More and more browsers are experimenting with agent features that perform actions on your behalf, such as booking tickets or shopping for various items. However, these agent features also come with security risks that can lead to loss of data and money.
Google detailed its approach to handling user security in Chrome using the observer model and user action consent. The company previewed agent features on Chrome in September and said these features will be rolled out in the coming months.
The company said it utilizes several models to constrain agent actions. Google said it built the User Alignment Critic using Gemini to vet action items built by planner models for specific tasks. If the critic model determines that the planned task is not achieving the user’s objectives, it asks the planner model to reconsider its strategy. Google pointed out that the critic model only looks at the metadata of the proposed action, not the actual web content.
Additionally, to prevent agents from accessing unauthorized or untrusted sites, Google uses agent origin sets. This restricts the model to access read-only and read-write origins. Read-only origins are data that Gemini is allowed to consume content from. For example, on a shopping site, lists are task-related, but banner ads are not. Similarly, Google said agents are only allowed to click or enter specific iframes on pages.
“This boundary forces that only data from a limited set of origins is available to the agent, and that this data is passed only to writable origins. This limits the threat vector of cross-origin data leakage. It also gives browsers the ability to enforce some of the isolation, such as not even sending data outside of the readable set to the model,” the company said in a blog post.
Google also continues to check page navigation by inspecting URLs through a separate observer model. The company says this prevents navigation to harmful URLs generated by the model.
The search giant also said it is handing the reins of sensitive tasks to users. For example, when an agent attempts to navigate to a sensitive site containing information such as banking or medical data, it first asks the user questions. For sites that require sign-in, ask users for permission to use a password manager in Chrome. Google said this agent model is not exposed to password data. The company added that it asks users questions before taking actions such as making a purchase or sending a message.
tech crunch event
san francisco
|
October 13-15, 2026
In addition to this, Google said it also has a prompt injection classifier to prevent unwanted actions, and is also testing agent functionality against attacks created by researchers.
AI browser makers are also paying attention to security. Earlier this month, Perplexity released a new open-source content detection model to prevent instant injection attacks against agents.
