Merge commit '3a070fba7c46ed947ce13c6f277b84d549a823f4' into jun/do/ft-srs-ga

Author: Oxyjun

bin/fetch-warp-releases.js

@@ -35,7 +35,12 @@ for (let track of tracks) {
 					track = track.replace("noble-intel", "linux");
 				}
 
-				const path = `./src/content/warp-releases/${track}/${item.version}.yaml`;
+				const folder = `./src/content/warp-releases/${track}`;
+				const path = `${folder}/${item.version}.yaml`;
+
+				if (!fs.existsSync(folder)) {
+					fs.mkdirSync(folder, { recursive: true });
+				}
 
 				if (fs.existsSync(path)) {
 					console.log(`${track} ${item.version} already exists.`);
@@ -66,13 +71,16 @@ for (let track of tracks) {
 				});
 
 				const releaseNotes = tokens.reduce((s, t) => s + t.raw, "");
+				const platformName = data.platformName.startsWith("noble-")
+					? "Linux"
+					: data.platformName;
 
 				fs.writeFileSync(
 					`./src/content/warp-releases/${track}/${item.version}.yaml`,
 					YAML.stringify({
 						...item,
 						releaseNotes,
-						platformName: data.platformName,
+						platformName,
 					}),
 					"utf-8",
 				);

src/components/search/InstantSearch.tsx

@@ -15,7 +15,7 @@ function SearchBox(props: UseSearchBoxProps) {
 
 	useEffect(() => {
 		const params = new URLSearchParams(window.location.search);
-		const query = params.get("query");
+		const query = params.get("q") ?? params.get("query");
 
 		if (query) {
 			refine(query);

src/content/docs/cloudflare-one/account-limits.mdx

@@ -65,12 +65,10 @@ This page lists the default account limits for rules, applications, fields, and
 
 ## Digital Experience Monitoring (DEX)
 
-| Feature                                       | Limit                                                             |
-| --------------------------------------------- | ----------------------------------------------------------------- |
-| Tests per account                             | Free Plan: 10, <br/>Pro & Business Plans: 30, <br/>Enterprise: 50 |
-| Remote captures per day (Free users)          | 100                                                               |
-| Remote captures per day (Pay-as-you-go users) | 200                                                               |
-| Remote captures per day (Enterprise users)    | 800                                                               |
+| Feature                 | Limit                                                                                      |
+| ----------------------- | ------------------------------------------------------------------------------------------ |
+| DEX Tests per account   | Zero Trust Free: 10 <br/> Zero Trust Standard: 30 <br/> Zero Trust Enterprise: 50 <br/>    |
+| Remote captures per day | Zero Trust Free: 100 <br/> Zero Trust Standard: 200 <br/> Zero Trust Enterprise: 800 <br/> |
 
 ## Certificates
 

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -18,7 +18,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 - Private IPs and hostnames are reachable over Cloudflare WARP, Magic WAN or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/connections/connect-networks/private-net/).
 - Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/).
-- [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled if you would like to present a login page in the browser and issue an authorization JWT to your origin. Otherwise, users will receive a pop-up notification from the WARP client and all session management will be handled in the WARP client.
+- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).
 
 ## Add your application to Access
 
@@ -58,7 +58,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 12. Select **Next**.
 
-13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require Gateway TLS decryption.
+13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
 
 		- [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/)
 		- [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings)
@@ -71,6 +71,20 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 Users can now connect to your private application after authenticating with Cloudflare Access.
 
+## Authentication flow
+
+### HTTPS applications
+
+If [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
+
+If [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned off, session management is [handled in the WARP client](#non-https-applications) instead of in the browser.
+
+### Non-HTTPS applications
+
+The WARP client manages sessions for all non-HTTPS applications. Users will receive an `Authentication required` pop-up notification from the WARP client. When the user selects the notification, WARP will open a browser window with your Access login page.
+
+<Render file="gateway/client-notifications-os" product="cloudflare-one" />
+
 ## Modify order of precedence in Gateway
 
