The Ruling That Defines Agent Access
In March 2026, a federal judge issued a preliminary injunction blocking Comet's AI browser agent from accessing Amazon accounts on behalf of users. The ruling established a principle that will shape the agentic web: the permission a user gives an AI agent does not substitute for the platform's authorization. Even if a user explicitly asks an AI agent to browse Amazon, buy products, or manage their account, Amazon retains the right to block that agent.
The injunction applies specifically to Comet, but the legal reasoning applies broadly. Any AI agent that accesses a website is subject to that website's terms of service, regardless of whether the user requested the access. This creates a legal distinction between a user browsing a site and an agent browsing the same site on the user's behalf.
Why This Matters Now
Google is shipping Chrome auto browse to 200 million Android devices in late June 2026. OpenAI's Operator and ChatGPT Go are live. Anthropic's Claude Computer Use achieves 44% task completion on real-world web tasks. Perplexity, Brave Leo, Arc Browse for Me — the browser agent market is exploding. And a federal court has ruled that platform operators can block any of them.
The Comet injunction means that the 57.5% of web traffic that is now automated does not have the same legal standing as human traffic. Websites can differentiate, challenge, or block AI agents — and the courts will enforce those decisions. This is the legal foundation for the two-tier web that Cloudflare's Web Bot Auth is building technically.
Framework Implications
The ruling creates a new dimension in framework evaluation: agent accessibility. Websites that want to be accessible to AI agents must explicitly opt in — through Web Bot Auth, robots.txt, API endpoints, or terms of service that permit automated access. Websites that block agents lose a growing share of traffic. Websites that welcome agents gain a competitive advantage in the agentic browsing era.
The frameworks that make this choice easiest are the ones with clean API layers. A FastAPI service can expose a public API endpoint for agents and a protected endpoint for sensitive operations — the platform controls exactly what agents can access. A WordPress site with 27 plugins has no unified access control layer for agent traffic. Each plugin handles requests independently, making granular agent access control impossible.
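The unified access control layer described above can be reduced to one policy function that every request passes through. The sketch below is an added example, not code from the ruling, Comet, or any framework named here. The header name X-Agent-Token, the HMAC token format, the secret and the route prefixes are all hypothetical, and it is written against the standard library so the decision logic could be called from a FastAPI dependency or any other middleware hook.

```python
import hashlib
import hmac

# Hypothetical values for this sketch: secret, header name, token format and
# route prefixes are assumptions, not taken from the article or Web Bot Auth.
PLATFORM_SECRET = b"constructed-demo-secret"
AGENT_ROUTES = ("/api/agent/",)                  # explicitly opened to agents
PROTECTED_ROUTES = ("/account/", "/checkout/")   # sensitive operations


def _mac(agent_id: str) -> str:
    return hmac.new(PLATFORM_SECRET, agent_id.encode(), hashlib.sha256).hexdigest()


def issue_agent_token(agent_id: str) -> str:
    """Platform side: mint a token for an agent the platform has approved."""
    return f"{agent_id}.{_mac(agent_id)}"


def verified_agent(token: str):
    """Return the agent id if the platform minted this token, else None."""
    agent_id, _, mac = token.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(agent_id).encode())
    return agent_id if agent_id and ok else None


def decide(path: str, headers: dict) -> tuple:
    """Single policy decision applied to every request: (status, reason)."""
    token = headers.get("X-Agent-Token")
    # Presence check stands in for real session validation (assumption).
    has_session = "session=" in headers.get("Cookie", "")
    if token is not None:                        # request declares an agent
        if verified_agent(token) is None:
            return 401, "agent token not issued by platform"
        if path.startswith(PROTECTED_ROUTES):
            # A valid user session does not extend to the agent.
            return 403, "protected route closed to agents"
        if path.startswith(AGENT_ROUTES):
            return 200, "authorized agent on agent route"
        return 403, "route not opened to agents"
    if path.startswith(AGENT_ROUTES):
        return 401, "agent token required"
    if path.startswith(PROTECTED_ROUTES):
        return (200, "user session") if has_session else (401, "login required")
    return 200, "public"
```

This policy only governs requests that present an agent token; automation that does not declare itself has to be handled by separate detection.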
The Security Angle
The Comet ruling also highlighted security concerns. Comet was found vulnerable to indirect prompt injection attacks — malicious content on web pages that hijacks the agent's behavior. When an AI agent operates with a user's credentials and navigates arbitrary web pages, every page becomes a potential attack vector. The agent trusts the page content. The page content can instruct the agent to take unauthorized actions.
This is the same attack vector that the TrapDoor supply chain campaign exploited — adversarial instructions hidden in configuration files that AI assistants read and execute. The difference is scale: TrapDoor targeted developers via package managers. Prompt injection via web pages targets every user of every AI browser agent. The frameworks that output clean, structured, semantic content are safer for agents to consume than the frameworks that output complex, JavaScript-heavy pages with embedded third-party content.