Technical Tip: Why there are web monitoring policy false positives on Chrome
| Description | This article describes Why there are web monitoring policy false positives on Chrome. |
| Scope | FortiDLP. |
| Solution | To browse and search faster, Chrome preloads pages possible to visit. This is done by sending the same browser requests as a page that is actively navigated by the user. This means that in such circumstances, preload events will be indistinguishable from genuine browser navigations even if not subsequently visited by the user.
Potential impact: This means that browser events should be visible, or have detections raised for a user visiting a particular site when they did not actually navigate there. For example, if a user visits bbc.co.uk often, are begins typing a different URL beginning with bb, then Chrome may preload bbc.co.uk, which will therefore appear as a browser navigation event, or could trigger a policy where bbc.co.uk is prohibited.
Identifying the problem: One indication that preloading may have occurred is that the Tab URL does not seem to match the website that has been visited. Often, if the URL was typed on a new tab, this will be chrome://newtab/:
However, this is only a potential indication; there is unfortunately no guaranteed method to detect whether or not a page has been loaded by preloading.
Workaround: Preloading can be disabled in Chrome, either via Chrome settings:
Or via GPO, by setting Enable network prediction to Disabled in the Google Chrome ADMX:
 |