Users accessing internet sites via Cloud SWG service using WSS Agents successfully.

Cloud SWG integrated with a dedicated Web isolation tenant.

All internet sites are isolated with the exception of a handful of domains.

When users access a site that is bypassed from isolation e.g. example.com, all works as expected and site renders successfully.

When users browse to google.com (which is isolated), search for the bypassed site example.com and click on th resulting google search response links to browse to example.com (bypassed from isolation), the site fails to render correctly.

Developer tools seems to show that added URL parameters are being sent to non isolation example.com site, and manually removing these headers shows the page render successfully. A sample query string parameter addition includes

/?fireglass_rsn=true#fireglass_params&tabid=xxxxxx&start_with_session_counter=y&application_server_address=sample_tenant-europe-west1.prod.fire.glass

UPE managed Cloud SWG tenant (although also happens with Portal managed tenants).

Dedicated Web isolation tenant.

All Cloud SWG access methods.

The fireglass parameters are included by default when Isolation expects a tab’s navigation to return to Isolation. Any back end web server that checks for URL parameters and errors out when finding unexpected variables could generate an error.

For domains that bypassed from isolation on Cloud SWG, these domains can be added to the Web Isolation tenant policy under Policy Entities > URL Objects > 'Primary Zone exclusions group for URLs' to prevent Isolation from including the parameters.

In the above use case, adding example.com domain to the above list fixed the issue.