Browser Extension · Step 2 of 7

Prerequisites Validation

Before deploying, prove from a pilot device that the Quilr CDN, your tenant-specific update manifest, and the .crx package are all reachable and not being re-signed by an upstream proxy. These are the exact checks Step 6 troubleshooting falls back to — running them now prevents most rollout failures.

⚠️
Use your real Tenant ID Substitute your tenant ID in each URL below. A 403/404 almost always means a wrong tenant ID in the request, not a network problem.

Quick smoke test — every URL in one shot

Paste this single script in an elevated shell on the pilot device. It probes every host in the Step 1 allow-list — the three shared backplane hosts plus the base / DLP / auth URLs for the environment selected in the top bar (the hosts auto-swap when you change the Environment dropdown). If everything prints [OK], you can skip the per-host checks below.

Hosted check — recommended, nothing to paste:

PowerShell (admin)
& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/BrowserExtension/Windows/quilr-be-connectivity-check.ps1))) -Env uspoc
Downloads blocked? Paste this full script instead
PowerShell (admin)
$hosts = @(
  # Shared — all environments
  'quilr-extensions.quilr.ai',
  'discover.quilrai.dev',
  'log.quilrai.dev',
  # Tenant base + DLP + Auth — selected environment
  'app.quilr.ai',
  'dlpone.quilr.ai',
  'auth-extension.quilr.ai'
)
$failed = @()
foreach ($h in $hosts) {
  $ok = Test-NetConnection $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
  if ($ok) {
    Write-Host ("[OK]   {0}" -f $h) -ForegroundColor Green
  } else {
    Write-Host ("[FAIL] {0}" -f $h) -ForegroundColor Red
    $failed += $h
  }
}
if ($failed.Count -eq 0) {
  Write-Host "All hosts reachable on TCP/443." -ForegroundColor Green
  exit 0
} else {
  Write-Host ("Blocked: " + ($failed -join ', ')) -ForegroundColor Red
  Write-Host "Allowlist the blocked hosts on the firewall AND SSL-bypass them on any TLS-intercepting SWG, then re-run." -ForegroundColor Yellow
  exit 1
}

Hosted check — recommended, nothing to paste:

bash · zsh
curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/BrowserExtension/macOS/quilr-be-connectivity-check.sh | bash -s -- --env uspoc
Downloads blocked? Paste this full script instead
bash · zsh
hosts=(
  # Shared — all environments
  quilr-extensions.quilr.ai
  discover.quilrai.dev
  log.quilrai.dev
  # Tenant base + DLP + Auth — selected environment
  app.quilr.ai
  dlpone.quilr.ai
  auth-extension.quilr.ai
)
failed=()
for h in "${hosts[@]}"; do
  if nc -zv -G 5 "$h" 443 >/dev/null 2>&1; then
    printf '\033[32m[OK]\033[0m   %s\n' "$h"
  else
    printf '\033[31m[FAIL]\033[0m %s\n' "$h"
    failed+=("$h")
  fi
done
if (( ${#failed[@]} == 0 )); then
  printf '\033[32mAll hosts reachable on TCP/443.\033[0m\n'
  exit 0
else
  printf '\033[31mBlocked: %s\033[0m\n' "${failed[*]}"
  printf '\033[33mAllowlist on firewall AND SSL-bypass on any TLS-intercepting SWG, then re-run.\033[0m\n'
  exit 1
fi
Expected: every host prints [OK] and the script exits with All hosts reachable on TCP/443.. Any [FAIL] — allowlist that host and SSL-bypass it on any TLS-intercepting SWG, then re-run. Use the per-host checks below to drill into a specific failure (e.g. tenant-ID 403, SWG cert re-signing).

Check 1 · CDN reachability

PowerShell
Test-NetConnection quilr-extensions.quilr.ai -Port 443 -InformationLevel Quiet
bash
nc -zv -G 5 quilr-extensions.quilr.ai 443
Expected: True / succeeded. A timeout means allowlist quilr-extensions.quilr.ai on TCP/443.

Check 2 · Tenant manifest reachable

PowerShell
$tid = '<TENANT-ID>'
Invoke-WebRequest "https://quilr-extensions.quilr.ai/$tid/manifest.xml" |
  Select-Object StatusCode, @{n='Bytes';e={$_.RawContentLength}}
bash
TENANT_ID="<TENANT-ID>"
curl -fsSL "https://quilr-extensions.quilr.ai/${TENANT_ID}/manifest.xml" | head -3
Expected: HTTP 200, non-zero bytes, and XML starting with <gupdate xmlns="http://www.google.com/update2/response"…>.
FailureCause & fix
403 / 404Wrong tenant ID in the URL — confirm with support@quilr.ai
Connection timeoutAllowlist quilr-extensions.quilr.ai
SSL errorAn upstream SWG is decrypting the host and presenting its own cert — add it to the SSL-bypass list

Check 3 · .crx package reachable

The manifest’s codebase attribute points to the .crx. Confirm it serves correctly:

bash
TENANT_ID="<TENANT-ID>"
curl -sI "https://quilr-extensions.quilr.ai/${TENANT_ID}/vanguard.crx" \
  | grep -iE 'HTTP/|content-type|content-length'
Expected: HTTP 200, Content-Type: application/x-chrome-extension, and a non-zero Content-Length.
ℹ️
Some corporate SWGs strip the Chrome-extension content-type. If the type is wrong or stripped, the browser will refuse the package even though it downloads — bypass the host from inspection.

