OpenAI’s Codex Can Now Log Into Your Gmail, LinkedIn, and Salesforce — Using Your Own Browser Session
The boundary between an AI tool and an AI actor just moved. OpenAI has released a Chrome extension for its Codex coding agent — available for Mac and PC — that allows Codex to operate directly inside a user’s signed-in browser sessions on platforms like LinkedIn, Salesforce, and Gmail. This is not a sandboxed demo environment: the agent reads, navigates, and acts through the same authenticated sessions the user already has open, effectively placing a user’s entire signed-in digital identity within reach of an AI agent.
Until now, Codex operated through dedicated plugins or its own in-app browser — controlled channels with defined data boundaries. The Chrome extension changes that architecture entirely. Codex now operates across three distinct tool tiers: plugins, the new Chrome extension, and its in-app browser. Each tier expands the agent’s operational surface, but the Chrome extension is the one that crosses into live, authenticated web territory.
The practical consequence is immediate: a developer or knowledge worker can instruct Codex to open Salesforce and update account records from call notes, or pull context from multiple open tabs simultaneously, without writing a single line of API integration code. According to Codex’s official documentation, users can invoke this capability by typing @Chrome directly in a prompt — for example, @Chrome open Salesforce and update the account from these call notes — and Codex will launch Chrome if it is not already running.
What the Extension Actually Does — and What It Asks For
The Codex Chrome extension, currently at version v1.1.4 and weighing in at 109 KiB, requests a broad set of browser permissions: access to the page debugger, the ability to read and change data on all websites, read and change browsing history, view and manage tab groups, and manage downloads. That permission scope is not incidental — it is the technical prerequisite for the agent to function as a genuine browser operator rather than a passive observer.
To prevent the agent from derailing a user’s active work, Codex uses task-specific tab groups, isolating its activity from the user’s current session. The extension also enables testing web applications and using Chrome DevTools — the browser’s built-in suite for inspecting and debugging web pages — making it a credible tool for developers who need an AI agent to interact with staging environments or internal dashboards. As confirmed in Codex’s official cloud documentation, the @Chrome mention syntax gives users direct, explicit control over when the agent engages the browser, which is a meaningful design choice given the permissions involved.
Notably, Codex does not support other Chromium-based browsers — Brave, Edge, and Arc are all excluded. The extension is also currently unavailable in the EU or UK, a geographic restriction that almost certainly reflects regulatory caution around data handling rules like GDPR rather than a technical limitation. That absence is itself a signal about how OpenAI is reading the compliance landscape for this capability.
The Permission Architecture: A Two-Layer System With Real Gaps
OpenAI has built a secondary permission layer on top of Chrome’s own controls. By default, Codex asks for confirmation before interacting with each new website host — meaning the first time it tries to access LinkedIn, it will pause and request user approval. Users can manage a permanent allowlist and blocklist through Computer Use settings, giving them ongoing control over which sites the agent can touch without repeated prompting. Codex also applies its own per-site confirmation prompts on top of whatever Chrome permissions are already granted.
OpenAI states that browser activity is stored only when explicitly added to a chat’s context — a meaningful constraint, but one that depends entirely on users understanding what “explicitly added” means in practice. If the Memories setting is enabled, Codex can draw on previously stored context during Chrome tasks, which introduces a persistence dimension that users may not immediately anticipate. To upload local files through the extension, users must separately enable “Allow access to file URLs” in the extension’s details panel — a non-default step that adds friction but also limits accidental file exposure.
The most direct security warning in Codex’s own documentation is unambiguous: treat page content as untrusted due to the risk of prompt injection. Prompt injection — where malicious instructions embedded in a webpage hijack the AI agent’s behavior — is not a theoretical concern. An agent with access to signed-in sessions and the ability to take actions on behalf of a user is a high-value target for exactly this kind of attack. The two-layer permission system addresses some risks, but it does not neutralize the injection vector.
📊 Key Numbers
- Extension version: v1.1.4 — the current release available for Mac and PC via the Chrome Web Store
- Extension size: 109 KiB — lightweight footprint that belies the breadth of permissions it requests
- Three tool tiers: Codex now operates across plugins, the Chrome extension, and its in-app browser — each with a different access surface
- Geographic restriction: Extension is unavailable in the EU and UK, signaling active regulatory risk assessment by OpenAI
- Default permission behavior: Codex requests confirmation before interacting with each new website host — opt-in expansion via allowlist in Computer Use settings
- Unsupported browsers: Brave, Edge, and Arc are all excluded — Chrome is the only supported runtime, limiting deployment flexibility
🔍 Context
The gap this extension addresses is the friction between AI agents and the authenticated web. Traditional AI integrations rely on OAuth tokens or dedicated APIs — structured handshakes that grant access to specific data fields in a controlled manner. The Codex Chrome extension bypasses that architecture entirely by operating inside the user’s existing session, which means it can reach any interface a human can reach, including internal tools that have no public API. This is the specific capability gap that no plugin-based approach can close. The trend this accelerates is the shift from AI as a query-response tool to AI as a persistent, action-taking agent embedded in daily workflows — a direction that browser-use frameworks and computer-use APIs have been pushing toward, but which OpenAI is now delivering through a consumer-installable extension. The competitive contrast here is not with a named rival but with the architectural alternative: bespoke browser automation scripts (like Selenium or Playwright pipelines) that developers currently maintain manually to achieve similar cross-platform automation. Codex replaces that custom glue with a natural-language interface, but at the cost of a much broader permission surface. The timing is tied directly to Codex’s own capability expansion — the extension supplements an already-existing in-app browser and plugin system, meaning OpenAI is deliberately widening the agent’s operational reach as a product decision, not as a response to an external forcing function.
