For most of its history, a browser was a program you ran. You opened it, it did what you told it, you closed it. The trust boundary was clean: the page could touch what you handed it, and not much else.
That model is gone, and it did not leave in one dramatic breach. It left through a series of changes that each arrived wrapped in the language of security, performance, or convenience. Taken one at a time, each change is defensible. Taken together, they describe a browser that is no longer a tool you operate. It is an environment you operate inside, and the vendor sets the rules of that environment, not you.
Three recent examples make the pattern concrete. What ties them together is not malice. It is the justification. In each case the vendor's security narrative and the user's security interest have diverged, and the words used to defend the change are the clearest signal that the divergence has happened.
Example one: FROST, where performance beats the leak it enables
Researchers at Graz University of Technology and Liebherr-Transportation Systems published FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing. The work is scheduled for the DIMVA conference in July 2026, and the lead author is Hannes Weissteiner.
The mechanism is a storage timing side channel. The Origin Private File System (OPFS) is a browser API that gives a web page its own sandboxed storage on your local disk, with no permission prompt, because it was designed for performance-heavy web apps like in-browser editors and IDEs. FROST abuses that. A malicious page creates a very large OPFS file, large enough to exceed the operating system's page cache so that every read hits the physical disk, then continuously times small random reads. When you open another website or launch a native application, that activity competes for the same SSD, and the contention shows up as measurable latency spikes. The page never reads your data and never escapes its sandbox. It infers what else is running by watching the disk.
On a test Mac the technique identified running native applications with 95.83% accuracy and visited websites with 88.95% accuracy. Secondary coverage rounds these to roughly 96% and 89%. Because the leak happens at the operating system's storage layer rather than inside a single browser process, a page open in one browser can observe activity from another browser or a native app on the same machine.
The researchers disclosed to Google, Mozilla, and Apple before publishing. The responses are the point. Per the paper, Chromium developers stated that fingerprinting attacks are not considered security vulnerabilities. Apple called the issue currently out of scope while indicating future mitigations might be considered. Mozilla acknowledged the findings without shipping a fix. No CVE has been assigned, and no patches have been announced.
Read the justification literally. "Fingerprinting is not a security vulnerability" is a true statement inside a specific threat model, the one where near-native web performance is the priority and the leakage that performance enables is somebody else's problem. OPFS gives web apps fast local storage. The same property that makes it fast is the property FROST uses to turn your disk into a sensor. The vendor chose performance, which is a defensible engineering call, and then described the cost of that call as outside the definition of a security problem.
Example two: Gemini Nano, where a silent install is framed as a security feature
In May 2026, the security researcher and lawyer Alexander Hanff documented that Chrome had been silently writing a roughly 4 GB on-device model file named weights.bin to disk, in a directory called OptGuideOnDeviceModel, without a consent prompt. Delete the file and Chrome re-downloads it as long as the relevant AI features remain on, and those features are enabled by default on hardware that meets the requirements. Snopes investigated and rated the silent-install and self-reinstall claims mostly true, finding the file on multiple staff machines across macOS and Windows. Hanff argued the practice may violate European privacy law and raised the aggregate bandwidth and emissions cost of pushing a 4 GB file to a browser at global scale.
Google's defense was that it has offered Gemini Nano since 2024 as a lightweight on-device model that powers capabilities like scam detection and developer APIs without sending data to the cloud. That is the security framing: the local model keeps work local.
There is a second layer that makes the framing worse, not better. The visible "AI Mode" pill in the Chrome 147 omnibox, sitting in the most prominent piece of UI in the browser, is not powered by that local model. It is a cloud-backed Search Generative Experience surface, and queries typed into it are sent to Google's servers. So a reasonable user sees a local-looking AI surface, knows a local model was quietly installed on their disk, and infers their queries stay on the device. That inference is wrong. The on-device model is real and is justified as a privacy and security feature. The surface a user is most likely to actually type into ships their input to the cloud. The justification describes one component while the user interacts with another.
Example three: Manifest V3, where security language degrades a security control
Manifest V3 is Chrome's extension platform update. The change that matters replaced the webRequest API with the more limited declarativeNetRequest API. The practical effect is that the dynamic, real-time request filtering that full uBlock Origin relied on is gone, and static filtering is capped. Chrome 138, released July 24, 2025, permanently disabled Manifest V2 extensions for standard users and removed the toggle that let people re-enable them. Chrome 139 removed the enterprise override policy. Chrome 150, scheduled to reach stable on June 30, 2026, removes the last flag that allowed any workaround, and a Google engineer confirmed no workaround remains after that. The full version of uBlock Origin now runs only on Firefox and Brave.
Google's stated rationale is security and performance. Here is where the rationale points backwards. The US Cybersecurity and Infrastructure Security Agency has recommended ad blockers as a defense against malvertising and drive-by downloads served through programmatic ad exchanges. A meaningful share of ad-blocker users run them specifically to stop malware and to limit tracking. Manifest V3 degrades a control that a federal cybersecurity agency recommends as a defensive layer. Meanwhile Google's estimated 2025 advertising revenue was 239.5 billion dollars, and content blockers directly reduce ad impressions. The security-and-performance justification sits on top of a business incentive that the justification never mentions.
The pattern worth naming
Line the three up by their justification rather than their mechanism.
- FROST: the leak is acceptable because fingerprinting is "not a security vulnerability," and the underlying feature exists for performance.
- Gemini Nano: the silent install is acceptable because the local model "powers security capabilities" and keeps data on the device.
- Manifest V3: the removal is acceptable because it was done "for security and performance."
