Go to ICLR 2026 Workshop AIWILD homepageAgentic Browsers and the Same-Origin Policy
Keywords: agentic browsers, browser agents, same-origin policy, web security, prompt injection
TL;DR: With systematic experiments, we find that many agentic browsers fail to uphold the web's same-origin policy, enabling cross-origin attacks from malicious websites.
Abstract: The same-origin policy, which prevents web content from one origin from accessing or interacting with content from another origin, is a key component of browser security. In this paper, we conceptually and experimentally investigate how emerging agentic browsers (such as ChatGPT Atlas or Chrome with Gemini) handle the same-origin policy and related webpage access questions. Across seven agentic browsers, we find a wide variety of design decisions around how the embedded agents can interface with web content. In the least restrictive cases, we find that if a malicious website can mount a successful prompt injection, then it can leverage the browser agent to circumvent the same-origin policy — for example, to steal cross-origin content or forge user actions on other sites. We demonstrate
a full proof-of-concept attack on one agentic browser (ChatGPT Atlas) and find that several others meet preconditions for cross-origin attacks.
PDF: pdf
Email Sharing: We authorize the sharing of all author emails with Program Chairs.
Data Release: We authorize the release of our submission and author names to the public in the event of acceptance.
Submission Number: 58
Loading