@safebrowse/daemon 0.1.2-rc.1
- package/LICENSE +15 -0
- package/README.md +31 -0
- package/dist/cli.d.ts +8 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +93 -0
- package/dist/cli.js.map +1 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +21 -0
- package/dist/index.js.map +1 -0
- package/dist/loaders.d.ts +23 -0
- package/dist/loaders.d.ts.map +1 -0
- package/dist/loaders.js +181 -0
- package/dist/loaders.js.map +1 -0
- package/dist/runtime/config/adapter-registry.json +65 -0
- package/dist/runtime/config/adapter-registry.json.sig +1 -0
- package/dist/runtime/config/v2-compromised-fixtures.json +34 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_action_integrity_patterns.json +1411 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_artifact_surface_patterns.json +891 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_evaluation_scenarios.json +217 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_incident_response_playbooks.json +209 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json +143 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json.sig +1 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip +0 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip.sig +1 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json +803 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json +686 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_prompt_injection_patterns.json +9930 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_source_registry.json +345 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_tool_protocol_supply_chain_patterns.json +879 -0
- package/dist/runtime/knowledge_base/safebrowse_vf_trust_signals_provenance.json +480 -0
- package/dist/runtime/knowledge_base/signing/safebrowse_vf_ed25519_public.pem +3 -0
- package/dist/runtime/policies/base/research.yaml +56 -0
- package/dist/runtime/policies/emergency/default.yaml +14 -0
- package/dist/runtime/policies/project/default.yaml +13 -0
- package/dist/runtime/policies/tenant/default.yaml +12 -0
- package/dist/server.d.ts +14 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +195 -0
- package/dist/server.js.map +1 -0
- package/package.json +53 -0
|
@@ -0,0 +1,891 @@
|
|
|
1
|
+
{
|
|
2
|
+
"kb_meta": {
|
|
3
|
+
"name": "SafeBrowse vf artifact surface patterns",
|
|
4
|
+
"version": "vf-final",
|
|
5
|
+
"generated_on": "2026-03-28",
|
|
6
|
+
"entry_count": 40,
|
|
7
|
+
"purpose": "Patterns for PDFs, viewers, OCR layers, hidden text, and non-standard browsing surfaces."
|
|
8
|
+
},
|
|
9
|
+
"entries": [
|
|
10
|
+
{
|
|
11
|
+
"pattern_id": "AR-01-01",
|
|
12
|
+
"family_key": "pdf_hidden_text_layer",
|
|
13
|
+
"family_name": "PDF and document hidden text layers",
|
|
14
|
+
"pattern_name": "Invisible OCR text layer",
|
|
15
|
+
"entry_kind": "artifact_surface_pattern",
|
|
16
|
+
"summary": "The rendered document and extracted text layer diverge, or hidden text is present in a PDF or viewer.",
|
|
17
|
+
"surface_kind": "pdf",
|
|
18
|
+
"default_controls": [
|
|
19
|
+
"render-vs-text diffing",
|
|
20
|
+
"artifact quarantine",
|
|
21
|
+
"visibility labeling",
|
|
22
|
+
"optional human review"
|
|
23
|
+
],
|
|
24
|
+
"source_ids": [
|
|
25
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
26
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
27
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
28
|
+
],
|
|
29
|
+
"credibility": "high",
|
|
30
|
+
"last_verified": "2026-03-28"
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"pattern_id": "AR-01-02",
|
|
34
|
+
"family_key": "pdf_hidden_text_layer",
|
|
35
|
+
"family_name": "PDF and document hidden text layers",
|
|
36
|
+
"pattern_name": "White-on-white or zero-size text in PDF",
|
|
37
|
+
"entry_kind": "artifact_surface_pattern",
|
|
38
|
+
"summary": "The rendered document and extracted text layer diverge, or hidden text is present in a PDF or viewer.",
|
|
39
|
+
"surface_kind": "pdf",
|
|
40
|
+
"default_controls": [
|
|
41
|
+
"render-vs-text diffing",
|
|
42
|
+
"artifact quarantine",
