Comment by BeefySwain
20 hours ago
Can someone explain what the hell is going on here?
Do websites want to prevent automated tooling, as indicated by everyone putting everything behind Cloudfare and CAPTCHAs since forever, or do websites want you to be able to automate things? Because I don't see how you can have both.
If I'm using Selenium it's a problem, but if I'm using Claude it's fine??
In a nutshell: Google wants your websites to be more easily used by the agents they are putting in the browser and other products.
They own the user layer and models, and get to decide if your product will be used.
Think search monopoly, except your site doesn't even exist as far as users are concerned, it's only used via an agent, and only if Google allows.
The work of implementing this is on you. Google is building the hooks into the browser for you to do it; that's WebMCP.
It's all opaque; any oopsies/dark patterns will be blamed on the AI. The profits (and future ad revenue charged for sites to show up on the LLM's radar) will be claimed by Google.
The other AI companies are on board with this plan. Any questions?
Knowing Google, there’s a good chance it will turn out like AMP [0]: concerning, but only spotty adoption, and ultimately kind of abandoned/irrelevant.
It’s the Google way.
[0] https://en.wikipedia.org/wiki/Accelerated_Mobile_Pages
While I'm glad AMP never got truly widespread adoption, it did get adopted in places that mattered -- notably, major news sites.
The amount of times I've had to translate an AMP link that I found online before sending it onwards to friends in the hopes of reducing the tracking impact has been huge over the years. Now there are extensions that'll do it, but that hasn't always been the case, and these aren't foolproof either.
I do hope this MCP push fizzles, but I worry that Google could just double down and just expose users to less of the web (indirectly) by still only showing results from MCP-enabled pages. It'd be like burning the Library of Alexandria, but at this point I wouldn't put the tech giants above that.
Hopefully that's what happens, but it seems like compared to AMP there is more of a joint standardisation effort this time which worries me.
AMP lives on, mostly as AMP for Email and used by things like Google Workspace for performing actions within an email body (allow listed javascript basically).
> It’s the Google way.
Don't forget the all-important last step: abruptly killing the product - no matter how popular or praiseworthy it is (or heck: even profitable!) if unnamed Leadership figures say so; vide: killedbygoogle.com
The irony is Google properties are more locked down than ever. When I use a commercial VPN I get ReCAPTCHA’ed half of the time doing every single Google search; and can’t use YouTube in Incognito sometimes, “Sign in to confirm you’re not a bot”.
There's also the newer push against what they're calling "model distillation," where their models get prompted in some specific ways to try and extract the behaviour, which, coming from a limited background in machine learning broadly but especially the stuff that's happened since transformers came onto the scene, doesn't seem like something that could be productively done at any useful scale.
1 reply →
That's by design, their own agents running on their hardware in their network will pass every recaptcha on every customer site
What about Authentication? Should the users to be on Google SSO to use their WebMCP?
Here is the answer from Gemini:
> Google's Web Model Context Protocol (WebMCP) handles authentication by inheriting the user's existing browser session and security context. This means that an AI agent using WebMCP operates within the same authentication boundaries (session cookies, SSO, etc.) that apply to a human user, without requiring a separate authentication layer for the agent itself.
1 reply →
We should definitely feel trepidation at the prospects of any LLM guided browser, in addition to WebMCP (e.g. Claude for Chrome enters the same opaque LLM-controlled/deferred decision process, OpenClaw etc).
Just one example: Prompting the browser to "register example.com" means that Google/Anthropic gets to hustle registrars for SEO-style priority. Using countermeasures like captcha locks you out of the LLM market.
Google's incentive to allow you to shop around via traditional web search is decreased since traditional ads won't be as lucrative (businesses will catch on that blanket targeted ads aren't as effective as a "referral" that directs an LLM to sign-up/purchase/exchange something directly)... expect web search quality to decline, perhaps intentionally.
The only way to combat this, as far as I can conceptualize, is with open models, which are not yet as good as private ones, in no small part due to the extraordinary investment subsidization. We can hope for the bubble to pop, but plan for a deader Internet.
Meanwhile, trust online, at large, begins to evaporate as nobody can tell what is an LLM vs a human-conducted browser. The Internet at large is entering some very dark waters.
Oh ho, this is the succinct and correct evaluation. Buckle up y'all, you're gonna be taken for a ride.
The Google hate virus is thick here. It seems uncontroversial that users will likely want to use AI to find info for them and do things for them. So either Google provides users with what they want or they go out of business to some other company that provides what users want.
https://www.perplexity.ai/comet
https://chatgpt.com/atlas/
https://arc.net/max
That is not in any way to suggest companies are ok to do bad things. I don't see anything bad here. I just see the inevitable. People are going to want to ask some AI for whatever they used to get from the internet. Many are already doing this. Who ever enables that for users best will get the users.
