Ultra13
Learn · Browser Agents

How do you secure browser-using AI agents?

A browser-using AI agent reads the page it visits — and pages can contain instructions. Treat page DOM, OCR text, and QR content as untrusted observation. It can influence extraction and summary, but it must not authorize cross-origin navigation, credentialed form submission, file download, or admin actions.

By the Ultra13 teamPublished Updated
TL;DR
  • Page content is untrusted observation, not operator intent.
  • The DOM, OCR text, and QR codes can all carry injected instructions.
  • Content can inform extraction; it cannot authorize navigation or form submission.
  • Gate credentialed and cross-origin actions with policy.

The DOM is an attack surface

A browser agent confuses page content with operator intent when a page says “click the admin link” or “submit this form.” Because the agent uses the user’s authenticated browser, that confusion turns into real, credentialed actions.

Keep observation and action separate

Source-to-sink policy lets page content shape extraction and summary while blocking it from authorizing cross-origin navigation, credentialed submits, downloads, or admin actions — the same discipline as tool-call security, applied to the browser.

FAQ

Frequently asked questions

How do you control AI agent browser actions?
Treat the DOM as untrusted observation and gate high-risk actions — cross-origin navigation, credentialed form submission, downloads, admin actions — behind source-to-sink policy and approval.
How do you stop image-borne prompt injection?
Screen OCR text, EXIF, and QR content as untrusted context. It can inform the answer but cannot authorize an action.

See where the firewall stops the path.

Give us one agent workflow. We’ll map the context boundary, replay the abuse paths, and show where the Context Firewall blocks them.