The arrival of artificial intelligence agents integrated into the browser It's changing the way we use the web. In Chrome, these Gemini-based agents are no longer limited to simply displaying pages: They can search for information, complete forms, or advance in purchasing processes on our behalf.This opens the door to much more automated navigation, but also to new security risks that are especially worrying in Europe, where data protection and cybersecurity are a highly regulated issue.
Google has decided to get ahead of those risks with a specific reinforcement of Chrome's defenses against injection attacks. The company knows that An agent with too much freedom and too little protection could become a very dangerous tool in the hands of an attacker.capable of performing actions that the user would never have authorized. Therefore, the browser's security team has designed its own architecture for these agents, extending classic principles such as source isolation and adapting them to the new context of the so-called "agent web."
Agents in Chrome: Power and New Security Risks
With the integration of Gemini, Chrome begins to incorporate agents capable of plan and execute chains of actions on behalf of the userFor example, they can collect data from various websites, analyze it, complete a form or even initiate a purchase process without the person having to intervene at each step. This technological leap promises convenience and productivity, both for individual users and for companies in Spain and the rest of Europe.
The problem is that, if these agents are not properly armored, The focus of the attack shifts from the user to the AI ​​model itself.It's no longer just about displaying a malicious website or a misleading advertisement; it's about manipulating the content the agent sees so that it makes decisions that harm the user: authorizing payments, sharing confidential data, or visiting unwanted sites.
With this scenario in mind, Google has opted for a specific security architecture that expands upon the already known measures of the traditional browser. It involves applying principles such as site isolation and strict permission control, but adapted to the context in which An AI model acts as an intermediary between the user and the web, something that until now was not covered by classic threat models.
This approach is especially relevant in markets where the regulation of personal data and digital services is strict, such as the European environment. Although Google has not detailed measures exclusive to the EU, The design of these defenses aims to reduce the risk of information leaks and unauthorized actionsThis is very much in line with the requirements of community regulators.
Indirect injection: the new weak point of the agents
The most worrying threat in this new context is the so-called indirect injectionUnlike more traditional attacks, where the goal is usually to directly deceive the user, here the target is the artificial intelligence model that controls the agent. The attacker attempts to slip in malicious instructions or content that the model interprets as legitimate and ultimately follows.
The delicate thing about these types of attacks is that Malicious instructions can be hidden in seemingly innocuous content.User comments on a page, advertisements, text embedded through third-party iframes, or even fragments intentionally written to divert the model's decision-making can serve as a channel to alter the agent's behavior.
If that attempt succeeds, the consequences could be serious: a manipulated agent could initiate financial transactions without sufficient supervision, leaking sensitive data, or executing actions that the user has not clearly authorized.For users in Spain or other European countries, this could impact both their economic security and their compliance with data protection regulations.
To minimize these risks, the Chrome team has opted for a strategy of defense in depthNot everything is entrusted to a single filter, but rather deterministic controls—clear rules, based on permissions and technical policies—are combined with probabilistic detection models, also based on AI, which attempt to identify suspicious behaviors or content before the agent accepts them as valid.
In this way, manipulating an agent becomes much more expensive and complicated for an attacker. It's not enough to simply insert malicious text into a page: That content has to pass several layers of review.Some are based on rigid browser rules, and others on models that assess whether the proposed action makes sense to the user and the context.
The User Alignment Critic: a second model that monitors the first
Among the most notable new features is the so-called User Alignment Critic (User Alignment Critical). In essence, it is an independent model, also based on Gemini technology, whose task is to review what the agent wants to do before the browser actually executes it.
This critic functions as a kind of internal supervisor: every time the agent proposes an action—for example, submit a form, visit a new website, or interact with a sensitive element on the page—, the critic evaluates whether that action seems to be aligned with what the user expects and with the task they are performing.
If the reviewer detects something unusual, they can block the action, request additional confirmation, or apply more restrictive rules. The idea is that It is not enough for the main model to have "decided" to do somethingbut rather that there be an automated second opinion that acts as a brake when necessary, especially in the steps with the greatest potential impact.
This approach aligns with the industry trend of introducing monitoring and alignment mechanisms into complex AI systems. In the European context, where specific regulations for artificial intelligence are being promoted, Having these types of safeguards can be key for browsers with agents to meet expected standards. and are acceptable to authorities and users.
Furthermore, Google indicates that there are variations of this critic specialized in different phases of navigation. For example, before loading a new site or processing certain dataAn adapted version of the critic reviews whether the proposed action is reasonable or whether it could expose private information, thus reducing the likelihood of unintentional leaks.
Agent Source Sets: where it can read and where it can act
Another central element of this strategy is the so-called Agent Source SetsThis is an evolution of the same-origin and site isolation policy that Chrome has been applying for years, but applied to the field of AI agents that have to interact with multiple websites to complete a task.
In practice, when a user asks the agent for something complex—for example, Compare prices at several European online stores and complete a reservationChrome does not allow indiscriminate access to any internet source. Instead, it architecturally defines a limited set of sites that the agent can work with, based on what the user has requested or explicitly authorized.
These sets are divided into two main categories. On one hand, there are the origins of read onlyFrom these, the agent can consume content—read text, analyze prices, review opinions—but without being able to perform actions. On the other hand, there are the origins of Reading and writing, in which, in addition to viewing the information, the agent can interact: click, enter text, or submit forms.
In this way, the browser ensures that The agent should not have access to content from sites irrelevant to the current task.Iframes or embedded elements that are unrelated to what the user is trying to do are not even exposed to the model, which significantly reduces the chances of cross-site leaks or indirect injections through secondary content.
An important aspect is that the functions decide which sources are included or excluded from these sets. They are executed outside the scope of untrusted web content.In other words, a malicious site cannot directly influence the list of websites that the agent can access. Furthermore, the agent itself cannot expand this list on its own: any changes to these lists must be processed by the browser's security logic.
Navigation, URLs, and the user's role in critical decisions
Control is not limited to the sites the agent can interact with; it also affects the navigation paths it suggests and the URLs it generates. If the model suggests visiting a new origin that is not within the allowed setChrome doesn't do it automatically. Before starting to load the page, a variant of the Alignment Criterion analyzes whether that navigation makes sense for the current task or if it could be an attempt to steer the agent toward a less secure environment.
In addition, the browser applies further deterministic checks to prevent model-generated URLs from containing private information or sensitive identifiersWhere possible, the use of well-known public domains is limited, thus reducing the exposure of personal data and the likelihood of creating links that reveal more than necessary.
Despite the high degree of automation, Chrome maintains the user as a key figure in critical moments. All agent actions They are reflected in a visible work recordso that the person can monitor what the system is doing, pause a task, or cancel it completely if they detect something that doesn't suit them.
In particularly sensitive operations, the browser always requires explicit confirmation. We're talking about steps like access banking or health websites, log in using Google Password Manager, or complete online payments and purchasesIn these cases, the agent stops and clearly requests permission, becoming a final barrier against model errors or social engineering attempts to force an action without the user's knowledge.
This entire framework of controls, monitoring models, and active user participation demonstrates the extent to which Google is attempting to adapt Chrome for a future in which AI agents will play a leading role. Measures such as the User Alignment Criterion, Agent Source Sets, and restrictions on indirect injection, The browser aims to offer more automation without sacrificing control or security.This balance is especially relevant for the millions of people and organizations that depend on Chrome in Spain and the rest of Europe.
