🤖 AI Summary
Existing web proxies struggle to distinguish trustworthy from untrustworthy content within web pages, undermining isolation-based defenses against prompt injection attacks. This work proposes a novel DOM-structure-based security mechanism that identifies and blocks untrusted regions without inspecting their actual content, thereby sanitizing inputs before they reach the proxy. By integrating sandboxed interaction interfaces and a privilege-separated architecture, the approach reestablishes provably secure boundaries. Notably, it achieves, for the first time in web environments, content-agnostic demarcation of trusted regions, effectively mitigating prompt injection threats. The accompanying system has been open-sourced.
📝 Abstract
Defenses that provide security guarantees against prompt injection attacks rely on strict isolation between trusted instructions and untrusted data. In text-based environments such as tool-use APIs, this separation arises naturally: agents can reason from interface definitions without ever processing untrusted content. Extending these guarantees to web agents faces a fundamental challenge: to perceive and interact with their environment, web agents must first observe the rendered page, which intermingles trusted content with untrusted content. This structural entanglement removes the trust boundary on which security guarantees depend, undermining provable defenses for web agents. In this paper, we present Untrusted Content Masking (UCM), a simple and effective approach that restores this boundary in web environments. We leverage a key structural insight: a webpage's Document Object Model (DOM) encodes sufficient information to distinguish trusted from untrusted regions without reading their content. Our framework exploits this by redacting untrusted regions before they reach the agent and routing interaction through a sandboxed interface with strict privilege separation, thereby enabling agents to observe and interact with their environment while remaining isolated from adversarial content. The code is publicly available.