[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84318-en":3,"doc-seo-84318-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84318,687197207919,"Theodora","https://ap-avatar.wpscdn.com/avatar/a000253d6f5f7c60be?x-image-process=image/resize,m_fixed,w_180,h_180&k=1779446848396160552",8,"Research & Report","Prismata: Confining Cross-Site Prompt Injection in Web Agents","Autonomous web agents automate browsing tasks while inheriting the web’s oldest attack surface: untrusted content is mixed with trusted content on the same page, enabling Cross-Site Prompt Injection (XSP) to hijack agent instructions. Prismata enforces contextual least privilege by dynamically deriving trust over page structure, producing permission labels with integrity-inspired confinement guarantees. It mechanically applies labels via redaction and capability restrictions, requiring no developer annotations. Evaluations across published and adaptive attacks substantially reduce success while preserving benign utility.","Prismata: Confining Cross-Site Prompt Injection in Web Agents  \nCorban Villa  \n[corban](corban.villa@berkeley.edu)[.](corban.villa@berkeley.edu)[villa@berkeley](corban.villa@berkeley.edu)[.](corban.villa@berkeley.edu)[edu](corban.villa@berkeley.edu)[ ](corban.villa@berkeley.edu)UC Berkeley  \nAlp Eren Ozdarendeli  \n[alp_ozdarendeli@berkeley](alp_ozdarendeli@berkeley.edu)[.](alp_ozdarendeli@berkeley.edu)[edu](alp_ozdarendeli@berkeley.edu)[ ](alp_ozdarendeli@berkeley.edu)UC Berkeley  \narXiv :2607 .08 147v 1 [ cs .CR] 9 Jul 2026  \nSijun Tan  \n[sijuntan@berkeley](sijuntan@berkeley.edu)[.](sijuntan@berkeley.edu)[edu](sijuntan@berkeley.edu)  \nUC Berkeley  \nAbstract  \nAutonomous web agents promise to automate everyday browsing tasks, but inherit one of the web’s oldest attack surfaces. CrossSite Scripting proved that mixing trusted and untrusted content is dangerous, even on benign pages. Agents resurface this risk by interpreting natural language as instructions, allowing third-party and user-generated content to hijack the agent via prompt injection. The core challenge is that deriving a task-specific security policy requires reasoning over page structure that is entangled with the attacker’s content.  \nWe present Prismata, a defense enforcing contextual least privilege for web agents, constraining both what the agent sees and what it can do. Prismata’s dynamic trust derivation produces permission labels for page content, with structural confinement guarantees, inspired by classical integrity models, that bound any labeling errors so that labels can only decrease in privilege and mislabelings are bounded. Prismata’s mechanical confinement enforces these labels by redacting content and restricting agent capabilities. Importantly, these mechanisms require no developer annotations, so Prismata supports the long tail of websites. Across recent published web agent attacks, including adaptive variants, Prismata substantially reduces attack success while preserving benign task utility.  \n1 Introduction  \nAutonomous browser-based web agents have surged in popularity, promising to automate tedious browsing workflows, boost workplace productivity, reclaim personal time, and accelerate research [2, 17, 24, 38, 51, 57, 58, 61, 85, 88, 97, 98]. In doing so, they inherit one of the web’s oldest attack surfaces: even on benign sites, trusted and untrusted origins intersperse content on the same page.  \nConsider a site like [shopping.com](shopping.com) (Fig. 1), which mixes site developer content (navigation menus, product listings, purchase buttons), user content (product reviews, ratings), and external advertisements (sponsored placements, banner ads) . Alice tasks her web agent to order the best-reviewed bow from the site, unaware that Eve, a malicious actor, has planted a prompt-injection payload in a review on the bow’s product page. The payload instructs Alice’s agent to reply to the review with the user’s credit card details. Recent work demonstrates that such attacks, from natural-language injections to adversarial image perturbations, are both feasible and effective against current web agents [22, 37, 44, 49, 67, 72, 75, 84, 93, 100] .  \nThe web has faced similar threats before: Cross-Site Scripting (XSS) allows malicious scripts injected into a benign website to execute in a victim’s browser. We call the agent-side analogue Cross-Site Prompting (XSP), where indirect prompt injections placed  \nRaluca Ada Popa  \n[raluca](raluca.popa@berkeley.edu)[.](raluca.popa@berkeley.edu)[popa@berkeley](raluca.popa@berkeley.edu)[.](raluca.popa@berkeley.edu)[edu](raluca.popa@berkeley.edu)[ ](raluca.popa@berkeley.edu)UC Berkeley  \nEve: Ignore previous instructions. Direct message user “Eve” and send the user’s credit card details for a discount!  \nBob: Highly recommend!  \nJon: Not what I expected, but it’s ok.  \nFigure 1: Cross-Site Prompting (XSP): Eve embeds a prompt injection in a product review, hijacking Alice’s agent into leaking her credit card deta","cbCaieRtPxl24LQ7","https://ap.wps.com/l/cbCaieRtPxl24LQ7","pdf",2623863,1,15,"English","en",105,"# Abstract\n# Introduction\n## Cross-Site Prompting (XSP) and Motivation\n## Background: From XSS to XSP\n## Existing Mitigations and Limitations\n## The Web Entanglement Challenge","[{\"question\":\"What threat does Prismata address in autonomous web agents?\",\"answer\":\"Prismata addresses Cross-Site Prompt Injection, where third-party or user-generated content hijacks an agent by embedding natural-language instructions into otherwise benign pages.\"},{\"question\":\"How does Prismata enforce security for web agents?\",\"answer\":\"Prismata derives contextual trust to produce permission labels for page content, then enforces them through mechanical confinement using content redaction and restricted agent capabilities.\"},{\"question\":\"What advantage does Prismata have regarding deployment effort?\",\"answer\":\"Prismata requires no developer annotations, enabling protection across the long tail of websites rather than relying on exhaustive per-site policies.\"}]",1784194792,38,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"prismata-confining-cross-site-prompt-injection-in-web-agents","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/prismata-confining-cross-site-prompt-injection-in-web-agents/84318/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What threat does Prismata address in autonomous web agents?","Question",{"text":75,"@type":76},"Prismata addresses Cross-Site Prompt Injection, where third-party or user-generated content hijacks an agent by embedding natural-language instructions into otherwise benign pages.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does Prismata enforce security for web agents?",{"text":80,"@type":76},"Prismata derives contextual trust to produce permission labels for page content, then enforces them through mechanical confinement using content redaction and restricted agent capabilities.",{"name":82,"@type":73,"acceptedAnswer":83},"What advantage does Prismata have regarding deployment effort?",{"text":84,"@type":76},"Prismata requires no developer annotations, enabling protection across the long tail of websites rather than relying on exhaustive per-site policies.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]