 By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):

src/content/docs/cloudflare-one/insights/logs/logpush.mdx

@@ -41,6 +41,7 @@ Refer to [Logpush log fields](/logs/reference/log-fields/) for a list of all ava
 | -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | [Access Requests](/logs/reference/log-fields/account/access_requests/)                             | HTTP requests to sites protected by Cloudflare Access                                                                                                       |
 | [Audit Logs](/logs/reference/log-fields/account/audit_logs/)                                       | Authentication events through Cloudflare Access                                                                                                             |
+| [Browser Isolation User Actions](/logs/reference/log-fields/account/biso_user_actions/)                                       | Data transfer actions performed by a user in the remote browser                                                                                                            |
 | [CASB Findings](/logs/reference/log-fields/account/casb_findings/)                                 | Security issues detected by Cloudflare CASB                                                                                                                 |
 | [Device Posture Results](/logs/reference/log-fields/account/device_posture_results/)               | Device posture status from the WARP client                                                                                                                  |
 | [DLP Forensic Copies](/logs/reference/log-fields/account/dlp_forensic_copies/)                     | Entire HTTP requests or payloads of HTTP requests captured by [Cloudflare DLP](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/) |

src/content/docs/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation.mdx

@@ -106,6 +106,7 @@ To turn on or off the address bar, users can right-click on any isolated page an
 - **Authentication events**: User login events are available in [Access audit logs](/cloudflare-one/insights/logs/audit-logs/).
 - **HTTP requests**: Traffic from the remote browser to the Internet is logged in [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/).
 - **DNS queries**: DNS queries from the remote browser are shown in [Gateway activity logs](/cloudflare-one/insights/logs/gateway-logs/).
+- **User actions**: Track copy/paste, download/upload, and print actions initiated by users in the remote browser (only available in [Logpush](/cloudflare-one/insights/logs/logpush/)).
 
 ## Redirect traffic to the remote browser
 

src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx

@@ -142,7 +142,7 @@ When choosing the Block action, turn on **Display custom block page** to respond
 
 #### WARP client block notifications
 
-<Render file="gateway/client-notifications" />
+<Render file="gateway/client-notifications-os" product="cloudflare-one" />
 
 ### Override
 

src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx

@@ -155,7 +155,7 @@ The Block action blocks outbound traffic from reaching destinations you specify
 
 #### WARP client block notifications
 
-<Render file="gateway/client-notifications" />
+<Render file="gateway/client-notifications-os" product="cloudflare-one" />
 
 ### Isolate
 

src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx

@@ -179,7 +179,7 @@ Policies with Block actions block network traffic from reaching certain IPs or p
 
 #### WARP client block notifications
 
-<Render file="gateway/client-notifications" />
+<Render file="gateway/client-notifications-os" product="cloudflare-one" />
 
 ### Network Override
 

src/content/docs/data-localization/compatibility.mdx

@@ -126,10 +126,10 @@ The table below provides a summary of the Data Localization Suite product's beha
 [^12]: Logpull not available when using Customer Metadata Boundary outside US region. Logs may be stored and retrieved with [Logs Engine](https://blog.cloudflare.com/announcing-logs-engine/) which is adding region support in 2025.
 [^13]: Logpush available with Customer Metadata Boundary for [these datasets](/data-localization/metadata-boundary/logpush-datasets/). Contact your account team if you need another dataset.
 [^14]: Access App SSL keys can use Geo Key Manager. [Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) is not yet localized.
-[^15]: Can be localized to US FedRAMP region only. More regions coming in 2024.
+[^15]: Can be localized to US FedRAMP Moderate Domestic region only.
 [^16]: Customer Metadata Boundary can be used to limit data transfer outside region, but Access User Logs will not be available outside US region.
 [^17]: Currently may only be used with US FedRAMP region.
-[^18]: The only connectivity option is [US FedRAMP region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). Regional Services only applies when using [Public Hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) set to a region.
+[^18]: The only connectivity option is [US FedRAMP Moderate Domestic region](/cloudflare-one/connections/connect-networks/configure-tunnels/cloudflared-parameters/run-parameters/#region). Regional Services only applies when using [Public Hostnames](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) set to a region.
 [^19]: Uses Gateway HTTP and CASB.
 [^20]: You can [bring your own certificate](https://blog.cloudflare.com/bring-your-certificates-cloudflare-gateway/) to Gateway but these cannot yet be restricted to a specific region.
 [^21]: Gateway HTTP supports Regional Services. Gateway DNS does not yet support regionalization. <br/> ICMP proxy and WARP-to-WARP proxy are not available to Regional Services users.