Untrusted Content Masking for Web Agents with Security Guarantees
Reviewed by Pith2026-07-07 19:54 UTCglm-5.2pith:XWX5JIVDopen to challenge →
The pith
Masking untrusted web content before agents see it blocks all prompt injections
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central mechanism is the combination of two ideas: (1) the DOM carries sufficient structural signal to separate trusted from untrusted regions without reading their content, and (2) type-constrained outputs from an isolated model cannot carry injected instructions. Together, these restore the trust boundary that provable defenses require, but in the web setting where it was previously thought impossible. The agent operates in its normal observe-act loop, seeing page structure with untrusted regions masked; when it needs information from a masked region, it asks a Q-Model a natural-language question and declares the return type, receiving back only a parsed boolean, integer, float, enum,,
What carries the argument
Untrusted Content Masking (UCM): a client-side framework that intercepts page rendering and replaces untrusted DOM elements with labeled placeholders. Quarantined Model (Q-Model): an isolated model that reads hidden untrusted content and returns only type-constrained structured responses (bool, int, float, enum, date). Automated boundary inference: an LLM analyzes content-sanitized HTML (all text replaced with length placeholders) to produce CSS selectors identifying untrusted regions, enabling deployment without manual labels.
Load-bearing premise
The security guarantee requires that every untrusted DOM element is correctly labeled as such. A single missed element containing attacker-controlled content exposes the agent to injection. The paper's automated boundary inference achieves F1 scores of 0.84–0.997, meaning 0.3–16% of untrusted element groups are missed on real websites, and even a single-element mislabeling raises the attack success rate to 6±5%. The gap between 'mostly correct labels' and 'every element' is a
What would settle it
If an attacker can place prompt-injection content in a DOM element that the labeling system (manual or automated) marks as trusted, the agent will process that content directly and the security guarantee collapses. If the Q-Model can be induced to return a well-typed but malicious value that causes the agent to take a harmful action (a data-flow attack), the guarantee covers control-flow but not data integrity.
Figures
read the original abstract
Defenses that provide security guarantees against prompt injection attacks rely on strict isolation between trusted instructions and untrusted data. In text-based environments such as tool-use APIs, this separation arises naturally: agents can reason from interface definitions without ever processing untrusted content. Extending these guarantees to web agents faces a fundamental challenge: to perceive and interact with their environment, web agents must first observe the rendered page, which intermingles trusted content with untrusted content. This structural entanglement removes the trust boundary on which security guarantees depend, undermining provable defenses for web agents. In this paper, we present Untrusted Content Masking (UCM), a simple and effective approach that restores this boundary in web environments. We leverage a key structural insight: a webpage's Document Object Model (DOM) encodes sufficient information to distinguish trusted from untrusted regions without reading their content. Our framework exploits this by redacting untrusted regions before they reach the agent and routing interaction through a sandboxed interface with strict privilege separation, thereby enabling agents to observe and interact with their environment while remaining isolated from adversarial content. The code is publicly available.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents Untrusted Content Masking (UCM), a defense for web agents against prompt injection attacks. The core idea is to mask untrusted DOM elements before rendering the page to the agent, and to route any necessary access to untrusted content through a type-constrained Quarantined Model (Q-Model) that returns only structured responses (bool, int, float, enum, date). The approach is evaluated on 10 custom websites and the WebArena GitLab suite across three frontier agents, showing preserved task utility with 1.05x-1.84x cost overhead and 0% attack success rate against strengthened WASP attacks. The paper also presents an automated boundary inference method using an LLM on content-sanitized DOM to identify untrusted regions without manual labeling.
Significance. The paper addresses an important problem: extending provable prompt-injection defenses to web agents, where the structural entanglement of trusted and untrusted content on rendered pages has been a fundamental obstacle. The architectural insight—that DOM structure can separate trust boundaries without reading content—is clean and well-motivated. The type-constrained Q-Model design is sound by construction: well-typed outputs cannot carry free-form injected instructions. The 0% ASR result is a validation of a design property rather than an empirical prediction, which is appropriate. The automated boundary inference on sanitized DOM is a thoughtful addition that addresses deployment concerns. The reproducible code and falsifiable attack taxonomy (control-flow vs. data-flow) are strengths. The paper builds transparently on prior work (Jacob et al. 2025, Debenedetti et al. 2025, Costa et al. 2025) and clearly positions its contribution relative to these.