Check 4 · File-type / MIME allow-list

Some SWG / download-control policies block or rewrite responses based on file extension or Content-Type. The Browser Extension flow needs six file types to download cleanly: .exe (helper binaries), .msi (Windows installer), .msp (Windows patch), .json (tenant config), .xml (update manifest), and .crx (the extension package itself). This check downloads a tiny probe file per extension and verifies it returns HTTP 200, the content marker is intact (a proxy block-page would be missing it), and the Content-Type header survived.

Hosted check — recommended, nothing to paste:

PowerShell (admin)
& ([scriptblock]::Create((irm https://quilr-extensions.quilr.ai/Quilr-SOP/BrowserExtension/Windows/quilr-be-filetype-check.ps1)))
Downloads blocked? Paste this full script instead
PowerShell (admin)
$base   = 'https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/mime-test'
$marker = 'QUILR-MIME-PROBE-OK'
$exts   = 'exe','msi','msp','json','xml','crx'
$fail   = $false
"{0,-6}  {1,-12}  {2}" -f 'Ext', 'Status', 'Content-Type'
foreach ($e in $exts) {
  $status='BLOCKED'; $ct='-'
  try {
    $r = Invoke-WebRequest -Uri "$base/probe.$e" -UseBasicParsing -TimeoutSec 15
    $ct = "$($r.Headers['Content-Type'])"; if (-not $ct) { $ct='(none)' }
    $body = if ($r.Content -is [byte[]]) { [Text.Encoding]::ASCII.GetString($r.Content) } else { [string]$r.Content }
    if ($r.StatusCode -eq 200 -and $body -like "*$marker*") { $status='OK' }
    elseif ($r.StatusCode -eq 200) { $status='ALTERED' }
  } catch {
    if ($_.Exception.Response) {
      $c=[int]$_.Exception.Response.StatusCode
      if ($c -eq 404) { $status='NO-PROBE'; $ct="HTTP 404 (no probe.$e at base)" } else { $ct="HTTP $c" }
    }
  }
  "{0,-6}  {1,-12}  {2}" -f ".$e", $status, $ct
  if ($status -in 'BLOCKED','ALTERED') { $fail = $true }
}
if ($fail) { Write-Host 'RESULT: BLOCKED/ALTERED - allow on SWG and re-run.' -ForegroundColor Red }
else { Write-Host 'RESULT: all probed types pass.' -ForegroundColor Green }

Hosted check — recommended, nothing to paste:

bash · zsh
curl -fsSL https://quilr-extensions.quilr.ai/Quilr-SOP/BrowserExtension/macOS/quilr-be-filetype-check.sh | sh
Downloads blocked? Paste this full script instead
bash · zsh
BASE='https://quilr-extensions.quilr.ai/Quilr-SOP/EndpointAgent/mime-test'
MARKER='QUILR-MIME-PROBE-OK'
TMP="${TMPDIR:-/tmp}/quilr_be_probe.$$"
FAIL=0
printf '%-6s  %-12s  %s\n' 'Ext' 'Status' 'Content-Type'
for e in exe msi msp json xml crx; do
  meta=$(curl -sS -m 15 -o "$TMP" -w '%{http_code}|%{content_type}' "$BASE/probe.$e")
  http=${meta%%|*}; ctype=${meta#*|}; [ -n "$ctype" ] || ctype='(none)'
  case "$http" in
    200) if grep -q "$MARKER" "$TMP"; then status=OK; else status=ALTERED; FAIL=1; fi ;;
    404) status=NO-PROBE; ctype="HTTP 404 (no probe.$e at base)" ;;
    *)   status=BLOCKED;  ctype="HTTP ${http:-000}"; FAIL=1 ;;
  esac
  printf '.%-5s  %-12s  %s\n' "$e" "$status" "$ctype"
done
rm -f "$TMP"
if [ "$FAIL" -eq 0 ]; then printf '\033[32mRESULT: all probed types pass.\033[0m\n'
else printf '\033[31mRESULT: BLOCKED/ALTERED - allow on SWG and re-run.\033[0m\n'; fi
Expected: every row shows OK and the final result is all probed types pass.. A BLOCKED row means the SWG / web-filter is dropping that extension — allow it. ALTERED means the body was rewritten (block page) — SSL-bypass the host. NO-PROBE just means the probe file for that extension isn’t on the CDN yet; not a SWG block.
Exit criteria for Step 2 CDN reachable · tenant manifest returns valid XML · .crx serves with the correct content-type, all with no SSL interception. You’re clear to install.
BackPrerequisites Step 2 of 7