Policy bypassed sites could have issues with loading resources that are not bypassed by policy.

For example, say the policy defines www.youtube.com as a bypassed site. When Youtube loads, it requests different resources (videos, images, ads). These resources can reside on different domains, which do not correspond to the same "Bypass Youtube" rule.

To allow bypassed sites to render properly, we use a "Transitive Bypass " logic.  In high level, if we have a bypassed site that tries to load non-HTML resources, we modify the verdict of the resources that were referred by the site to bypass as well.  For example, if www.example.com is bypassed and the site tries to load some javascript file from a different domain, we "Bypass" this network request even though that domain verdict could be defined differently in the policy.  As the "Transitive Bypass" is more focused on the connectivity aspect rather than the security one, it is possible to define the "Transitivity verdict" as Inspect.  You can do so via the "Policy Advanced Settings"→ non_html_isolation_fallbacksetting. See the "Transitive Inspect troubleshooting" section below for more details.

Place holder article