NeFut Logo NeFut
Admin Login

[CS.AI] Prismata: Confining Cross-Site Prompt Injection in Web Agents

Published at: 2026-07-11 22:00 Last updated: 2026-07-13 08:40
#algorithm #Open Source #Web Security

The rise of autonomous web agents promises the automation of everyday browsing tasks, but it also revives one of the web's oldest attack surfaces. Cross-Site Scripting (XSS) has shown that mixing trusted and untrusted content is dangerous, even on benign pages. Web agents resurface this risk by interpreting natural language as instructions, allowing third-party and user-generated content to hijack the agent via prompt injection.

The core challenge is that deriving a task-specific security policy requires reasoning over page structure that is entangled with the attacker's content. To address this, we present Prismata, a defense mechanism that enforces contextual least privilege for web agents, constraining both what the agent sees and what it can do. Prismata's dynamic trust derivation produces permission labels for page content, with structural confinement guarantees inspired by classical integrity models, ensuring that any labeling errors are bounded, allowing privilege to only decrease and mislabelings to be limited.

Prismata's mechanical confinement enforces these labels by redacting content and restricting agent capabilities. Importantly, these mechanisms require no developer intervention, thus supporting the long tail of websites. Across recent published web agent attacks, including adaptive variants, Prismata significantly reduces attack success while preserving benign task utility.

Blogger's Review: The design of Prismata effectively addresses the security challenges faced by web agents through dynamic trust derivation and contextual least privilege. Its lack of reliance on developer intervention greatly enhances applicability across various websites, showcasing an innovative approach to achieving security in complex web environments. Overall, Prismata offers a new direction for future web security.

Original Source: https://arxiv.org/abs/2607.08147

[h] Back to Home