|
|
43
|
+
"visibility labeling",
|
|
44
|
+
"optional human review"
|
|
45
|
+
],
|
|
46
|
+
"source_ids": [
|
|
47
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
48
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
49
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
50
|
+
],
|
|
51
|
+
"credibility": "high",
|
|
52
|
+
"last_verified": "2026-03-28"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"pattern_id": "AR-01-03",
|
|
56
|
+
"family_key": "pdf_hidden_text_layer",
|
|
57
|
+
"family_name": "PDF and document hidden text layers",
|
|
58
|
+
"pattern_name": "Alternate text layer different from visual page",
|
|
59
|
+
"entry_kind": "artifact_surface_pattern",
|
|
60
|
+
"summary": "The rendered document and extracted text layer diverge, or hidden text is present in a PDF or viewer.",
|
|
61
|
+
"surface_kind": "pdf",
|
|
62
|
+
"default_controls": [
|
|
63
|
+
"render-vs-text diffing",
|
|
64
|
+
"artifact quarantine",
|
|
65
|
+
"visibility labeling",
|
|
66
|
+
"optional human review"
|
|
67
|
+
],
|
|
68
|
+
"source_ids": [
|
|
69
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
70
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
71
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
72
|
+
],
|
|
73
|
+
"credibility": "high",
|
|
74
|
+
"last_verified": "2026-03-28"
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
"pattern_id": "AR-01-04",
|
|
78
|
+
"family_key": "pdf_hidden_text_layer",
|
|
79
|
+
"family_name": "PDF and document hidden text layers",
|
|
80
|
+
"pattern_name": "Annotations/comments carrying instructions",
|
|
81
|
+
"entry_kind": "artifact_surface_pattern",
|
|
82
|
+
"summary": "The rendered document and extracted text layer diverge, or hidden text is present in a PDF or viewer.",
|
|
83
|
+
"surface_kind": "pdf",
|
|
84
|
+
"default_controls": [
|
|
85
|
+
"render-vs-text diffing",
|
|
86
|
+
"artifact quarantine",
|
|
87
|
+
"visibility labeling",
|
|
88
|
+
"optional human review"
|
|
89
|
+
],
|
|
90
|
+
"source_ids": [
|
|
91
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
92
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
93
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
94
|
+
],
|
|
95
|
+
"credibility": "high",
|
|
96
|
+
"last_verified": "2026-03-28"
|
|
97
|
+
},
|
|
98
|
+
{
|
|
99
|
+
"pattern_id": "AR-02-01",
|
|
100
|
+
"family_key": "metadata_instruction",
|
|
101
|
+
"family_name": "Metadata-borne instructions",
|
|
102
|
+
"pattern_name": "Document title or subject instruction",
|
|
103
|
+
"entry_kind": "artifact_surface_pattern",
|
|
104
|
+
"summary": "Instructions appear in filenames, alt text, title fields, EXIF, document properties, or other metadata channels.",
|
|
105
|
+
"surface_kind": "metadata",
|
|
106
|
+
"default_controls": [
|
|
107
|
+
"metadata trust downgrading",
|
|
108
|
+
"out-of-band metadata handling",
|
|
109
|
+
"ignore metadata for planning",
|
|
110
|
+
"source labeling"
|
|
111
|
+
],
|
|
112
|
+
"source_ids": [
|
|
113
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
114
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
115
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
116
|
+
],
|
|
117
|
+
"credibility": "high",
|
|
118
|
+
"last_verified": "2026-03-28"
|
|
119
|
+
},
|
|
120
|
+
{
|
|
121
|
+
"pattern_id": "AR-02-02",
|
|
122
|
+
"family_key": "metadata_instruction",
|
|
123
|
+
"family_name": "Metadata-borne instructions",
|
|
124
|
+
"pattern_name": "Filename used as instruction carrier",
|
|
125
|
+
"entry_kind": "artifact_surface_pattern",
|
|
126
|
+
"summary": "Instructions appear in filenames, alt text, title fields, EXIF, document properties, or other metadata channels.",
|
|
127
|
+
"surface_kind": "metadata",
|
|
128
|
+
"default_controls": [
|
|
129
|
+
"metadata trust downgrading",
|
|
130
|
+
"out-of-band metadata handling",
|
|
131
|
+
"ignore metadata for planning",
|
|
132
|
+
"source labeling"
|
|
133
|
+
],
|
|
134
|
+
"source_ids": [
|
|
135
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
136
