Configure Prisma Access Browser Browser Security Controls
Focus
Focus
Prisma Access Browser

Configure Prisma Access Browser Browser Security Controls

Table of Contents

Configure Prisma Access Browser Browser Security Controls

Configure browser security controls for Prisma Access Secure Enterprise Browser (Prisma Access Browser).
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role
You can configure the controls in the following ways:
The following topics only display one way.

Browser Security – Browser Session

Browser Lock

Mobile Browser - Partial support
The Prisma Access Browser includes a lock screen feature enabling you to apply an extra layer of security to your browser. If the Browser Lock is enabled, users will need to enter a PIN code or a Passkey to unlock the browser upon first use, or after a configurable idle time has elapsed. This feature is especially useful for Unmanaged devices. For Unmanaged devices, you are not able to configure a device lock. This feature allows you to protect the enterprise data by configuring a lock on the browser.
This PIN code is browser-dependent and is not related to the SSO password.
The Prisma Access Mobile Browser relies on the native device screen lock, and not the lock that is included in the PrismaPrisma Access Browser tool. The PIN length and Maximum Failed Attempts will be ignored.
The Authentication method is configured in Browser Security -> Authentication Factor.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Browser Lock.
  3. Select one of the following options:
    • Enable - enable the Browser lock.
      • Select the Idle time - 1 minute to 12 hours (or never). This is the time that must elapse before the Browser Lock screen appears.
    • Disable - the Prisma Access Browser will disable malicious file protection.
  4. Click Set.

Flush Browser Data

Mobile Browser - Partial support
This policy creates temporary browser sessions. This means that browser data will be cleared upon close, or after a configured time period.
The Prisma Access Mobile Browser supports flushing data when the browser closes. Configuring periodic flushing on the mobile browser will have no impact.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Flush Browser Data.
  3. Select one of the following options:
    • Enable - the Prisma Access Browser flush the browser data.
      • Select the attributes to clear:
        • Browsing history
        • Download history
        • Cookies and other site data
        • Cached images and files
        • Passwords and Passkeys
        • Autofill
        • Site settings.
        • Host app data
      • Select the trigger for the browser flush action:
        • Browser close - the data will be flushed when the browser is closed.
        • Time period - the data will be flushed after the configured time elapsed. If this option is selected, you can set the flush time from 1-24 hours.
    • Disable – disable the Browser flush feature.
  4. Click Set.
    i

Concurrent Browser Sessions

Mobile Browser - Partial support
This policy allows you to determine the maximum number of devices that a user can have logged into the browser at one time. This includes both the Prisma Access Browser and the Prisma Access Mobile Browser.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Concurrent number of devices.
  3. Select one of the following options:
    • Limit number of devices - You will be able to limit the number of browser session concurrently. You can set the maximum to between 1 and 5 concurrent sessions per user.
    • Unlimited number of devices – There is no limit to the number of concurrent sessions that users can have.
  4. Click Set.

Browser Security – Browser Hardening

Cast

Mobile Browser - No support
This feature controls the ability to screencast a tab or the desktop via the Prisma Access Browser.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Cast.
  3. Select Allow to permit casting or Block to deny casting.
  4. Click Set.
  5. Restart the browser to apply this feature.
    i

Developer Tools

Mobile Browser - No support
This feature actively controls users' ability to open Developer Tools or manually load browser extensions in "Developer Mode" via "load unpack". It can also assist with preventing users from running unauthorized JavaScript code in the Developer Tools console.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Developer Tools.
  3. Select Allow to permit the Developer options, or Block to deny their use.
  4. Click Set.
    Restart the browser to apply this feature.

Password Saving

Mobile Browser - Full support
This feature determines whether the browser will be able to save passwords for websites.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Password Saving.
  3. Select one of the following options:
    • Allow - Users will be able to save passwords in the browser.
    • Block - Users will be restricted to save passwords in the browser.
  4. Click Set.

Autofill of Forms

Mobile Browser - No support
This feature determines whether or not the browser will store information to autofill forms.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Autofill of Forms.
  3. Select one of the following options:
    • Allow – The browser will save information to autofill forms in the future.
    • Block – The browser will not save form information to be filled automatically in the future.
  4. Click Set.

