TL;DR
Claude in Chrome (Anthropic’s official extension, in beta on all paid plans as of June 2026) reads the active tab and can navigate, click, and fill forms on your behalf. That makes it great for research and comparison shopping and dangerous on banking, email, or admin tabs. The safe workflow: keep it off by default, grant permission one domain at a time, leave it in “Ask before acting” mode, and never grant it on financial or work-admin sites. Anthropic already blocks banking, trading, crypto-exchange, and adult sites by default; this guide adds the human discipline that closes the rest of the gap.
What you actually get (and what changed)
The original 2025 version of this extension was a near read-only “summarize this tab” helper. The shipping product is more capable: Claude in Chrome can open tabs, read pages, run JavaScript per domain, fill forms, manage a tab group, and run scheduled background tasks. That is more useful and a bigger blast radius, so the workflow below treats it like screen sharing — off until you deliberately turn it on.
Two facts set the boundaries:
- It is not free. As of June 2026 the extension is in beta on Pro, Max, Team, and Enterprise plans only. There is no Free-tier access.
- Your plan picks the model. On Pro ($20/mo, $17/mo annual) the extension runs Claude Haiku 4.5 — fast, cheap, and the right default for page reading. On Max ($100/$200), Team, and Enterprise you can switch to Sonnet 4.6 or Opus 4.7 for heavier reasoning over a page.
Who this is for
Claude paid subscribers doing research, web reading, comparison shopping, competitive analysis, or anyone who keeps 20+ tabs open and wants AI to make sense of them without copy-paste.
When to reach for it
You are reading something dense — a long blog post, a product spec, a SEC filing — and want Claude to react to the actual page, not your paraphrase. It also shines for tab-to-tab comparisons where pasting both sides manually is tedious. Pro users running Haiku 4.5 should keep prompts focused on extraction and summary; for multi-page synthesis, a Max account on Sonnet 4.6 reads more reliably.
When this is NOT the right tool
Banking, email, work admin consoles, internal company portals, healthcare records, or any tab with personal or financial data. Anthropic already refuses some of these by default (see the table below), but the safe default is still: disable the extension before you open them, period.
The permission model, in plain terms
This is the part most guides get wrong, so here is the current model as of June 2026:
| Control | What it does | Where it lives |
|---|---|---|
| Per-domain permission | Claude must get your approval before it reads or runs JavaScript on a new domain. Each domain is separate. | Extension side panel prompt |
| ”Ask before acting” mode | Claude writes a plan and waits for your approval before doing anything. Keep this on. | Extension settings |
| ”Act without asking” mode | Claude takes actions without per-step approval. Higher risk; use only on a sandbox site you control. | Extension settings |
| Always-confirm actions | High-risk steps (purchases, sending data) require explicit confirmation regardless of mode. | Automatic, cannot disable |
| Default-blocked categories | Claude refuses to act on entire site classes out of the box. | Built in |
Default-blocked site categories Anthropic lists (Claude will not operate on these even if you ask):
| Category | Examples |
|---|---|
| Financial services and banking | Bank logins, payment portals |
| Investment and trading platforms | Brokerages, trading dashboards |
| Cryptocurrency exchanges | Coinbase-style exchange pages |
| Adult content | Explicit sites |
| Known pirated-content sites | Flagged piracy domains |
These blocks are a floor, not a fence. Personal email, your company’s internal admin tool, and a health-records portal are not on that list — you have to handle those yourself.
Setup, step by step
- From a paid Claude account, install the official Anthropic extension from the Chrome Web Store and sign in with your Claude credentials. It is supported on Google Chrome; it is not supported on mobile or, per Anthropic’s docs, most other Chromium browsers.
- Pin the extension via the puzzle-piece icon so the on/off state is always visible in the toolbar.
- Open the extension settings and confirm it is in “Ask before acting” mode. Do not switch to “Act without asking” for everyday use.
- Grant permission per domain, not broadly. When Claude asks to access a new site, approve only the one you are actively researching.
- Set your personal default to off. Turn it on for a specific tab, then turn it off when you switch context. This single rule prevents most accidents.
- Make a reflex: every time you open a banking, email, or admin tab, glance at the icon and confirm Claude is not active there.
The research workflow
- Navigate to the page first, then ask with a specific verb. “Summarize this page in 3 bullets, then list 5 follow-up questions worth asking” pulls far less than a vague “what is this.”
