SAIL 2.0

/

Operate - Safe Execution Environment - Sandbox

/

Browser Agent Cross-Origin / DOM Trust Failure

6.12

.

Browser Agent Cross-Origin / DOM Trust Failure

sail
6.12
Risk

Browser Agent Cross-Origin / DOM Trust Failure

Description

Agentic browsers and browser-extension agents make cross-origin tool invocations, treat page DOM as instructions, or inherit cookies and credentials across origins.

Example

A poisoned page in an agentic browser instructs the agent to read cookies from a banking tab and POST them to an attacker domain (CometJacking-class).

Assets Affected

AI Agent

Agent Execution Sandbox

AI App

Mitigation
  • Constrain browser agent origin model
  • treat page DOM as untrusted input
  • isolate cookie and credential access per origin
  • monitor for cross-origin tool invocations
  • require explicit user consent for sensitive page interactions.
Standards Mapping
  • ISO: A.4.5, A.6.2.6
  • OWASP agentic: ASI01, ASI02
  • OWASP LLM: LLM01:2025
  • EU AI Act: Art. 15(5)
  • DASF: Agents-MCP Client 13.32, Agents-Core 13.11
  • AIUC-1: B008, B006