Untrusted Content Masking for Web Agents with Security Guarantees
2026-07-06 • Cryptography and Security
Cryptography and SecurityMachine Learning
AI summaryⓘ
The authors explain that keeping trusted instructions separate from untrusted data is key to defending against prompt injection attacks. While this separation is natural in text-based systems, web agents face a problem because web pages mix trusted and untrusted content together. To solve this, the authors introduce Untrusted Content Masking (UCM), which uses the webpage's structure (DOM) to find and block untrusted parts before the agent sees them. This lets web agents safely interact with pages without being tricked by harmful content.
prompt injectiontrusted vs untrusted dataweb agentsDocument Object Model (DOM)sandboxingsecurity isolationwebpage renderinginteraction privilege separation
Authors
Kristina Nikolić, Egor Zverev, Javier Rando, Matthew Jagielski, Edoardo Debenedetti, Florian Tramèr
Abstract
Defenses that provide security guarantees against prompt injection attacks rely on strict isolation between trusted instructions and untrusted data. In text-based environments such as tool-use APIs, this separation arises naturally: agents can reason from interface definitions without ever processing untrusted content. Extending these guarantees to web agents faces a fundamental challenge: to perceive and interact with their environment, web agents must first observe the rendered page, which intermingles trusted content with untrusted content. This structural entanglement removes the trust boundary on which security guarantees depend, undermining provable defenses for web agents. In this paper, we present Untrusted Content Masking (UCM), a simple and effective approach that restores this boundary in web environments. We leverage a key structural insight: a webpage's Document Object Model (DOM) encodes sufficient information to distinguish trusted from untrusted regions without reading their content. Our framework exploits this by redacting untrusted regions before they reach the agent and routing interaction through a sandboxed interface with strict privilege separation, thereby enabling agents to observe and interact with their environment while remaining isolated from adversarial content. The code is publicly available.