system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

Untrusted Content Masking: a provable injection defense for web agents

A July 2026 paper restores the trust boundary web agents lose when they read a rendered page — masking untrusted DOM regions and routing them through a type-constrained model to block injection by construction.

2026-07-07 // 7 min affects: claude-sonnet-4-5, claude-sonnet-4-6, gpt-5-4, claude-in-chrome

What is this?

On July 6, 2026, Kristina Nikolić (ETH Zurich), Egor Zverev (ISTA), Javier Rando (Anthropic / ETH Zurich), Matthew Jagielski (Anthropic), Edoardo Debenedetti and Florian Tramèr (ETH Zurich) published Untrusted Content Masking for Web Agents with Security Guarantees on arXiv. It proposes a defense — Untrusted Content Masking (UCM) — that gives a web-browsing agent a provable guarantee against prompt-injection control-flow hijacking, while still letting it read pages and act on them.

The starting problem is a known gap. Defenses that carry a formal guarantee against prompt injection all rely on strict isolation between trusted instructions and untrusted data. In a text tool-use API that boundary is natural: the agent reads a function’s interface, not the raw untrusted payload. A web agent has no such luxury — it must observe a rendered page, which, in the authors’ words, “intermingles trusted content with untrusted content.” That structural entanglement dissolves the trust boundary the guarantee depends on. UCM is an attempt to rebuild it inside the browser. This is peer-reviewed academic work on a defense; no working exploit is reproduced here.

How it works

The key observation is that a page’s DOM already encodes enough structure to separate trusted from untrusted regions without reading their content. UCM redacts untrusted regions before they ever reach the agent, swapping each one for a labeled placeholder that keeps the layout and, where available, a semantic tag (advertisement, user comment, review) plus an element ID. The agent sees the full trusted page and its structure, but has zero exposure to attacker-controlled text or images.

When a task genuinely needs an untrusted value, the agent still does not read it. It queries an isolated Quarantined Model (Q-Model): it references the masked element’s ID, asks a natural-language question, and declares a return type from a fixed set — bool, int, float, date, enum. The Q-Model reads the hidden content and returns a type-constrained answer.

rendered page
   ├── trusted regions ─────────────► agent (full visibility)
   └── untrusted regions
          │  replaced by labeled placeholder [#c12: "user comment"]

   agent needs the value? ──► ask Q-Model: "is #c12 a 5-star review?" -> bool

   Q-Model reads hidden text, returns:  true
          │  (a bool cannot carry "navigate to evil.com")

   injected instruction cannot propagate into the agent's control flow

Because a boolean or an integer cannot smuggle a free-form instruction, control-flow hijacking is blocked by construction, no matter how clever the injection. Who draws the boundaries? An active site owner labels untrusted regions directly — the authors found 15–30 CSS selectors per site sufficed for GitLab, Booking.com and Reddit. For a passive owner who provides nothing, an LLM infers the boundaries from a content-sanitized DOM (structure and tags kept, all text stripped so the labeler itself can’t be injected) and emits CSS selectors.

Why it matters

The numbers are the point. Against the WASP benchmark with strengthened attacks, UCM reached 0% attack success rate across Claude Sonnet 4.5, Claude Sonnet 4.6 and GPT-5.4. Utility held up: on ten custom task suites the masked agent matched the undefended one, at a cost overhead of 1.05×–1.84× — and about 15% of tasks were actually cheaper, because a decluttered page is easier to navigate. On real WebArena GitLab tasks the type-constrained Q-Model solved the majority, and an optional user-approved string fallback recovered full undefended utility.

The architectural lesson generalizes past work like the lethal trifecta. Heuristic filters can be beaten by adaptive attackers; earlier guaranteed defenses bought their guarantee by keeping the agent blind to page content, which gutted utility. UCM instead removes the attack surface — untrusted content never enters the agent’s context — while letting the agent run its normal reason-and-act loop.

Defenses

For teams building or hardening computer-use agents, the paper offers a concrete pattern rather than another filter.

Draw the trust boundary at the DOM, not in the token stream. Deciding what is trusted from structure — before any untrusted text is read — is what makes the isolation soundly enforceable, unlike keyword or classifier filters that must first ingest the payload.

Route untrusted reads through a type-constrained, isolated model. Forcing the Q-Model to answer as a bool/int/date/enum is the mechanism that stops injected instructions from returning as control flow. Reserve free-text extraction for an explicit user-approval path.

Mind the residual data-flow risk. UCM guarantees control-flow integrity, not correct values: a well-typed but attacker-chosen answer can still mislead. The authors bound this by querying each untrusted element in a fresh, isolated Q-Model call, so aggregate manipulation needs the attacker to control a large share of inputs, and by flagging multiple positive matches as a tampering signal. Pair it with action-level policies and user confirmation for sensitive actions.

Know the trust anchor. The guarantee assumes an honest site owner and correct labels; a fully malicious site is unsafe regardless, and active-content bugs (XSS that escapes a labeled region or rewrites the DOM at runtime) are explicitly out of scope.

Status

ItemDetail
DisclosurearXiv preprint 2607.05277 v1, published July 6, 2026 (CC BY 4.0)
ClassDefense — provable control-flow-integrity against web-agent prompt injection via DOM masking + quarantined typed model
Tested onAgents: Claude Sonnet 4.5, Claude Sonnet 4.6, GPT-5.4 · Q-Model: Claude Sonnet 4.5
Reported result0% ASR on strengthened WASP; utility preserved; 1.05×–1.84× cost overhead
Boundary labelingActive owner: 15–30 CSS selectors/site · Passive owner: LLM inference on content-sanitized DOM (F1 0.84–0.997)
Known limitsData-flow attacks (well-typed wrong values); honest-owner + correct-label assumption; XSS / active content out of scope
Codegithub.com/ethz-spylab/untrusted-content-masking

Sources