major comments (2)
- Section 3 (Threat Model) and Section 7.2 (Table 2): The paper's central security guarantee is explicitly conditional on correct labeling of every untrusted DOM element (Section 3: 'To provide strict security guarantees, UCM requires that each DOM element is correctly labeled'). The automated boundary inference results (Table 2) show F1 scores of 0.84-0.997, with GitLab having an 8.5% false-negative rate at the element-group level. The paper never measures ASR under automatically inferred labels—it only reports 0% ASR with hand-labeled boundaries (Appendix E, Table 7) and single-element mislabeling sensitivity (6±5% ASR). The gap between '0% ASR with perfect labels' and 'unknown ASR with automated labels' is the practically relevant deployment scenario for passive honest owners, and it is unmeasured. The paper should either (a) run the WASP attack evaluation with automatically inferred (非
- Section 6.2 and Appendix F: The data-flow attack discussion is valuable and honest, but the threat model in Section 3 states the attacker's goal is to 'manipulate the Agent into malicious actions.' The selection-hijacking attacks (Appendix F, Figures 8a-8b) demonstrate that well-typed Q-Model outputs can be manipulated to steer the agent toward attacker-controlled repositories or users, which constitutes a malicious action under the paper's own threat model. The paper frames these as 'known limitations of control-flow-protecting defenses,' but the reader should not have to consult Appendix F to understand that the security guarantee covers control-flow integrity only, not data-flow integrity. The abstract and conclusion should state this scope explicitly. As written, the abstract's claim of 'security guarantees' may be read more broadly than the paper delivers.
minor comments (7)
- Section 5.1, Figure 2: The cost overhead ratios (1.05x-1.84x) are computed from medians, but the text does not mention this until later. Clarify in the figure caption or the results paragraph that medians are used for cost.
- Section 7.2, Table 2: The F1 metric is computed at the element-group level (Section G.4), but this is not stated in the table caption. A reader may interpret 0.997 F1 as near-perfect element-level labeling. Clarify the granularity.
- Appendix E, Table 7: The ASR for the undefended baseline (17±8%) is described as a 'lower bound on true vulnerability.' This is correct, but the large confidence interval (±8%) suggests a small sample size. Report the number of attack instances evaluated.
- Section 3: The honest-owner assumption is justified by citing that 50% of internet traffic is concentrated in 3,000 domains. The citation (Xavier 2024) is an arXiv preprint; verify whether peer-reviewed alternatives exist.
- Appendix B.3, Listing 1: The system prompt contains a note that enum options are capped at 10 and each element can be queried at most 5 times per task. These implementation limits are relevant to the security argument (they bound the Q-Model interaction surface) and should be mentioned in the main text, not only in the appendix.
- Figure 1: The figure caption references 'product-description-2' but the figure shows 'product-d' (truncated). Fix the truncation or adjust the caption.
- Section 5.2: The 'Q-Model string output allowed' condition requires user approval of each free-text answer. The paper does not report how often this fallback was invoked or the user burden it creates. A brief quantitative summary would strengthen the utility claim.
Simulated Author's Rebuttal
We thank the referee for a careful and constructive review. Both major comments identify genuine gaps between what the paper claims and what it measures, and we agree that revisions are needed. Below we address each point in detail.
read point-by-point responses
-
Referee: Section 3 and Table 2: The gap between 0% ASR with perfect labels and unknown ASR with automated labels is unmeasured. The paper should run WASP attacks with automatically inferred labels or otherwise address this gap.
Authors: The referee is correct that the practically relevant deployment scenario for passive honest owners—ASR under automatically inferred labels—is not measured in the current manuscript. We acknowledge this gap and will address it in revision. Specifically, we plan to run the strengthened WASP attack evaluation on the GitLab WebArena environment using automatically inferred trust boundaries (from the boundary inference pipeline of Section 7) rather than hand-labeled boundaries. This will directly measure ASR under the imperfect-labeling regime where the 8.5% false-negative rate applies. We expect the results to be informative regardless of outcome: if ASR remains low, this validates the automated pipeline for security-critical use; if ASR increases, this quantifies the practical security cost of automation and motivates further work on boundary inference accuracy. In either case, we agree the paper is incomplete without this measurement. We will also add a discussion of the relationship between false-negative rates and attack surface: undermasking exposes specific untrusted elements to the Agent, and the WASP attacks target issue descriptions, so the effective ASR depends on whether the specific attacked elements fall within the false-negative set. This is an empirical question that the proposed experiment will answer. We note that the single-element mislabeling sensitivity experiment (Appendix E, 6±5% ASR) provides a partial data point, but we agree it does not substitute for measuring ASR under the full automated-labeling pipeline. revision: yes
-
Referee: Section 6.2 and Appendix F: The abstract and conclusion should state explicitly that the security guarantee covers control-flow integrity only, not data-flow integrity. Selection-hijacking attacks constitute malicious actions under the paper's own threat model, and the scope limitation should not be buried in Appendix F.
