Stop Sensitive Text Extraction from Browser Content

Last updated
Save as PDF

Limited Availability: To access the Text Download Protection feature, contact Skyhigh Support.

Text Download Protection is designed to safeguard sensitive information through the prevention of unauthorized extraction of text content from web sources. This rule set actively monitors browser‑level actions such as copying text, dragging text, or dragging URLs from the browser. It intercepts these interactions before the data leaves the browser, ensuring that confidential information is not leaked or misused.

This capability enforces SWG policies through blocking or controlling text downloads to ensure that sensitive data is not misused and publicly available data is not used inappropriately. For example, AI‑generated content may not be permissible to be copied within an enterprise environment. Because it operates directly within the browser, Text Download Protection is application‑agnostic and applies across a wide range of services, including cloud storage platforms, collaboration tools, messaging applications, and productivity suites.

Browser‑level enforcement ensures that sensitive information is detected and blocked before leaving the user’s environment.

How it Works?

When text is copied or dragged from a browser‑based application—such as copying text from a webpage or dragging text into another application from protected sources- it is intercepted through the Skyhigh Web Gateway and scanned against the organization’s configured web and DLP policies.

SWG applies existing Web and DLP rules to identify sensitive data patterns and perform real‑time inspection before the text leaves the browser environment. During this process, SWG verifies compliance with the configured policies, including all DLP and other security rules.

If sensitive data is detected or a policy violation occurs, the text download is blocked, and the user is prevented from extracting the content. When Agentless Notification is enabled, the user receives a message stating: The content you attempted to download is blocked by your organization’s security policy, along with violation details. The block page is tied to the specific policy that was violated and can be customized within the appropriate ruleset.

When these controls run at the browser level, Text Download Protection makes sure sensitive information is stopped, even when technologies such as end-to-end encryption or web sockets would normally prevent SWG from analyzing the content.

Use Cases for Text Download Protection in Web DLP

Use Case 1: Prevent Copying of Confidential Data from HR Portal

A user attempts to copy employee salary details from the HR web portal. SWG inspects the text extraction in real time, detects sensitive data, and blocks the action. The user receives a notification, and the incident is logged for HR security review.

Use Case 2: Prevent Copying of AI‑Generated Content in Enterprise Applications

A user attempts to copy AI‑generated content from a browser‑based application into an enterprise system. SWG inspects the text extraction in real time, detects that the content is not permitted for use within the organization, and blocks the action. The user receives a notification, and the incident is logged for compliance review.

Enable Text Download Protection for Browser

Follow the steps below to enable Text Download Protection:

Navigate to Policy > Web Policy > Policy.
On the Web Policy page, under the Policy Ruleset tree, open the Browser Control ruleset.
Click the three‑dot menu, then under Add New Ruleset, select From Library.
In the Browser Control Rulesets list, check the box for Text Download Protection.

NOTE: It is recommended to use Agentless Notification in conjunction with Text Download Protection, allowing users to be notified when actions are blocked.

Click Add to include the ruleset.
Go to Web > Policy > Web Policy > Policy Ruleset > Browser Control > Text Download Protection.
On the Text Download Protection page, locate the Text Download Protection rule.

NOTE: Scope the rule to specific sites or groups of sites where protection is required. Blocking text extraction from every site may reduce usability.

Turn On the toggle to enable the rule.
Review the settings on the page. Then select the yellow badge to save and publish the policy changes.

Text Download Protection occurs when a text is extracted from the browser through a text selection, dragging text, and URL. If a text violates any configured policy rules, the browser will be blocked from accessing the text.

If Agentless Notification is enabled, a block notification appears to inform the user.
If Agentless Notification is disabled, no pop-up appears, but the download is silently blocked in the background.

In both cases, the activity is recorded in the Audit Logs and DLP Incident.

Importance of File Upload Pre-scan Scoping

File Upload Pre-scan is most effective when scoped to websites known to prevent inspection. Since SWG cannot scan uploads on encrypted (WhatsApp and Facebook Messenger) or WebSocket-based platforms (Copilot Web), targeting these sites ensures the feature provides actual security value. Secure Web Gateway (SWG) can already scan uploads for most websites, so enabling File Upload Pre-scan for all sites provides minimal additional benefit and may introduce unnecessary overhead. This is because content is uploaded twice during the File Upload Pre-scan process:

First upload. The file is sent to the Secure Web Gateway (SWG) for inspection before it proceeds anywhere else.
Second upload. After inspection, the same file is uploaded again to the destination website or application (for example, WhatsApp, Facebook Messenger, or Copilot Web).

Consider the potential impact on user experience and bandwidth usage, especially for large files or metered network connections, where duplicate uploads may lead to delays or additional charges.

Configure Text Download Protection Settings

The Text Download Protection Settings include a key component: Preset Rules

Preset Rules. You can Select Action under Preset Rules. This capability actively monitors copying texts, dragging texts, and dragging URL.

NOTE: If you want to start with pre‑scan, you can enable the pre‑scan feature to ensure texts are checked at the browser level before encryption. For more details, see File Upload Pre-scan.

Select Action

Block All:
Follow the steps below to block all copy and drag actions, regardless of content or size.
- Select Block All to block all rules.
- Click the three‑dot menu and choose Select Block Setting.
  
  The Select End User Notification pane appears.
- Choose the required notification from the list.
- Click Save to apply the changes.

Image 4.1.png

Pre‑scan: Select this option to have SWG inspect the text being copied or dragged and block the action if policy detects sensitive content. The text is scanned against the normal SWG policy. Pre-scan has the following options:
- Set a scan size limit.
- Choose a pre‑scan action if the text size exceeds the limit.

The default action is Block which will unconditionally prevent all copying and dragging of text.

The default scan size limit is 1 MB.

Scanning larger amounts of text can reduce performance, increase processing time, and disrupt normal browsing. To help maintain a smooth user experience, the feature scans up to 1 MB of text at a time.

Options when the limit is exceeded:

Block – Drag and copy operations on text exceeding the size limit will be blocked without triggering inspection by SWG.
Allow – Permits the drag or copy operation even if the text size exceeds the limit.

Detect Pre-scan Requests in SWG policy

The pre-scan request uses a standardized URL format: https://xxxxxx/Skyhigh/pppppp/aaaaaa. Where xxxxxx represents the domain of the currently loaded page in the browser; pppppp is the SWG policy name which enabled the drag or copy inspection, and aaaaa will be either drag.text or copy.text depending on the action the user is taking.

This URL is logged in DLP incidents and audit logs for visibility and tracking.