Chrome Data Compression Proxy for Network Administrators, Carriers, and ISPs

This document provides technical background for network administrators on the Chrome Data Compression Proxy for Android or iOS (henceforth referred to as DCP). It also describes mechanisms that the DCP provides to allow network administrators to restrict access to the proxy for specific users and URLs.

Proxy Connection

Enabling the Data Saver feature in Chrome establishes a connection between the browser and Google’s servers, through which plain HTTP requests are proxied. HTTPS requests and pages loaded in Incognito tabs are not proxied.

When possible, the proxy connection is encrypted using SSL/TLS and uses the HTTP/2 protocol to optimize data transfers. In certain cases, described below, the proxy connection may fall back to unencrypted HTTP/1.1.

Google’s proxy servers perform various optimizations on the Web page content, with the goal of reducing bandwidth usage. The DCP transcodes images to the WebP format, reduces image quality, compresses and minifies JavaScript and CSS resources, and applies gzip and other transport-level compression.

Requests made by the DCP on behalf of users carry the header Via: 1.1 Chrome-Compression-Proxy. The DCP also acts as an HTTP-compliant proxy cache: it respects Cache-Control directives, including Cache-Control: no-transform, which tells the DCP not to transcode a given resource.

Identifying the Client IP Address

Because requests to destination websites are sent from Google’s servers, the IP address of the connecting peer will reflect the location of Google’s servers, not the user. The DCP sends the IP address of the client in the X-Forwarded-For header with each request, for example: X-Forwarded-For: 74.125.239.111

Websites should use the X-Forwarded-For header to determine the IP address of the client for the purpose of IP geolocation. Because any client can set this header itself, it should only be trusted on requests that actually arrive from the proxy (identified by the Via header and by the peer address), and never on direct connections.
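The following is an added example (not code from the original document or from Chrome) of how an origin server might apply the rule above: X-Forwarded-For is honoured only when the request carries the DCP Via token and arrives from a peer address the operator has decided to trust. The trusted range (a TEST-NET-3 placeholder) and the function names are assumptions for illustration; the page does not publish Google’s proxy address ranges, so an operator would populate the list from their own observation of Via-tagged traffic.

```python
import ipaddress
from typing import Mapping

# Constructed placeholder: replace with the ranges you actually see
# DCP (Via: 1.1 Chrome-Compression-Proxy) connections arriving from.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

DCP_VIA_TOKEN = "Chrome-Compression-Proxy"


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_dcp_request(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """True only if the TCP peer is a trusted proxy AND the Via header names the DCP.

    Either check alone is insufficient: Via can be forged by any client, and a
    trusted proxy range might also carry non-DCP traffic.
    """
    addr = ipaddress.ip_address(peer_ip)
    from_trusted_peer = any(addr in net for net in TRUSTED_PROXY_NETS)
    return from_trusted_peer and DCP_VIA_TOKEN in _header(headers, "Via")


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Address to use for geolocation, rate limiting and logging."""
    if not is_dcp_request(peer_ip, headers):
        # On a direct connection X-Forwarded-For is attacker-controlled: ignore it.
        return peer_ip

    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    if not hops:
        return peer_ip

    # An HTTP-compliant proxy appends the address it saw the client from, so the
    # rightmost entry is the one the trusted proxy added; anything to its left
    # may have been supplied by the client itself and must not be trusted.
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate


if __name__ == "__main__":
    # Constructed sample: a request relayed by the DCP from the page's example client.
    proxied = {"Via": "1.1 Chrome-Compression-Proxy",
               "X-Forwarded-For": "74.125.239.111"}
    print(client_ip("203.0.113.10", proxied))   # the forwarded client address
    print(client_ip("198.51.100.7", proxied))   # untrusted peer: header ignored
```

Taking the rightmost X-Forwarded-For entry rather than the first is the important detail: a client that sends its own X-Forwarded-For before the request reaches the DCP can put anything in the leading positions.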

Disabling Encryption

By default, the connection between the browser and the proxy is over an encrypted channel. A network administrator can prevent the use of encryption for a specific user by intercepting a canary URL ( http://check.googlezip.net/connect ) and returning any response other than status code 200 with a response body of OK. As described below, Chrome issues an in-the-clear request to this URL before connecting to the DCP. The canary URL is used only for this purpose and does not serve any other content.

Because downgrading to HTTP does not allow the DCP to use HTTP/2 and other protocol-level enhancements, this will incur a performance penalty for the user.

It is preferable to send an immediate response for the canary URL rather than inducing a DNS or connection timeout: a timeout does not disable encryption, and Chrome continues to use the encrypted proxy connection.

Details

When Chrome starts with the DCP setting enabled, when the user enables the DCP, or when a network interface change occurs, Chrome asynchronously issues an in-the-clear HTTP request to the canary URL, http://check.googlezip.net/connect .

There are three possible outcomes of the canary URL request:

  • If the response status code is 200 and the response body is OK , Chrome uses an encrypted proxy connection for subsequent HTTP requests.
  • If the response status code is anything other than 200 or the response body is anything other than OK , Chrome uses an unencrypted proxy connection.
  • If the canary URL request times out or a DNS error occurs, Chrome uses an encrypted proxy connection.
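The following is an added example (not code from the original document or from Chrome) that ties the Disabling Encryption section and the three outcomes above together: a small model of the browser-side decision, plus a network-side filter that answers the canary URL immediately with a non-200 response, as the page recommends, instead of letting the request time out. The function names, the 403 status, the response body and the sample requests are constructed for this example; the filter parses raw HTTP/1.1 request heads, so it can sit in a transparent interception path or in front of an explicit proxy (absolute-form request targets are handled too).

```python
from typing import Dict, Optional, Tuple

CANARY_HOST = "check.googlezip.net"
CANARY_PATH = "/connect"


def chrome_canary_decision(status: Optional[int], body: Optional[bytes],
                           error: Optional[str] = None) -> str:
    """Model of the three outcomes described on the page.

    error is e.g. "timeout" or "dns" when no response was received at all.
    Returns "encrypted" or "unencrypted" for the subsequent proxy connection.
    """
    if error is not None:
        # No response (timeout, DNS failure): encryption stays on.
        return "encrypted"
    if status == 200 and body is not None and body.strip() == b"OK":
        return "encrypted"
    # Any other status, or any body other than OK, disables encryption.
    return "unencrypted"


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse method, request target and headers from an HTTP/1.1 request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)  # ValueError if malformed
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("ascii"), target.decode("latin-1"), headers


def canary_filter(raw: bytes) -> Optional[bytes]:
    """Return a synthetic response for the canary URL, or None to pass the request through."""
    try:
        _method, target, headers = parse_request_head(raw)
    except (ValueError, UnicodeDecodeError):
        return None  # not something we can classify; let it through unchanged

    host = headers.get("host", "").split(":")[0].lower()
    if target.lower().startswith("http://"):
        # Absolute-form target (GET http://host/path), as sent to explicit proxies.
        rest = target[len("http://"):]
        host_part, _, path = rest.partition("/")
        host = host_part.split(":")[0].lower()
        target = "/" + path

    if host != CANARY_HOST or target.split("?", 1)[0] != CANARY_PATH:
        return None

    # Immediate, explicit non-200 answer: this is what actually disables encryption.
    body = b"proxy encryption disabled by network policy\n"
    return (b"HTTP/1.1 403 Forbidden\r\n"
            b"Content-Type: text/plain\r\n"
            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
            b"Connection: close\r\n"
            b"\r\n" + body)


def response_status_body(resp: bytes) -> Tuple[int, bytes]:
    """Extract status code and body from a raw HTTP/1.1 response."""
    head, _, body = resp.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1]), body


if __name__ == "__main__":
    # Constructed sample canary request as Chrome would send it in the clear.
    req = b"GET /connect HTTP/1.1\r\nHost: check.googlezip.net\r\n\r\n"
    resp = canary_filter(req)
    status, body = response_status_body(resp)
    print(status, chrome_canary_decision(status, body))        # 403 unencrypted
    print(chrome_canary_decision(200, b"OK"))                  # encrypted
    print(chrome_canary_decision(None, None, error="timeout")) # encrypted
```

Note the asymmetry the decision function captures: blackholing check.googlezip.net (the reflex of many firewall policies) produces the timeout branch and leaves the encrypted channel in place, which is the opposite of what an administrator applying this mechanism wants.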

Proxy Bypass

The Chrome DCP issues a proxy bypass response for URLs matching a list of restricted URLs maintained by Google. A proxy bypass causes Chrome to disable the use of SSL for the DCP connection for a short time (randomly chosen between 1 and 5 minutes). Carriers or network administrators can then block or take appropriate action on the request.

Proxy Bypass is used mainly for:

  • Child sexual abuse material, which includes NCMEC, IWF and other lists used globally by Google for restricting access to such illegal material
  • URLs subject to court-ordered DMCA and other takedowns on Google services
  • Country-specific takedown lists, which are applied only to users with IP addresses originating in the associated country
  • A small number of other sites known not to work well with the DCP (e.g., known carrier billing portal and intranet sites)