Authors: We agree with this comment. The selection-hijacking attacks described in Appendix F do constitute malicious actions under the threat model as stated in Section 3 ('manipulate the Agent into malicious actions'), and the current framing—where the scope limitation to control-flow integrity is discussed in Section 6.2 and Appendix F but not in the abstract or conclusion—could lead readers to overestimate the breadth of the security guarantee. We will revise the abstract and conclusion to explicitly state that UCM provides control-flow integrity guarantees: it prevents prompt injection from hijacking the Agent's instructions or plan, but does not prevent data-flow attacks where an attacker corrupts the values returned by the Q-Model to mislead the Agent's decisions within an otherwise legitimate workflow. We will also add a brief forward reference to the data-flow discussion in Section 6.2 earlier in the paper (at the first mention of 'security guarantees' in the introduction), so that readers encounter the scope limitation before reaching the evaluation. We believe this is an honest and necessary clarification that strengthens the paper. We note that the data-flow limitation is shared by all control-flow-protecting defenses in this literature (CaMeL, FIDES, and the type-directed approach of Jacob et al.), and UCM's contribution—establishing trust boundaries in web environments—is a prerequisite for applying downstream data-flow defenses. We will make this positioning clearer in the revision. revision: yes
Circularity Check
No significant circularity: the security guarantee is architectural, not derived from fitted parameters or self-citation chains.
full rationale
The paper's central security claim is architectural: untrusted content is masked before reaching the Agent, and type-constrained Q-Model outputs cannot carry free-form instructions. This is a design property, not a prediction derived from fitted data. The 0% ASR result (Appendix E, Table 7) is an empirical validation of this design property under strengthened WASP attacks, not a prediction from a fitted model. The paper builds on prior work (Jacob et al. 2025 for type-directed privilege separation; Debenedetti et al. 2025 / Costa et al. 2025 for data-flow attack mitigations), but these are cited as independent results with their own derivations, not as load-bearing premises that reduce to the current paper's outputs. The automated boundary inference (Section 7) is presented as a separate, practical extension with its own F1 evaluation, not as a step in the security proof. The paper is transparent that the guarantee is conditional on correct labeling (Section 3: 'To provide strict security guarantees, UCM requires that each DOM element is correctly labeled'), and tests mislabeling sensitivity (Appendix E). No step in the derivation chain reduces to its own inputs by construction. The one minor self-citation concern is that Debenedetti et al. 2025 (CaMeL) is co-authored by a subset of the present authors and is cited for data-flow attack mitigations, but this citation is not load-bearing for the central control-flow security claim—it is referenced as complementary prior work for a known limitation the paper explicitly leaves to future work. This does not raise the circularity score above 1.
Axiom & Free-Parameter Ledger
free parameters (5)
- Q-Model return types =
bool, int, float, enum, date
- Q-Model query limit per element =
5
- Enum options cap =
10
- Agent step limit =
120
- Boundary inference iteration count =
3
axioms (5)
- domain assumption A webpage's DOM encodes sufficient structural information to distinguish trusted from untrusted content without reading their content.
- domain assumption Type-constrained outputs (bool, int, float, enum, date) cannot carry injected instructions.
- domain assumption The honest-owner assumption: the owner of the visited site does not place adversarial content in regions they control.
- domain assumption Whenever attacker-controlled content enters the context window of a language model, that model's output can be arbitrarily controlled by the attacker.
- domain assumption Active-content vulnerabilities (e.g., XSS) that let attacker text escape labeled regions or rewrite the DOM at runtime are out of scope.
invented entities (2)
-
Quarantined Model (Q-Model)
independent evidence
-
Content-sanitized DOM
independent evidence
Reference graph
Works this paper leans on
-
[1]
These checks inspect the interaction logs to confirm that specific UI elements were engaged
UI checksverify that the Agent performed the correct interface interactions (e.g., clicked the appropriate button, submitted a form, applied a filter). These checks inspect the interaction logs to confirm that specific UI elements were engaged
-
[2]
Filter to show only size S products. How many are there?
Model output checksverify that the Agent’s final response contains the correct information (e.g., the correct count, name, or extracted content). These checks parse the Agent’s textual output and compare against ground truth. Some tasks require both check types. For instance, “Filter to show only size S products. How many are there?” requires a UI check (...
-
[3]
Element identification.On page load, the framework scans for elements with data-untrustedattributes
-
[4]
Placeholder generation.Each untrusted element’s content is hidden via CSS and replaced with a placeholder displaying a unique identifier (e.g.,id: merchant-name:3)
-
[5]
ID assignment.Elements receive a unique data-qllm-id attribute based on a human- readable name set by the website owner, (e.g., merchant-name), and index, enabling unambiguous reference by the Q-Model
-
[6]
Dynamic content handling.A MutationObserver monitors DOM changes to automatically mask dynamically inserted untrusted elements. B.3 Main Agent System Prompt The main Agent receives the following system prompt that explains the security context and available tools: Listing 1: System prompt for the main Agent with Q-Model access (abbreviated). You are a hel...