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
137
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
138
|
+
],
|
|
139
|
+
"credibility": "high",
|
|
140
|
+
"last_verified": "2026-03-28"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"pattern_id": "AR-02-03",
|
|
144
|
+
"family_key": "metadata_instruction",
|
|
145
|
+
"family_name": "Metadata-borne instructions",
|
|
146
|
+
"pattern_name": "Image EXIF or alt-text instruction",
|
|
147
|
+
"entry_kind": "artifact_surface_pattern",
|
|
148
|
+
"summary": "Instructions appear in filenames, alt text, title fields, EXIF, document properties, or other metadata channels.",
|
|
149
|
+
"surface_kind": "metadata",
|
|
150
|
+
"default_controls": [
|
|
151
|
+
"metadata trust downgrading",
|
|
152
|
+
"out-of-band metadata handling",
|
|
153
|
+
"ignore metadata for planning",
|
|
154
|
+
"source labeling"
|
|
155
|
+
],
|
|
156
|
+
"source_ids": [
|
|
157
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
158
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
159
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
160
|
+
],
|
|
161
|
+
"credibility": "high",
|
|
162
|
+
"last_verified": "2026-03-28"
|
|
163
|
+
},
|
|
164
|
+
{
|
|
165
|
+
"pattern_id": "AR-02-04",
|
|
166
|
+
"family_key": "metadata_instruction",
|
|
167
|
+
"family_name": "Metadata-borne instructions",
|
|
168
|
+
"pattern_name": "Embedded file properties or custom fields",
|
|
169
|
+
"entry_kind": "artifact_surface_pattern",
|
|
170
|
+
"summary": "Instructions appear in filenames, alt text, title fields, EXIF, document properties, or other metadata channels.",
|
|
171
|
+
"surface_kind": "metadata",
|
|
172
|
+
"default_controls": [
|
|
173
|
+
"metadata trust downgrading",
|
|
174
|
+
"out-of-band metadata handling",
|
|
175
|
+
"ignore metadata for planning",
|
|
176
|
+
"source labeling"
|
|
177
|
+
],
|
|
178
|
+
"source_ids": [
|
|
179
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
180
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
181
|
+
"SRC_OWASP_LLM02_OUTPUT_2026"
|
|
182
|
+
],
|
|
183
|
+
"credibility": "high",
|
|
184
|
+
"last_verified": "2026-03-28"
|
|
185
|
+
},
|
|
186
|
+
{
|
|
187
|
+
"pattern_id": "AR-03-01",
|
|
188
|
+
"family_key": "embedded_docs_iframes",
|
|
189
|
+
"family_name": "Embedded documents and iframes",
|
|
190
|
+
"pattern_name": "Cross-origin PDF or viewer iframe",
|
|
191
|
+
"entry_kind": "artifact_surface_pattern",
|
|
192
|
+
"summary": "Content is embedded from a distinct origin or viewer surface and should not automatically inherit the parent page trust level.",
|
|
193
|
+
"surface_kind": "iframe",
|
|
194
|
+
"default_controls": [
|
|
195
|
+
"frame-origin labeling",
|
|
196
|
+
"origin gating",
|
|
197
|
+
"separate artifact extraction path",
|
|
198
|
+
"cross-origin default deny"
|
|
199
|
+
],
|
|
200
|
+
"source_ids": [
|
|
201
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
202
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
203
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
204
|
+
],
|
|
205
|
+
"credibility": "high",
|
|
206
|
+
"last_verified": "2026-03-28"
|
|
207
|
+
},
|
|
208
|
+
{
|
|
209
|
+
"pattern_id": "AR-03-02",
|
|
210
|
+
"family_key": "embedded_docs_iframes",
|
|
211
|
+
"family_name": "Embedded documents and iframes",
|
|
212
|
+
"pattern_name": "Embedded office document viewer",
|
|
213
|
+
"entry_kind": "artifact_surface_pattern",
|
|
214
|
+
"summary": "Content is embedded from a distinct origin or viewer surface and should not automatically inherit the parent page trust level.",
|
|
215
|
+
"surface_kind": "iframe",
|
|
216
|
+
"default_controls": [
|
|
217
|
+
"frame-origin labeling",
|
|
218
|
+
"origin gating",
|
|
219
|
+
"separate artifact extraction path",
|
|
220
|
+
"cross-origin default deny"
|
|
221
|
+
],
|
|
222
|
+
"source_ids": [
|
|
223
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
224
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
225
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
226
|
+
],
|