Autofill of Credit Cards

Mobile Browser - No support
This feature determines whether or not the browser will allow users to store credit card information.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Autofill of Credit Cards.
  3. Select one of the following options:
    • Allow – Prisma Access Browser will be able to save credit card details.
    • Block – Prisma Access Browser will be restricted from saving credit card details for future use.
  4. Click Set.

Native Messaging Hosts

Mobile Browser - No support
Native Messaging Hosts allows the software installed on the device to communicate with Prisma Access Browser and its installed extensions, and vice versa. Enterprise software that interacts with the browser typically requires you to select "Allow only hosts installed with admin permissions."
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Native Messaging Hosts.
  3. Select one of the following options:
    • Allow – the browser will be able to communicate with Native Messaging Hosts.
    • Allow only hosts installed with admin permissions
    • Block – the browser’s use of Native Messaging Hosts will be restricted.
  4. Click Set.

JavaScript Running from Omnibox

Mobile Browser - No support
This feature determines whether or not users will be able to run JavaScript code from the browser omnibox (Address Bar). Users may exploit this functionality to manipulate web pages using JavaScript.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select JavaScript Running from Onmibox.
  3. Select one of the following options:
    • Allow – the Prisma Access Browser will allow JavaScript to run from omnibox..
    • Block – the Prisma Access Browser will restrict JavaScript from running from omnibox.
  4. Click Set.

Keylogging Protection

Mobile Browser - No support
This policy allows you to determine if keylogging protection will be enabled. Keylogging tools can monitor and report a user's actions as they interact with the computer. As the name suggests, a keylogger records what the user types, and reports the information back to whoever installed the logger.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Keylogging Protection.
  3. Select one of the following options:
    • Allow – Keyloggers will be prevented from listening to keystrokes typed on Prisma Access Browsers.
    • Block – Keylogging protection is turned off.
  4. Click Set.

Popups

Mobile Browser - No support
With this feature, you can control the display of popups in the browser.
The popups can be allowed, allowed with exceptions, blocked, or blocked with exceptions.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Popups.
  3. Select one of the following options:
    • Allow – Popups will be permitted in the browser. You can specifically exclude domains from being allowed. This will block popups from those domains only.
    • Block – Popups will be blocked. You can specifically exclude domains from being blocked. This will allow popups from those domains only.
  4. Click Set.

Notifications

Mobile Browser - No support
You can use this feature to control notifications being displayed within the browser. The notifications can be allowed, allowed with exceptions, blocked, or blocked with exceptions.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Notifications.
  3. Select one of the following options:
    • Allow - Notifications will be permitted in the browser. You can specifically exclude specific domains. This will block notifications from these domains.
    • Block - Notifications will be blocked. You can specifically exclude specific domains from the rule. This will allow popups from those domains only.
  4. Click Set.

Authentication Factor

Mobile Browser - No support
You can use this feature to configure the settings for the Authentications methods. When you need to enable the Browser Lock or step-up MFA across the different data controls, this control is needed to select the options for the lock.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Authentication Factor.
  3. Select one of the following options:
    • PIN Code – configure the size of the code (between 4-6 digits) and the number of attempts that can be made before the account will be locked out.
    • Passkey – select whether the passkey will be an Internal or External authenticator.
  4. Click Set.

Browser Security – Network Protection

Pages with SSL Errors

Mobile Browser - No support
This feature manages how the Prisma Access Browser will react when it encounters a page with an SSL error. In general, most browsers ask for permission to "Proceed to [FQDN] (unsafe)".
Since SSL errors can occur during an SSL MitM attack, you can use this control to block the "Proceed..." functionality.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Pages with SSL Errors.
  3. Select one of the following options:
    • Allow - Allow users to bypass the blocking page when an SSL issue is identified.
    • Block – the Prisma Access Browser will block the "Proceed..." option when an SSL issue is identified.
  4. Click Set.

DNS-Over-HTTPS

Mobile Browser - No support
This feature manages the DNS resolution over the HTTPS protocol. It is used for encrypting requests.
This assists in preventing MitM attacks.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select DNS-Over-HTTPS.
  3. Select one of the following options:
    • Enable - Enter the following information:
      Upon DNS over HTTPS resolve failure:
      • Fail-open: Resolve using plain DNS.
      • Fail-close: Do not resolve.
    • Enter the DNS-over-HTTPS resolver's URL.
    • Disable – Prisma Access Browser will not enable DNS over HTTPS resolution.
  4. Click Set.

