Prismata: Confining Cross-Site Prompt Injection in Web Agents
Summary
The arXiv paper Prismata introduces a defense for web agents against cross-site prompt injection by enforcing contextual least privilege and dynamic trust derivation. It uses content labeling and structural confinement to bound agent capabilities and feeds these labels through redaction and enforcement mechanisms, aiming to preserve benign utility while dramatically reducing attack success. The approach is annotation-free, scalable to the long tail of websites, and draws on integrity-model concepts to ensure confinement guarantees.