
Browser Extension

Supported modes: Hosted. Available in: Teams.

When NOT to use this

This governs what users paste into chat UIs (claude.ai, ChatGPT, Gemini, Perplexity). For governing AI agents you build or run, use the SDK or gateway.

The Control Zero browser extension enforces DLP rules on browser-based AI chat applications. It works as a content overlay on Claude.ai, ChatGPT, Gemini, and Perplexity, scanning input fields and clipboard operations against your organization's DLP rules before content reaches the AI provider.

What It Does

The extension is a Chrome/Edge Manifest V3 (MV3) extension that:

  1. Scans text input and clipboard pastes in AI chat interfaces against your DLP rules.
  2. Overlays a warning when sensitive content is detected, giving the user a chance to review or redact.
  3. Blocks paste operations that match high-severity rules (configurable per rule).
  4. Audits every scan result (detection, block, user override) to the Control Zero backend.
  5. Syncs DLP rules from the dashboard automatically, with no manual configuration per device.

Supported AI Chat Applications

Application     Domain              Adapter
Claude          claude.ai           Claude adapter
ChatGPT         chatgpt.com         ChatGPT adapter
Google Gemini   gemini.google.com   Gemini adapter
Perplexity      perplexity.ai       Perplexity adapter

Each adapter understands the specific DOM structure of its target application. When an AI provider changes its UI, only that adapter needs updating.

How Rules Sync

  1. An admin creates or updates DLP rules in the Control Zero dashboard.
  2. The backend stores the rules and makes them available via the device config endpoint.
  3. The extension's background service worker polls for rule updates on a configurable interval.
  4. Updated rules are cached locally in extension storage for offline operation.
  5. The content script applies the latest rules on every input field interaction and paste event.

Rules are scoped. Only rules with the browser_ext scope apply in the extension; rules scoped only to sdk or gateway are ignored.

Threat Model: The Overseer

The extension operates under the Overseer threat model:

  • Trust boundary: The extension trusts the backend as the source of truth for DLP rules. It does not trust the page content or the user's clipboard.
  • Secret hashing: Detected sensitive content is hashed with HMAC at the content script boundary before being sent to the background service worker. A second defense-in-depth HMAC is applied at the background script before transmission to the backend. Raw sensitive content never leaves the device.
  • Fail-closed on cold boot: If the extension has never successfully synced rules from the backend (neverSynced state), all paste operations into monitored AI chat applications are blocked. The user sees a message directing them to contact their administrator. This prevents data exfiltration during the window between installation and first rule sync.

Circuit Breaker

The extension includes two circuit breakers to prevent performance degradation:

  • Per-rule circuit breaker: If a single rule triggers more than 20 times per minute, it is temporarily disabled for that tab. This prevents pathological regex patterns from locking up the UI.
  • Global performance circuit breaker: If DLP scanning exceeds 50ms for 3 consecutive scans, the extension falls back to audit-only mode (log detections but do not block) until scan times recover.
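The two breakers above as a small model in JavaScript (the extension's own language). This is an added example, not the Control Zero extension's code: the thresholds (20 triggers per minute, 50 ms, 3 consecutive scans) come from this page, while the class name, the sliding-window bookkeeping and the one-minute cooldown for a tripped rule are assumptions.

```javascript
const PER_RULE_LIMIT = 20;       // triggers per minute before a rule is disabled for the tab
const RULE_COOLDOWN_MS = 60000;  // assumed: how long a tripped rule stays disabled
const SLOW_SCAN_MS = 50;         // a scan taking longer than this counts as slow
const SLOW_SCAN_STREAK = 3;      // consecutive slow scans before falling back to audit-only

class TabCircuitBreaker {
  constructor() {
    this.triggerTimes = new Map();  // ruleName -> recent trigger timestamps (ms)
    this.disabledUntil = new Map(); // ruleName -> time (ms) at which the rule is re-enabled
    this.slowStreak = 0;
    this.auditOnly = false;
  }

  // Record that `ruleName` fired at time `now` (ms). Returns true while the rule may
  // still block; false once it has fired more than 20 times in the last minute.
  recordTrigger(ruleName, now) {
    if ((this.disabledUntil.get(ruleName) || 0) > now) return false;
    const recent = (this.triggerTimes.get(ruleName) || []).filter(t => now - t < 60000);
    recent.push(now);
    this.triggerTimes.set(ruleName, recent);
    if (recent.length > PER_RULE_LIMIT) {
      this.disabledUntil.set(ruleName, now + RULE_COOLDOWN_MS);
      this.triggerTimes.delete(ruleName); // start a fresh window after the cooldown
      return false;
    }
    return true;
  }

  // Record how long a scan took. Three consecutive scans over 50 ms switch the tab to
  // audit-only mode; a fast scan clears the streak and restores blocking.
  recordScanDuration(ms) {
    if (ms > SLOW_SCAN_MS) {
      this.slowStreak += 1;
      if (this.slowStreak >= SLOW_SCAN_STREAK) this.auditOnly = true;
    } else {
      this.slowStreak = 0;
      this.auditOnly = false;
    }
    return this.auditOnly;
  }

  // Downgrade a rule's configured `block` to `detect` (log only) while either breaker is open.
  effectiveAction(ruleName, configuredAction, now) {
    if (configuredAction !== 'block') return configuredAction;
    const ruleTripped = (this.disabledUntil.get(ruleName) || 0) > now;
    return (this.auditOnly || ruleTripped) ? 'detect' : 'block';
  }
}
```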

Compliance Acknowledgment Gate

Before the extension begins monitoring, the user must acknowledge a compliance notice. This notice is configurable per organization in the dashboard. Until acknowledged, the extension displays a persistent banner and does not scan or audit. This satisfies informed-consent requirements in jurisdictions that require explicit employee acknowledgment of monitoring.

Pattern Specificity Floor

Rules with overly broad patterns (patterns that would match common English words or short strings) are rejected at the dashboard level. The extension enforces a minimum specificity floor: patterns shorter than 4 characters or with an estimated false positive rate above the configured threshold are flagged during rule creation.

Enterprise Deployment

Chrome Enterprise (Google Admin Console)

Deploy the extension via Chrome Enterprise policy:

{
  "ExtensionInstallForcelist": ["<extension-id>;https://clients2.google.com/service/update2/crx"],
  "ExtensionSettings": {
    "<extension-id>": {
      "installation_mode": "force_installed",
      "toolbar_pin": "force_pinned"
    }
  }
}
```

Jamf (macOS)

Create a configuration profile with the Chrome ExtensionInstallForcelist key. Deploy to your managed Mac fleet. The extension auto-installs and auto-updates.

Intune (Windows)

Use the Administrative Templates ADMX for Chrome or Edge. Set the ExtensionInstallForcelist policy to include the extension ID. Deploy to your managed Windows fleet.

MDM Configuration

For detailed MDM deployment steps, see the Browser Extension Deployment guide.

How Audit Flows

Content script (tab) -> HMAC hash sensitive content
|
v
Background service worker -> HMAC (defense-in-depth)
|
v
POST /api/audit -> Backend ingest -> Analytical store
|
v
Dashboard: Audit log page (filterable by source=browser_ext)

Every audit entry includes: timestamp, device ID, matched rule, action taken (detect / block / user override), the target application, and the HMAC hash of the matched content. Raw content is never transmitted.

Session State

The extension maintains per-tab session state:

  • Scan statistics: Total scans, detections, and blocks for the current session.
  • Pause state: Users can pause scanning for a configurable duration (default: 5 minutes, maximum set by admin policy).
  • Activity buffer: Recent scan events buffered for batch upload to the backend. Buffer flushes every 30 seconds or when it reaches 50 events, whichever comes first.

DLP Rule Scoping

Only rules with the browser_ext scope are enforced by the extension. When creating rules in the dashboard, include browser_ext in the scopes array:

name: block-credit-cards
pattern: '\b4[0-9]{12}(?:[0-9]{3})?\b'
category: financial
action: block
scopes:
- browser_ext
- gateway

Rules scoped only to sdk or gateway are ignored by the extension. This lets you maintain different enforcement levels per surface. For example, you might block credit card numbers in the browser extension but only detect them in the gateway.
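Scope filtering, together with the 4-character specificity floor described earlier, as an added JavaScript example (not the Control Zero extension's or dashboard's code). It generalizes slightly beyond the extension by taking the surface name as a parameter, so the same loader answers "which rules apply in the gateway" too. The sample rule set is constructed, the regex-compile check is an extra sanity check this page does not mention, and the dashboard's false-positive-rate estimate is not modelled because the page does not describe how it is computed.

```javascript
const MIN_PATTERN_LENGTH = 4; // specificity floor from the page
const KNOWN_SCOPES = ['browser_ext', 'sdk', 'gateway'];

// Constructed sample rule set: the credit-card rule above, a gateway-only rule,
// and a rule whose pattern is too short to pass the specificity floor.
const SAMPLE_RULES = [
  { name: 'block-credit-cards', pattern: '\\b4[0-9]{12}(?:[0-9]{3})?\\b', category: 'financial',
    action: 'block', scopes: ['browser_ext', 'gateway'] },
  { name: 'detect-internal-hostnames', pattern: '\\b[a-z0-9-]+\\.corp\\.example\\b', category: 'infra',
    action: 'detect', scopes: ['gateway'] },
  { name: 'too-broad', pattern: 'key', category: 'credentials', action: 'block', scopes: ['browser_ext'] },
];

// Keep only the rules that apply on `surface` and meet the specificity floor.
// Returns the compiled rules plus the rejected rule names with the reason for each.
function loadRulesForSurface(rules, surface) {
  if (!KNOWN_SCOPES.includes(surface)) throw new Error(`unknown scope: ${surface}`);
  const accepted = [];
  const rejected = [];
  for (const rule of rules) {
    if (!rule.scopes.includes(surface)) {
      rejected.push({ name: rule.name, reason: `not scoped to ${surface}` });
      continue;
    }
    if (rule.pattern.length < MIN_PATTERN_LENGTH) {
      rejected.push({ name: rule.name, reason: 'pattern shorter than specificity floor' });
      continue;
    }
    try {
      // Extra check not described on the page: a pattern that does not compile is rejected too.
      accepted.push({ ...rule, regex: new RegExp(rule.pattern) });
    } catch (e) {
      rejected.push({ name: rule.name, reason: `invalid regex: ${e.message}` });
    }
  }
  return { accepted, rejected };
}
```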

The extension supports all 59 built-in patterns across the 6 locales. Enable locales for your organization in the dashboard under Settings > DLP > Active Locales. See the Locale-Aware DLP guide for pattern details.

Verify Installation

  1. Open any supported AI chat application (e.g., claude.ai).
  2. Paste content that matches a known DLP rule (e.g., a test credit card number 4111-1111-1111-1111).
  3. The extension overlay should appear, showing the matched rule and offering redact or cancel options.
  4. Check the Control Zero dashboard audit log for an entry with source: browser_ext.

Troubleshooting

Extension not scanning. Check that the compliance acknowledgment has been completed. Open the extension popup and verify the status shows "Active."

Rules not updating. Open the extension popup and check the "Last sync" timestamp. If it shows "Never," the extension cannot reach the backend. Verify network connectivity and the backend URL configuration.

Performance issues. If the extension causes input lag, check the circuit breaker status in the extension popup. Broad regex patterns are the most common cause. Review your DLP rules for specificity.