Trusted Certificate Authorities

Mobile Browser - Partial support
This feature manages how the Prisma Access Browser will react when it encounters a page with an SSL error. In general, most browsers ask for permission to "Proceed to [FQDN] (unsafe)".
Since SSL errors can occur during an SSL MitM attack, you can use this control to block the "Proceed..." functionality.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Trusted Certificate Authorities.
  3. Select the certificate authorities that are to be trusted by the Prisma Access Browser (this limits the trust to certificates that are already trusted):
    • Device trust store - Trust the certificate authorities installed in the device's certificate store.
    • Prisma Access Browser trust store - Trust only certificate authorities that are trusted by Palo Alto Networks, and ignores certificates installed in the Device trust store.
    • None - Do not trust certificates in any trust store.
  4. Additional trusted certificate authorities- Add customer-provided certificates not already trusted by the Prisma Access Browser..
    1. Enter a name for the certificate.
    2. Drag or Browse a certificate in .pem, .der, .crt, or .cer formats.
  5. Click Set.

Basic Authentication over HTTP

Mobile Browser - No support
This feature controls whether the Prisma Access Browser can use Basic Authentication over HTTP websites.
Since Basic Authentication sends authentication tokens in clear text, sending them over HTTP can be visible to attackers as part of a MitM attack.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Basic Authentication over HTTP.
  3. Select one of the following options:
    • Allow - allow Prisma Access Browser to use Basic Authentication over HTTP websites.
    • Block – block Prisma Access Browser from using Basic Authentication over HTTP websites.
  4. Click Set.

Pages with Insecure Content

Mobile Browser - No support
This feature controls whether users can load insecure content (data located on HTTP servers) to secure websites (located on HTTPS servers).
You can choose to exclude specific domains from this feature when there are specific applications that need an exception to the rule.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Pages with Insecure Content.
  3. Select one of the following options:
    • Allow- Prisma Access Browser will allow insecure content.
      1. Exclude specific domains - list domains that will receive an exception to the rule.
    • Block – Prisma Access Browser will not allow insecure content.
      1. Exclude specific domains - list domains that will receive an exception to the rule.
  4. Click Set.

Force HTTPS

Mobile Browser - No support
You can force the use of the HTTPS protocol, minimizing the risk of MitM attacks.
You will be able to force HTTPS for all domains, force HTTPS but exclude certain domains, or disable forced HTTPS and work without any restrictions.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Force HTTPS.
  3. Select one of the following options:
    • Enable- Prisma Access Browser will require use of the HTTPS protocol. You can select specific domains that will be excluded - meaning that these domains will not require the HTTPS protocol.
    • Disable – Prisma Access Browser will not require use of the HTTPS protocol.
  4. Click Set.

Post-Quantum Key Support

Mobile Browser - No support
This feature manages the ability to enable or disable the use of post-quantum key agreement protocols within TLS (Transport Layer Security). Post-quantum cryptography refers to algorithms designed to be secure against quantum computer attacks, which could potentially break traditional cryptographic methods. While enabling this feature enhances security by preparing for future quantum threats, it may cause compatibility issues with existing network security products that do not yet support or recognize post-quantum algorithms. Disabling it may help avoid these conflicts, but it reduces future-proofing against emerging quantum-based vulnerabilities.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Post-Quantum Key Security.
  3. Select Enable to permit the use of Post-Quantum Key Security, or Block to deny the use.
  4. Click Set.

Browser Security – Extensions

Allowed or Blocked Extensions

Mobile Browser - No support
Allowed or Blocked Extensions give you control over which extensions are permitted in the Prisma Access Browser.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Allowed or Blocked Extensions.
  3. Select one of the following options:
    • Allow all - allow all extensions.
    • Block specific extensions - you can select specific extensions to block. The extension must be identified by its ID.
    • Allow only specific extensions - you can select specific extensions to permit. The extension must be identified by its ID.
    • Block all - block all extensions.
  4. Click Set.

Block Extensions by Permission

Mobile Browser - No support
This control allows you to block extensions based on their required permissions.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Block Extensions by Permission.
  3. Select one of the following options:
    • Grant all permissions - permit running extensions without regard to their required permissions.
    • Block extensions that use specific permissions - block that requires specific permissions. Permissions that were not selected will be permitted. You can select as many permissions as required.
  4. Click Set.

