Google outlines protective strategies for Chrome’s autonomous capabilities

Browsers Embrace Agentic Features: Security Measures in Focus

More web browsers are beginning to introduce agentic functions that can perform tasks for users, such as making purchases or booking reservations. While these advancements offer convenience, they also introduce potential security threats that could result in data breaches or financial loss.

Google has outlined its strategy for safeguarding users on Chrome by employing observer models and requiring explicit user consent before actions are taken. The company first showcased these agentic features in Chrome last September and plans to make them available in the near future.

How Google Ensures Safe Agentic Actions

To maintain oversight of automated actions, Google utilizes several models. One key component is the User Alignment Critic, powered by Gemini, which evaluates the tasks generated by the planner model. If the critic determines that the proposed actions do not align with the user's objectives, it prompts the planner to revise its approach. Importantly, this critic model only reviews the metadata associated with each action, not the actual website content.

Image Credits: Google

Restricting Agent Access with Origin Sets

To prevent agents from interacting with unauthorized or suspicious websites, Google implements Agent Origin Sets. These sets define which sources the model can access in either read-only or read-write modes. For example, on a shopping platform, the agent can access product listings but is restricted from interacting with banner advertisements. Additionally, the agent is only permitted to click or type within specific iframes on a webpage.

According to Google, "This separation ensures that agents can only access data from approved sources, and any information can only be shared with designated writable origins. This approach limits the risk of cross-origin data leaks and allows the browser to enforce these boundaries, such as by withholding data outside the permitted set from the model."

Monitoring Navigation and User Consent

Google also monitors page navigation using another observer model, which checks URLs before allowing navigation. This helps block access to potentially dangerous, model-generated web addresses.

Image Credits: Google

For sensitive actions, Google places control firmly in the hands of users. If an agent attempts to visit a site containing confidential information, such as banking or medical records, it will first request user approval. Similarly, when accessing sites that require authentication, Chrome will prompt the user for permission to utilize the password manager. Google assures that the agent model never accesses password data directly. Before proceeding with actions like making purchases or sending messages, the system will always seek user confirmation.

Additional Security Layers and Industry Efforts

Beyond these measures, Google has developed a prompt-injection classifier to block unauthorized actions and is actively testing agentic features against simulated attacks from security researchers.

Other AI browser developers are also prioritizing security. For instance, Perplexity recently introduced an open-source content detection model designed to defend against prompt injection attacks targeting agents.