|
227
|
+
"credibility": "high",
|
|
228
|
+
"last_verified": "2026-03-28"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"pattern_id": "AR-03-03",
|
|
232
|
+
"family_key": "embedded_docs_iframes",
|
|
233
|
+
"family_name": "Embedded documents and iframes",
|
|
234
|
+
"pattern_name": "Third-party slide or notebook embed",
|
|
235
|
+
"entry_kind": "artifact_surface_pattern",
|
|
236
|
+
"summary": "Content is embedded from a distinct origin or viewer surface and should not automatically inherit the parent page trust level.",
|
|
237
|
+
"surface_kind": "iframe",
|
|
238
|
+
"default_controls": [
|
|
239
|
+
"frame-origin labeling",
|
|
240
|
+
"origin gating",
|
|
241
|
+
"separate artifact extraction path",
|
|
242
|
+
"cross-origin default deny"
|
|
243
|
+
],
|
|
244
|
+
"source_ids": [
|
|
245
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
246
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
247
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
248
|
+
],
|
|
249
|
+
"credibility": "high",
|
|
250
|
+
"last_verified": "2026-03-28"
|
|
251
|
+
},
|
|
252
|
+
{
|
|
253
|
+
"pattern_id": "AR-03-04",
|
|
254
|
+
"family_key": "embedded_docs_iframes",
|
|
255
|
+
"family_name": "Embedded documents and iframes",
|
|
256
|
+
"pattern_name": "Sandbox escape attempt via nested embed",
|
|
257
|
+
"entry_kind": "artifact_surface_pattern",
|
|
258
|
+
"summary": "Content is embedded from a distinct origin or viewer surface and should not automatically inherit the parent page trust level.",
|
|
259
|
+
"surface_kind": "iframe",
|
|
260
|
+
"default_controls": [
|
|
261
|
+
"frame-origin labeling",
|
|
262
|
+
"origin gating",
|
|
263
|
+
"separate artifact extraction path",
|
|
264
|
+
"cross-origin default deny"
|
|
265
|
+
],
|
|
266
|
+
"source_ids": [
|
|
267
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
268
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
269
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
270
|
+
],
|
|
271
|
+
"credibility": "high",
|
|
272
|
+
"last_verified": "2026-03-28"
|
|
273
|
+
},
|
|
274
|
+
{
|
|
275
|
+
"pattern_id": "AR-04-01",
|
|
276
|
+
"family_key": "dynamic_scripts_ads",
|
|
277
|
+
"family_name": "Ads, widgets, and dynamic scripts",
|
|
278
|
+
"pattern_name": "Ad slot injects instruction text",
|
|
279
|
+
"entry_kind": "artifact_surface_pattern",
|
|
280
|
+
"summary": "Dynamically loaded content introduces instruction-bearing text after the initial page load or from third-party script contexts.",
|
|
281
|
+
"surface_kind": "script",
|
|
282
|
+
"default_controls": [
|
|
283
|
+
"late-load observation gating",
|
|
284
|
+
"third-party frame suppression",
|
|
285
|
+
"DOM mutation provenance",
|
|
286
|
+
"read-only downgrade on suspicious mutation"
|
|
287
|
+
],
|
|
288
|
+
"source_ids": [
|
|
289
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
290
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
291
|
+
"SRC_OWASP_PI_CHEATSHEET_2026"
|
|
292
|
+
],
|
|
293
|
+
"credibility": "high",
|
|
294
|
+
"last_verified": "2026-03-28"
|
|
295
|
+
},
|
|
296
|
+
{
|
|
297
|
+
"pattern_id": "AR-04-02",
|
|
298
|
+
"family_key": "dynamic_scripts_ads",
|
|
299
|
+
"family_name": "Ads, widgets, and dynamic scripts",
|
|
300
|
+
"pattern_name": "Widget or plugin injects hidden DOM",
|
|
301
|
+
"entry_kind": "artifact_surface_pattern",
|
|
302
|
+
"summary": "Dynamically loaded content introduces instruction-bearing text after the initial page load or from third-party script contexts.",
|
|
303
|
+
"surface_kind": "script",
|
|
304
|
+
"default_controls": [
|
|
305
|
+
"late-load observation gating",
|
|
306
|
+
"third-party frame suppression",
|
|
307
|
+
"DOM mutation provenance",
|
|
308
|
+
"read-only downgrade on suspicious mutation"
|
|
309
|
+
],
|
|
310
|
+
"source_ids": [
|
|
311
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
312
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
313
|
+
"SRC_OWASP_PI_CHEATSHEET_2026"
|
|
314
|
+
],
|
|
315
|
+
"credibility": "high",
|
|
316
|
+
