Browsers are increasingly incorporating agentic features designed to perform tasks on your behalf, such as booking tickets or making purchases. However, these advanced capabilities also introduce significant security vulnerabilities and risks, potentially leading to data loss or financial compromise.
Google has outlined its comprehensive strategy for ensuring user security within Chrome, utilizing observer models and requiring explicit user consent for actions. The company initially showcased these agentic functionalities in Chrome back in September, indicating that their rollout will occur over the coming months.
The company noted that it leverages several models to effectively manage agentic operations. Google specifically developed a User Alignment Critic, powered by Gemini, to scrutinize the proposed actions generated by the planner model for any given task. If this critic model determines that the planned tasks do not align with the user’s objective, it prompts the planner model to revise its strategy. Google emphasized that the critic model only reviews the metadata of the suggested action, not the actual web page content.
Furthermore, to prevent agents from accessing unauthorized or untrustworthy websites, Google employs Agent Origin Sets. These sets restrict the model’s access to specific read-only and read-writeable origins. A read-only origin signifies data that Gemini is permitted to consume. For instance, on a shopping website, product listings are relevant to the task, unlike banner advertisements. Similarly, Google stated that the agent is only allowed to interact (click or type) with designated iframes on a page.
“This distinction ensures that the agent can only access data from a limited number of origins, and this data can only be transmitted to writable origins. This significantly reduces the risk of cross-origin data leaks. It also empowers the browser to enforce this segregation, for example, by preventing data outside the readable set from being sent to the model at all,” the company explained in a blog post.
Google also actively monitors page navigation by examining URLs through an additional observer model. This measure, according to the company, helps prevent navigation to potentially harmful URLs generated by the model.
The search giant affirmed that it also grants users control over sensitive tasks. For instance, if an agent attempts to access a sensitive site containing information like banking or medical data, it will first request user permission. For sites requiring a login, it will ask the user for authorization to use Chrome’s password manager. Google clarified that the agent’s model does not have access to password data. The company added that it will obtain user consent before executing actions such as making a purchase or sending a message.
Google further stated that, in addition to these safeguards, it incorporates a prompt-injection classifier to prevent unwanted actions and is rigorously testing its agentic capabilities against attacks devised by security researchers.
Other developers of AI browsers are also prioritizing security. Earlier this month, Perplexity introduced a new open-source content detection model designed to counter prompt injection attacks against agents.