惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
Google Online Security Blog
Google Online Security Blog
K
Kaspersky official blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Schneier on Security
C
Cybersecurity and Infrastructure Security Agency CISA
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cisco Talos Blog
Cisco Talos Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
PCI Perspectives
PCI Perspectives
酷 壳 – CoolShell
酷 壳 – CoolShell
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
N
News and Events Feed by Topic
V
Vulnerabilities – Threatpost
T
Troy Hunt's Blog
GbyAI
GbyAI
C
CERT Recently Published Vulnerability Notes
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
量子位
Scott Helme
Scott Helme
月光博客
月光博客
Attack and Defense Labs
Attack and Defense Labs
aimingoo的专栏
aimingoo的专栏
博客园 - 聂微东
Project Zero
Project Zero
G
GRAHAM CLULEY
博客园 - 【当耐特】
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
小众软件
小众软件
D
DataBreaches.Net
T
The Blog of Author Tim Ferriss
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
O
OpenAI News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
V2EX
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
S
Security @ Cisco Blogs
The Last Watchdog
The Last Watchdog
MongoDB | Blog
MongoDB | Blog
H
Hacker News: Front Page
Latest news
Latest news
P
Proofpoint News Feed

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Browser That Brought Its Own AI
Vivian Voss · 2026-05-02 · via DEV Community

A cyberpunk editorial illustration showing a desktop web browser as an architectural cross-section against a deep night-blue background with magenta and cyan glow. In the centre, a powerful black computer chip labelled

Not in the Brief, Episode 01

Open chrome://on-device-internals in a new tab. If your machine qualifies, you will see a multi-gigabyte language model that Chrome has downloaded onto your disk, listed with a version number and a file size. Any website you visit can call this model through an API in JavaScript. There is no permission prompt. There never was. This is the first episode of Not in the Brief: a series on the documented mechanics of software that has been added to your machine without you being asked. We start with the largest target available, because the change is hidden in plain sight, and because almost everyone is affected.

What Is Built In

Chrome ships seven on-device AI APIs, all backed by a foundation model called Gemini Nano. Gemini Nano runs locally; the inference does not leave the machine. The APIs, in order of relevance, are:

  • LanguageModel: the Prompt API. Free-form text in, text out.
  • Summarizer: text summarisation.
  • Translator: language translation between supported pairs.
  • Writer: short-form generative writing.
  • Rewriter: text rewriting and tone change.
  • Proofreader: grammar and style correction.
  • LanguageDetector: language identification.

Generally available for extensions since Chrome 138 (May 2025). For ordinary web pages, the APIs are in Origin Trial and behind a feature flag for end users; in practice, this means a website needs an Origin Trial token, and the browser must have the model loaded. The trial route does not require user consent at the page level either.

How It Got On Your Machine

Announced at Google I/O in May 2024. The decision logic Chrome applies today, as documented by Google's own developer pages, is the following.

When the user starts Chrome on a qualifying device, the browser checks four things in the background: more than 4 GB of VRAM available, at least 16 GB of system RAM, at least 22 GB of free space on the volume holding the Chrome profile, and a supported operating system (Windows 10 or 11, macOS 13 or later, Linux, or ChromeOS on a Plus device). On mobile Chrome the entire feature is unavailable, so phones are out. Desktops, laptops and Chromebook Plus devices are in.

When all four conditions hold and any local activity (a relevant page, an extension, an Origin Trial token) triggers the API, Chrome downloads Gemini Nano in the background, on an unmetered connection. There is no installation prompt. No "Chrome would like to download a 2 GB model" dialog. The model arrives, lives on disk, and updates itself.

If the free disk space later drops below 10 GB, Chrome removes the model. If the eligibility criteria are not met for 30 days, the model is purged. Both removals happen without user interaction; both reinstall when the conditions return.

How A Website Talks To The Model

The API surface is straightforward. A web page in JavaScript writes:

const session = await LanguageModel.create();

If the model is available, a session is returned and the page can call session.prompt("...") to get text back. There is no permission dialog at any point in this exchange. The same code, in 2018, would have produced a navigator.mediaDevices.getUserMedia() call for the microphone or camera, and would have triggered a browser-level prompt asking the user. The Prompt API does not.

The cross-origin story is partial. A top-level page on example.com can call the API. A same-origin iframe can call it. A cross-origin iframe (an embedded ad, an embedded widget) needs the parent page to set the allow="language-model" attribute on the iframe. This is the only permission boundary in the architecture, and it lives between iframes, not between site and user.

The capability probe LanguageModel.availability() returns one of three values: 'available', 'downloading', or 'unavailable'. Any page that calls this method learns whether the visitor is on a model-capable device. This is a hardware-class probe without a permission prompt, in a browser whose Privacy Sandbox was discontinued in April 2025 and whose own advertising policy explicitly permits digital fingerprinting since February 2025. It is one further entry in a list of more than thirty active fingerprinting vectors active in production Chrome today.

There is no rate limit on the website's calls. There is no per-origin token quota. The compute cost is paid by the user's CPU, GPU and battery; the website pays nothing.

