Web Standards Expert Blasts Google Prompt API

Mat Marquis, a prominent web standards expert, has published a scathing critique of Google's Prompt API, calling it 'the most brazen web standards bullying attempt I have ever seen' — worse even than the controversies surrounding AMP and Manifest V3. The essay has reignited a fierce debate about browser vendor power, the integrity of the standards process, and the privacy implications of embedding AI directly into the browser.

The Prompt API is a Chrome-exclusive feature that allows web pages to invoke a local large language model via JavaScript. While Google frames it as a developer-friendly innovation, critics argue it represents a dangerous precedent for how browser vendors can bypass the collaborative standards process to entrench their market dominance.

Key Takeaways

• Mat Marquis published a detailed critique accusing Google of undermining the W3C standards process with the Prompt API
• The API lets websites call a local LLM built into Chrome through simple JavaScript calls
• Critics say the feature ships proprietary functionality as a de facto standard, forcing other browsers to follow or fall behind
• Privacy advocates warn that on-device AI in the browser could enable sophisticated fingerprinting and behavioral profiling
• The controversy echoes past disputes over Google AMP and the Manifest V3 extension framework
• Mozilla and other browser vendors have not committed to implementing compatible APIs

What Is the Prompt API and Why Does It Matter?

Google's Prompt API is part of a broader suite of built-in AI capabilities the company has been rolling into Chrome under the umbrella of its 'built-in AI' initiative. The API provides a straightforward JavaScript interface — essentially window.ai.languageModel.create() — that allows any website to generate text using a locally running large language model, currently based on Google's Gemini Nano model.

On the surface, this sounds compelling. Developers get free, low-latency AI inference without needing to set up API keys, manage costs, or send user data to remote servers. Google pitches this as a win for both performance and privacy.

But the implementation raises profound questions. The model is bundled with Chrome itself, meaning Google controls what model runs, what capabilities it has, and how it behaves. No other browser vendor has been meaningfully consulted or has agreed to implement a compatible interface. This is not a web standard — it is a Chrome feature masquerading as one.

Marquis Accuses Google of 'Standards Bullying'

Mat Marquis is not a fringe voice. He has served as chair of the Responsive Images Community Group at the W3C and has decades of experience navigating the often-contentious world of web standards development. His critique carries significant weight within the developer community.

Marquis argues that Google is deliberately circumventing the established standards process. In the traditional model, new web platform features go through a multi-stage journey:

• Proposal: A feature is proposed in a public forum, often through the W3C or WHATWG
• Discussion: Browser vendors, developers, and stakeholders debate the design
• Consensus: Multiple browser engines agree on a specification
• Implementation: Browsers ship the feature behind flags, then to stable releases
• Standardization: The spec becomes an official web standard

Google, Marquis contends, has skipped directly from proposal to implementation, shipping the Prompt API in Chrome stable without meaningful multi-vendor consensus. This creates what standards experts call a 'fait accompli' — once millions of websites start using a Chrome-only feature, other browsers face enormous pressure to implement it or risk breaking the web for their users.

This playbook is familiar. Google used similar tactics with AMP, where publishers were effectively coerced into adopting Google's proprietary format to receive preferential treatment in search results. Manifest V3, the controversial overhaul of Chrome's extension system, similarly drew criticism for decisions that appeared to benefit Google's advertising business at the expense of ad-blocking extensions.

The Privacy Paradox: On-Device AI Is Not Automatically Safe

Google has leaned heavily on the privacy narrative, arguing that because the Prompt API runs inference locally on the user's device, no data leaves the browser. This framing is misleading, according to several security researchers and privacy advocates.

The concerns are multifaceted:

• Behavioral fingerprinting: Websites could use the API to analyze user-generated content — keystrokes, form inputs, browsing patterns — in real time without sending any data to a server, making the surveillance invisible to network-level privacy tools
• Model-based fingerprinting: Subtle differences in how the local model responds to specific prompts could be used to identify the user's device, operating system, or Chrome version, creating a new vector for browser fingerprinting
• Consent ambiguity: Users may not understand or be informed that a website is running AI inference on their device using their computational resources
• Scope creep: Once the API exists, there is no technical barrier preventing websites from using it for purposes far beyond what Google initially envisions — from manipulative UX patterns to automated content generation that mimics user behavior

The fundamental issue is that 'on-device' does not equal 'private.' The data being processed is still the user's data, and the website still controls what happens with the outputs. Moving computation from a remote server to the local device changes the architecture but does not inherently change the power dynamics.

