I would get connection traces from a working scenario (direct proxy) and from a non-working scenario (as ICAP server), then submit them to support. Connection traces can be gathered under Configuration > Troubleshooting; you will need to specify the client IP and check both of the boxes for connection tracing.
Turn connection tracing off immediately after you have reproduced the issue. They can be collected from the CLI or under Troubleshooting > Connection tracing.
Connection tracing will allow us to see what is different. SafeSearch enforcer should work if MWG is an ICAP server.
Hope this helps,
Keep in mind that SafeSearch is used in the REQMOD cycle only.
It modifies the request before it goes out to Google.
If you are using Squid in RESPMOD, it will have no effect.
I opened a case with support. I sent TCP Dump and connection traces to support.
We are using MWG as ICAP Server with REQMOD and RESPMOD.
I will post results here.
MWG's ICAP server component did not detect that the SSE changed the URL and sent back the original one. So SafeSearch was effectively not enforced. This has been fixed in 7.3 and 18.104.22.168.
The Bugzilla discussion gives the following workaround: "As a workaround the customer can add an arbitrary header in the request cycle."
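A way to check for the failure described above from the ICAP client side, added here as an example and not taken from the thread or from the vendor: it parses a REQMOD response and reports whether the returned request URL was actually rewritten. The `safe=active` parameter, the function names and the sample messages are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def build_reqmod_response(target: str) -> bytes:
    """Constructed sample: ICAP 200 reply carrying a (possibly rewritten) request."""
    req_hdr = f"GET {target} HTTP/1.1\r\nHost: www.google.com\r\n\r\n".encode()
    icap = (f"ICAP/1.0 200 OK\r\nISTag: \"constructed\"\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(req_hdr)}\r\n\r\n").encode()
    return icap + req_hdr

def returned_target(raw: bytes):
    """Return the request target the ICAP server sent back, or None if it sent none."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    if int(lines[0].split()[1]) == 204:      # 204 No Content: request left unmodified
        return None
    hdrs = dict((k.strip().lower(), v.strip())
                for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l))
    offsets = dict(p.strip().split("=")
                   for p in hdrs.get("encapsulated", "").split(",") if "=" in p)
    if "req-hdr" not in offsets:             # e.g. a res-hdr block page, not a request
        return None
    start = int(offsets["req-hdr"])
    request_line = body[start:].split(b"\r\n", 1)[0].decode("ascii", "replace")
    return request_line.split(" ")[1]

def safesearch_enforced(original: str, raw: bytes,
                        param: str = "safe", value: str = "active") -> bool:
    """True only if the returned URL differs from the original and carries the parameter.

    param/value are assumed; adjust them to what your enforcer adds.
    """
    target = returned_target(raw)
    if target is None or target == original:
        return False
    return value in parse_qs(urlsplit(target).query).get(param, [])

# Constructed inputs: one reply with the rewritten URL, one echoing the original.
ORIGINAL = "http://www.google.com/search?q=test"
FIXED = build_reqmod_response(ORIGINAL + "&safe=active")
BUGGY = build_reqmod_response(ORIGINAL)

if __name__ == "__main__":
    print("rewritten URL returned:", safesearch_enforced(ORIGINAL, FIXED))
    print("original URL returned: ", safesearch_enforced(ORIGINAL, BUGGY))
```

Feeding it the encapsulated response bytes from a packet capture of the proxy-to-ICAP connection shows whether the rewritten URL reaches the proxy.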