Claude Opus 4.5 marks a meaningful advance in resisting prompt injections when agents act inside the browser. Anthropic says the Claude extension for Chrome is moving from research preview to beta for Max plan users, but they also remind us the problem is still active and the web remains an adversarial environment that needs ongoing work.
What prompt injection is and why the browser is so vulnerable
Can you imagine asking an agent to read your emails and, without you noticing, one message instructs it to send information to a third party? That is prompt injection: adversarial instructions hidden inside the content the model processes.
In the browser the risk grows for two clear reasons. First, the attack surface is huge: pages, embedded documents, ads, dynamic scripts, forms. Second, browser agents perform many actions — navigate, fill forms, click, download files — that an attacker can try to manipulate if they influence the agent's behavior.
A concrete example: an email with white-colored text or a manipulated image that contains hidden instructions. You don't see it, the agent does, and if the agent misses the trap it can leak data or take unwanted steps.
