Cursor Browser Tool: Let the Agent Drive a Real Browser
Cursor's Browser tool gives the agent control of a web browser so it can test applications, edit layout and styles visually, audit accessibility, and turn designs into code. It can read console output and network traffic to debug issues, and works without installing any external tools. Browser actions require your approval by default, and enterprise admins govern access through MCP allow and deny lists.
What can the Cursor Browser tool do?
The agent drives a browser the way you would, and it sees what the page does. With access to console logs and network traffic, it can debug issues and run testing workflows itself. Cursor lists the specific browser actions the agent has; the table below maps each one to what it lets the agent accomplish.
| Action | What the agent can do |
|---|---|
| Navigate | Visit URLs, follow links, go back and forward, and refresh pages. |
| Click | Click, double-click, right-click, and hover on any visible element. |
| Type | Fill out forms, submit data, and enter text into fields and search boxes. |
| Scroll | Reveal more content and find elements on long pages. |
| Screenshot | Capture the page so it can verify layout and confirm its actions. |
| Console output | Read console messages, errors, and logs to troubleshoot behavior. |
| Network traffic | Monitor HTTP requests and responses to diagnose API and network issues. |
Network traffic monitoring is currently available in the Agent panel, with the layout coming soon, per Cursor's docs.
Browser logs are written to files the agent can grep and read selectively, so it reads only the lines it needs instead of summarizing verbose output after every action. Screenshots are passed through the file-reading tool as images, so the agent sees the page rather than a text description of it.
How does the design sidebar work?
The browser includes a design sidebar for changing your site directly in Cursor, so you can adjust the look and keep the code in sync. Cursor groups the controls into a few categories.
- Position and layout: move elements, and change flex direction, alignment, and grid layouts.
- Dimensions: adjust width, height, padding, and margins with exact pixel values.
- Colors: apply colors from your design system or add gradients through a visual picker.
- Appearance: change shadows, opacity, and border radius with sliders.
- Theme testing: check your design in light and dark themes.
When the visual change looks right, click apply to start an agent that translates it into the matching code edits. You can also select multiple elements across the site and describe the change in text; agents run in parallel and the result appears after hot-reload.
Does the browser remember sessions between runs?
Yes. Browser state persists between agent sessions, scoped to your workspace, so a logged-in test does not start from scratch each time. Cursor documents three kinds of retained state, and isolates the context per workspace so projects keep separate cookies and storage.
- Cookies: authentication cookies and session data stay available across sessions.
- Local storage: data in localStorage and sessionStorage persists.
- IndexedDB: database content is retained between sessions.
How is the Browser tool kept safe?
The browser runs as a secure web view controlled by an MCP (Model Context Protocol) server that runs as an extension, and Cursor says the integration has been reviewed by multiple external security auditors. By default browser actions require your approval; you can change that in Agent Settings, and the three modes trade convenience for control.
| Mode | Behavior |
|---|---|
| Manual approval | Review and approve each browser action individually (recommended). |
| Allow-listed actions | Actions matching your allow list run automatically; others need approval. |
| Auto-run | All actions run immediately without approval (use with caution). |
Approval modes from Cursor Settings > Agents > Auto-Run.
Cursor warns that allow and block lists give best-effort protection because AI behavior can be unpredictable through prompt injection and similar issues. Never use auto-run with untrusted code or unfamiliar sites: the agent could run malicious scripts or submit sensitive data without your knowledge. Review auto-approved actions regularly.
How do enterprise admins control browser access?
For enterprise customers, browser functionality is managed through Cursor's MCP controls: admins toggle availability and have granular control over each MCP server and over browser access. Two settings matter most for a controlled rollout.
- Enable browser for the team in the Settings Dashboard under MCP Configuration by toggling browser features; access then follows your MCP allow or deny lists.
- Configure a Browser Origin Allowlist that restricts which sites the agent can automatically navigate to and where MCP tools can run; this feature must be enabled for your organization by your Cursor account team before it appears.
The allowlist restricts automatic agent navigation but is best-effort. Cursor documents three cases where navigation to a non-allowed origin still succeeds: clicking a link on an allowed domain that points off-list, a redirect from an allowed origin, and client-side JavaScript navigation. Review the allowlist regularly, and weigh whether to allow domains that redirect or link out.
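The three cases above can be checked for after the fact. The following is an added example, not Cursor's code: it audits a navigation log against an origin allowlist and reports every hop that landed off-list. The log format, field names, and origins are constructed for illustration.

```javascript
// Hypothetical log format: one event per navigation hop.
// cause: how the browser got to `to`; from: the page it left (null if none).
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",
  "https://app.example.test",
]);

// Constructed sample covering the three documented cases.
const SAMPLE_LOG = [
  { cause: "agent_navigate", from: null, to: "http://localhost:3000/login" },
  { cause: "redirect", from: "http://localhost:3000/login",
    to: "https://sso.example.test/auth?next=/" },
  { cause: "agent_navigate", from: null, to: "https://app.example.test/docs" },
  { cause: "link_click", from: "https://app.example.test/docs",
    to: "https://cdn.example.test/guide.html" },
  { cause: "script_navigation", from: "https://app.example.test/docs",
    to: "https://app.example.test/home" },
  { cause: "script_navigation", from: "https://app.example.test/home",
    to: "https://ads.example.test/landing" },
];

// Compare scheme + host + port exactly; substring matching is not enough.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Return one finding per hop whose destination origin is not on the allowlist.
function auditNavigations(log, allowed) {
  const findings = [];
  log.forEach((ev, index) => {
    const dest = originOf(ev.to);
    if (dest !== null && allowed.has(dest)) return;
    const src = ev.from ? originOf(ev.from) : null;
    findings.push({
      index,
      cause: ev.cause,
      destination: dest ?? "(unparseable)",
      // true: the hop started on an allowed origin and left the list
      leftAllowedOrigin: src !== null && allowed.has(src),
    });
  });
  return findings;
}

// Tally findings by cause to see which allowed domains leak navigation.
function countByCause(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.cause]: (acc[f.cause] || 0) + 1 }), {});
}

console.log(auditNavigations(SAMPLE_LOG, ALLOWED_ORIGINS));
```

A finding with `leftAllowedOrigin: true` points at an allowed domain that redirects or links out, which is the kind of entry to reconsider when reviewing the allowlist.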
Frequently asked questions
Do I need to install anything to use Cursor's Browser tool?
No. Cursor's docs state you can use Browser without installing or configuring any external tools.
Which models does Cursor recommend for the Browser tool?
Cursor recommends Sonnet 4.5, GPT-5, and Auto for the best performance with the Browser tool.
Can the agent run browser actions without asking me?
Only if you change the default. Browser actions require manual approval by default; you can switch to allow-listed actions or auto-run in Cursor Settings > Agents > Auto-Run, but Cursor warns against auto-run on untrusted code or unfamiliar sites.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on June 26, 2026.