
As web browsers increasingly adopt intelligent features capable of performing tasks such as booking tickets or shopping on users' behalf, concerns about the security risks have surfaced. These functionalities, while convenient, could jeopardize users' data and finances. In response, Google has outlined its security strategy for Chrome, which rests on observer models and user consent. In a recent preview, Google showcased its forthcoming agentic features for Chrome, slated for release in the coming months, and described the models it is employing to keep those agentic actions secure.

Notably, Google has built a User Alignment Critic on its Gemini technology to evaluate the tasks proposed by its planner model. The critic assesses whether each planned action aligns with the user's objective and, if not, prompts the planner to adjust its approach. Google states that the critic processes only metadata about the proposed tasks and never sees the actual web content.

To further limit exposure, the company has introduced Agent Origin Sets, which restrict the agent to a defined set of read-only and read-writable data origins. For example, when shopping online, the agent can read the relevant product listings but cannot interact with unrelated advertisements on the same page. This delineation of data access is crucial for mitigating cross-origin data leaks, because only information from a limited set of origins ever reaches the agent; the browser enforces it by preventing the model from receiving any data outside the designated readable set. Additionally, a separate observer model monitors page navigation so that harmful URLs generated by the agent can be blocked.

In terms of user control, Google emphasizes consent for sensitive actions. When the agent attempts to access sensitive information, such as banking or medical sites, it seeks the user's approval first. For sites that require sign-in, the agent asks for permission to use the password manager, while the model itself is never given access to password data. Before executing actions such as making a purchase or sending a message, Chrome will likewise prompt the user for consent.

To counter unwanted actions, the company has deployed a prompt-injection classifier and is testing its agentic features against attack scenarios crafted by researchers. Security is a shared concern across AI browser developers, and competitors such as Perplexity have also introduced measures against prompt injection attacks.
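To make the Agent Origin Sets idea concrete, here is an added, hypothetical policy model of how a browser-side gate could keep out-of-set content away from the planner and hold risky actions for consent. It is not Chrome's code; the `OriginSets` class, the frame dictionaries and the sample URLs are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Scheme, host and explicit port: the unit the policy is keyed on."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}".lower()


@dataclass
class OriginSets:
    """Hypothetical model of a read-only set, a read-write set and a
    sensitive set (the latter always requires the user's consent)."""
    readable: set[str]                       # content that may reach the model
    writable: set[str]                       # origins the agent may act on
    sensitive: set[str] = field(default_factory=set)

    def filter_observation(self, frames: list[dict]) -> list[dict]:
        """Drop every frame (e.g. an ad iframe) whose origin is not readable,
        so the model never receives text from outside the readable set."""
        return [f for f in frames if origin_of(f["url"]) in self.readable]

    def check_action(self, action: str, url: str, consent: bool = False) -> str:
        """Return 'allow', 'ask' or 'block' for a proposed navigation or submit.
        Out-of-set targets are blocked outright; purchases, messages and
        sensitive origins need an explicit user consent flag."""
        o = origin_of(url)
        if o not in self.writable:
            return "block"
        if action in ("purchase", "send") or o in self.sensitive:
            return "allow" if consent else "ask"
        return "allow"


# Constructed sample: a shop is in both sets, a bank is writable but
# sensitive, and an ad network is in neither set.
POLICY = OriginSets(
    readable={"https://shop.example", "https://bank.example"},
    writable={"https://shop.example", "https://bank.example"},
    sensitive={"https://bank.example"},
)
FRAMES = [  # constructed page snapshot: main document plus an ad iframe
    {"url": "https://shop.example/item/42", "text": "Widget, $19"},
    {"url": "https://ads.example/banner", "text": "(constructed ad content)"},
]
```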