# 6 Security Gaps Browser Extensions Cannot Fix on Unmanaged Devices

By [Tom Goldberg](https://www.paloaltonetworks.com/blog/author/tom-goldberg/?ts=markdown "Posts by Tom Goldberg"), [Yonatan Gotlib](https://www.paloaltonetworks.com/blog/author/yonatan-gotlib/?ts=markdown "Posts by Yonatan Gotlib") and [Monique Lance](https://www.paloaltonetworks.com/blog/author/mlance/?ts=markdown "Posts by Monique Lance")

May 19, 2026 (6 minutes)

Categories: [CIO/CISO](https://www.paloaltonetworks.com/blog/category/ciociso/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [SaaS Security](https://www.paloaltonetworks.com/blog/network-security/category/saas-security/?ts=markdown), [Secure Browser](https://www.paloaltonetworks.com/blog/sase/category/secure-browser/?ts=markdown), [Secure the Enterprise](https://www.paloaltonetworks.com/blog/category/secure-the-enterprise/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown), [Web Security](https://www.paloaltonetworks.com/blog/category/web-security/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/category/zero-trust-security/?ts=markdown)

With hybrid work the norm and SaaS adoption skyrocketing, the digital workspace has shifted to the browser. In 2026 that workspace is no longer a set of static tabs; it is a high-velocity mix of generative AI apps and agentic work. These tools drive productivity, and they have also made the browser the enterprise's most exposed attack surface.

This shift introduces a fundamental challenge: how to secure work across two very different environments, managed devices, where IT has control, and unmanaged devices, where it does not. Organizations typically rely on two approaches: secure browsers for deep protection and browser extensions for lightweight control.

Browser extensions are often seen as a quick and easy solution. They are simple to deploy and can add visibility with minimal disruption. However, they were never designed to secure work on unmanaged devices. Because they run on top of the browser rather than inside it, their visibility and control are inherently limited, leaving critical gaps when the underlying device cannot be trusted.

### **Securing Work on Unmanaged Devices: Where Extensions Fail**

Security delivered through extensions is constrained by design, and the constraints are becoming more pronounced as browsers evolve. One example is Manifest V3, Google's current extension platform, which restricts how extensions can intercept web traffic and how long they can run in the background: blocking interception through the `webRequest` API is reserved for extensions installed by enterprise policy and is otherwise replaced by declarative rules, and persistent background pages are replaced by service workers that the browser can stop when idle. Here are the most critical security gaps when relying on extensions for unmanaged devices:

1. **Users Can Easily Disable the Security Controls**
   On unmanaged devices, users can disable, remove, or bypass extensions. Without compensating controls such as MDM or endpoint protection, there is no reliable enforcement. Worse, a disabled extension cannot report that it has been turned off, so the organization learns of the tampering only when it notices the extension's silence, and in the interval between tampering and detection the user's active sessions, tokens, and cached data remain exposed.

2. **Incapable of Device Posture Validation**
   Extensions cannot assess whether a device is secure, which matters most when sensitive data is being accessed from an unmanaged device. They cannot perform device posture checks, for example whether disk encryption is enabled or whether antivirus is running, so it is impossible to enforce Zero Trust access policies based on device health.

3. **Blind Trust in the Underlying Device**
   Consumer browsers run on the unmanaged device's operating system and rely on it for critical functions such as DNS resolution and for the trust anchors that certificate validation depends on. If that OS is compromised, whether by malware, a poisoned network, or device takeover, the browser cannot distinguish legitimate responses from malicious ones. Extensions inherit this trust and cannot mitigate OS-level manipulation, exposing credentials, session tokens, and sensitive data to attackers.

4. **Enterprise Work Is Vulnerable to Malware on the Device**
   Extensions cannot separate enterprise activity from the underlying device. On unmanaged devices this is especially critical: if the organization has no control over the endpoint, users are exposed to keyloggers, infostealers, and screen capture tools that operate outside the browser, where no extension can see them.

5. **Sensitive Data Can Be Shared Before Security Can Stop It**
   Extensions typically act after data has already been rendered or transmitted, alerting after the fact rather than preventing the action. This makes it difficult to stop sensitive data from being shared with personal apps or GenAI tools in real time.
   On unmanaged devices this gap is especially critical, since the browser is often the only control point and there is no enforcement beyond it.

6. **Dependent on Browser Vendors for Security Capabilities**
   Extensions can only enforce controls exposed through browser APIs. If the browser does not support a required capability, the extension cannot implement it. This creates a dependency chain: enterprises rely on extension vendors for protection, and those vendors in turn depend on browser vendors to expose the necessary controls. As a result, critical security capabilities are subject to external prioritization, leading to delays, inconsistent workarounds, and protections that are fragile and easy to bypass.

Together, these gaps highlight a fundamental issue: extensions provide incremental visibility but cannot establish trust, enforce isolation, or deliver comprehensive protection on unmanaged devices.

Beyond these security gaps, practical challenges further limit effectiveness. User adoption is not guaranteed: installing extensions on personal devices raises privacy concerns and often meets resistance. At the same time, managing multiple tools, policies, and vendors creates operational complexity and cost without meaningfully strengthening security.

### **Prisma Browser: Security by Design**

Addressing these challenges requires a fundamentally different approach, one where security is built directly into the browser itself. [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) delivers a secure-by-design workspace that overcomes the architectural limitations inherent to extension-based security:

* **Native Security Control:** Unlike extensions, which are constrained by browser-exposed APIs, Prisma Browser integrates security controls directly into the browser's core.
  This removes the dependency on external vendors to enable critical protections, giving enterprises control over security capabilities without waiting on browser-level support. The result is consistent, enforceable controls that are not subject to external prioritization or easily bypassed.
* **Real-Time Data Protection:** Prisma Browser enforces data controls at the moment of user action, preventing data from being copied, uploaded, or shared inappropriately before it leaves the environment.

Prisma Browser also establishes a trusted workspace on unmanaged devices, reducing reliance on the underlying endpoint and closing the gaps extensions cannot address:

* **Hardened Workspace:** Prisma Browser embeds active defense mechanisms, such as memory scraping protection and integrity checks, that raise the cost and complexity of local attacks. These built-in controls provide a level of self-protection that add-on extensions cannot offer.
* **Device-Aware Access Control:** Prisma Browser validates device posture before granting access, enabling Zero Trust principles even on unmanaged devices.
* **Protection Beyond the OS:** By handling critical functions such as DNS resolution and certificate validation within the browser, Prisma Browser reduces reliance on a potentially compromised operating system.
* **Isolation of Enterprise Work:** Corporate sessions, credentials, and data are isolated from the device, so that malware on the device, such as keyloggers, infostealers, and screen scrapers, cannot reach sensitive information.

Beyond security, Prisma Browser also simplifies adoption and operations, separating personal and corporate browsing to preserve privacy while unifying security and management in a single platform to reduce complexity and cost.

### **Where Extensions Still Fit**

Extensions still have a role in modern security strategies. They are effective for quickly extending visibility, applying lightweight controls, and supporting transitional or hybrid environments.

Take the next step in modernizing your browser security strategy. Visit our [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) page to learn more.