Headless sandbox

Playwright/Puppeteer in Docker. No shared cookies with real browser. Ephemeral profile per session.

Advertisement

DOM extraction

Extract text via accessibility tree, not raw HTML. Reduces injection surface. Structured DOM.

Advertisement

Injection filter

Classifier on extracted content before feeding LLM. Delimit as untrusted.