Every one of these is a transfer of control over your own machine from you to the vendor, and every one is defended in the language of your own protection. That is the tell. The justification is not a lie in any of these cases. It is a frame, and the frame is chosen so that the part of the change that costs you control falls outside the definition of the problem the vendor admits to.
Two of the three do not just shift control. They invert the security claim. OPFS opens a new attack surface and is defended as not-a-vulnerability. Manifest V3 removes an existing defense and is defended as security. When the stated reason for a change is your security, and the effect of the change is to open a surface or remove a defense, the reason and the effect are not describing the same thing.
The honest limitations
This argument fails if it is overstated, so here are the caveats it has to survive.
FROST is not a turnkey weapon. It requires an enormous OPFS file, up to 60% of disk on Chrome and Safari, which is noisy and detectable. Application fingerprinting depends on the target activity sharing the same SSD, so a machine with separate drives for different workloads is harder to profile. As of May 2026 the researchers reported no evidence of FROST being used outside a research environment. It is a demonstrated capability, not an active campaign.
Gemini Nano's local model genuinely does keep some work on-device, and on-device inference is a legitimate privacy posture. The criticism is the absence of consent and the misleading proximity of a cloud surface, not the existence of local AI.
Manifest V3's static filtering is real and uBlock Origin Lite exists. The replacement is weaker, not nonexistent, and Google's performance and supply-chain arguments for the extension model are not pure fiction. The claim here is that the security framing is incomplete, not that it is invented.
None of these caveats dissolve the pattern. They bound it. The pattern is about the justification language, and the justification language holds up across all three even where the technical severity varies.
What this means if you handle sensitive data
If you are a lawyer, an accountant, a consultant, a clinician, or anyone working with client material on the same machine you browse from, the practical takeaway is that the browser is now part of your threat model in a way it was not five years ago. A tab that sits idle can, in the FROST case, infer which applications you have open. A default-on feature can write multi-gigabyte artifacts to your disk without asking. A platform update can quietly remove a control your security posture assumed was there.
Concrete steps that follow from this, in rough order of effort:
- Close tabs you are not using, especially before opening sensitive applications, because idle attacker tabs are what FROST needs.
- Use browser profiles to isolate sensitive sessions, since OPFS storage is isolated per profile and the timing leak does not cross profile boundaries.
- If full-strength content blocking is part of your defensive posture, recognize that Chrome after June 30, 2026 cannot provide it through extensions, and that Firefox and Brave can. This is a configuration decision, not a preference.
- Audit what your browser has installed. The Gemini Nano file lives in
OptGuideOnDeviceModelinside your Chrome profile. You may want it. You should at least know it is there.
The local-control counterposition
The opposite of an environment the vendor controls is a system where control stays local by design. That is the instinct behind the home network monitoring layer I built, which polls a local API, stores everything in a local database, exposes no inbound surface, and sends nothing off the box. The threat model it defends against, household data staying in the house, is structurally the same one FROST makes relevant for a professional workstation. The browser changes above all move in the other direction, toward capability and reach that the vendor extends into your machine. Naming that direction is the first step in deciding, deliberately, how much of it you accept.
The browser is an environment now. The question is whose environment, and the justification language is where the answer is hiding in plain sight.
References
Primary sources are marked. Where outlets disagree on a detail, the primary source governs.
FROST (OPFS-based SSD timing side channel)
| Source | Notes |
|---|---|
| FROST paper, Weissteiner et al. (PDF) | Primary. Graz University of Technology and Liebherr-Transportation Systems. OPFS support across Chrome, Firefox, Safari; 60% disk file size. Verify accuracy figures here. |
| Tom's Hardware | Vendor disclosure responses; 60% disk detail. |
| Help Net Security | Chromium "not a security vulnerability" stance; no sandbox bypass. |
| CyberInsider | Full vendor response breakdown; proposed mitigations. |
| GBHackers | Cross-browser, cross-application observation. |
| TechRadar | General coverage; notes practical limitations. |
| fdaytalk | DIMVA July 2026 date; no in-the-wild use as of May 2026. Aggregator. |
Not cited: windowsnews.ai botched the acronym ("File Resource Observing") and wrongly claimed Firefox and Safari are immune. The paper contradicts both.
Gemini Nano (silent on-device model install)
| Source | Notes |
|---|---|
| Alexander Hanff, That Privacy Guy | Original report. AI Mode pill is cloud-backed SGE, not the local model. |
| Snopes fact check | Rated silent-install and self-reinstall claims mostly true; verified on staff machines. Strongest citation. |
| gHacks | Google's official statement; emissions estimate. |
| Cybernews | Hanff's EU privacy law argument. |
| AlternativeTo | weights.bin, OptGuideOnDeviceModel directory, default-on behavior. |
Manifest V3 (uBlock Origin)
| Source | Notes |
|---|---|
| uBlock Origin official site | Primary. webRequest to declarativeNetRequest change; full extension pulled late 2024; MV2 disabled July 2025; full version now Firefox and Brave only. |
| The Next Web | CISA malvertising guidance; $239.5B 2025 ad revenue; Chrome 150 and 151 flag removals. Best single MV3 source. |
| TechTimes | Chrome 150 June 30, 2026 date; Google engineer Devlin Cronin confirming no workaround remains. |
| PCWorld | Workaround removal timeline. |
| allaboutcookies | PCWorld "bonus" quote; MV2 disablement timeline. |
| Stands blog | Detailed timeline; Chrome 138 on July 24, 2025. |
| Ghostery | uBlock Origin Lite tradeoffs. |
Accuracy figures of 95.83% (native macOS apps) and 88.95% (top websites) are confirmed against the published DIMVA paper.