> It seems uncontroversial that users will likely want to use AI to find info for them and do things for them
Lots of weasel words in there. You're doing a lot of work with "seems", "uncontroversial" and "likely". Power users and tech professionals probably want this or their bosses really want this and they fall in line. But a large portion of the 'normal' users still struggle with basic search, distrust AI or just don't trust to delegating tasks to opaque systems they can't inspect. "Users" is not a monolith.
2 replies →
> Who ever enables that for users best will get the users.
And if it's anything like Uber, that'll be when the enshittification really kicks into gear.
I'm old enough to remember discussions around the meaning of `User-Agent` and why it was important that we include it in HTTP headers. Back before it was locked to `Chromium (Gecko; Mozilla 4.0/NetScape; 147.01 ...)`. We talked about a magical future where your PDA, car, or autonomous toaster could be browsing the web on your behalf, and consuming (or not consuming) the delivered HTML as necessary. Back when we named it "user agent" on purpose. AI tooling can finally realize this for the Web, but it's a shame that so many companies who built their empires on the shoulders of those visionaries think the only valid way to browse is with a human-eyeball-to-server chain of trust.
Me too but it died when ads became the currency of the web. If the reason the site exists is to use ads, they’re not going to let you use an user agent that doesn’t display the ads.
> If the reason the site exists is to use ads, they’re not going to let you use an user agent that doesn’t display the ads.
They've been giving it the old college try for the better part of two decades and the only website I've had to train myself not to visit is Twitch, whose ads have invaded my sightline one time too many, and I conceded that particular adblocking battle. I don't get the sense that it's high on the priority list for most sites out there (knock on wood).
3 replies →
Adblocker is only few clicks away and a surprisingly large amount of users running one. So they might not like it, but they already letting plenty of users to use agent that doesn't display the ads.
Not only ads. Primary anti-scraping use today is obfuscation either as anti-competitive practice or hiding unlawful behavior like IP infringement etc.
> AI tooling can finally realize this for the Web
There was a concept named Web 3.0 a while ago, aka the 'Semantic Web'. It wasn't the crypto/blockchain scam that we call Web3 today. The idea was to create a web of machine readable data based on shared ontologies. That would have effectively turned the web into a giant database of sorts, that the 'agents' could browse autonomously and derive conclusions from. This is sort of like how we browse the web to do research on any topic.
Since the data was already in a structured form in Web 3.0 instead of natural language, the agent would have been nowhere near the energy hogs that LLMs are today. Even the final conversion of conclusions into natural language would have been much more energy-efficient than the LLMs, since the conclusions were also structured. Combine that with the sorts of technology we have today, even a mediocre AI (by today's standards) would have performed splendidly.
Opponents called it impractical. But there already were smaller systems around from various scientific fields, operating on the same principle. And the proponents had already made a lot of headway. It was going to revolutionize information sharing. But what I think ultimately doomed it is the same reason you mentioned. The powers that be, didn't want smarter people. They wanted people who earned them money. That means those who spend their attention on dead scrolling feeds, trash ads and slop.
> but it's a shame that so many companies who built their empires on the shoulders of those visionaries think the only valid way to browse is with a human-eyeball-to-server chain of trust.
Yes, this! But only when your eyeball and attention earns them profit. Otherwise they are perfectly content with operating behind your backs and locking you out of decisions about how you want to operate the devices you paid for in full. This is why we can't have good things. No matter which way you look, the ruins of all the dreams lead to the same culprit - the insatiable greed of a minority. That makes me question exactly how much wealth one needs to live comfortably or even lavishly till their death.
Just like then we were naive about folks not abusing these things to the point of making everyone need to block them to oblivion. I think we are relearning these lessons 30 years later.
I think I have one explanation why for a website, exposing an MCP servers AND having captchas can make sense.
- an agent loading the real page is waste for the server, because the data sent is a few megavytes, and you don't have the usual returns of an user seeing your ads
- BUT API requests (or here, MCP) are much lighter, a few dozen kB, so that makes the ROI positive again
At least that's my view : please tell me, anyone, if that reason doesn't make sense!
They wanna let you use the service the way they want.
An e-commerce? Wanna automate buying your stuff - probably something they wanna allow under controlled forms
Wanna scrape the site to compare prices? Maybe less so.
A brave new world for fraud and returns.
Also I just recently noticed Chrome now has a Klarna/BNPL thing as a built in payments option that I never asked for...
Yeah it's a payment method they added to Google Pay (Google Wallet? I don't know anymore). You can turn it off in autofill settings.
> Do websites want to prevent automated tooling, as indicated by everyone putting everything behind Cloudfare and CAPTCHAs since forever, or do websites want you to be able to automate things? Because I don't see how you can have both.
The proposal (https://docs.google.com/document/d/1rtU1fRPS0bMqd9abMG_hc6K9...) draws the line at headless automation. It requires a visible browsing context.
> Since tool calls are handled in JavaScript, a browsing context (i.e. a browser tab or a webview) must be opened. There is no support for agents or assistive tools to call tools "headlessly," meaning without visible browser UI.
