Following the introduction of Gemini in Chrome and the preview of agentic capabilities, Google is introducing new security protections for the browser’s users.
To ensure the new Chrome agentic capabilities can be safely used, the internet giant is implementing layered defenses to make it difficult and costly for attackers to harm users.
The protections, it explains, target the main threat to agentic browsers, namely indirect prompt injections, which can lead to data leaks and other unwanted actions being performed by the agent.
According to Google, threat actors can deliver indirect prompts through malicious sites, iframes with third-party content, or user-generated content, such as reviews.
To combat these threats, Google is introducing a new, separate AI model built with Gemini, called the User Alignment Critic.
Isolated from untrusted content, its purpose is to vet the agent’s actions, focusing on determining if the proposed action aligns with the user’s stated goal, to protect against goal-hijacking and data exfiltration.
“If the action is misaligned, the Alignment Critic will veto it. This component is architected to see only metadata about the proposed action and not any unfiltered untrustworthy web content, thus ensuring it cannot be poisoned directly from the web,” Google explains.
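The boundary Google describes in the quote above, as an added example that is not Chrome's own code: a planner-proposed action is reduced to an allow-listed set of metadata fields before a critic compares it with the user's structured goal, so raw page text never reaches the component that holds veto power. The critic here is a deterministic stand-in for the Gemini-based model, and the field names, goal shape and sample origins are assumptions made for the example.

```javascript
// Added example, not Chrome's code. Models the data-minimization boundary in
// front of an alignment critic: the critic sees action metadata, never content.

// Fields the critic is allowed to see (assumed schema for this example).
// Anything else on the action, including page text, is dropped at the boundary.
const CRITIC_VISIBLE_FIELDS = ["kind", "targetOrigin", "dataLeavesBrowser"];

// Strip a planner-proposed action down to critic-visible metadata.
function redactForCritic(action) {
  const view = {};
  for (const field of CRITIC_VISIBLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(action, field)) {
      view[field] = action[field];
    }
  }
  // Freeze so the critic can never be handed a mutable reference to planner state.
  return Object.freeze(view);
}

// Deterministic stand-in for the model-based critic. It knows the user's goal as
// a structured object plus the redacted action, and vetoes when the action would
// touch an origin the goal did not name or would send data out without consent.
function criticVerdict(goal, view) {
  if (!goal.taskOrigins.includes(view.targetOrigin)) {
    return { allow: false, reason: `origin ${view.targetOrigin} is unrelated to the task` };
  }
  if (view.dataLeavesBrowser && !goal.mayShareData) {
    return { allow: false, reason: "action would send user data off the task origins" };
  }
  return { allow: true, reason: "aligned with the user's goal" };
}

// Gate: redact first, then ask the critic. Only the verdict and the redacted
// view are returned, so the caller can log exactly what the critic saw.
function gateAction(goal, action) {
  const view = redactForCritic(action);
  return { view, verdict: criticVerdict(goal, view) };
}

// Constructed sample data.
const sampleGoal = {
  description: "Buy a replacement charger on shop.example",
  taskOrigins: ["shop.example"],
  mayShareData: false,
};

// A planner action that carries the untrusted page text the planner was fed.
// The text is a placeholder; in practice it could contain injected instructions.
const detourAction = {
  kind: "submit_form",
  targetOrigin: "collector.example",
  dataLeavesBrowser: true,
  pageText: "<untrusted page content>",
};

const benignAction = {
  kind: "click",
  targetOrigin: "shop.example",
  dataLeavesBrowser: false,
  pageText: "<untrusted page content>",
};

// Stand-alone run: the detour is vetoed and the critic's view holds no page text.
for (const action of [detourAction, benignAction]) {
  const { view, verdict } = gateAction(sampleGoal, action);
  console.log(JSON.stringify(view), "->", verdict.allow ? "ALLOW" : "VETO", verdict.reason);
}
```

The design point is that the allow-list runs before any model sees the action: a critic that is prompted with page text, even "sanitized" text, is itself a prompt-injection target, whereas a critic that receives only typed metadata can at worst be wrong, not be steered.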
The internet giant is also expanding the existing Site Isolation and same-origin policy protections in Chrome with Agent Origin Sets, to tackle scenarios in which a compromised agent could bypass the controls.
“Our design architecturally limits the agent to only access data from origins that are related to the task at hand, or data that the user has chosen to share with the agent. This prevents a compromised agent from acting arbitrarily on unrelated origins,” Google notes.
A gating function isolated from untrusted content determines the origins relevant to the task, separating them into read-only origins that Gemini can consume content from, and read-writable origins that the agent can actuate in addition to reading from.
This limits the model’s exposure to cross-site data, and each new origin the planner wants to navigate to is checked for relevancy before navigation starts.
To provide transparency and control over the new Chrome agentic capabilities, the agent creates a work log, and deterministic and model-based checks trigger user confirmation before impactful actions are taken.
“These serve as guardrails against both model mistakes and adversarial input by putting the user in the loop at key moments,” Google notes.
The agent requests confirmation before navigating to certain sensitive sites, such as banking and healthcare/medical portals, before allowing sign-ins via Google Password Manager, before completing purchases or payments, and before sending messages.
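The origin-set gating and the deterministic confirmation triggers described above, as an added example that is not Chrome's own code. It models a task-scoped set of read-only and read-writable origins, a relevance check for every new origin before navigation, and fixed rules that require user confirmation before sensitive sites and impactful actions. The class and function names, the task structure, the sensitive-origin list and the sample origins are all assumptions made for the example.

```javascript
// Added example, not Chrome's code. Models an Agent Origin Set policy with a
// relevance gate and deterministic confirmation triggers. All names assumed.

class AgentOriginSet {
  constructor({ readOnly = [], readWrite = [] } = {}) {
    this.readOnly = new Set(readOnly);   // agent may consume content only
    this.readWrite = new Set(readWrite); // agent may also click, fill and submit
  }
  canRead(origin) {
    return this.readOnly.has(origin) || this.readWrite.has(origin);
  }
  canActuate(origin) {
    return this.readWrite.has(origin);
  }
}

// Stand-in for the isolated gating function. It sees only the task object,
// never page content, so injected text cannot widen the set. Relevance here
// is an allow-list carried on the task (assumed structure).
function isRelevantToTask(task, origin) {
  return task.relatedOrigins.includes(origin);
}

// Deterministic triggers (constructed lists, not Chrome's).
const SENSITIVE_ORIGINS = new Map([
  ["bank.example", "banking"],
  ["clinic.example", "healthcare"],
]);
const CONFIRM_BEFORE = new Set(["purchase", "payment", "send_message", "password_manager_sign_in"]);
const ACTUATING = new Set(["click", "fill", "submit", ...CONFIRM_BEFORE]);

// Returns {decision: "allow" | "deny" | "confirm", reason}. Callers must treat
// "confirm" as blocked until the user approves; it is never a soft allow.
function evaluateAction(task, originSet, action) {
  const { kind, origin } = action;

  if (kind === "navigate") {
    if (!originSet.canRead(origin)) {
      // New origin: relevance is checked before navigation starts.
      if (!isRelevantToTask(task, origin)) {
        return { decision: "deny", reason: `${origin} is not related to the task` };
      }
      originSet.readOnly.add(origin); // admitted as read-only, never read-writable
    }
    if (SENSITIVE_ORIGINS.has(origin)) {
      return { decision: "confirm", reason: `${SENSITIVE_ORIGINS.get(origin)} site` };
    }
    return { decision: "allow", reason: "origin is in the task set" };
  }

  if (kind === "read") {
    return originSet.canRead(origin)
      ? { decision: "allow", reason: "readable origin" }
      : { decision: "deny", reason: `${origin} is not in the task set` };
  }

  if (ACTUATING.has(kind)) {
    if (!originSet.canActuate(origin)) {
      return { decision: "deny", reason: `${origin} is not read-writable` };
    }
    if (CONFIRM_BEFORE.has(kind)) {
      return { decision: "confirm", reason: `${kind} is an impactful action` };
    }
    return { decision: "allow", reason: "actuation on a read-writable origin" };
  }

  return { decision: "deny", reason: `unknown action kind ${kind}` }; // fail closed
}

// Constructed sample task and origin set.
const sampleTask = {
  description: "Order a replacement charger from shop.example",
  relatedOrigins: ["shop.example", "reviews.example", "bank.example"],
};
function makeSampleOriginSet() {
  return new AgentOriginSet({ readWrite: ["shop.example"], readOnly: ["reviews.example"] });
}

// Walk a planner's proposed sequence through the policy and collect verdicts.
function runPlan(task, originSet, plan) {
  return plan.map((a) => ({ ...a, ...evaluateAction(task, originSet, a) }));
}

// Stand-alone run: reading reviews is fine, clicking on them is not, a detour
// to an unrelated origin is denied, and the bank visit and checkout need the user.
const verdicts = runPlan(sampleTask, makeSampleOriginSet(), [
  { kind: "navigate", origin: "reviews.example" },
  { kind: "click", origin: "reviews.example" },
  { kind: "navigate", origin: "collector.example" },
  { kind: "navigate", origin: "bank.example" },
  { kind: "purchase", origin: "shop.example" },
]);
console.log(verdicts.map((v) => `${v.kind} ${v.origin}: ${v.decision} (${v.reason})`).join("\n"));
```

Two choices matter for detection and containment: an origin admitted through the relevance gate lands in the read-only set, so a planner that was steered into visiting it still cannot actuate there, and every unknown action kind is denied rather than passed through, so a new tool the planner learns to call does not silently bypass the confirmation list.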
To complement Safe Browsing and scam detection capabilities in Chrome, the agent also checks each page for indirect prompt injections.
“This prompt-injection classifier runs in parallel to the planning model’s inference, and will prevent actions from being taken based on content that the classifier determined has intentionally targeted the model to do something unaligned with the user’s goal,” the internet giant explains.
Google says it is testing these defenses using automated red-teaming systems that generate malicious sandboxed sites, prioritizing defenses against user-generated and ad content, and attacks leading to credential leaks and unwanted financial transactions.