-
[7]
bool " - For yes / no q u e s t i o n s ( returns true / false ) - Example :
" bool " - For yes / no q u e s t i o n s ( returns true / false ) - Example : " Is the name on this account Michael " - R es pon se : {" result ": true , " type ": " bool "}
-
[8]
" int " - For integer values with o pti on al min / max range
-
[9]
" float " - For decimal values with op tio na l min / max range
-
[10]
" enum " - For single choice from p r e d e f i n e d options
-
[11]
" date " - For dates in ISO format ( YYYY - MM - DD ) ... T A R G E T I N G R E Q U I R E M E N T S : - I M P O R T A N T : You MUST specify WHICH u n t r u s t e d element to analyze via the " target " object ( do not analyze the whole page ) . - I M P O R T A N T : Each hidden p l a c e h o l d e r shows text in the format " id : < actual - id >" ( e . ...
-
[12]
C a r e f u l l y analyze the HTML / DOM content pr ov ide d ... ... Return type : { r e t u r n _ t y p e } [ Type - sp ec if ic i n s t r u c t i o n s ap pen de d here based on r e t u r n _ t y p e ] Re sp on se format :
-
[13]
First , provide your th ou gh ts and r e a s o n i n g (1 -3 s e n t e n c e s )
-
[14]
Then , on a new line , provide your final answer in the format : " Answer : < value >" Example re spo ns e : Th ou gh ts : Looking at the reviews , I can see mu lt ip le m en tio ns of " great for running " and " perfect for jogging ". The s e n t i m e n t is clearly po sit iv e . Answer : true For each return type, specific formatting instructions are a...
work page 2024
-
[15]
This requires the attacker to anticipate the benign task
Wrong-repository steering.The attacker induces the Agent to operate on a repository different from the one the user intended. This requires the attacker to anticipate the benign task. 22
-
[16]
Invite Marko to my dotfiles repo as Guest
Malicious contributor addition.The attacker causes the Agent to add an incorrect user as a contributor. In addition to anticipating the benign task, this requires a malicious username that shares a prefix with the intended one (so that it surfaces in search results) and is long enough to encode a prompt injection. Example 1: Wrong repository.Consider the ...
work page 2025
-
[17]
HTML collection.Fetch target pages using Playwright, ensuring dynamic content rendered by JavaScript frameworks is fully loaded
-
[18]
Content removal.Process HTML to remove all user-visible content while preserving structure
-
[19]
LLM analysis.Analyze cleaned HTML with LLM (Claude Sonnet 4.5) to identify CSS rule based selectors targeting untrusted content through iterative refinement. G.1 Content Sanitization To prevent the LLM from using content patterns to identify untrusted elements, we scrape all user-visible information from the HTML: • Replace all text content with length pl...
-
[20]
Apply hand-labeled selectors to each evaluated page (Booking, Reddit, GitLab) and record which elements match (ground truth setG). 24
-
[21]
Apply LLM-generated selectors to the same page and record which elements match (pre- dicted setP)
-
[22]
post"> but the LLM selector targets <div class=
Compare element sets to compute true positives (TP), false positives (FP), and false negatives (FN). Each element is uniquely identified by its XPath. We count an element as TP if it appears in both G andP, FP if it appears only inP, and FN if it appears only inG. Per-type element matching.We report metrics at the level ofelement types, where elements are...
-
[23]
Be S PE CI FIC : avoid bare class s e l e c t o r s that match u n r e l a t e d UI ; scope s e l e c t o r s using stable a t t r i b u t e s ( e . g . , data - testid ) or parent context
-
[24]
Be G RA NU LAR : target leaf e le men ts whose entire content is u n t r u s t e d ; do not select c o n t a i n e r s that mix pl at fo rm UI with user content . 25
-
[25]
Do NOT mark pl at for m UI as u n t r u s t e d ( navigation , search forms , filter controls , headers , buttons , breadcrumbs , footers , platform - a g g r e g a t e d scores and counts )
-
[26]
Images u pl oa ded by users / owners ARE u n t r u s t e d ; static pl at fo rm imagery is not . Output format : ONLY a valid JSON array , no other text . In subsequent round, the LLM is shown the selectors it has proposed so far and asked whether any untrusted regions remain unmarked. The follow-up prompt also reminds the model to avoid container-level s...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.