{"slug": "prismata-confining-cross-site-prompt-injection-in-web-agents", "title": "Prismata: Confining cross-site prompt injection in web agents", "summary": "Researchers introduced Prismata, a defense against cross-site prompt injection in autonomous web agents that enforces contextual least privilege by dynamically deriving permission labels for page content and mechanically confining agent actions. The system reduces attack success across published web agent attacks while preserving benign task utility without requiring developer annotations.", "body_md": "# Computer Science > Cryptography and Security\n\n[Submitted on 9 Jul 2026]\n\n# Title:Prismata: Confining Cross-Site Prompt Injection in Web Agents\n\n[View PDF](/pdf/2607.08147)\n\n[HTML (experimental)](https://arxiv.org/html/2607.08147v1)\n\nAbstract:Autonomous web agents promise to automate everyday browsing tasks, but inherit one of the web's oldest attack surfaces. Cross-Site Scripting proved that mixing trusted and untrusted content is dangerous, even on benign pages. Agents resurface this risk by interpreting natural language as instructions, allowing third-party and user-generated content to hijack the agent via prompt injection. The core challenge is that deriving a task-specific security policy requires reasoning over page structure that is entangled with the attacker's content.\n\nWe present Prismata, a defense enforcing contextual least privilege for web agents, constraining both what the agent sees and what it can do. Prismata's dynamic trust derivation produces permission labels for page content, with structural confinement guarantees, inspired by classical integrity models, that bound any labeling errors so that labels can only decrease in privilege and mislabelings are bounded. Prismata's mechanical confinement enforces these labels by redacting content and restricting agent capabilities. Importantly, these mechanisms require no developer annotations, so Prismata supports the long tail of websites. Across recent published web agent attacks, including adaptive variants, Prismata substantially reduces attack success while preserving benign task utility.\n\n### References & Citations\n\nLoading...\n\n# Bibliographic and Citation Tools\n\nBibliographic Explorer\n\n*(*[What is the Explorer?](https://info.arxiv.org/labs/showcase.html#arxiv-bibliographic-explorer))\nConnected Papers\n\n*(*[What is Connected Papers?](https://www.connectedpapers.com/about))\nLitmaps\n\n*(*[What is Litmaps?](https://www.litmaps.co/))\nscite Smart Citations\n\n*(*[What are Smart Citations?](https://www.scite.ai/))# Code, Data and Media Associated with this Article\n\nalphaXiv\n\n*(*[What is alphaXiv?](https://alphaxiv.org/))\nCatalyzeX Code Finder for Papers\n\n*(*[What is CatalyzeX?](https://www.catalyzex.com))\nDagsHub\n\n*(*[What is DagsHub?](https://dagshub.com/))\nGotit.pub\n\n*(*[What is GotitPub?](http://gotit.pub/faq))\nHugging Face\n\n*(*[What is Huggingface?](https://huggingface.co/huggingface))\nScienceCast\n\n*(*[What is ScienceCast?](https://sciencecast.org/welcome))# Demos\n\n# Recommenders and Search Tools\n\nInfluence Flower\n\n*(*[What are Influence Flowers?](https://influencemap.cmlab.dev/))\nCORE Recommender\n\n*(*[What is CORE?](https://core.ac.uk/services/recommender))# arXivLabs: experimental projects with community collaborators\n\narXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.\n\nBoth individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.\n\nHave an idea for a project that will add value for arXiv's community? [ Learn more about arXivLabs](https://info.arxiv.org/labs/index.html).", "url": "https://wpnews.pro/news/prismata-confining-cross-site-prompt-injection-in-web-agents", "canonical_source": "https://arxiv.org/abs/2607.08147", "published_at": "2026-07-10 21:03:38+00:00", "updated_at": "2026-07-10 22:14:39.666030+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-research"], "entities": ["Prismata"], "alternates": {"html": "https://wpnews.pro/news/prismata-confining-cross-site-prompt-injection-in-web-agents", "markdown": "https://wpnews.pro/news/prismata-confining-cross-site-prompt-injection-in-web-agents.md", "text": "https://wpnews.pro/news/prismata-confining-cross-site-prompt-injection-in-web-agents.txt", "jsonld": "https://wpnews.pro/news/prismata-confining-cross-site-prompt-injection-in-web-agents.jsonld"}}