by jitl 888 days ago
What's happening is that some MiTM Palo Alto Networks system is intercepting the HTML contents of the page, waiting a bit, and then rendering that HTML content again in old Chrome on a separate machine. It's like if you go to an authenticated page that only you can see, like https://news.ycombinator.com/flagged?id=aaron695, do "View Source", copy-and-paste that source into an HTML file, and then you send me the HTML file and I open the HTML file on my computer.
2 comments

Are you sure it has the page contents, or has it just got the URLs that were called?

Either way it feels like malware on a client machine, but it doesn't necessarily mean that the page contents are being read by the malware.

I guess if you had some JavaScript which only loaded if the Chrome version was not the latest you could confirm -- the attempt to load the URL would not occur on GoodChrome, but it would on the "security" device. Therefore if the page contents were being shipped to BadDevice completely it would be loaded, but if it was just re-loading the URLs called by GoodChrome the URL wouldn't be called.

Exactly! Our library is embedded in these pages and, similar to Segment or other analytics tools, will get told information about user events from that state. Sometimes that state is stored in the page that is sent over the wire (e.g. userid) and as such we get a request saying a particular user is on the other side of the world.
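The canary test proposed in the thread above, sketched as an added example (not code from any commenter or their library): a version-gated canary URL in the page, plus server-side classification of each page view as content replay, URL replay, or neither. The `/canary` path, the per-view token, the `LATEST_MAJOR` threshold, the User-Agent strings and the log entries are all assumptions constructed for illustration.

```javascript
// Added example; UA strings, IPs, paths and tokens below are constructed.
const LATEST_MAJOR = 120; // assumed current Chrome major version
const GOOD = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
const OLD = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36";

// Chrome major version from a User-Agent string, or null if absent.
function chromeMajor(ua) {
  const m = /\bChrome\/(\d+)\./.exec(ua || "");
  return m ? Number(m[1]) : null;
}

// In-page logic: only an outdated Chrome requests the canary URL. The
// up-to-date browser never calls it, so a URL-only replay cannot include it.
function canaryUrl(ua, token) {
  const major = chromeMajor(ua);
  if (major === null || major >= LATEST_MAJOR) return null;
  return "/canary?t=" + encodeURIComponent(token);
}

// Server side: classify one page view (per-view token) from its request log.
function classify(log, token) {
  const hits = log.filter((r) => r.token === token);
  if (hits.length === 0) return "unknown-token";
  const origin = hits[0]; // first request is the real user's page load
  const others = hits.filter((r) => r.ua !== origin.ua || r.ip !== origin.ip);
  if (others.some((r) => r.path === "/canary")) return "content-replayed";
  return others.length > 0 ? "urls-replayed" : "no-replay";
}

const SAMPLE_LOG = [ // constructed, in arrival order
  { token: "view-a", ip: "203.0.113.10", ua: GOOD, path: "/page" },
  { token: "view-a", ip: "203.0.113.10", ua: GOOD, path: "/event" },
  { token: "view-b", ip: "203.0.113.10", ua: GOOD, path: "/page" },
  { token: "view-c", ip: "203.0.113.10", ua: GOOD, path: "/page" },
  { token: "view-a", ip: "198.51.100.7", ua: OLD, path: "/event" },
  { token: "view-a", ip: "198.51.100.7", ua: OLD, path: "/canary" },
  { token: "view-b", ip: "198.51.100.7", ua: OLD, path: "/event" },
];

for (const t of ["view-a", "view-b", "view-c"]) {
  console.log(t, classify(SAMPLE_LOG, t));
}
```

A canary hit from the original client itself (a real user on outdated Chrome) is deliberately not counted as a replay, since only requests from a second client are considered.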