Saved February 14, 2026
This article outlines Google's advancements in Chrome's security, specifically addressing the risks associated with agentic browsing. It details measures like the User Alignment Critic, origin gating, and user confirmations to combat threats like indirect prompt injection and unauthorized actions. The goal is to ensure user safety while interacting with AI-driven features.
Chrome is implementing new security measures to address threats associated with agentic browsing, with indirect prompt injection as the primary concern. In this attack the adversary never talks to the user: the instructions are embedded in content the agent reads while doing its job, whether a malicious site or user-generated content (a review, a comment, a listing) on an otherwise benign site. If the agent treats that text as instructions rather than data, it can be steered into unwanted actions such as unauthorized financial transactions or leaking the user's data. Chrome's response is a layered defense that combines deterministic controls, which bound what the agent is able to do regardless of what it reads, with probabilistic ones, which use a model to judge whether what it is about to do still serves the user. The aim is that no single layer has to be perfect for an attack to fail.
A notable feature of this update is the User Alignment Critic, a model that reviews the agent's planned actions to check that they align with the user's stated goal. The Critic sees only metadata about the task and the plan, not the page content the planning model consumed, so injected text on a web page has no channel to the Critic. If an action is misaligned, the Critic vetoes it and the planning model has to adjust its approach. This provides a safeguard against goal-hijacking and data exfiltration even when the planner itself has been influenced by injected content.
Chrome is also redefining how agents interact with different web origins through the introduction of Agent Origin Sets. For each task, a gating function determines which sites are relevant and sorts them into read-only origins and read-writable origins; the agent is then confined to that set for the duration of the task. Because the limit is enforced per origin rather than by asking the model to behave, a planner that has been hijacked by injected text still cannot read from or write to origins outside the set. This blocks the usual exfiltration path (reading data on one origin and sending it to another the task never needed) and keeps the blast radius of a compromise to the origins the task itself required.
User control is a key aspect of these enhancements. The agent maintains a work log that shows its actions in real time, so the user can see what it is doing and intervene when necessary. Before executing sensitive actions, such as navigating to a banking site, the agent pauses and requires explicit user confirmation. These measures reinforce security while maintaining transparency, giving users the ability to oversee and manage their interactions with the agent.
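The two deterministic layers above, origin gating and confirmation for sensitive origins, are simple enough to show as working code. The following is an added example, not Chrome's implementation: the class and function names (AgentOriginSet, checkAction, runScenario) are hypothetical, the task's origin set is passed in explicitly rather than produced by a gating model, and the scenario data (shop.example, bank.example, attacker.example) is constructed for illustration. It also generalizes slightly beyond the text by treating opaque origins (javascript:, data:) as always out of set.

```javascript
// Added example, not Chrome's code. Names and sample origins are hypothetical.

// Normalise any URL to its origin (scheme://host[:port]); path and query are
// deliberately discarded so gating is per origin, not per page.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// The per-task origin set. In the text a gating function decides which sites
// the task needs and sorts them into read-only and read-writable origins; here
// that output is supplied directly. `sensitive` marks origins (e.g. banking)
// where every action additionally needs explicit user confirmation.
class AgentOriginSet {
  constructor({ readOnly = [], readWrite = [], sensitive = [] } = {}) {
    this.readOnly = new Set(readOnly.map(originOf));
    this.readWrite = new Set(readWrite.map(originOf));
    this.sensitive = new Set(sensitive.map(originOf));
  }
  canRead(origin) {
    return this.readOnly.has(origin) || this.readWrite.has(origin);
  }
  canWrite(origin) {
    return this.readWrite.has(origin);
  }
  needsConfirmation(origin) {
    return this.sensitive.has(origin);
  }
}

// Decide whether a planned action may proceed. `action` is
// { type: "navigate" | "read" | "write", url }, `confirmed` says whether the
// user has approved this specific action, and every decision is appended to
// `log` (the work log the user can inspect).
function checkAction(originSet, action, confirmed, log) {
  let origin;
  try {
    origin = originOf(action.url);
  } catch (e) {
    const decision = { allowed: false, reason: "unparseable url" };
    log.push({ type: action.type, url: action.url, ...decision });
    return decision;
  }
  let decision;
  if (origin === "null") {
    // javascript:, data:, about:blank and similar have an opaque origin and
    // can never be part of a task's origin set.
    decision = { allowed: false, reason: "opaque origin" };
  } else if (action.type === "write" && !originSet.canWrite(origin)) {
    decision = { allowed: false, reason: "origin is not read-writable" };
  } else if (!originSet.canRead(origin)) {
    decision = { allowed: false, reason: "origin outside task set" };
  } else if (originSet.needsConfirmation(origin) && !confirmed) {
    decision = { allowed: false, reason: "user confirmation required" };
  } else {
    decision = { allowed: true, reason: "ok" };
  }
  log.push({ type: action.type, origin, ...decision });
  return decision;
}

// Constructed scenario: the user asked the agent to check a price on
// shop.example and pay via bank.example. A product review on shop.example
// carries an injected instruction to send the user's details elsewhere.
function runScenario() {
  const log = [];
  const task = new AgentOriginSet({
    readOnly: ["https://shop.example"],
    readWrite: ["https://bank.example"],
    sensitive: ["https://bank.example"],
  });
  const results = [
    // legitimate read on a read-only origin
    checkAction(task, { type: "read", url: "https://shop.example/item/42" }, false, log),
    // injected instruction: exfiltrate to an origin the task never needed
    checkAction(task, { type: "write", url: "https://attacker.example/collect" }, false, log),
    // injected instruction: modify content on the read-only shop origin
    checkAction(task, { type: "write", url: "https://shop.example/review" }, false, log),
    // legitimate payment step, but the user has not confirmed yet
    checkAction(task, { type: "navigate", url: "https://bank.example/pay" }, false, log),
    // same step after the user confirmed in the work log
    checkAction(task, { type: "navigate", url: "https://bank.example/pay" }, true, log),
    // injected instruction using an opaque-origin URL
    checkAction(task, { type: "navigate", url: "javascript:alert(1)" }, false, log),
  ];
  return { results, log };
}
```

The point of the ordering in checkAction is that the origin checks run before the confirmation check: a write to attacker.example is refused outright and never reaches the user as a confirmation prompt, so the user is only asked about actions that are already inside the task's origin set.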