- For comparison, open tab A and ask Claude to summarize. Open tab B and ask: “Compare this to what you just summarized — give 3 reasons to prefer A, 3 to prefer B, and one thing both are missing.” On Max, you can drag both tabs into Claude’s tab group and have it read both at once.
- For long pages, target the section: “Find the paragraph that explains the refund policy and quote it” beats “read the whole thing,” and it is much cheaper on Haiku 4.5.
- Disable the extension when the research session ends. Habit beats memory; many people leave it on all evening by accident.
First-run drill (5 minutes)
- Pick a low-stakes target — a single product page or a blog post you genuinely want to read.
- Grant the extension on that one domain. Ask: “Summarize this page in 3 bullets. Then list 5 follow-ups.”
- Disable it. Open a banking or email tab. Confirm the icon shows inactive — and note that on a banking domain Claude should refuse outright.
- Re-enable on a second product page and ask Claude to compare the two. Save the output to your notes app.
Quality check
- Spot-check 2-3 facts from the summary against the actual page text. Connector summaries inherit page misreads silently, and Haiku 4.5 is fast but less careful than Sonnet 4.6 on dense pages.
- Confirm the icon state matches the tab: active only on the page you want read, inactive everywhere else.
- Watch for “I cannot see this page” responses. They mean the page is gated (paywall, login wall, late JS render) and Claude has an empty shell to work with.
- Weekly, open the extension’s site-permission list and revoke any domain you only needed once.
The security part you should not skip
Browser AI agents have a real, named threat: prompt injection, where hidden instructions on a page hijack the agent into doing something you never asked for. This is not theoretical for this extension. In early 2026 researchers disclosed ShadowPrompt, a zero-click chain that let any website inject prompts into Claude’s Chrome extension with no click and no permission prompt. Anthropic shipped a fix on January 15, 2026 that added a strict origin check (requiring exactly https://claude.ai) and confirmed it working by January 18.
The broader numbers from Anthropic’s own red-teaming: across 123 adversarial test cases, browser use without safety mitigations had a 23.6% attack success rate; their current configuration drops that to roughly 1%. One percent is not zero. That is exactly why the discipline in this guide — default off, per-domain grants, “Ask before acting,” no sensitive tabs — is the part that protects you, not the model.
Common mistakes
- Switching to “Act without asking” to skip prompts — convenience now, an injected action later.
- Granting a broad permission to avoid the per-domain prompt. Keep it one domain at a time.
- Asking “what is on this page” instead of a specific extraction prompt; Claude pulls heavy or stale content.
- Trusting a long-page summary without spot-checking, especially on Haiku 4.5.
- Using it on gated content (paywalls, login walls). Claude reads only what rendered for you, and the failure is silent.
- Leaving it enabled while screen-sharing on a call; anything Claude reads can surface in your reply visible to the room.
Advanced tips
- Use a separate Chrome profile for sensitive browsing (banking, work admin) and do not install the extension there. Profile isolation beats willpower.
- Keep favorite prompts (“compare two tabs,” “extract pricing table,” “find the section on X”) in a notes app so you stop retyping them.
- For weekly competitor tracking, run the same prompt over the same set of pages — changes are easier to spot, and Claude’s scheduled tasks can queue it.
- Screenshot key sections as backup; pages change, and you want a record of what the summary was based on.
FAQ
- Which plans can use Claude in Chrome?: As of June 2026 it is in beta on Pro, Max, Team, and Enterprise. There is no Free-tier access. Pro runs Haiku 4.5; Max/Team/Enterprise can also pick Sonnet 4.6 or Opus 4.7.
- Does Claude see all my tabs at once?: Only domains you have granted. Each domain requires separate permission. On Max you can deliberately group tabs so Claude reads several at once.
- Is the page sent to Anthropic servers?: Yes. Page content is sent for the model to process, so treat it like any chat input — do not point it at anything you would not paste into a chat.
- Can it click buttons or fill forms?: Yes, the current extension is agentic, not read-only. In “Ask before acting” mode it asks first, and high-risk actions like purchases always require explicit confirmation.
- Is it safe given the prompt-injection reports?: Anthropic patched the ShadowPrompt zero-click chain in January 2026 and reduced attack success in its own tests from 23.6% to about 1%. That residual risk is why you keep it off by default and never grant it on sensitive sites.
- How do I fully remove it?: Uninstall from
chrome://extensions, then check Site Settings and the extension’s permission list for any lingering per-domain grants.