Anthropic has opened up the browser pane in Claude Desktop's Code tab to external websites. Claude can now open documentation and issue trackers, read their contents, and execute clicks and text input. Previously, the browser pane was mainly used to run apps under development locally and inspect the DOM or screen. Now, that verification capability has expanded to reach external web services as well.

This isn't a matter of every instance of the terminal-based Claude Code getting a built-in browser—the feature applies specifically to the Code tab in Claude Desktop. Even so, it expands what the development agent can do. That's because checking specs, implementing code, verifying behavior locally, and reflecting changes to external services can all now happen continuously within a single workspace.

AD

From Local Verification to External Services

Claude Code Desktop already had the ability to launch a dev server after rewriting code and check the results in the browser pane. Claude takes screenshots, inspects the DOM, clicks elements, and fills in forms. If it finds a problem, it goes back to the code, repeating fixes and re-verification.

The new browser pane connects the external web to the far end of this loop. You can open the pane with Cmd+Shift+B on macOS or Ctrl+Shift+B on Windows, and arrange multiple sites in tabs. When you click an external link in a chat, you can choose whether to open it within the app or send it to the device's default browser.

With this change, the browser shifts from being a preview screen that reflects implementation results to an execution surface where the agent interacts with the external environment. For example, you can go through checking a spec change against the official documentation, implementing it, and verifying it locally—all within a single session. If you also grant permission for data entry and issue updates, you can reduce the manual work that used to exist between the development environment and SaaS tools.

Distinguishing Between the Clean Profile and the Chrome Extension

Anthropic has placed the in-app browser and Claude in Chrome in different trust boundaries. The browser pane runs on a clean profile separated from your personal browser. By default, it doesn't inherit saved logins or browsing history from your default browser. If you use it with public documentation or a verification-only account, it's less likely to mix with your personal web activity.

Claude in Chrome, on the other hand, is a browser extension for Chrome or Edge that shares your existing login state with Claude Code. This is suited for cases where you want Claude to operate on everyday web apps—like Gmail, Notion, or Google Docs—using your own permissions. According to the official documentation, the requirements are Chrome or Edge, extension version 1.0.36 or later, and Claude Code 2.0.73 or later. It's available to Anthropic's paid plans (4 tiers), and is not offered in environments where Claude Code is used only via Bedrock, Vertex AI, or Microsoft Foundry.

However, "clean" doesn't mean you can't log in. The browser pane supports sign-in flows including Google OAuth popups, and you can choose to persist sessions. Once authenticated, Claude can read whatever information that pane can see. Whether you use a dedicated account for development and testing, or limit yourself to sites that don't require login—these operational decisions determine how safe the setup is.

AD

The Approval Line That Remains for Automated Actions

Writing to external sites is subject to controls separate from code editing. Actions like clicking and text input are all reviewed by a safety classifier before execution, regardless of permission mode—this applies even under Auto or Bypass permissions. If the classifier judges an action to be dangerous, Claude stops and asks for the user's approval.

Furthermore, in modes other than Auto and Bypass permissions, an allowlist is checked before navigating to a new domain. The first time you take an action, you choose whether to allow it just this once, always allow that site, or deny it. Approval is required per subdomain, and "always allow" settings are saved locally on the device and can be revoked later.

Permission isn't unlimited proxy authority. Anthropic restricts Claude from proceeding on its own with purchases, account creation, or CAPTCHA bypassing. Even though operating on external pages can feel just like previewing on localhost, the ease of undoing results and the impact on third parties differ. The approval flow is designed to absorb that gap.

The Browser Expands Both Productivity and Attack Surface

For Claude, a web page is both a workspace and an untrusted source of input. Anthropic identifies prompt injection—where instructions hidden in websites, emails, or documents alter the AI's behavior—as the greatest risk. Because the permission to read external sites and the permission to write to code or external services exist within the same session, the impact of a successful attack can be significant.

Anthropic explains that content entering Claude's context and each individual action Claude executes are each checked by separate classifiers. Actions judged dangerous are either blocked or held pending human approval. That said, Anthropic itself acknowledges it cannot reduce risk—including unknown attacks—to zero. Having classifiers in place is not the same as being able to safely open sensitive information.

For enterprises, allowlists and blocklists are provided to restrict external sites. If you've already configured a list for Claude in Chrome, the browser pane will inherit it. Administrators can disable Claude's tools on external pages using browserExternalPageTools. Even when disabled, employees can still open pages—they just lose Claude's ability to read or operate on them.

When deciding on rollout, uniformly enabling or disabling the browser feature entirely is too coarse an approach. Start by limiting it to official documentation, staging environments, and internal verification tools, and grant permission for external writes only on a case-by-case basis where the work requires it. With that kind of operation, you can measure both the shortening of the development loop and the rate of unexpected actions side by side. There's no rush to expand further until you've confirmed those results.