A Broader Pattern of Browser Vendor Overreach

Marquis's critique situates the Prompt API within a larger pattern of Google leveraging its dominant position in the browser market to shape the web in its image. Chrome commands roughly 65% of the global desktop browser market and an even higher share on mobile through Android's default browser settings.

This market power creates an asymmetry that distorts the standards process. When Google ships a feature in Chrome, it instantly reaches billions of users. Developers — especially those working under tight deadlines and limited budgets — naturally gravitate toward features that work for the largest audience. Over time, Chrome-specific features become de facto standards, regardless of whether they have gone through proper review.

Mozilla has historically pushed back against such moves, but Firefox's market share has dwindled to roughly 3-4% globally, limiting its leverage. Apple's WebKit team, which controls Safari, has been more vocal in opposing features it considers premature or harmful, but Safari's influence is largely confined to the Apple ecosystem.

The result is a web platform increasingly shaped by a single company's priorities — a situation that echoes the Internet Explorer 6 era, when Microsoft's browser dominance led to years of web stagnation and proprietary lock-in.

How This Compares to Past Google Controversies

The Prompt API controversy did not emerge in a vacuum. It follows a well-documented pattern:

What makes the Prompt API particularly concerning, Marquis argues, is its scope. AMP affected publishers. Manifest V3 affected extension developers. The Prompt API potentially affects every website and every user, embedding Google's AI model as a foundational layer of the web platform.

What This Means for Developers and Businesses

For web developers, the practical implications are significant. The Prompt API offers genuinely useful capabilities — client-side text summarization, translation, content classification, and form assistance, all without API costs or latency. The temptation to adopt it will be strong.

But building on a Chrome-only API carries real risks:

• Cross-browser compatibility: Any feature built on the Prompt API will not work in Firefox, Safari, or other non-Chromium browsers without fallback logic
• Vendor lock-in: Relying on Google's model means accepting Google's decisions about model updates, capability changes, and deprecation timelines
• User trust: Privacy-conscious users may disable built-in AI features or switch browsers entirely, creating fragmented experiences
• Regulatory exposure: As EU regulators increasingly scrutinize Big Tech platform practices, building on proprietary browser APIs could create compliance uncertainties

Developers who need client-side AI capabilities today have alternatives. WebAssembly-based inference using models from Hugging Face, ONNX Runtime Web, or Transformers.js provides cross-browser AI functionality without vendor lock-in. These approaches require more setup but preserve the open web's foundational principle of interoperability.

Looking Ahead: The Battle for the AI-Powered Web

The Prompt API debate is really a proxy for a much larger question: who gets to define how AI integrates with the web platform?

Google's position is clear — it wants Chrome to be the AI-native browser, with built-in capabilities that make it the default choice for developers building AI-powered experiences. This strategy aligns with Google's broader push to make Gemini the ubiquitous AI layer across its products, from Search to Android to Workspace.

The standards community's position is equally clear — new platform capabilities, especially ones as consequential as embedded AI, must go through a transparent, multi-stakeholder process. Anything less risks creating a web that serves one company's interests rather than the public good.

Several possible outcomes could unfold over the next 12 to 18 months:

• Standardization: Google could submit the Prompt API to a formal standards body and work toward multi-browser consensus, though this would likely require significant design compromises
• Fragmentation: Other browsers could implement their own incompatible AI APIs, leading to a fragmented landscape reminiscent of the early 2000s browser wars
• Regulatory intervention: EU regulators, particularly under the Digital Markets Act, could view Chrome's built-in AI as a gatekeeper practice requiring interoperability obligations
• Community pushback: Sustained developer opposition could slow adoption, as happened with AMP, which Google eventually deprioritized after years of criticism

What is certain is that the conversation about AI in the browser is far from over. Mat Marquis's critique has crystallized a set of concerns that many in the web community have been voicing quietly for months. Whether Google responds with genuine engagement or continues to push forward unilaterally will say a great deal about the future of the open web.

The stakes extend beyond any single API. They touch the fundamental question of whether the web remains an open, interoperable platform governed by consensus — or becomes a proprietary runtime controlled by its most powerful vendor.