Hide Sensitive Data from Extensions

Mobile Browser - No support
This control allows you to hide sensitive data - any data that can compromise user information and be used for illicit logins - from extensions.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Hide Sensitive Data from Extensions.
  3. Select one of the following options:
    • Enable - enable hiding sensitive data from extensions.
    • Disable - do not hide sensitive data from extensions.
  4. Click Set.

Restrict Extension Host Permissions

Mobile Browser - No support
This control allows you to hide sensitive data - any data that can compromise user information and be used for illicit logins - from extensions.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Restrict Extension Host Permissions.
  3. Select one of the following options:
    • Enable - prevent extensions from running scripts and accessing content.
    • Enable for specific domains - prevent extensions from running scripts and accessing content from specific domains. Click here to see information regarding domain syntax.
    • Disable - do not prevent extensions from running scripts and accessing content.
  4. Click Set.

Browser Security – Internet Explorer Compatibility Mode

Internet Explorer Compatibility Mode

Mobile Browser - No support
Microsoft has announced end-of-support dates for different versions of IE. For more information, refer to Microsoft's Lifecycle FAQ.
Organizations may require compatibility with Internet Explorer, as they are running internal legacy websites.
You can select these particular sites and allow users to access them in the Prisma Access Browser using Internet Explorer Compatibility Mode. This will render the application or site as if it were being accessed via Internet Explorer.
The Prisma Access Browser Internet Explorer ~Compatibility Mode is compatible with the Internet Explorer browser version 11.
Click here for more information regarding entering URLs.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Internet Explorer Compatibility Mode.
  3. Select one of the following options:
    • Enable compatibility mode - You need to add the target URLs that need Internet Explorer Compatibility.
    • No compatibility mode support - Users will not be able to use sites that require IE Compatibility.
  4. Click Set.

Browser Security – Printers

Allowed Printers

Mobile Browser - No support
The Prisma Access Browser allows you to configure particular printers for users who need to print from the browser. This provides an additional level of security, where end-users will only be able to print to permitted devices, such as printers in the office.
This feature does not preclude users from printing from other devices when using applications not managed through the Prisma Access Browser.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Allowed Printers.
  3. Select one of the following options:
    • No printers – end-users cannot print from the browser.
    • Set printers - Click Add Printer to enter the network location of each printer that end users will be able to select when printing is required.
  4. Click Set.

Browser Security – Privacy

Third-party Cookies

Mobile Browser - No support
The Prisma Access Browser allows you to configure particular printers for users who need to print from the browser. This provides an additional level of security, where end-users will only be able to print to permitted devices, such as printers in the office.
This feature does not preclude users from printing from other devices when using applications not managed through the Prisma Access Browser.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Third-party Cookies.
  3. Select one of the following options:
    • Allow - Third-party elements can set cookies.
    • Block - Third-party elements cannot set cookies.
  4. Click Set.

Browser History

Mobile Browser - No support
The Prisma Access Browser allows you to configure particular printers for users who need to print from the browser. This provides an additional level of security, where end-users will only be able to print to permitted devices, such as printers in the office.
This feature does not preclude users from printing from other devices when using applications not managed through the Prisma Access Browser.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Browser History.
  3. Select one of the following options:
    • Enable - browser history is saved.
    • Disable - browser history is not saved, and tab syncing is disabled. This setting cannot be changed by users.
    • Block Deletion - browser history and download history cannot be deleted.
  4. Click Set.

Cookies

Mobile Browser - No support
This policy controls the ability to store cookies on the browser. It allows companies to keep the data only for the session to avoid theft of the credentials.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Cookies.
  3. Select one of the following options:
    • Allow - default cookies behavior, as controlled by the end-user.
      After choosing this option, you can select specific domains to exclude. This means that the selected domains will not be able to set cookies.
    • Block - do not allow any websites to set the local data.
      After choosing this option, you can select specific domains to include. This means that the selected domains will be able to set cookies.
    • Session only - keep cookies for the duration of the session. After choosing this option, you can select the URLs that will keep cookies for the duration of the session.
  4. Click Set.

