They Said Extensions Were Dead. Then AI Needed a Browser.
The arc of browser plug-ins — from power-user toy, to security liability, to the quiet backbone of the agentic web.
There's a moment in late 2024 that I keep coming back to. Anthropic ships Computer Use — a way for Claude to take screenshots and control a mouse cursor. The cleanest path to doing this in a browser isn't a new protocol or a custom runtime. It's a Chrome extension.
Something that had been declared dead a hundred times.
Act I: The Golden Age (2008–2014)
Firefox invented the modern browser extension. Not just as a feature — as a philosophy. A browser was an OS-in-waiting, and anyone could extend it. Greasemonkey let you rewrite any webpage with a few lines of JavaScript. AdBlock Plus blocked every ad on the internet. Firebug built the first real devtools before browsers had them.
When Chrome launched in 2008, Google took the model and made it faster, more sandboxed, and distributable via the Web Store. By 2013, there were tens of thousands of extensions. The category had its own celebrity developers, acquisition stories, and venture bets.
This era's defining trait: extensions as consumer products. You installed them for yourself. Password managers, tab managers, grammar checkers, ad blockers. The browser was a platform and extensions were apps.
Act II: The Long Decline (2015–2021)
Then came the rot.
It arrived slowly — a few extensions caught data harvesting in 2017, then a few more. Between 2024 and 2026, coordinated malware campaigns would go on to affect over 8.8 million users across Chrome, Edge, and Firefox. The Web Store turned out to be a decent distribution channel for malware. Extensions requesting <all_urls> permission got acquired for five figures, had their update payload quietly replaced, and started exfiltrating browsing history to ad brokers.
Google's response was Manifest V3, announced in 2018, which became one of the most contentious spec debates in browser history. It replaced persistent background pages with short-lived service workers, and it replaced the blocking webRequest API that ad blockers depended on with the declarative declarativeNetRequest API, which caps the number of rules.
The ad blocker developers were furious. uBlock Origin's developer wrote long posts explaining exactly why the new model was insufficient. The EFF weighed in. Users signed petitions.
The vibe around extensions shifted entirely. Security-conscious companies started blocking extensions in managed Chrome deployments. The narrative calcified: extensions are a supply-chain risk, a performance tax, a privacy gamble. Between 2018 and 2021, if you worked in developer tools or security tooling, extensions were something you used reluctantly — not a platform you built for.
Act III: The Resurgence (2022–Present)
Four things happened nearly simultaneously, and together they changed the calculus entirely.
1. Computer Use Agents
In October 2024, Anthropic launched Computer Use — a capability that lets Claude take screenshots and control a computer. OpenAI followed with Operator in January 2025, powered by a model they called the Computer-Using Agent (CUA).
The performance numbers were striking. The open-source Browser Use framework hit 89% on WebVoyager (a standardized web task benchmark), compared to 87% for OpenAI Operator and 56% for Anthropic's initial Computer Use release. These numbers moved fast — by mid-2025, Anthropic's computer use tooling was shipping production-ready headers across Claude Opus 4.7 and Sonnet 4.6.
In August 2025, Anthropic launched Claude for Chrome — a Chrome extension that gives Claude a persistent sidecar in the browser, with permission to take actions on the user's behalf. It rolled out to 1,000 subscribers on the Max plan as a research preview. Google launched Gemini integrations with Chrome. Perplexity launched its own AI browser, Comet. OpenAI merged Operator directly into ChatGPT as "agent mode" in July 2025.
The browser extension is the agent's body. It has the right permissions — <all_urls>, content script injection, synthetic event dispatch — and it's already trusted by the browser's security model in a way an external process is not.
Extensions didn't become popular again because they got better. They became necessary because the use case required them.
2. Remote CDP and Browser Harness Tooling
The Chrome DevTools Protocol — the WebSocket API that Chrome exposes when launched with --remote-debugging-port — has existed since 2011. For years it was mostly used by Puppeteer and later Playwright for test automation.
What changed was the architecture around it. A new pattern emerged: a lightweight daemon process holds the CDP connection to an already-running Chrome, and scripts send one-shot JSON commands over a Unix socket. No Playwright overhead, no Node.js runtime, no process spawning — just a direct line to the user's real browser, with their cookies and authenticated sessions.
browser-harness <<'PY'
new_tab("https://example.com")
wait_for_load()
print(page_info())
PY
This made browser automation feel like a UNIX tool. First navigation is new_tab() not goto() — because you're attaching to the user's live browser, not a clean test instance.
Cloud providers took the same insight and productized it at scale. Browserbase, founded in 2024, raised $67.5M total — including a $40M Series B led by Notable Capital in June 2025, valuing them at $300M. By 2025 they were running 50 million browser sessions per year, with customers including Airtable, Instacart, Notion, Stripe, Perplexity, and Vercel. Forbes named them to their Next Billion-Dollar Startups list.
The pattern is the same everywhere: get a cdpUrl, resolve the WebSocket endpoint via /json/version, drive the remote Chrome instance. The browser becomes stateless infrastructure you rent by the session.
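The resolution step described above, as an added example that is not from the original post or any provider's SDK: it parses a /json/version body, keeps the path from webSocketDebuggerUrl, and refuses plaintext CDP to a non-loopback host, since the protocol itself carries no authentication. The function names, the sample body and the cdp.example.test host are assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

# Constructed sample of a /json/version body (the browser id is made up).
SAMPLE_VERSION = json.dumps({
    "Browser": "Chrome/139.0.0.0",
    "Protocol-Version": "1.3",
    "webSocketDebuggerUrl":
        "ws://127.0.0.1:9222/devtools/browser/00000000-0000-0000-0000-000000000000",
})

def is_loopback(host):
    """True for localhost and for literal loopback IPs (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as remote

def resolve_ws_endpoint(cdp_url, version_body):
    """Return the browser-level WebSocket URL for cdp_url, or raise ValueError."""
    base = urlsplit(cdp_url)
    if base.scheme not in ("http", "https") or not base.hostname:
        raise ValueError("cdpUrl must look like http(s)://host[:port]")
    ws = urlsplit(json.loads(version_body).get("webSocketDebuggerUrl", ""))
    if ws.scheme not in ("ws", "wss") or not ws.path.startswith("/devtools/"):
        raise ValueError("missing or unexpected webSocketDebuggerUrl")
    # The host Chrome reports may not be the one we dialed (tunnel, proxy),
    # so keep only its path and connect to the host we actually queried.
    scheme = "wss" if base.scheme == "https" else "ws"
    # Whoever reaches this socket drives the browser with the user's cookies
    # and sessions, so plaintext is accepted on loopback only.
    if scheme == "ws" and not is_loopback(base.hostname):
        raise ValueError("refusing plaintext CDP to a non-loopback host")
    return urlunsplit((scheme, base.netloc, ws.path, "", ""))

def fetch_version(cdp_url, timeout=5):
    """Fetch the /json/version body from a live endpoint (not used offline)."""
    with urlopen(cdp_url.rstrip("/") + "/json/version", timeout=timeout) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    print(resolve_ws_endpoint("http://127.0.0.1:9222", SAMPLE_VERSION))
```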
3. WebGPU-Based In-Browser LLMs
This one is weirder and arguably bigger in the long run.
WebGPU shipped in Chrome 113 in May 2023. Unlike WebGL, it's a proper compute API — shaders, compute pipelines, buffer access. For ML inference, this means matrix multiplications at speeds that benchmark at roughly 80% of native Metal or CUDA throughput. On an Apple M3 Max, WebLLM runs Llama 3.1 8B at 4-bit quantization at ~41 tokens per second — about 80% of native MLC-LLM performance. Phi 3.5 Mini hits 71 tokens per second. On discrete NVIDIA hardware, WebGPU is 10–15× faster than WASM for token generation.
WebLLM, MediaPipe LLM Inference, and Transformers.js proved that Gemma 2B, Phi-3-mini, and Qwen-1.5B could run entirely in the browser — no server, no API key, no round-trip latency. The practical sweet spot is 1B–3B parameter models at 4-bit quantization for reliable cross-device performance.
Where do extensions re-enter? An extension can load a model once into the background service worker and expose it via message passing to every tab. This is meaningfully better than each page re-downloading and re-initializing a 2GB model file. The extension becomes a local model host.
The privacy angle is also genuinely new. An extension running Gemma via WebGPU processes data that never leaves the machine — legally and technically. No server to subpoena. No request to intercept. For health data, legal documents, personal finance: this is a capability class that didn't exist three years ago.
4. Manifest V3 Actually Landed (And It's Fine)
Here's the part that surprises people: after all the drama, Manifest V3 turned out to be largely fine for the new use cases.
Chrome 139, released July 2025, completed the MV3 transition by fully removing MV2 extensions. By August 2025, 73.4% of actively maintained extensions had migrated. More telling: 90% of new extension uploads are already in MV3. The developer community absorbed the change.
For agent workloads specifically, the MV3 constraints are non-issues or improvements. Event-driven service workers rather than persistent background pages? Better for agent tasks that should only run when triggered. The controversial declarativeNetRequest cap? Irrelevant to screenshot capture, DOM injection, or synthetic input dispatch.
The ad blocker developers had a real grievance — for ad blockers. For computer use agents, browser harnesses, and in-browser LLMs, MV3 is not a blocker. The new use cases were inadvertently designed around the new constraints.
What This Actually Means
The first wave of browser extensions was consumer software. The second wave is infrastructure.
A consumer extension is something you choose to install for yourself. Infrastructure is something an application depends on — something that has to be there, permissioned correctly, composing with other systems.
The AI extensions market reflects this shift. There were 238 AI-powered Chrome extensions with meaningful user bases in 2025. By early 2026, that number was 442 — an 85.7% year-over-year increase, with 115.5 million combined downloads. The market was valued at roughly $2.3 billion in 2025, with projections ranging from $8.2 billion to $17.5 billion by the early 2030s.
The technical primitives that make this possible — CDP, content scripts, native messaging, WebGPU — aren't new. They've been there for years. What changed is that we found use cases that need exactly those capabilities and nothing simpler.
Where It Goes
Extension-as-agent-runtime becomes a standard pattern. Just as every serious product eventually shipped a mobile app, every AI agent product involving the web will ship an extension. Not because it's trendy, but because the alternative — screen capture plus pixel-coordinate clicking — is brittle, slow, and has no access to the DOM or authenticated session state.
In-browser model inference becomes a tier, not a novelty. As models shrink and WebGPU matures, the question won't be "can you run a model in the browser" but "which tier do you want — local, edge, or cloud?" Extensions that manage this routing will be the abstraction layer.
CDP browser farms consolidate around a few infrastructure players. Browserbase's $300M valuation after 16 months of existence is a signal. The pattern is too clean not to become commodity infrastructure. Three or four players will own this the way AWS owns EC2.
The security concerns didn't go away. The same properties that make extensions powerful for agents — <all_urls> permission, access to every page, background persistence — are the properties that made them dangerous before. Security researchers have already flagged that agentic browser extensions are prompt-injection surfaces: a malicious page can try to hijack the agent's actions by embedding instructions in its content. Simon Willison has argued that the entire concept of an agentic browser extension "is fatally flawed and cannot be built safely." That's probably too strong — but it's not wrong that the security model is unsolved.
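One way to inventory the permissions named above before allowing an extension in a managed deployment (added example, not code from the post): it reads a manifest.json and reports broad host access plus the API permissions that let an extension act on pages. The sample manifest, the reason strings and the function name are constructed for illustration.

```python
import json

# Match patterns that cover every site (or every site on one scheme).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension act on pages, not just read settings.
SENSITIVE_APIS = {
    "debugger": "can attach the DevTools Protocol to tabs",
    "nativeMessaging": "can exchange messages with a native host process",
    "scripting": "can inject scripts into pages it has host access to",
}

# Constructed manifest for a hypothetical agent extension (not a real product).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "example-agent",
    "permissions": ["debugger", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}],
})

def audit_manifest(text):
    """Return sorted (field, value, reason) findings for one manifest.json."""
    manifest = json.loads(text)
    findings = set()
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_APIS:
            findings.add(("permissions", perm, SENSITIVE_APIS[perm]))
        elif perm in BROAD_HOSTS:
            # Manifest V2 listed host patterns alongside API permissions.
            findings.add(("permissions", perm, "broad host access"))
    for field in ("host_permissions", "optional_host_permissions"):
        for pattern in manifest.get(field, []):
            if pattern in BROAD_HOSTS:
                findings.add((field, pattern, "broad host access"))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(("content_scripts", pattern,
                              "script injected on every matching site"))
    return sorted(findings)

if __name__ == "__main__":
    for field, value, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{field}: {value} ({reason})")
```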
Extensions had a decade as consumer software, a half-decade as a liability, and are now becoming infrastructure for the agentic web. The category didn't change. The demand did.
The browser turns out to be the last-mile interface for AI agents — not because it was designed for that, but because it's where humans already are, where the data already lives, and where the sessions are already authenticated. The extension is the seam between the model and that world.
They were never really dead. They were just waiting for something to actually need them.
Building in this space — browser agents, CDP tooling, WebGPU inference? I'd love to hear what you're working on.

