With Gemini in Chrome and the upcoming availability of agentic capabilities, Google is detailing how the browser will protect against threats.
Google says the “primary new threat facing all agentic browsers is indirect prompt injection.” The aim of this attack is to “cause the agent to take unwanted actions such as initiating financial transactions or exfiltrating sensitive data.” It can “appear in malicious sites, third-party content in iframes, or from user-generated content like user reviews.”
> Given this open challenge, we are investing in a layered defense that includes both deterministic and probabilistic defenses to make it difficult and costly for attackers to cause harm.
First up is a separate “User Alignment Critic” model built with Gemini that “runs after the planning is complete to double-check each proposed action,” and approve or reject it. If the latter occurs, the planning model reformulates the plan, with repeated failures returning control to the user.
> Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it. This component is architected to see only metadata about the proposed action and not any unfiltered untrustworthy web content, thus ensuring it cannot be poisoned directly from the web.
Google is also extending Chrome’s “origin-isolation capabilities to constrain what origins the agent can interact with, to just those that are relevant to the task.”
> To address this, we’re extending those principles with Agent Origin Sets. Our design architecturally limits the agent to only access data from origins that are related to the task at hand, or data that the user has chosen to share with the agent. This prevents a compromised agent from acting arbitrarily on unrelated origins.

Meanwhile, to keep users in control, Gemini in Chrome “details each step in a work log” with the ability to stop it and take over at any time.
That action transparency is paired with deterministic and model-based checks that “trigger user confirmations before the agent takes an impactful action.”
These serve as guardrails against both model mistakes and adversarial input by putting the user in the loop at key moments.
User confirmation is required:
- …before [the agent] navigates to certain sensitive sites, such as those dealing with banking transactions or personal medical information. This is based on a deterministic check against a list of sensitive sites.
- …it’ll confirm before allowing Chrome to sign in to a site via Google Password Manager – the model does not have direct access to stored passwords.
- …before any sensitive web actions like completing a purchase or payment, sending messages, or other consequential actions, the agent will try to pause and either get permission from the user before proceeding or ask the user to complete the next step.
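As an added illustration (not Google's code and not a description of Chrome's actual implementation), the following Python sketches how the deterministic guardrails described above compose: an Agent Origin Set gate, the sensitive-site list check, the Password Manager and consequential-action confirmations, and a metadata-only view for the alignment critic. The site list, origins and action names are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample policy data; the page does not publish Chrome's real lists.
SENSITIVE_SITES = {"bank.example", "health.example"}      # deterministic site list
CONSEQUENTIAL = {"purchase", "payment", "send_message"}    # always pause for the user

@dataclass
class Action:
    kind: str            # "read", "navigate", "sign_in", "purchase", ...
    url: str
    page_text: str = ""  # untrusted web content: planner input, never critic input

@dataclass
class Policy:
    task_origins: set                                # Agent Origin Set for the task
    user_shared: set = field(default_factory=set)    # origins the user chose to share

def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, the unit the origin set is keyed on."""
    u = urlparse(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}"

def is_sensitive(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SITES)

def critic_view(action: Action) -> dict:
    """The only fields the alignment critic receives: action metadata, no page content."""
    return {"kind": action.kind, "origin": origin_of(action.url)}

def evaluate(action: Action, policy: Policy) -> str:
    """Decide 'deny', 'confirm' or 'allow' for one proposed agent action."""
    origin = origin_of(action.url)
    if origin not in policy.task_origins | policy.user_shared:
        return "deny"       # outside the Agent Origin Set: blocked architecturally
    host = urlparse(action.url).hostname or ""
    if action.kind == "navigate" and is_sensitive(host):
        return "confirm"    # deterministic sensitive-site check
    if action.kind == "sign_in":
        return "confirm"    # sign-in goes through Password Manager with user consent
    if action.kind in CONSEQUENTIAL:
        return "confirm"    # impactful action: user must approve or finish the step
    return "allow"
```

Injected text in `page_text` never reaches `critic_view`, which is the property the metadata-only design relies on; the origin gate runs first so an out-of-scope origin is denied before any confirmation prompt is even considered.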
