitors multiple browser interactions, including pasting text, dragging text, and dropping URLs.

Select Action

Block All:
Follow the steps below to block all paste and drag options, regardless of content or size.
- Select Block All to block all rules.
- Click the three‑dot menu and choose Select Block Setting.
  
  The Select End User Notification pane appears.
- Choose the required notification from the list.
- Click Save to apply the changes.

Pre‑scan: Select this option to have SWG inspect the text being pasted or dragged and block the action if policy detects sensitive content. The text is scanned against the normal SWG policy. Pre-scan has the following options:
- Set a scan size limit.
- Choose a pre‑scan action if the text size exceeds the limit.
The default action is Block.
The default scan size limit is 1 MB.

Scanning larger amounts of text can reduce performance, increase processing time, and disrupt normal browsing. To help maintain a smooth user experience, the feature scans up to 1 MB of text at a time.

Options when the limit is exceeded:

Block – Recommended for very large images to avoid network lag.
Allow – Permits the download even if the image size exceeds the limit.

Detect Pre-scan Requests in SWG policy

The pre-scan request uses a standardized URL format: https://xxxxxx/Skyhigh/pppppp/aaaaaa. Where xxxxxx represents the domain of the currently loaded page in the browser; pppppp is the SWG policy name which enabled the drag or paste inspection, and aaaaa will be either drag.text or paste.text depending on the action the user is taking.

This URL is logged in DLP incidents and audit logs for visibility and tracking.