Agentic Browsers and the Same-Origin Policy

The same-origin policy, which prevents web content from one origin from accessing or interacting with content from another origin, is a key component of browser security. In this paper, we conceptually and experimentally investigate how emerging agentic browsers (such as ChatGPT Atlas or Chrome with Gemini) handle the same-origin policy and related webpage access questions. Across seven agentic browsers, we find a wide variety of design decisions around how the embedded agents can interface with web content. In the least restrictive cases, we find that if a malicious website can mount a successful prompt injection, then it can leverage the browser agent to circumvent the same-origin policy — for example, to steal cross-origin content or forge user actions on other sites. We demonstrate a full proof-of-concept attack on one agentic browser (ChatGPT Atlas) and find that several others meet preconditions for cross-origin attacks.