Skip to content

Google Chrome

Validate Chrome’s network egress, upload behavior, clipboard/drag-drop, and screen capture deterrence under the Secure Sandbox.

Objectives

  • Enforce deny-by-default egress across IPv4/IPv6; block QUIC/HTTP3, WebRTC STUN/TURN, and DoH/DoT.
  • Ensure uploads (including chunked) respect proxy+pinned roots and fail-closed posture.
  • Verify clipboard/drag-drop boundaries and screen capture/share deterrence.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • Networking deny-by-default with proxy enforcement and pinned roots.
  • DataMotion deny-by-default posture for clipboard/drag/drop/screen capture as applicable.

Controls Under Test

  • runtime.networking.egressDefaultAction, proxy enforcement and pinned roots, UDP/QUIC disabled.
  • runtime.dataMotion.rules[] with channel: "clipboard"|"dragDrop"|"screenCapture"|"screenShare".

Test Scenarios

IDCanonical IDsScenarioProcedureExpected Outcome
SCEN-APP-CHROME-01NET-PROTO-01QUIC/HTTP3 disabledOpen YouTube; verify QUIC ALPN h3 is denied; fallback to HTTPS/TCP.UDP denied; audit shows alpn: "h3" denied or TCP fallback.
SCEN-APP-CHROME-02NET-PROTO-01WebRTC STUN/TURN blockedStart a WebRTC test page; attempt STUN/TURN.UDP/STUN/TURN denied; audit shows protocol=udp or TURN deny.
SCEN-APP-CHROME-03NET-DNS-02DoH/DoT blockedForce DoH in Chrome; attempt resolve.Denied via proxy+pinned roots; audit reason: "dohBlocked".
SCEN-APP-CHROME-04NET-EGRESS-01Direct IPNavigate to http://<IP> (resolved on host).Connection fails without explicit allow.
SCEN-APP-CHROME-05DM-WEB-02Chunked uploadsPerform chunked upload to test server.Denied/rate-limited; no exfiltration.
SCEN-APP-CHROME-06DM-WEB-04Pinning/Proxy outageMitM w/ wrong CA or take proxy down.Connection fails; no direct fallback.
SCEN-APP-CHROME-07DM-CLIP-01Clipboard outboundCopy large text/image in Chrome; paste to host.Denied/processed per policy; audit dataMotion event.
SCEN-APP-CHROME-08DM-DRAG-01Drag-drop outboundDrag a file from Chrome download list to host.Operation blocked per policy.
SCEN-APP-CHROME-09DM-SCREEN-01Screen capture/shareSnipping Tool or share session.Watermark/blur or block per policy; audit reflects outcome.
SCEN-APP-CHROME-10NET-EGRESS-05Env proxy var / flag bypassLaunch Chrome with a system/OS HTTPS_PROXY set to a non-designated proxy or pass a proxy flag if applicable; browse to https://example.com.Denied; audit shows reason: "unauthorizedProxy", proxyEnforced: true.
SCEN-APP-CHROME-11NET-EGRESS-06NO_PROXY bypassSet NO_PROXY=* (system scope) and browse to https://example.com.Denied; audit reason: "proxyBypassAttempt", proxyEnforced: true.
SCEN-APP-CHROME-12NET-EGRESS-08PAC/WPAD hijackConfigure a PAC URL to an unapproved proxy or enable auto-detect (WPAD) with a malicious server; browse to https://example.com.Denied/Ignored; audit reason: "pacNotTrusted" or "wpadBlocked", proxyEnforced: true.
SCEN-APP-CHROME-13NET-EGRESS-09Proxy fail-closedTake the designated proxy down (service stop or blackhole); attempt browsing.Denied; no direct fallback; audit reason: "proxyUnavailable", proxyEnforced: true.
SCEN-APP-CHROME-14NET-EGRESS-10Proxy identity/pinningIntercept the proxy TLS with a wrong CA/cert; attempt browsing.TLS error/handshake failure; audit reason: "certMismatch" or "pinningFailed", proxyEnforced: true.
SCEN-APP-CHROME-15NET-EGRESS-11IPv6 direct egressNavigate to an IPv6 literal (for example, https://[2606:4700:4700::1111]/).Denied; audit ipVersion: 6, action: deny.
SCEN-APP-CHROME-16NET-EGRESS-12CONNECT to non-proxyConfigure system proxy to https://nonproxy.example:443 and browse.Denied; audit reason: "destNotProxy", proxyEnforced: true.
SCEN-APP-CHROME-17HARD-FILES-PREVIEW-01PDF built-in preview (default)Using a policy with fileTypes[].defaultPreviewProvider: "builtInPdf", open a PDF from Files tab or via Chrome capability routing.Built-in PDF preview is used by default; audit fileOp shows preview action, rule.id.
SCEN-APP-CHROME-18HARD-FILES-ASSOC-02Open With (Chrome hidden)With Chrome visibility: "hidden" and an association open action showInOpenWith: true, select Open With → Chrome on a PDF.Chrome does not appear in Applications, but Open With routes to Chrome when authorized; audit authz/fileOp reflect invocation and rule.id.
SCEN-APP-CHROME-19HARD-FILESBYPASS-02Save Page As to UNCFile > Save Page As... and attempt to save to a UNC path like \\\\localhost\\C$ or a mapped drive letter (e.g., Y: mapped to \\\\localhost\\C$).Denied or redirected to overlay/context; SMB egress blocked by policy; audit fileOp deny/virtualize with attempted UNC/mapped path.

Evidence Requirements

  • network events: protocol, destination, action, outcome; include alpn, sni, proxyEnforced, and reason when relevant; include ipVersion for IPv6 tests.
  • dataMotion events: channel, direction, action, outcome, rule.id, priority.

Troubleshooting

  • Ensure Chrome does not force TCP fallback before QUIC is tested; observe ALPN in audit.
  • Use a clean profile to avoid extensions altering network behavior.

Known Limitations & Negative Space

  • Optical capture (camera/phone) is out of scope; use organizational controls.
  • Some enterprise proxies may alter ALPN visibility; rely on audit fields where available.