That really just increases the processing power required to automate it. VM running Chrome to a virtual frame buffer, point agent at frame buffer, automate session. It's clunky, but probably not that much more memory intensive than current browser automation. You could probably ditch the frame buffer as well, except for giving the browser something to write out to. It can probably be /dev/null.
>Can someone explain what the hell is going on here?
Someone at Chromium team is launching rapidly for an promotion
Not fine if you use Claude. But it's fine if you are Google Flights and the user uses Gemini. The paid version of course.
i’m seeing this at my corporate software job now. that service that you used to have security and product approval for to even read their Swagger doc has an MCP server you can install with 2 clicks.
Sometimes, it gets added there without your consent.
Obviously if you wanted people to book flights with a bot then you could have provided a public API for that long ago.
I think potentially the subtlety here is a sort of cooperative mode - the computer filling out a lot of the forms and doing the grunt, but it's important that the human is still in the loop - so they need to be able to share a UI with the agent.
Hence a agent friendly web page, rather than just an API.
different threat model. cloudflare blocks automation that pretends to be human -- scraping, fake clicks, account stuffing. webmcp is a site explicitly publishing 'here are the actions i sanction.' you can block selenium on login and expose a webmcp flight search endpoint at the same time. one's unauthorized access, the other's a published api.
as a website operator, i want my website to not experience downtime and unreliability because of usage rates that exceed the rate at which humans load pages, and i want to not be defrauded.
if you want to access my website using automated tools, that's fine. but if there's a certain automated tool that is consistently used to either break the site or attempt to defraud me, i'm going to do my best to block that tool. and sometimes that means blocking other, similar tools.
if the webMCP client in chrome behaves in a reasonable way that prevents abuse, then i don't see a problem with it. if scammers discover they can use it to scam, then websites will block it too.
I can deeply, deeply relate. X and Bluesky are both going nuts with ai and ai scams, but _both_ of them banned an advertising account because we were... using a bot to automate behavior because their APIs are only a subset of functionality.
Their vision is a world where they use all the automation regardless of safety or law, and we have to jump through extra hoops and engage in manual processes with AI that literally doesn't have the tool access to do what we need and will not contact a human.
Remember when many websites had quite open public APIs? Over time this became less common, and existing things like FB added more limitations.
These are obviously different people you're talking about here
I was also thinking about more or less the same thing with APIs and MCPs. The companies that didn't have any public apis are now exposing MCPs. That, to me is quite interesting. Maybe it is the FOMO effect.
I can't see walled garden platforms or any website that monetizes based on ads offering WebMCP. Agents using their site represent humans who aren't.
Both. I imagine if using this there is a tell (e.g. UA or other header). Sites can just block unauthenticated sessions using it but allow it to be used when they know who.
Also, as someone who has tried to build tools that automate finding flights, The existing players in the space have made it nearly impossible to do. But now Google is just going to open the door for it?
WebMCP should be a really easy way to add some handy automation functionality to your website. This is probably most useful for internal applications.
It’s weirder than that. There is a surge of companies working on how to provide automated access to things like payments, email, signup flows, etc to *Claw.
And what site is going to open their api up to everyone? Document endpoints already exist, why make it more complicated.
In early experiments with the Claude Chrome extension Google sites detected Claude and blocked it too. Shrug
Is the website Stripe or NYTimes?
I feel like this is a way to ultimately limit the ability to scrape but also the ability to use your own AI agent to take actions across the internet for you. Like how Amazon doesn’t let your agent to shop their site for you, but they’ll happily scrape every competitor’s website to enforce their anti competitive price fixing scheme. They want to allow and deny access on their terms.
WebMCP will become another channel controlled by big tech and it’ll come with controls. First they’ll lure people to use this method for the situations they want to allow, and then they’ll block everything else.
Oh, that's an easy one. LLMs have made people lose their god damned minds. It makes sense when you think about it as breaking a few eggs to get to the promised land omelette of laying off the development staff.
> Do websites want to prevent automated tooling, as indicated by everyone putting everything behind Cloudfare and CAPTCHAs since forever,
Not if they don't want their rankings to tank. Now you'll need to make your website machine friendly while the lords of walled gardens will relentlessly block any sort of 'rogue' automated agent from accessing their services.
They will wish that you use an official API, follow the funnel they settled for you, and make purchases no matter how
Why should a browser care about how websites want you to use them?
In my opinion sites that want agent access should expose server-side MCP, server owns the tools, no browser middleman. Already works today.
Sites that don’t want it will keep blocking. WebMCP doesn’t change that.
Your point about selenium is absolutely right. WebMCP is an unnecessary standard. Same developer effort as server-side MCP but routed through the browser, creating a copy that drifts from the actual UI. For the long tail that won’t build any agent interface, the browser should just get smarter at reading what’s already there.
Wrote about it here: https://open.substack.com/pub/manveerc/p/webmcp-false-econom...
So... an API?
Most sites don't want to expose APIs or care enough about setup and maintenance of said API.
Are you asking if Agents should use API?