When the proxy opens HTTPS connections, browsers configured for explicit proxy send a
CONNECT message. The message contains the origin content server (OCS) hostname and informs the proxy that the client is about to open a tunnel to that host. What happens next depends on the authentication mode specified in policy:
- If form-cookie mode is in use (or when no authentication mode is specified), the proxy does not return a redirect. The browser does not present the CAPTCHA form, and users cannot complete validation.
- If form-cookie-redirect is in use, the proxy returns a redirect; however, browsers do not follow redirects sent in response to a CONNECT message. The browser displays an error message, and users cannot complete validation.
Note: Because
CONNECT messages are meant for the proxy and not the OCS, they do not contain cookies.