"last_verified": "2026-03-28"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"pattern_id": "AR-04-03",
|
|
320
|
+
"family_key": "dynamic_scripts_ads",
|
|
321
|
+
"family_name": "Ads, widgets, and dynamic scripts",
|
|
322
|
+
"pattern_name": "Late-loading banner or consent wall text",
|
|
323
|
+
"entry_kind": "artifact_surface_pattern",
|
|
324
|
+
"summary": "Dynamically loaded content introduces instruction-bearing text after the initial page load or from third-party script contexts.",
|
|
325
|
+
"surface_kind": "script",
|
|
326
|
+
"default_controls": [
|
|
327
|
+
"late-load observation gating",
|
|
328
|
+
"third-party frame suppression",
|
|
329
|
+
"DOM mutation provenance",
|
|
330
|
+
"read-only downgrade on suspicious mutation"
|
|
331
|
+
],
|
|
332
|
+
"source_ids": [
|
|
333
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
334
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
335
|
+
"SRC_OWASP_PI_CHEATSHEET_2026"
|
|
336
|
+
],
|
|
337
|
+
"credibility": "high",
|
|
338
|
+
"last_verified": "2026-03-28"
|
|
339
|
+
},
|
|
340
|
+
{
|
|
341
|
+
"pattern_id": "AR-04-04",
|
|
342
|
+
"family_key": "dynamic_scripts_ads",
|
|
343
|
+
"family_name": "Ads, widgets, and dynamic scripts",
|
|
344
|
+
"pattern_name": "Third-party script mutates visible content",
|
|
345
|
+
"entry_kind": "artifact_surface_pattern",
|
|
346
|
+
"summary": "Dynamically loaded content introduces instruction-bearing text after the initial page load or from third-party script contexts.",
|
|
347
|
+
"surface_kind": "script",
|
|
348
|
+
"default_controls": [
|
|
349
|
+
"late-load observation gating",
|
|
350
|
+
"third-party frame suppression",
|
|
351
|
+
"DOM mutation provenance",
|
|
352
|
+
"read-only downgrade on suspicious mutation"
|
|
353
|
+
],
|
|
354
|
+
"source_ids": [
|
|
355
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
356
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
357
|
+
"SRC_OWASP_PI_CHEATSHEET_2026"
|
|
358
|
+
],
|
|
359
|
+
"credibility": "high",
|
|
360
|
+
"last_verified": "2026-03-28"
|
|
361
|
+
},
|
|
362
|
+
{
|
|
363
|
+
"pattern_id": "AR-05-01",
|
|
364
|
+
"family_key": "canvas_blob_shadow_dom",
|
|
365
|
+
"family_name": "Canvas, blob, and shadow-DOM surfaces",
|
|
366
|
+
"pattern_name": "Canvas-rendered text",
|
|
367
|
+
"entry_kind": "artifact_surface_pattern",
|
|
368
|
+
"summary": "Critical content is presented in non-standard render paths that ordinary text extraction may miss or misclassify.",
|
|
369
|
+
"surface_kind": "canvas",
|
|
370
|
+
"default_controls": [
|
|
371
|
+
"specialized extractor adapters",
|
|
372
|
+
"surface tagging",
|
|
373
|
+
"fallback screenshot review path",
|
|
374
|
+
"default distrust for opaque renderers"
|
|
375
|
+
],
|
|
376
|
+
"source_ids": [
|
|
377
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
378
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
379
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
380
|
+
],
|
|
381
|
+
"credibility": "high",
|
|
382
|
+
"last_verified": "2026-03-28"
|
|
383
|
+
},
|
|
384
|
+
{
|
|
385
|
+
"pattern_id": "AR-05-02",
|
|
386
|
+
"family_key": "canvas_blob_shadow_dom",
|
|
387
|
+
"family_name": "Canvas, blob, and shadow-DOM surfaces",
|
|
388
|
+
"pattern_name": "Blob URL document viewer",
|
|
389
|
+
"entry_kind": "artifact_surface_pattern",
|
|
390
|
+
"summary": "Critical content is presented in non-standard render paths that ordinary text extraction may miss or misclassify.",
|
|
391
|
+
"surface_kind": "blob",
|
|
392
|
+
"default_controls": [
|
|
393
|
+
"specialized extractor adapters",
|
|
394
|
+
"surface tagging",
|
|
395
|
+
"fallback screenshot review path",
|
|
396
|
+
"default distrust for opaque renderers"
|
|
397
|
+
],
|
|
398
|
+
"source_ids": [
|
|
399
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
400
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
401
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
402
|
+
],
|
|
403
|
+
"credibility": "high",
|
|
404
|
+
