A growing number of browsers are experimenting with agent features that take actions on your behalf, such as booking tickets or shopping for items. These agentic capabilities, however, also bring security risks that could lead to loss of data or money.
Google has detailed its approach to keeping users secure in Chrome's agent features, relying on observer models and on user consent for sensitive actions. The company previewed agent features in Chrome in September and said they will roll out in the coming months.
The company said it uses several models to keep the agent's actions under control. Google said it created a User Alignment Critic, built on Gemini, to review the actions the planner model generates for a specific task. If the critic model concludes that the planned actions do not serve the user's goal, it asks the planner model to reconsider its strategy. Google noted that the critic model sees only the metadata of the proposed action, not the actual web content.
Additionally, to prevent agents from accessing unauthorized or untrusted sites, Google uses agent origin sets, which restrict the model to a defined set of read-only and read-write origins. A read-only origin is one whose content Gemini is allowed to consume. For example, on a shopping site, the product listings are relevant to the task, but banner ads are not. Similarly, Google said the agent is only allowed to click or type within certain iframes on a page.
“This delimitation enforces that only data from a limited set of origins is available to the agent, and that data can only be passed to the writable origins. This limits the threat vector of cross-origin data leaks. This also gives the browser the ability to enforce some of this separation, such as by not even sending data to the model, that is outside of posting to a readable dataset.”
Google also monitors page navigation by probing URLs through another observer model. This can prevent navigation to harmful model-generated URLs, the company said.
The search giant said it is also handing over the reins to users for sensitive tasks. For example, when an agent tries to navigate to a sensitive website with information like your banking or medical data, it first asks the user. For sites that require a login, it will ask the user for permission to allow Chrome to use the password manager. Google said the agent model is not exposed to password data. The company added that it will ask users before taking actions such as making a purchase or sending a message.
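As an added illustration (this is not Google's code and does not describe Chrome's actual implementation), the following Python policy gate models the three controls described above: per-task readable and writable origin sets, a navigation check against those sets, and a consent prompt for origins the task marks as sensitive. All origins, URLs and the consent callback are constructed placeholders.

```python
"""Toy agent policy gate modelling per-task origin sets (added example, not Chrome's code)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Normalise a URL to its origin (scheme://host[:port]), as the same-origin policy does."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port  # raises ValueError on a non-numeric port
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def _safe_origin(url: str) -> Optional[str]:
    try:
        return origin_of(url)
    except ValueError:
        return None


@dataclass
class OriginPolicy:
    """Per-task origin sets: where the agent may read from and where it may send data."""
    readable: set[str]
    writable: set[str]
    sensitive: set[str] = field(default_factory=set)  # origins that need explicit user consent

    def __post_init__(self) -> None:
        # Normalise every configured origin so comparisons are exact.
        self.readable = {origin_of(o) for o in self.readable}
        self.writable = {origin_of(o) for o in self.writable}
        self.sensitive = {origin_of(o) for o in self.sensitive}


@dataclass
class Decision:
    allowed: bool
    reason: str


class AgentGate:
    def __init__(self, policy: OriginPolicy, ask_user: Callable[[str], bool]):
        self.policy = policy
        self.ask_user = ask_user  # consent prompt; a plain callback in this example

    def may_read(self, url: str) -> Decision:
        """Only content from readable origins is ever handed to the model."""
        origin = _safe_origin(url)
        if origin is None:
            return Decision(False, f"malformed or unsupported URL {url!r}")
        if origin in self.policy.readable:
            return Decision(True, f"{origin} is a readable origin")
        return Decision(False, f"{origin} is not in the task's readable set; content withheld from the model")

    def may_write(self, url: str, data_sources: Iterable[str]) -> Decision:
        """Data may flow to a writable origin only if all of it came from readable origins."""
        target = _safe_origin(url)
        if target is None or target not in self.policy.writable:
            return Decision(False, f"{url!r} is not a writable origin")
        sources = {_safe_origin(s) for s in data_sources}
        leaked = sorted(str(s) for s in sources - self.policy.readable)
        if leaked:
            return Decision(False, f"refusing to pass data from non-readable origins {leaked} to {target}")
        return Decision(True, f"write to {target} allowed")

    def may_navigate(self, url: str) -> Decision:
        """Model-generated URLs are checked against the origin sets before navigation."""
        origin = _safe_origin(url)
        if origin is None:
            return Decision(False, f"malformed or unsupported URL {url!r}")
        if origin not in self.policy.readable | self.policy.writable:
            return Decision(False, f"navigation to {origin} blocked: outside the task's origin sets")
        if origin in self.policy.sensitive and not self.ask_user(f"Agent wants to open {origin}. Allow?"):
            return Decision(False, f"user declined navigation to sensitive origin {origin}")
        return Decision(True, f"navigation to {origin} allowed")


def demo_gate(consent: bool) -> AgentGate:
    """Constructed shopping task: read listings and the bank, write only to the shop, bank is sensitive."""
    policy = OriginPolicy(
        readable={"https://shop.example", "https://bank.example"},
        writable={"https://shop.example"},
        sensitive={"https://bank.example"},
    )
    return AgentGate(policy, ask_user=lambda prompt: consent)


if __name__ == "__main__":
    gate = demo_gate(consent=False)
    for check in (
        gate.may_read("https://shop.example/listings?q=shoes"),
        gate.may_read("https://ads.example/banner"),
        gate.may_write("https://shop.example/checkout", ["https://ads.example/banner"]),
        gate.may_navigate("https://evil.example/"),
        gate.may_navigate("https://bank.example/login"),
    ):
        print("ALLOW" if check.allowed else "DENY ", check.reason)
```

The write check is where the cross-origin leak protection lives: even a legitimate writable target is refused when any of the data being sent originated outside the readable set, and the consent callback is only consulted for origins the task marked sensitive.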
Google said that, in addition, it runs a prompt injection classifier to block unwanted effects and tests the agents' defenses against attacks devised by security researchers.
Other AI browser makers are paying attention to security as well. Earlier this month, Perplexity released a new open-source detection model aimed at catching prompt injection attacks against agents early.
