6.12
.
Browser Agent Cross-Origin / DOM Trust Failure
sail
6.12
Risk
Browser Agent Cross-Origin / DOM Trust Failure
Description
Agentic browsers and browser-extension agents make cross-origin tool invocations, treat page DOM as instructions, or inherit cookies and credentials across origins.
Example
A poisoned page in an agentic browser instructs the agent to read cookies from a banking tab and POST them to an attacker domain (CometJacking-class).
Assets Affected
AI Agent
Agent Execution Sandbox
AI App
Mitigation
- Constrain browser agent origin model
- treat page DOM as untrusted input
- isolate cookie and credential access per origin
- monitor for cross-origin tool invocations
- require explicit user consent for sensitive page interactions.
Standards Mapping
- ISO: A.4.5, A.6.2.6
- OWASP agentic: ASI01, ASI02
- OWASP LLM: LLM01:2025
- EU AI Act: Art. 15(5)
- DASF: Agents-MCP Client 13.32, Agents-Core 13.11
- AIUC-1: B008, B006