users accessing internet sites via Cloud SWG using proxy forwarding and IPSEC access methods.

On premise users running on managed virtual desktops.

Due to concerns over CVE-2026-2441 (Google Chrome Zero Day Vulnerability), the Proxy/Cloud SWG admins want to restrict access to approved browsers only.

Chrome/Edge are approved browsers and require updating to the latest 146 version.

Cloud SWG admin wants to create a policy allowing 146.0.7680.80 as well as the next 3 major versions, but noticed the user-agent headers do not include major, minor and build information.

ProxySG.

Cloud SWG.

User-Agent.

With the User-Agent not including all the needed information to restrict what the admins wanted, it was decided to leverage the client hints mechanism to challenge the user-agent for details.

To do this, the admin

• Created a policy that inserted a Response HTTP header with a name / value pair of 'Accept-CH: Sec-CH-UA-Full-Version-List' and
• Created the following policy checking for the Sec-CH-UA-Full-Version-List request header and make sure it only has the supported Edge/Chrome versions allowed
  
  
  ;
  ; Only allow sec-ch-ua-full-version-list HTTP header with Chrome/Edge versions > 146.0.7680.80+  and 147.x.x.x to 149.x.x.x
  ;
  <Proxy>
     request.x_header.sec-ch-ua-full-version-list.regex='Chromium";v="(146\.0\.7680\.([8-9][\d]|[1-9]\d\d))"' allow
     request.x_header.sec-ch-ua-full-version-list.regex='Chromium";v="(14[7-9]|1[5-9]\d|[2-9]\d\d)(\.\d+)+"' allow
     request.x_header.sec-ch-ua-full-version-list.regex='Microsoft Edge";v="(146\.0\.3856\.(6[2-9]|[7-9]\d|[1-9]\d\d))"' allow
     request.x_header.sec-ch-ua-full-version-list.regex='Microsoft Edge";v="(14[7-9]|1[5-9]\d|[2-9]\d\d)(\.\d+)+"' allow
     request.x_header.sec-ch-ua-full-version-list.exists=yes deny
  ;