Google Introduces New Security Measures for Agentic Features on Chrome
An increasing number of browsers are experimenting with agentic features that will take actions on your behalf, such as booking tickets or shopping for different items. However, these agentic capabilities also come with security risks that could lead to loss of data or money.
Google has detailed its approach to handling user security on Chrome using observer models and consent for user action. The company previewed agentic capabilities on Chrome in September and said these features will roll out in the coming months.
Google is using a User Alignment Critic model to scrutinize the action items built by the planner model for a particular task. If the critic model thinks that the planned tasks don't serve the user's goal, it asks the planner model to rethink the strategy. Google noted that the critic model only sees the metadata of the proposed action and not the actual web content.
To prevent agents from accessing disallowed or untrustworthy sites, Google is using Agent Origin Sets, which restrict the model to accessing only read-only origins and read-writeable origins. This bounds the threat vector of cross-origin data leaks and enforces separation of data access.
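A sketch of how an origin-set gate of this kind can be enforced, as an added example that is not Chrome's code. It assumes read-only origins may only be read while read-writeable origins may also be clicked or typed on; the class, action names and sample origins are constructed for illustration.

```javascript
// Added illustration: deny-by-default origin gate for agent actions.
// AgentOriginSet, the action names and all origins below are hypothetical.
class AgentOriginSet {
  constructor(readOnly, readWrite) {
    this.readOnly = new Set(readOnly.map(AgentOriginSet.originOf));
    this.readWrite = new Set(readWrite.map(AgentOriginSet.originOf));
  }

  // Reduce a URL to its origin (scheme + host + port). Returns null for
  // unparsable input and for opaque origins such as data: or javascript:.
  static originOf(url) {
    try {
      const origin = new URL(url).origin;
      return origin === "null" ? null : origin;
    } catch {
      return null;
    }
  }

  // Decide "allow" or "deny" for one action against one target URL.
  check(action, url) {
    const origin = AgentOriginSet.originOf(url);
    if (origin === null) return "deny";
    const writable = this.readWrite.has(origin);
    if (action === "read") {
      return writable || this.readOnly.has(origin) ? "allow" : "deny";
    }
    if (action === "click" || action === "type") {
      return writable ? "allow" : "deny";
    }
    return "deny"; // unknown action types are never allowed
  }
}

// Constructed sample: one origin the agent may read, one it may act on.
const sampleSet = new AgentOriginSet(
  ["https://reviews.example"],
  ["https://shop.example"]
);
for (const [action, url] of [
  ["read", "https://reviews.example/item/1"],
  ["type", "https://reviews.example/comment"],
  ["click", "https://shop.example:443/cart"],
  ["read", "https://shop.example.attacker.test/"],
]) {
  console.log(action, url, "->", sampleSet.check(action, url));
}
```

Comparing whole origins rather than hostname substrings is what keeps a look-alike host or a plain-HTTP variant of an allowed site outside the set.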
Google is also keeping a check on page navigation by investigating URLs through another observer model. This can prevent navigation to harmful model-generated URLs.

In addition, Google is handing over the reins to users for sensitive tasks. For instance, when an agent tries to navigate to a sensitive site with information like banking or medical data, it first asks the user for permission. Users are also prompted before actions like making a purchase or sending a message.
Google said that it is also using a prompt-injection classifier to prevent unwanted actions and is testing agentic capabilities against attacks created by researchers.
AI browser makers are also focusing on security measures. Perplexity recently released a new open-source content detection model to prevent prompt injection attacks against agents.