Browser Security – Anti-exploitation (Attack surface reduction)

Anti-exploitation controls enable you to reduce the potential attack surface of the browser. These controls effectively limit usage of browser components that are complex and are occasionally found to contain vulnerabilities. While the latest version of the browser would never include known vulnerabilities, disabling unnecessary components limits the potential exposure between when a vulnerability is found and the time it is fixed.
You should be aware that by disabling these components, you may impact some web page functionality. To minimize the impact on end-users, a non-intrusive dialog will be displayed if a capability is canceled. You need to be aware of these dialogs and the corresponding events in case users report issues with web pages. For example, disabling WebGL may impact functionality of an online maps website. When the users complain, you can identify the issue by looking for corresponding events and dialogs when users browse to these sites.
When a web page is affected by a disabled component, an abbreviated message is shown. The message will pop up again every 2 hours if you revisit the website. The system will also generate a log event.

JavaScript v8 JIT

Mobile Browser - No support
Just-in-time (JIT) helps improve the performance of JavaScript code by compiling bytecode into native machine code at run time.
This anti-exploitation policy controls the use of the JavaScript v8 JIT mechanism, which can be potentially exploited.
In addition, disabling JIT activates multiple vulnerability mitigation techniques, including Control Flow Guard (CFG), Control-flow Enforcement Technology (CET), and Arbitrary Code Guard (ACG).
Note: Disabling JavaScript v8 JIT may impact browser performance.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select JavaScript v8 JIT.
  3. Select one of the following options:
      1. Allow - allow the use of JavaScript v8 JIT.
      2. Block- block the use of JavaScript v8 JIT.
      3. To exclude specific applications, enter their domains into the exclusion list. Click here for more information regarding entering URLs.
  4. Click Set.

WebRTC

Mobile Browser - No support
Web Real-Time Communication (WebRTC) is an open-source project that enables real-time voice, text, and video communication capabilities between web browsers and devices.
This anti-exploitation policy controls the use of the WebRTC protocol, which can be potentially exploited.
Note: Disabling WebRTC will prevent some video conferencing tools, including Microsoft Teams and Google Meet from working. To overcome this issue, add their domains to the exclusion list as described below.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select WebRTC.
  3. Select one of the following options:
      1. Allow - Allow the use of WebRTC.
      2. Block- Block the use of WebRTC.
      3. To exclude specific applications, enter their domains into the exclusion list. Click here for more information regarding entering URLs.
  4. Click Set.

PDFium

Mobile Browser - No support
The PDFium library is used to render PDF files in Chromium browsers.
This anti-exploitation policy controls the use of the PDFium library, which can be potentially exploited.
When PDFium is disabled, the Prisma Access Browser will not be able to open regular or protected PDF files.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select PDFium.
  3. Select one of the following options:
      1. Allow - Permit use of the PDFium library to render PDF files.
      2. Block- Block use of the PDFium library to render PDF files.
  4. Click Set.

WebGL API

Mobile Browser - No support
WebGL is a JavaScript-based API that is used for rendering high performance interactive 2-and 3D graphics using hardware graphics acceleration features provided in the user's device.
This anti-exploitation policy controls the use of the WebGL API, which can be potentially exploited.
Note: Disabling WebGL API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select WebGL API.
  3. Select one of the following options:
      1. Allow - Permit use of the WebGL API.
      2. Block- Block use of the WebGL API.
  4. Click Set.

File System API

Mobile Browser - No support
The File System Access API (formerly known as the Native File System API and Writable Files API) enables developers to build powerful web apps that interact with files on the user's local device, such as IDEs, photos, video editors, text editors, and more. After a user grants a web app access, this API allows them to read or save changes directly to files and folders on the user's device. Beyond reading and writing files, the File System Access API allows opening a directory and enumerating its contents.
This anti-exploitation policy controls the use of the File System API, which can be potentially exploited.
Note: Disabling File System API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select File System API.
  3. Select one of the following options:
      1. Allow - Permit use of the File System API.
      2. Block- Block use of the File System API.
  4. Click Set.

Sensors API

Mobile Browser - No support
The Sensors API controls access to several different low-level and high-level device sensor types.
This anti-exploitation policy controls the use of the Sensors API, which can be potentially exploited.
Note: Disabling Sensors API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Sensors API.
  3. Select one of the following options:
    • Allow - Permit use of the Sensors API.
    • Block - Block use of the Sensors API.
  4. Click Set.

