Some websites are used to convert the data from CSV to JSON.
If you type sensitive data in CSV and click on convert, data can be seen in JSON even though policy should block the sensitive data. No incident is created.
Websites with this issue:
http://csvjson.com/csv2json
http://www.jsondiff.com/
The reason we don't see the detection is that the data is not going over the wire.
The way the website works is that it downloads a script - http://csvjson.com/js/csvjson.min.js - from the website which then executes locally to transform the data entered on the left-hand side from CSV to JSON on the right-hand side. This is done without any network calls.
In HTTP detection. DLP agent only detects the data when it's going over the network. In this case, as the data is getting converted locally no detection is taking place.