Same-Origin Policy for Agentic Browsers
- company BrowserOS
- company Hugging Face
- lab arXivLabs
- location Taiwan
- model SOPGuard
- person Sam Altman
- product BrowserOS
- product alphaXiv
A new study finds that agentic browsers — web browsers controlled by autonomous AI agents — routinely violate the same-origin policy, a bedrock web security rule, and proposes a dedicated enforcement mechanism called SOPGuard to close the gap [1][2]. The same-origin policy (SOP) prevents scripts from one website from accessing data on another, a safeguard that underpins modern browser security [6][7]. Researchers from the paper “Same-Origin Policy for Agentic Browsers” argue that the rise of agentic browsers, which let users issue natural-language commands to complete web tasks, has created an unexamined threat: the AI agent itself can become an automated channel for cross-origin data flows [1][2]. To measure the problem, the team built SOPBench, a benchmark for evaluating SOP violations in agentic browsers, and found that existing systems frequently breach the policy in both benign scenarios and under active attack [1][2]. A separate study accepted at ICLR 2026 corroborates these findings. Franziska Roesner and David Kohlbrenner examined seven agentic browsers, including ChatGPT Atlas and Chrome with Gemini, and documented a wide range of design choices governing how embedded agents interact with web content [3][4]. In the least restrictive implementations, a malicious website that successfully injects a prompt can leverage the browser agent to steal cross-origin content or forge user actions on other sites [3][4]. The authors demonstrated a full proof-of-concept attack on ChatGPT Atlas and noted that several other browsers met the preconditions for cross-origin attacks [3][4]. A third research effort, detailed in a separate arXiv preprint, catalogued attacks that revive ten heavily mitigated web threats that modern browser architectures were designed to close [5]. The authors distilled the failures into five broad modes: agents bridging cross-site data, agents bridging same-site data, agents hallucinating URLs, websites attacking the large language model directly, and agents misusing integrated tools [5]. The paper concludes that meaningful protection of confidentiality and integrity will likely require rearchitecting agentic browsers around a security model aligned with a formal threat model, rather than retrofitting safety atop existing designs [5]. To address the enforcement gap, the SOPGuard proposal introduces a mechanism tailored specifically for agentic browsers [1][2]. The researchers implemented SOPGuard in BrowserOS, an open-source agentic browser, and report that it enforces the same-origin policy while preserving utility and adding only a small runtime overhead [1][2]. The code and data have been released publicly [1][2].
regulationresearch-paperapplicationtool-releasemodel-releaseproduct-launchbenchmark
Background sources we checked (10)
- arxiv.org ↗ Agentic browsers integrate autonomous AI agents into web browsers, enabling users to accomplish web tasks through natural-language instructions. The same-origin policy (SOP) is a fundamental browser security mechanism that prevents unauthorized automated cross-origin data flows i…
- openreview.net ↗ Agentic Browsers and the Same-Origin Policy | OpenReview ## Agentic Browsers and the Same-Origin Policy ### Franziska Roesner, David Kohlbrenner ICLR 2026 AIWILDEveryone Revisions CC BY 4.0 Keywords: agentic browsers, browser agents, same-origin policy, web security, prompt i…
- openreview.net ↗ ABSTRACT The same-origin policy, which prevents web content from one origin from ac cessing or interacting with content from another origin, is a key component of browser security. In this paper, we conceptually and experimentally investigate how emerging agentic browsers (such a…
- arxiv.org ↗ The attacks show that the current revisions of agentic browsers allow for the circumvention of the same-origin policy, a cornerstone of the web through agent-mediated means and bring back 10 heavily-mitigated web threats that modern browser architectures were explicitly designed …
- en.wikipedia.org ↗ An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small block of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the de…
- en.wikipedia.org ↗ Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3…
- en.wikipedia.org ↗ Google Chrome is a cross-platform web browser developed by Google. It was launched in September 2008 for Microsoft Windows and was built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, iPadOS, and Android, w…
- en.wikipedia.org ↗ Safari is a web browser developed by Apple. It is built into several of Apple's operating systems, including macOS, iOS, iPadOS, and visionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML. It is the second most used browser in the world, after …
- en.wikipedia.org ↗ The Mozilla Application Suite (originally known as Mozilla, marketed as the Mozilla Suite) is a discontinued cross-platform integrated Internet suite. Its development was initiated by Netscape Communications Corporation, before their acquisition by AOL. It was based on the source…
- huggingface.co ↗ mradermacher/Clado-BrowserOS-Action-i1-GGUF · Hugging Face ... weighted/imatrix quants of https://huggingface.co/DavidBShan/Clado-BrowserOS-Action ... For a convenient overview and download list, visit our model page for this model. ... static quants are available at https://hugg…
Sources
- export.arxiv.org — Same-Origin Policy for Agentic Browsers ↗