WebSerial API

Mobile Browser - No support
The WebSerial API provides a method for websites to read from and write to serial devices. The devices can be connected via serial port, or by USB or Bluetooth devices that emulate a serial port.
This anti-exploitation policy controls the use of the WebSerial API, which can be potentially exploited.
Note: Disabling WebSerial API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select WebSerial API.
  3. Select one of the following options:
    • Allow - Permit use of the WebSerial API.
    • Block - Block use of the WebSerial API.
  4. Click Set.

WebBluetooth API

Mobile Browser - No support
The WebBluetooth API provides a way for websites to communicate over GATT (Generic ATTribute Profile) with nearby user-selected Bluetooth devices in a secure and privacy-preserving way.
This anti-exploitation policy controls the use of the WebBluetooth API, which can be potentially exploited.
Note: Disabling WebBluetooth API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select WebBluetooth API.
  3. Select one of the following options:
    • Allow - Permit use of the WebBluetooth API.
    • Block - Block use of the WebBluetooth API.
  4. Click Set.

WebUSB API

Mobile Browser - No support
The WebUSB API is a JavaScript specification for providing secure access from web pages to USB devices.
This anti-exploitation policy controls the use of the WebUSB API, which can be potentially exploited.
Note: Disabling WebUSB API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select WebUSB API.
  3. Select one of the following options:
    • Allow - Permit use of the WebUSB API.
    • Block - Block use of the WebUSB API.
  4. Click Set.

WebHID API

Mobile Browser - No support
The WebHID API is used for providing access for Human Interface Devices. This feature permits access to alternative auxiliary devices, such as secondary keyboards and mouse-pointing devices.
This anti-exploitation policy controls the use of the WebHID API, which can be potentially exploited.
Note: Disabling WebHID API may impact different websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select WebHID API.
  3. Select one of the following options:
    • Allow - Permit use of the WebHID API.
    • Block - Block use of the WebHID API.
  4. Click Set.

Print Preview

Mobile Browser - No support
Print Preview displays the print preview in a new tab, a DOM UI page. The print preview page consists of a left pane that allows for printer selection and printer options and a right pane for displaying the preview and page thumbnails.
This anti-exploitation policy controls the use of the print preview, which can be potentially exploited.
If this is disabled, users will not see a preview of the page or file.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Print Preview.
  3. Select one of the following options:
    • Allow - Permit use of the Print Preview.
    • Block - Block use of the Preview.
  4. Click Set.

Google Cloud Print

Mobile Browser - No support
Google Cloud Print is a discontinued Google service that allows users to print from any Cloud Print-aware application (web, desktop, mobile) on any device in the network cloud to any printer with native support for connecting to Cloud Print services.
This anti-exploitation policy controls the use of the Google Cloud Print API, which can be potentially exploited.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Google Cloud Print.
  3. Select one of the following options:
    • Allow - Permit use of Google Cloud Print.
    • Block - Block use of Google Cloud Print.
  4. Click Set.

QUIC Protocol

Mobile Browser - No support
QUIC (Quick UDP Internet Connections) is a new internet transport protocol developed by Google. QUIC solves several application-layer issues experienced by modern web applications while requiring little or no change from application writers. QUIC is very similar to TCP+TLS+HTTP2 but implemented on top of UDP.
This anti-exploitation policy controls the use of the QUIC protocol, which can be potentially exploited.
Note: Disabling QUIC protocol may impact different websites using it in a legitimate way.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select QUIC Protocol.
  3. Select one of the following options:
    • Allow - Permit use of the QUIC Protocol
    • Block - Block use of the QUIC Protocol.
  4. Click Set.

Web Clipboard API

Mobile Browser - No support
The Clipboard API empowers applications to handle clipboard commands and engage in asynchronous reading from and writing to the system clipboard. This control manages use of the Clipboard API which may be exploited.
When a user attempts to access a domain that is blocked, they will receive an on-screen notification, and a Log event will be created.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Web Clipboard API.
  3. Select one of the following options:
    • Allow - Permit the Web Clipboard API to access the clipboard.
    • Block - Block the Web Clipboard API from accessing the clipboard.
  4. Click Set.

Local Fonts

Mobile Browser - No support
The Local Fonts provides access to the local fonts installed on the device which may be exploited.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyProfilesBrowser Security
  2. Select Local Fonts.
  3. Select one of the following options:
    • Allow - Permit the Prisma Access Browser to access local fonts installed on the device.
    • Block - Block the Prisma Access Browser from accessing local fonts installed on the device.
  4. Click Set.