Search papers, labs, and topics across Lattice.
This paper introduces Untrusted Content Masking (UCM), a novel approach designed to restore security guarantees for web agents by effectively separating trusted and untrusted content in rendered pages. By leveraging the Document Object Model (DOM) to identify and redact untrusted regions without direct content inspection, UCM allows agents to interact with web environments while maintaining a secure boundary against prompt injection attacks. The key result demonstrates that UCM enables safe agent operation in complex web environments, preserving the integrity of security protocols that are typically compromised by content entanglement.
Web agents can now safely interact with complex environments while avoiding prompt injection attacks by masking untrusted content without ever reading it.
Defenses that provide security guarantees against prompt injection attacks rely on strict isolation between trusted instructions and untrusted data. In text-based environments such as tool-use APIs, this separation arises naturally: agents can reason from interface definitions without ever processing untrusted content. Extending these guarantees to web agents faces a fundamental challenge: to perceive and interact with their environment, web agents must first observe the rendered page, which intermingles trusted content with untrusted content. This structural entanglement removes the trust boundary on which security guarantees depend, undermining provable defenses for web agents. In this paper, we present Untrusted Content Masking (UCM), a simple and effective approach that restores this boundary in web environments. We leverage a key structural insight: a webpage's Document Object Model (DOM) encodes sufficient information to distinguish trusted from untrusted regions without reading their content. Our framework exploits this by redacting untrusted regions before they reach the agent and routing interaction through a sandboxed interface with strict privilege separation, thereby enabling agents to observe and interact with their environment while remaining isolated from adversarial content. The code is publicly available.