Idle connection timeout: 15s
Tests DLP policy inspection of sensitive field data (SSN, credit card, PII) across
different submission methods and encodings. The key variable is sec-fetch-mode —
navigate (native form) vs cors (XHR/fetch) — which determines
how tungsten classifies the request.
Real browser form submission. Matches dlptest.com behavior. Proxy headers not
readable by JS — check DevTools Network tab for x-menlo-* headers on the iframe request.
Programmatic form submission via fetch(). Browser sends
sec-fetch-mode: cors — tests whether policy inspects non-navigating form POSTs.