Prismata: Stopping Cross-Site Prompt Injection in Web Agents
Prismata: Confining cross-site prompt injection in web agents

Autonomous web agents face a critical risk where malicious content can hijack their instructions through prompt injection. We present Prismata, a defense system that enforces contextual least privilege without needing developer annotations. By dynamically labeling page content and restricting agent capabilities, Prismata substantially reduces attack success while preserving the utility of benign tasks across the long tail of websites.
"Cross-Site Scripting proved that mixing trusted and untrusted content is dangerous, even on benign pages."