
  <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
      <title>Chaos and Order</title>
      <link>https://www.youngju.dev/blog</link>
      <description>천천히 올바르게. AI Researcher &amp; DevOps Engineer Youngju&#39;s tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering.</description>
      <language>ko</language>
      <managingEditor>fjvbn2003@gmail.com (Youngju Kim)</managingEditor>
      <webMaster>fjvbn2003@gmail.com (Youngju Kim)</webMaster>
      <lastBuildDate>Sat, 11 Jul 2026 00:00:00 GMT</lastBuildDate>
      <atom:link href="https://www.youngju.dev/tags/prismata/feed.xml" rel="self" type="application/rss+xml"/>
      
  <item>
    <guid>https://www.youngju.dev/blog/2026-07-11-confining-prompt-injection-web-agents.en</guid>
    <title>Web Agents Read Page Text as Commands — Cross-Site Prompt Injection and Prismata&#39;s Confinement</title>
    <link>https://www.youngju.dev/blog/2026-07-11-confining-prompt-injection-web-agents.en</link>
    <description>Prismata, posted to arXiv on July 9, 2026 by Villa, Ozdarendeli, Tan, and Popa, tackles the oldest weakness of autonomous web agents. Because agents interpret natural language as instructions, third-party and user-generated content on a page can hijack the agent outright, and the authors read this as Cross-Site Scripting returning. Prismata&#39;s answer is contextual least privilege: derive trust from page structure, redact untrusted content, and restrict what the agent can do, all without developer annotations so the long tail of sites is covered. I also note the honest part, which is that the abstract claims it substantially reduces attack success, not that it eliminates it.</description>
    <pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>prompt-injection</category><category>web-agents</category><category>ai-security</category><category>least-privilege</category><category>browser-agents</category><category>prismata</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/2026-07-11-confining-prompt-injection-web-agents.ja</guid>
    <title>ウェブエージェントはページの文章を命令として読む — クロスサイトプロンプトインジェクションとPrismataの封じ込め</title>
    <link>https://www.youngju.dev/blog/2026-07-11-confining-prompt-injection-web-agents.ja</link>
    <description>2026年7月9日にarXivへ投稿されたPrismata論文(Villa、Ozdarendeli、Tan、Popa)は、自律型ウェブエージェントのもっとも古い弱点を扱います。エージェントは自然言語を命令として解釈するため、ページに混ざった第三者・ユーザー生成コンテンツがそのままエージェントを乗っ取れてしまいます。著者らはこれをCross-Site Scriptingの再来と見ます。Prismataは、ページ構造から信頼を導き、信頼できないコンテンツを伏せ、エージェントの行動権限を制限する「文脈的最小権限」の防御を提案します。開発者の注釈が不要でロングテールのサイトにも効く一方、論文が攻撃成功率を大きく下げるとだけ述べ、完全な遮断は主張していない点も併せて整理します。</description>
    <pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>prompt-injection</category><category>web-agents</category><category>ai-security</category><category>least-privilege</category><category>browser-agents</category><category>prismata</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/2026-07-11-confining-prompt-injection-web-agents</guid>
    <title>웹 에이전트는 웹페이지의 글을 명령으로 읽는다 — 교차 사이트 프롬프트 인젝션과 Prismata의 봉쇄</title>
    <link>https://www.youngju.dev/blog/2026-07-11-confining-prompt-injection-web-agents</link>
    <description>2026년 7월 9일 arXiv에 올라온 Prismata 논문(Villa, Ozdarendeli, Tan, Popa)은 자율 웹 에이전트의 가장 오래된 약점을 다룹니다. 에이전트는 자연어를 명령으로 해석하기 때문에, 페이지에 섞인 제3자·사용자 생성 콘텐츠가 그대로 에이전트를 탈취할 수 있습니다. 저자들은 이를 Cross-Site Scripting의 재림으로 봅니다. Prismata는 신뢰를 구조적으로 도출해 콘텐츠를 가리고 에이전트의 행동 권한을 제한하는, 문맥적 최소 권한 방어를 제안합니다. 개발자 주석이 필요 없어 롱테일 웹사이트에도 적용된다는 점, 그리고 논문이 공격 성공률을 크게 줄인다고만 말할 뿐 완전한 차단을 주장하지 않는다는 점을 함께 짚습니다.</description>
    <pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>prompt-injection</category><category>web-agents</category><category>ai-security</category><category>least-privilege</category><category>browser-agents</category><category>prismata</category>
  </item>

    </channel>
  </rss>
