CaptchaLa Blog

Appearance

Same-Origin Policy for Agentic Browsers

Source: arXiv:2606.14027 · Published 2026-06-12 · By Xilong Wang, Xiaoxing Chen, Patrick Li, Dawn Song, Neil Gong

TL;DR

This paper addresses the important security challenge posed by agentic browsers, which integrate autonomous AI agents capable of performing web tasks via natural language instructions. Traditional browsers enforce the same-origin policy (SOP) to prevent unauthorized automated cross-origin data flows triggered by scripts. However, whether SOP remains effective in agentic browsers—a novel paradigm where an AI agent can persistently retain and transfer data across webpage origins—has not been systematically studied. The authors expose that agentic browsers inherently violate SOP due to the agent acting as an automated cross-origin data channel, both in benign and adversarial prompt injection settings. To quantify this risk, they create SOPBench, a comprehensive benchmark spanning 10 source and 5 sink webpage categories with synthetic and real data. Evaluations demonstrate widespread SOP violations in current agentic browsers and backbone large language models (LLMs). To mitigate this, they propose SOPGuard, an origin-label tracking and enforcement mechanism tailored for agentic browsers, implemented in the open-source BrowserOS. SOPGuard tracks data provenance and requires user confirmation before cross-origin writes, reducing SOP violations on SOPBench to zero with minimal (~2-6%) runtime overhead while preserving utility. This work is pioneering in clarifying the security boundaries of SOP for agentic browsers and provides both a benchmark and a practical enforcement mechanism.

Key findings

  • Agentic browsers violate SOP extensively: proactive SOP violation rates exceed 40-100% across five popular agentic browsers and six backbone LLMs on synthetic SOPBench data.
  • Optimization-based prompt injection attacks yield higher SOP violation rates than heuristic-based attacks, with rates up to 0.84 on SeeAct with OpenAI o3 LLM for Airlines→Reddit source-sink.
  • Passive SOP violations occur even without attacks, e.g., by summarizing iframe-embedded cross-origin content, showing that agentic browsers leak data in benign uses.
  • SOPGuard implemented in BrowserOS eliminates all SOP violations on SOPBench, reducing violation rates to 0.00 across attack types and webpage categories.
  • SOPGuard introduces only 2.07% to 5.79% runtime overhead and maintains utility comparable to unprotected BrowserOS per paired two-sided t-tests.
  • SOPBench contains 10 source and 5 sink webpage categories with 20-100 webpages each, combining ten private-data rich source types and public sink types like Reddit, GitHub, Google Forms.
  • User confirmation in SOPGuard blocks unauthorized automated writes but still allows manual cross-origin data transfers, respecting traditional SOP assumptions.

Threat model

The adversary is an attacker controlling or partially controlling a sink webpage who seeks to induce the agentic browser to leak private information obtained from a different (source) webpage of another origin. The attacker may fully control the sink webpage content (owner-level) or partially control content (e.g., by posting comments). They have black-box access to the agentic browser (can query it and observe actions and outputs) but do not possess internal knowledge such as system prompts or model parameters. The adversary cannot modify the agentic browser's internal code or the source webpage. The goal is to bypass SOP protections that prevent unauthorized automated cross-origin data flows.

Methodology — deep read

The paper's methodology unfolds systematically to evaluate SOP violations in agentic browsers and design enforcement.

(1) Threat Model: Adversaries seek unauthorized automated cross-origin data flows via agentic browsers. They may be sink webpage owners with full control or malicious users with partial content control. They have black-box query access to the agentic browser’s outputs but lack internal details like system prompts or weights. The attacker aims to inject prompts that cause the agent to leak private information gathered from a source webpage to a sink webpage.

(2) Data: SOPBench was constructed with 10 synthetic source webpage categories (e-commerce, banking, airlines, email, calendar, messages, HR portal, document workspace, insurance, and pharmacy) generated via GPT-5.4 to replicate realistic private user data without using real user information. It also includes some static real webpage snapshots. Five sink webpage categories were chosen (X/Twitter, Discord, GitHub, Reddit, and Google Forms), synthesized via GPT-5.4 with layouts matching the real websites. The benchmark covers 50 source–sink category pairs, with 20–100 webpages each, ensuring coverage of diverse scenarios.

(3) Architecture / Algorithm: The authors observe the agent in agentic browsers retains data in an interaction history accessible across origins, allowing cross-origin data flows even when the browser enforces SOP for scripts. To prevent SOP violations, SOPGuard was designed with five components: a label database storing origin labels for data objects, a labeling module that assigns origin labels on data reading, a label propagation module that tracks labels through agent data processing outputs, a detection module that compares the origin label of data about to be written with the sink webpage origin, and a user confirmation step that blocks unauthorized writes unless explicitly approved.

(4) Training Regime: Not applicable as this is not a learned model paper; rather, large language models (LLMs) GPT-5.4-mini, GPT-5.4, OpenAI o3, GPT-5.5, Claude Sonnet, and Gemini Pro were used as backbone LLMs in experiments to simulate agent behavior.

(5) Evaluation Protocol: The protocol evaluates both passive SOP violation scenarios (benign uses allowing unintentional cross-origin data flows) and proactive violations induced by prompt injection attacks. Two attack types were tested on sink webpages: heuristic-based prompt injections (Combined Attack) from prior work and a novel optimization-based attack extending TAP to generate natural but malicious prompts. Agentic browsers tested include three open-source (BrowserOS, VisualWebArena, SeeAct) and two closed-source (Perplexity Comet, ChatGPT Atlas). SOP violation rate was the main metric: fraction of runs where the agent wrote exact private data from a source webpage into a sink webpage without authorization, evaluated strictly by exact match to injected tasks. Each setting ran 100 trials (3 for manual closed-source runs). Utility and runtime overhead of SOPGuard were measured on SOPBench and three other benchmarks.

