Web Isolated traffic is not subject to Cloud SWG policy
Article ID: 282059
Products
WSS add-on - Full Isolation
Issue/Introduction
We have forwarded the root domain to web isolation, but after isolation its redirections are not subject to Cloud SWG policy.
Example:
https://huggingface.co is allowed and forwarded to web isolation, but the URL https://huggingface.co/new is blocked by proxy policy.
Direct connections to https://huggingface.co/new are evaluated fine by the proxy and get blocked. However, when we go to https://huggingface.co first (which gets isolated) and redirect from there to https://huggingface.co/new, it does not get blocked.
Environment
Cloud SWG Web Isolation
Cause
To send traffic to Web Isolation (WI), you need to ensure that the site or URL has two key policy rules in place:
Allow Rule: This rule permits the website or URL to be accessed.
Forwarding Rule: This rule directs the allowed traffic to Web Isolation.
Important Points:
If a site hits a block policy, it will not be forwarded to WI.
Once a connection to a website is forwarded to WI, all subsequent redirections from that site are handled by WI servers, bypassing further scrutiny by the Cloud SWG (Secure Web Gateway) policy. In other words, any navigation or redirection within the isolated site won’t go through additional SWG policy checks since WI takes over traffic handling at that point.
Session Behavior on Refresh:
When you refresh a redirected URL, it breaks the WI session, and the traffic is treated as a new connection. This new connection must go through the Cloud SWG policy filters again.
If the refreshed site doesn't meet the allow and forwarding rules or hits a block policy in the SWG, the session will be blocked.
Example with "huggingface.co":
The URL "huggingface.co" works because it is allowed by both the allow rule and the WI forwarding rule.
Once the website is isolated by WI, all subsequent traffic, including any redirection (such as "huggingface.co/new"), is managed by WI servers and no longer subject to Cloud SWG policy checks.
However, if the user refreshes the page, a new session is initiated. This session must pass through the Cloud SWG policies again, and if the site or redirect is blocked at that point, access will be denied.
In summary, WI handles traffic seamlessly after the initial isolation, but refreshing breaks the isolation session and forces the connection to be reevaluated by the Cloud SWG, potentially triggering block policies.
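A policy audit for the behavior described above, written as an added example (it is not Broadcom code and does not use the Cloud SWG policy format). It assumes a simplified, hypothetical rule shape with `allow`, `isolate` and `block` actions, and it flags block rules on a host that also has an isolated entry point, since those blocks only apply to direct connections and refreshes.

```python
from urllib.parse import urlsplit

# Constructed sample policy. This simplified rule shape is an assumption for
# illustration, not the Cloud SWG policy format.
SAMPLE_RULES = [
    {"action": "allow", "url": "https://huggingface.co"},
    {"action": "isolate", "url": "https://huggingface.co"},
    {"action": "block", "url": "https://huggingface.co/new"},
    {"action": "block", "url": "https://blocked.example/"},
]

def _parts(url):
    s = urlsplit(url)
    return (s.hostname or "").lower(), s.path.rstrip("/")

def covers(rule_url, url):
    """Same host, and rule path is a prefix of url path on a segment boundary."""
    rule_host, rule_path = _parts(rule_url)
    host, path = _parts(url)
    return rule_host == host and (path == rule_path or path.startswith(rule_path + "/"))

def evaluate_new_connection(rules, url):
    """Verdict for a fresh connection (direct visit or page refresh)."""
    hits = {r["action"] for r in rules if covers(r["url"], url)}
    if "block" in hits:
        return "block"            # a block hit is never forwarded to WI
    if {"allow", "isolate"} <= hits:
        return "isolate"          # allow rule + forwarding rule both present
    return "allow" if "allow" in hits else "no-match"

def find_unenforced_blocks(rules):
    """Block rules on a host that also has an isolated entry point.

    Navigation inside the isolated session is handled by WI, so these block
    rules only apply to direct connections and refreshes.
    """
    findings = []
    for blk in (r for r in rules if r["action"] == "block"):
        for iso in (r for r in rules if r["action"] == "isolate"):
            same_host = _parts(blk["url"])[0] == _parts(iso["url"])[0]
            if same_host and evaluate_new_connection(rules, iso["url"]) == "isolate":
                findings.append((blk["url"], iso["url"]))
    return findings

if __name__ == "__main__":
    for blocked, entry in find_unenforced_blocks(SAMPLE_RULES):
        print(f"{blocked}: block rule not enforced when reached via isolated {entry}")
```

Each finding is a block rule to review: either stop isolating the parent site or enforce the restriction inside Web Isolation itself.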