How to Use the Claude Web Extension | Web Automation & Cowork Integration in Chrome
More and more people are asking: which extension should I install to get the official version, how do the available models differ between Pro and Max, and what exactly happened with the ClaudeBleed vulnerability? This article covers everything about Anthropic's official "Claude for Chrome" extension — from installation steps to Cowork integration and the May 2026 security response.
The Claude Web Extension (Claude for Chrome) is a browser extension piloted by Anthropic on August 25, 2025, and rolled out to all paid plans — Pro, Max, Team, and Enterprise — on December 18, 2025. It lets you open Claude in Chrome's side panel while continuing to browse, and delegate web page operations, information extraction, and multi-tab workflows to Claude.
The available models depend on the plan: Pro offers Haiku 4.5 only, while Max / Team / Enterprise offer a choice of Opus 4.7 / Sonnet 4.6 / Haiku 4.5 (as of May 2026). Heavy research tasks that involve complex reasoning require Max or above. Check the official help center for the latest available models. When used together with Cowork, Chrome handles information gathering while Cowork generates Excel spreadsheets, PowerPoint decks, and reports — eliminating the need to copy and paste between them.
On the security front, mitigations have reduced the prompt injection attack success rate from 23.6% to 11.2%, and the ClaudeBleed vulnerability present in v1.0.69 (released April 22, 2026) was fixed in v1.0.70 (released May 6, 2026), although some issues remain in privileged mode.
Table of Contents
- What Is the Claude Web Extension — Background of the August 25, 2025 Release
- Installation Steps — 6 Steps from the Chrome Web Store
- Available Plans and Models — Pro = Haiku 4.5 / Max = Opus 4.7 (as of May 2026)
- Key Features — navigate / click / form fill / multi-tab
- End-to-End Workflow with Cowork Integration
- A Typical Workflow
- Required Permissions and Team / Enterprise Admin Controls
- Admin Controls for Team / Enterprise
- Security Risks — Prompt Injection and ClaudeBleed (Fixed in v1.0.70)
- Anthropic's Mitigations
- The ClaudeBleed Vulnerability (April 2026 – May 2026)
- What Users Should Do Now
- Difference from Claude Code Integration (/chrome) — How to Choose
- Summary — Decision Criteria for Adopting the Claude Web Extension
What Is the Claude Web Extension — Background of the August 25, 2025 Release
The official name of the Claude Web Extension is Claude for Chrome, an official browser extension from Anthropic. It was released on August 25, 2025 as a research preview limited to Max plan users, then expanded to all paid plans including Pro, Team, and Enterprise on December 18, 2025 (Source: Piloting Claude in Chrome).
Note that Anthropic officially uses both "Claude for Chrome" (product blog and official landing page) and "Claude in Chrome" (help center and Chrome Web Store). Both names refer to the same extension.
Once installed, a Claude icon is added to the Chrome toolbar, and you can open Claude in a side panel while continuing to browse the web. Claude can click, fill forms, scroll, and take screenshots, completing tasks such as multi-tab workflows and information extraction from logged-in sites entirely within the browser (Source: Claude for Chrome Official Page).
While many extensions claim to be "browser AI," this extension is the only official Chrome extension distributed directly by Anthropic, and is entirely separate from third-party extensions that merely call Claude. When installing, always confirm the vendor name "Anthropic" and the Chrome Web Store verification badge.
Installation Steps — 6 Steps from the Chrome Web Store
The official help center installation steps are as follows (Source: Get started with Claude in Chrome):
- Launch Google Chrome (other Chromium-based browsers and mobile versions are not supported)
- Search for "Claude in Chrome" or "Claude for Chrome" on the Chrome Web Store and confirm the distributor is Anthropic
- Click "Add to Chrome" to install the extension
- Sign in with your Claude account (direct Anthropic plan required — see below)
- Pin the extension from the puzzle icon to keep it in the toolbar
- Grant the required permissions (approve the 15 permissions described below)
After installation, clicking the Claude icon in the toolbar opens the side panel, where you can give Claude instructions while viewing web pages. To connect with Claude Desktop, enable "Claude in Chrome" from Settings → Connectors so the desktop app can also control Chrome.
Available Plans and Models — Pro = Haiku 4.5 / Max = Opus 4.7 (as of May 2026)
Claude for Chrome is available on all paid plans, but the models you can select differ by plan (Source: Official Help — Plan Information):
| Plan | Available Models | Intended Use |
|---|---|---|
| Pro | Haiku 4.5 only | Lightweight tasks such as form filling and short information extraction |
| Max | Choose from Opus 4.7 / Sonnet 4.6 / Haiku 4.5 | Multi-tab research, long-form summarization, reasoning-intensive web tasks |
| Team / Enterprise | Same as above (with admin controls) | Business research, sales research, automation within approved domains |
The model lineup above reflects the state as of May 2026. Newer models such as Opus 4.8 (1M context, released June 2026) may have been added since. Check the official help center for the latest available models.
Using Opus 4.7 via the web extension on the Pro plan is not possible. If you want to delegate reasoning-heavy tasks — such as synthesizing findings from multiple sources or extracting structured data from long pages — to the web extension, Max or above is required. Conversely, for simpler tasks like filling forms on a known site after login or extracting standardized data, Haiku 4.5 on Pro is sufficient.
Note that Claude accessed via Bedrock, Vertex, or Foundry (third-party providers) does not work with the web extension. Authentication via a direct Anthropic plan is required.
Key Features — navigate / click / form fill / multi-tab
The official landing page describes the extension's core capabilities concisely as "navigate, click buttons, and fill forms on Chrome," but in practice it supports a wider range of operations (Source: Claude for Chrome Official Page):
- Page navigation and element clicking: Autonomously clicks search results and CTA links to navigate
- Form filling: Automatically fills inquiry forms, applications, and search boxes
- Multi-tab workflows: Aggregates prices and specs by traversing 5 comparison tabs
- Scheduled tasks: "Open this dashboard at 9 AM every morning and summarize the KPIs"
- Screenshot capture: Provides visual information to Claude to help it understand UI context
- Debugger integration: Reads Console / Network tab information to diagnose web app behavior
Multi-tab workflows are where Claude for Chrome truly shines. For a single research task, Claude can open 5 to 10 tabs, extract key points from each page, and generate a consolidated report — all within the side panel.
End-to-End Workflow with Cowork Integration
Claude for Chrome handles "information gathering and web operations," while handing off the final deliverable creation to Cowork — this division of labor is officially recommended (Source: Claude for Chrome Official Page).
Quoting the official description: "Chrome navigates and gathers information, Cowork produces Excel models, comparison decks, and reports without having to copy and paste."
A Typical Workflow
- Chrome side: Visits 5 competitor sites and extracts pricing, features, and release dates
- Handoff: Shares the extracted results with Cowork via the Claude session
- Cowork side: Automatically generates an Excel comparison table and a PowerPoint competitive analysis deck from the received data
- Final step: The user simply reviews the output produced by Cowork
This paired operation works because Chrome and Cowork run on the same Claude session and the same account authentication — eliminating the traditional friction of "export data to CSV, download it, then import it into another tool" between the research and output generation stages.
Required Permissions and Team / Enterprise Admin Controls
Claude for Chrome requests the following 15 Chrome permissions (Source: Official Help — Required Permissions):
The key permissions at the core of its operation are:
| Permission | Role |
|---|---|
| debugger | Reads Console / DOM — diagnoses web app behavior and helps Claude understand page structure |
| scripting | Injects scripts into pages — executes button clicks, form filling, and text extraction |
| tabs / tabGroups | Cross-tab navigation — manages workflows that open new tabs or move between tabs |
| downloads | File retrieval — downloads files from pages for Claude to reference |
| nativeMessaging | Desktop integration — serves as the communication channel with Claude Desktop |
| sidePanel / storage / unlimitedStorage | Side panel display and data persistence |
| alarms / notifications | Execution of scheduled tasks and notifications |
| system.display / webNavigation / offscreen / declarativeNetRequestWithHostAccess | Screen information retrieval, page navigation control, and request handling |
The official help center states: "This lets Claude actually control your browser – clicking buttons, typing text, and taking screenshots." The debugger and scripting permissions are particularly powerful. These broad permissions are necessary because Claude autonomously performs real browser operations — navigating to links, filling inputs, and clicking — and this permission set is also the background for the prompt injection and ClaudeBleed risks described below.
Admin Controls for Team / Enterprise
Team / Enterprise plan administrators can apply the following controls across the organization:
- Extension availability: Whether organization members can install Claude for Chrome
- Site allowlist: Explicitly lists domains Claude is permitted to operate on
- Site blocklist: Prevents operation on sensitive domains such as internal systems and SaaS admin panels
- Automatic blocking by category: Enables Anthropic-defined category-based restrictions (e.g., financial sites)
If you want to prevent Claude from autonomously submitting forms on internal systems, the recommended approach is to finalize the allowlist design before rolling out the extension.
Security Risks — Prompt Injection and ClaudeBleed (Fixed in v1.0.70)
The biggest risk with Claude for Chrome is prompt injection attacks — attacks where hidden instructions embedded in malicious web pages, emails, or PDFs cause Claude to act in unintended ways. In Anthropic's own testing, attack success rates of 23.6% without mitigations and 11.2% with mitigations were observed (Source: Piloting Claude in Chrome).
Anthropic's Mitigations
- Site-level permission controls — operations are authorized at the domain level
- Confirmation dialogs for sensitive operations — required for money transfers, purchases, and password changes
- Category-based blocking of financial and adult sites
- Advanced classifiers to detect suspicious instruction patterns
- Browser-specific attack mitigations — achieving 0% success rate on a targeted test set
The ClaudeBleed Vulnerability (April 2026 – May 2026)
In April 2026, a researcher at LayerX discovered a critical design flaw in Claude for Chrome and disclosed it as ClaudeBleed (Source: ClaudeBleed: A Flaw In Claude's Browser Extension):
| Item | Details |
|---|---|
| Affected version | v1.0.69 (released April 22, 2026) |
| Fixed version | v1.0.70 (released May 6, 2026) |
| Root cause | Trusting the claude.ai origin (the browser's identifier for a page's source) rather than the execution context |
| Impact | Even a zero-permission malicious extension could "hijack" Claude's permissions (data extraction from Gmail / Drive / GitHub, actions taken on behalf of the user) |
| Fix status | Partial fix only — the vulnerability persists in privileged mode |
The essence of ClaudeBleed is that Claude for Chrome's trust model allowed circumvention of the "per-extension permission boundaries" assumed by Chrome's extension security model. Even after v1.0.70, LayerX recommends introducing "extension-to-page authentication tokens," "restricting which extension IDs are trusted via externallyConnectable," and "one-time token binding to tie connections to user approval" — and Anthropic's remediation work is ongoing.
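How the three LayerX recommendations fit together, as an added example that is not Anthropic's or LayerX's code: the gate below authorizes a caller by extension ID and by a single-use token minted on user approval, and never by page origin alone. `ConnectionGate`, `originOnly`, the tab-ID binding and all sample values are assumptions made for illustration; the `sender` object mirrors the `id`, `origin` and `tab` fields of Chrome's `MessageSender`.

```javascript
// Added illustration; ConnectionGate and every sample value are hypothetical.

// Origin-only trust, the pattern the article names as the root cause:
// anything that can speak from the page's origin is accepted.
const originOnly = (sender) => sender.origin === "https://claude.ai";

class ConnectionGate {
  // trustedIds: the only extension IDs allowed to talk to us (the same list
  // would go under "ids" in the manifest's externally_connectable key).
  // makeToken is injectable so the behaviour can be tested deterministically.
  constructor(trustedIds, makeToken = () => globalThis.crypto.randomUUID()) {
    this.trustedIds = new Set(trustedIds);
    this.makeToken = makeToken;
    this.pending = new Map(); // token -> { tabId, expires }
  }

  // Called only from the extension's own UI, after the user approves a session.
  approve(tabId, now = Date.now(), ttlMs = 30000) {
    const token = this.makeToken();
    this.pending.set(token, { tabId, expires: now + ttlMs });
    return token;
  }

  // Decide whether a message may drive the agent. Origin is never consulted.
  authorize(sender, token, now = Date.now()) {
    // Callers that are extensions must be on the ID allowlist.
    if (sender.id !== undefined && !this.trustedIds.has(sender.id)) {
      return { ok: false, reason: "untrusted-extension-id" };
    }
    const grant = this.pending.get(token);
    if (!grant) return { ok: false, reason: "unknown-or-used-token" };
    this.pending.delete(token); // single use, even when a later check fails
    if (now > grant.expires) return { ok: false, reason: "expired-token" };
    // The token is bound to the tab the user approved (assumed binding).
    if (!sender.tab || sender.tab.id !== grant.tabId) {
      return { ok: false, reason: "wrong-context" };
    }
    return { ok: true, reason: "approved" };
  }
}

// Wiring in an extension service worker (shown for context, not executed here):
// chrome.runtime.onMessageExternal.addListener((msg, sender, reply) =>
//   reply(gate.authorize(sender, msg.token)));
```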
What Users Should Do Now
- Check the extension version — Verify it is v1.0.70 or later via chrome://extensions/
- Audit other installed extensions — Reduce risk from other extensions installed in the same profile
- Remove sensitive domains from the allowlist — Disable the extension on banking sites, internal SSO, and SaaS admin panels
- Perform "privileged" operations manually — Do not delegate money transfers, password changes, or contract approvals to Claude
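The first two checks can be scripted for a single Chrome profile. The Node.js script below is an added example, not an Anthropic tool: it reads each extension's on-disk manifest, flags any copy of the Claude extension older than v1.0.70, and lists every other extension in the profile for review. The extension ID is a placeholder you must copy from chrome://extensions/, and the function names are hypothetical.

```javascript
// Added illustration: inventory one Chrome profile's Extensions directory.
const CLAUDE_ID = "<claude-extension-id>"; // placeholder: copy from chrome://extensions/
const FIXED_VERSION = "1.0.70";            // fixed version named in the article

// Compare Chrome-style dotted versions numerically, so 1.0.9 < 1.0.70.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Reads <profile>/Extensions/<id>/<version dir>/manifest.json for each extension.
function readInstalled(extensionsDir) {
  const fs = require("node:fs");   // Node built-ins, loaded only when the
  const path = require("node:path"); // directory is actually scanned
  const found = [];
  for (const id of fs.readdirSync(extensionsDir)) {
    const idDir = path.join(extensionsDir, id);
    if (!fs.statSync(idDir).isDirectory()) continue;
    for (const versionDir of fs.readdirSync(idDir)) {
      const file = path.join(idDir, versionDir, "manifest.json");
      if (!fs.existsSync(file)) continue; // skip entries without a manifest
      const manifest = JSON.parse(fs.readFileSync(file, "utf8"));
      found.push({ id, name: manifest.name, version: manifest.version });
    }
  }
  return found;
}

// Splits the inventory into the Claude extension (patched flag per on-disk
// copy) and every other extension in the profile, for manual review.
function auditProfile(installed, claudeId = CLAUDE_ID, fixed = FIXED_VERSION) {
  const claude = installed
    .filter((e) => e.id === claudeId)
    .map((e) => ({ ...e, patched: compareVersions(e.version, fixed) >= 0 }));
  const others = installed.filter((e) => e.id !== claudeId);
  const action = claude.length === 0 ? "not-found"
    : claude.some((e) => !e.patched) ? "update" : "ok";
  return { claude, others, action };
}

// Usage: node audit.js "<path to Chrome profile>/Extensions"
if (typeof process !== "undefined" && process.argv[2]) {
  console.log(JSON.stringify(auditProfile(readInstalled(process.argv[2])), null, 2));
}
```

Manifest names can appear as `__MSG_...__` localization keys, so match the Claude extension by ID rather than by name.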
Difference from Claude Code Integration (/chrome) — How to Choose
Claude for Chrome is designed so that "Claude, accessed via the web UI or Desktop app, directly controls the browser." In contrast, the mode launched from Claude Code via claude --chrome or /chrome is a different use case: "A Claude Code session running in the CLI controls Chrome through that same browser extension."
| Aspect | Claude Web Extension (this article) | Claude Code + /chrome |
|---|---|---|
| Launch from | Chrome toolbar / Claude Desktop | Terminal (Claude Code CLI) |
| Target users | General knowledge workers, sales, researchers | Engineers, automation specialists |
| Primary purpose | Web research, form filling, Cowork integration | E2E testing, web app debugging, automated operation scripts |
| Constraints | Pro = Haiku 4.5 only | Direct Anthropic plan + extension v1.0.36 or later |
For developers who want to control the web from Claude Code, the companion article How to Use Claude in Chrome | Beta Limitations and Workarounds Explained covers Brave/Arc constraints and prioritization relative to Computer Use. For general users who want to delegate web tasks to Claude, installing the Chrome Web Store version following the steps in this article is the fastest path.
Summary — Decision Criteria for Adopting the Claude Web Extension
Claude for Chrome is an official extension for general users who want to delegate web research and simple web operations to AI, and its greatest strength is the ability to combine it with Cowork to handle the entire "research → deliverable creation" workflow in one continuous flow. At the same time, as prompt injection and ClaudeBleed demonstrate, it sits at the frontier of browser extension security, and there are at least three things to confirm before adopting it:
- Plan selection — Reasoning-heavy research requires Max or above (Opus 4.7 or latest generation); lightweight tasks are fine with Pro (Haiku 4.5)
- Version management — Stay on v1.0.70 or later and do not block update notifications from Anthropic
- Permission boundaries — Remove sensitive domains from the allowlist and perform money transfers and contract actions manually
Understanding that this is a beta-stage feature, the sensible approach is to start with low-risk research tasks before expanding usage.
Sources