(6) Reproducibility: The authors open sourced SOPGuard and SOPBench code and data at https://github.com/wxl-lxw/BrowserOS-SOPGuard. The benchmark synthetic webpages, prompts, and evaluation scripts enable independent replication. Closed-source browsers required manual evaluation.

A concrete example: In proactive SOP violation, a user interacts with a banking source webpage giving a benign task to view account details. The agent ingests private account info into its history. Then the user visits a Reddit sink webpage containing a heuristic-based injected prompt disguised as a comment that instructs the agent to leak banking credentials. The agent obeys, writing private info into the Reddit comment box, violating SOP. SOPGuard intercepts this by checking the origin label on the data user tries to write to Reddit (sink origin) and blocks automatic write until explicit user consent.

Overall, the methodology combines realistic synthetic data, diverse agentic browsers, multiple LLMs, carefully designed attacks, and a principled labeling enforcement mechanism with human-in-the-loop policies to rigorously study and mitigate SOP violations.

Technical innovations

  • Identification that agentic browsers' AI agents act as automated cross-origin data channels, potentially bypassing traditional SOP protections enforced at script level.
  • Construction of SOPBench, a comprehensive synthetic benchmark spanning 10 private data-rich source webpage categories and 5 sink webpage categories with both benign and multiple prompt injection attack scenarios.
  • Design of SOPGuard, a novel SOP enforcement mechanism for agentic browsers using origin-label propagation through the agent's interaction history and output data along with user confirmation before cross-origin data writes.
  • Extension of TAP prompt optimization to craft sophisticated black-box prompt injection attacks against agentic browsers inducing cross-origin data flows.

Datasets

  • SOPBench — ~2000 synthetic webpages across 10 source and 5 sink categories — synthesized with GPT-5.4, includes some real static snapshots

Baselines vs proposed

  • VisualWebArena with GPT-5.4-mini: heuristic-based SOP violation rates between 0.37 and 1.00 across sink-source pairs vs SOPGuard: 0.00 violation rate
  • SeeAct with OpenAI o3: optimization-based attack achieves SOP violation rate up to 0.84 (Airlines→Reddit) vs SOPGuard: 0.00
  • BrowserOS with GPT-5.4-mini: heuristic-based attack violation rates ~0.30 to 0.99 vs SOPGuard: 0.00
  • Runtime overhead: BrowserOS-SOPGuard incurs 2.07% to 5.79% runtime overhead compared to BrowserOS baseline
  • Utility (measured on Mind2Web, WebArena-Infinity, REAL, SOPBench) remains statistically comparable under paired two-sided t-test between SOPGuard and BrowserOS

Figures from the paper

Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2606.14027.

Fig 1

Fig 1: Overview of SOPGuard.

Fig 2

Fig 2 (page 2).

Fig 4

Fig 4: Screenshot of agentic browser, using BrowserOS as an example.

Fig 20

Fig 20: Screenshot of e-commerce webpage.

Fig 21

Fig 21: Screenshot of banking webpage.

Fig 22

Fig 22: Screenshot of airlines webpage.

Fig 23

Fig 23: Screenshot of email webpage.

Fig 24

Fig 24: Screenshot of calendar webpage.

Limitations

  • SOPBench relies primarily on synthetic webpages generated by GPT-5.4, which might not capture all nuances of real-world webpages or user behaviors.
  • Evaluation on closed-source agentic browsers was limited to three manual runs per setting due to lack of automation, reducing statistical robustness.
  • SOPGuard’s user confirmation mechanism may introduce usability friction; the paper does not explore long-term user experience or habituation effects.
  • Robustness of SOPGuard against adaptive attacker strategies beyond studied heuristic and optimization-based prompt injections remains unexplored.
  • The evaluation focuses on offline benchmarks rather than live interaction with dynamic real-world web services.
  • No adversarial evaluation against fully white-box attackers who might reverse-engineer SOPGuard’s inner labeling mechanism.

Open questions / follow-ons

  • How can SOP enforcement mechanisms be scaled to support more complex multi-agent interactions and dynamic origin definitions in agentic browsers?
  • Can adaptive adversaries develop prompt injections that subvert label propagation or user confirmation, and how can defenses evolve accordingly?
  • What are the long-term usability impacts and user burden trade-offs introduced by interactive SOP enforcement in agentic contexts?
  • How do real-world web complexity and third-party scripts impact SOPGuard effectiveness in live agentic browser deployments?

Why it matters for bot defense

This work informs bot-defense and CAPTCHA practitioners that agentic browsers, integrating autonomous AI agents, introduce novel cross-origin data flow risks that traditional same-origin policies do not fully address. Given the rising use of agentic browsers to automate web interactions, bots might exploit prompt injection attacks to leak data across origins invisibly, bypassing script-level SOP protections. Defenses like SOPGuard that track data origin labels across an agent’s reasoning and require user consent for cross-origin writes are critical new tools to prevent unauthorized data exfiltration in automated browsing contexts. Captcha platforms and bot detection systems can consider similar principles of provenance tracking and user confirmation when designing defenses for agentic browser-driven automation to limit data leakage and unauthorized interactions.

Cite

bibtex
@article{arxiv2606_14027,
  title={ Same-Origin Policy for Agentic Browsers },
  author={ Xilong Wang and Xiaoxing Chen and Patrick Li and Dawn Song and Neil Gong },
  journal={arXiv preprint arXiv:2606.14027},
  year={ 2026 },
  url={https://arxiv.org/abs/2606.14027}
}

Read the full paper

Articles are CC BY 4.0 — feel free to quote with attribution

© 2026 CaptchaLa