Why The Permission Prompt Is The Story

Browsers express their security policy through their dialogs. Geolocation needs one. Microphone, camera, screen capture, notifications, clipboard, USB, MIDI, Bluetooth: all need them. Local language-model inference does not. That is not a small detail. It is an architectural statement: this feature is classified, by Chrome, as belonging to the standard platform, not to the privileged plate. It sits next to the JavaScript engine, not next to the camera.

A reasonable user reading the brief would expect to be asked about a feature that uses several gigabytes of disk, runs on the user's GPU, and consumes battery whenever a website calls it. The user is not asked. The brief did not specify this, the user accepted it by accepting Chrome.

What This Means For Risk

Three risk lines are real, and they should be named without panic.

Fingerprinting and tracking. LanguageModel.availability() is a fingerprinting input. Combined with the canvas, font, audio, language, GPU and timing vectors that are already in production use across roughly thirteen percent of the top 20,000 websites (per a 2025 ACM study), the addition of a model-availability probe contributes to a higher-entropy fingerprint. In a browser without Privacy Sandbox and with explicit policy permission for fingerprinting, this is a measurable degradation.

Indirect prompt injection. Web content goes into the model. Model output goes back into web UIs. A page that includes a hidden instruction in user-readable text can attempt to coerce the model into producing output that influences subsequent actions. OWASP found indirect prompt injection in 73 percent of production AI deployments it audited in 2024. Google has responded with a five-layer defence and a separate "User Alignment Critic" model that watches the agentic Gemini sidebar; that response is itself a recognition that the threat class is severe. The on-device Prompt API does not face the agentic-action surface, but a website that uses it to summarise web content for the user is one Prompt-Injection layer away from inserting whatever the attacker has inserted into the displayed result.

Hijack and privilege boundaries. CVE-2026-0628, disclosed in early January 2026 and fixed by Google in mid-January, allowed Chrome extensions with basic permissions to hijack the Gemini Live panel and inherit camera, microphone and file-access privileges through the panel's surface. The panel is not the same component as the Prompt API, but the disclosure shows that the boundary between the AI surfaces in Chrome and the rest of the browser's privilege system has been crossed at least once.

These are not theoretical risks. They are documented in Chrome's own security advisories, in OWASP's annual report and in disclosures by Palo Alto's Unit 42, Malwarebytes and SecurityWeek.

How To See It On Your Own Machine

Three tabs, one policy. Five minutes.

chrome://on-device-internals. The model status, version, file size and update history. If the page shows a Gemini Nano entry with a version number and a size, the model is on your disk and ready to be called.

chrome://flags/#optimization-guide-on-device-model. Set this to Disabled. Relaunch Chrome. The model will not be downloaded; if it has already been downloaded, it will be removed.

chrome://flags/#prompt-api-for-gemini-nano. Set this to Disabled. Relaunch. The web-page API surface is gone; pages calling LanguageModel.create() will fail with 'unavailable'.

Enterprise policy. On Windows, set the registry value HKLM\SOFTWARE\Policies\Google\Chrome\GenAILocalFoundationalModelSettings = 1 (DWORD). On macOS and Linux there are equivalent profile keys. Chrome will respect this and the model will not return through future updates.

DevTools. Open a tab on any site, open DevTools, switch to the Network panel, and filter for optimizationguide-pa.googleapis.com. This is the model and configuration update server. You will see traffic when Chrome checks for or pulls model updates.

The Pattern Is Not Chrome-Only

This is a series, and Chrome is the first episode because it is the largest. The same pattern is in other browsers, each in its own form.

  • Microsoft Edge ships a Copilot Sidebar that is enabled by default for many users; the toggle lives at edge://settings/copilot.
  • Brave Browser ships Leo AI built in, with a cloud-mode toggle in Settings → Leo.
  • Firefox added an AI Chat sidebar with a configurable provider in about:preferences#general → AI Chatbot.
  • Arc ships AI features in Settings → AI; the project is now under The Browser Company.
  • Apple Safari integrates Apple Intelligence on supported macOS and iOS versions, configured under System Settings → Apple Intelligence.

The architecture varies. The pattern is the same: an AI feature added by default, exposed to web pages or to the user, with the awareness path tucked into a Settings page that few users will visit unprompted. We will take each of these in turn over the coming episodes, and the awareness path for each.

What To Take Home

If your browser ships an API without a permission prompt, the browser has stated where that API stands. It is treating the feature like part of the standard platform: not a privileged surface that needs explicit user consent, but a default capability of the runtime.

That is not an argument against Chrome's built-in AI. It is an argument for knowing it is there. The feature is real. The performance is genuinely good. The local-model architecture is, in some respects, more privacy-respecting than a cloud round-trip would have been. The quarrel is not with the existence of the feature. It is with the silence of its arrival, and with the dialog that the browser used to show and now does not.

The browser used to ask about the camera. It does not ask about the model. The line moved. The dialog did not.

If you have not looked, you do not know what is on. The looking is not difficult. It just has to start.

Read the full article on vivianvoss.net →


By Vivian Voss, System Architect & Software Developer. Follow me on LinkedIn for daily technical writing.