Headless sandbox
Playwright/Puppeteer in Docker. No shared cookies with real browser. Ephemeral profile per session.
Advertisement
DOM extraction
Extract text via accessibility tree, not raw HTML. Reduces injection surface. Structured DOM.
Advertisement
Injection filter
Classifier on extracted content before feeding LLM. Delimit as untrusted.
Screenshot risk
Multi-modal agents read text in screenshots. Injection via image text (text-in-image). OCR-aware filter.