💡 AIUniverse Analysis
Our reading: The genuine advance here is architectural, not cosmetic. By operating inside signed-in browser sessions rather than through API handshakes, Codex can reach internal tools, legacy dashboards, and SaaS interfaces that have never exposed a machine-readable API — and never will. That is a real capability gap that no amount of plugin development can close. The @Chrome mention syntax, confirmed in Codex’s official cloud documentation, keeps the user in the invocation loop, which is a more honest design than fully autonomous background agents.
The shadow is harder to dismiss. The permission set — read and change data on all websites, access browsing history, manage downloads — is functionally equivalent to what a browser-based malware would request. OpenAI’s two-layer confirmation system and the explicit prompt-injection warning in its own documentation acknowledge the risk, but acknowledgment is not mitigation. A user who adds a malicious or compromised site to their allowlist, or who has Memories enabled without realizing it persists context across sessions, has created an attack surface that no UI warning fully addresses. The EU and UK exclusion is not a minor footnote — it suggests OpenAI’s own legal team is uncertain whether this architecture is compliant with existing data protection frameworks, which is a meaningful signal for enterprise buyers anywhere.
For this to matter in 12 months, OpenAI would need to demonstrate that the prompt-injection risk has been structurally contained — not just warned against — and that enterprise security teams can audit what Codex actually did inside a signed-in session after the fact.
⚖️ AIUniverse Verdict
👀 Watch this space. The capability is genuinely novel — accessing signed-in sessions closes an integration gap that plugins cannot — but the combination of broad browser permissions, an active prompt-injection warning in OpenAI’s own documentation, and a regulatory exclusion from the EU and UK means enterprise adoption requires answers that do not yet exist.
🎯 What This Means For You
Founders & Startups: Codex’s Chrome extension removes the need to build custom API integrations for every SaaS tool in your stack — but before deploying it in a customer-facing workflow, map exactly which sites will land on the allowlist and who controls that list.
Developers: The @Chrome mention syntax and Chrome DevTools access make Codex a credible replacement for manual Playwright or Selenium scripts in testing pipelines — but the prompt-injection risk means any page Codex reads should be treated as potentially adversarial input, not trusted data.
Enterprise & Mid-Market: The EU and UK exclusion is a direct signal: your legal and compliance teams should evaluate whether this architecture is compatible with your data residency and processing agreements before piloting it, regardless of your jurisdiction.
General Users: If you enable this extension, review the allowlist in Computer Use settings regularly and treat the Memories setting as a data-persistence decision — context stored from one Chrome session can influence future ones.
⚡ TL;DR
- What happened: OpenAI released a Chrome extension for its Codex agent (v1.1.4, 109 KiB) that lets the AI operate directly inside signed-in browser sessions on sites like LinkedIn, Salesforce, and Gmail.
- Why it matters: This moves AI agents from controlled API channels into live authenticated sessions, reaching internal tools and SaaS interfaces that have no machine-readable API — while simultaneously creating a broad permission surface that OpenAI itself flags as a prompt-injection risk.
- What to do: Before enabling the extension in any professional context, audit the allowlist in Computer Use settings and confirm whether your organization’s data agreements permit an AI agent to operate inside authenticated sessions on your behalf.
📖 Key Terms
- Codex Chrome extension
- A browser add-on (v1.1.4) that allows the Codex AI agent to operate inside a user’s existing signed-in Chrome sessions, giving it access to any web interface the user can reach — without requiring a dedicated API integration.
- Signed-in browser session
- An active, authenticated connection between a browser and a web service (like Gmail or Salesforce) where the user is already logged in — the Codex extension operates within this session rather than creating a separate, isolated connection.
- Task-specific tab groups
- A Chrome feature that Codex uses to isolate its own browser activity into labeled clusters of tabs, preventing the agent’s work from interfering with the user’s currently open pages.
- Chrome DevTools
- A built-in browser toolkit for inspecting, debugging, and testing web pages; Codex’s access to DevTools means it can analyze page structure and behavior programmatically, not just visually.
- Prompt injection
- An attack where malicious instructions are embedded in content that an AI agent reads — such as a webpage — causing the agent to execute unintended actions on behalf of the attacker rather than the user; OpenAI’s own documentation flags this as an active risk for the Codex Chrome extension.
- In-app browser
- Codex’s pre-existing built-in browser environment, which operates in an isolated context separate from the user’s main Chrome profile — the new Chrome extension supplements this by adding access to live, authenticated sessions instead.
📎 Sources
Sources: MarkTechPost | developers.openai.com/codex/cloud | github.com/openai/codex
Analysis based on reporting by MarkTechPost. Original article here. Additional sources consulted: Official Blog — developers.openai.com/codex/cloud; Github Repository — github.com/openai/codex.