"last_verified": "2026-03-28"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"pattern_id": "AR-05-03",
|
|
408
|
+
"family_key": "canvas_blob_shadow_dom",
|
|
409
|
+
"family_name": "Canvas, blob, and shadow-DOM surfaces",
|
|
410
|
+
"pattern_name": "Shadow-DOM hidden instruction slot",
|
|
411
|
+
"entry_kind": "artifact_surface_pattern",
|
|
412
|
+
"summary": "Critical content is presented in non-standard render paths that ordinary text extraction may miss or misclassify.",
|
|
413
|
+
"surface_kind": "shadow_dom",
|
|
414
|
+
"default_controls": [
|
|
415
|
+
"specialized extractor adapters",
|
|
416
|
+
"surface tagging",
|
|
417
|
+
"fallback screenshot review path",
|
|
418
|
+
"default distrust for opaque renderers"
|
|
419
|
+
],
|
|
420
|
+
"source_ids": [
|
|
421
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
422
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
423
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
424
|
+
],
|
|
425
|
+
"credibility": "high",
|
|
426
|
+
"last_verified": "2026-03-28"
|
|
427
|
+
},
|
|
428
|
+
{
|
|
429
|
+
"pattern_id": "AR-05-04",
|
|
430
|
+
"family_key": "canvas_blob_shadow_dom",
|
|
431
|
+
"family_name": "Canvas, blob, and shadow-DOM surfaces",
|
|
432
|
+
"pattern_name": "Data URL or client-side generated page",
|
|
433
|
+
"entry_kind": "artifact_surface_pattern",
|
|
434
|
+
"summary": "Critical content is presented in non-standard render paths that ordinary text extraction may miss or misclassify.",
|
|
435
|
+
"surface_kind": "data_url",
|
|
436
|
+
"default_controls": [
|
|
437
|
+
"specialized extractor adapters",
|
|
438
|
+
"surface tagging",
|
|
439
|
+
"fallback screenshot review path",
|
|
440
|
+
"default distrust for opaque renderers"
|
|
441
|
+
],
|
|
442
|
+
"source_ids": [
|
|
443
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
444
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
445
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
446
|
+
],
|
|
447
|
+
"credibility": "high",
|
|
448
|
+
"last_verified": "2026-03-28"
|
|
449
|
+
},
|
|
450
|
+
{
|
|
451
|
+
"pattern_id": "AR-06-01",
|
|
452
|
+
"family_key": "ocr_mismatch",
|
|
453
|
+
"family_name": "OCR and vision-text mismatch",
|
|
454
|
+
"pattern_name": "Low-confidence OCR on screenshot/document",
|
|
455
|
+
"entry_kind": "artifact_surface_pattern",
|
|
456
|
+
"summary": "Text recovered by OCR or vision differs materially from visible semantics or is low-confidence.",
|
|
457
|
+
"surface_kind": "ocr",
|
|
458
|
+
"default_controls": [
|
|
459
|
+
"confidence thresholds",
|
|
460
|
+
"dual extractor comparison",
|
|
461
|
+
"artifact quarantine on mismatch",
|
|
462
|
+
"do not promote OCR text to trusted instructions"
|
|
463
|
+
],
|
|
464
|
+
"source_ids": [
|
|
465
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
466
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
467
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
468
|
+
],
|
|
469
|
+
"credibility": "high",
|
|
470
|
+
"last_verified": "2026-03-28"
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"pattern_id": "AR-06-02",
|
|
474
|
+
"family_key": "ocr_mismatch",
|
|
475
|
+
"family_name": "OCR and vision-text mismatch",
|
|
476
|
+
"pattern_name": "OCR detects hidden watermark text",
|
|
477
|
+
"entry_kind": "artifact_surface_pattern",
|
|
478
|
+
"summary": "Text recovered by OCR or vision differs materially from visible semantics or is low-confidence.",
|
|
479
|
+
"surface_kind": "ocr",
|
|
480
|
+
"default_controls": [
|
|
481
|
+
"confidence thresholds",
|
|
482
|
+
"dual extractor comparison",
|
|
483
|
+
"artifact quarantine on mismatch",
|
|
484
|
+
"do not promote OCR text to trusted instructions"
|
|
485
|
+
],
|
|
486
|
+
"source_ids": [
|
|
487
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
488
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
489
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
490
|
+
],
|
|
491
|
+
"credibility": "high",
|
|
492
|
+
"last_verified": "2026-03-28"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"pattern_id": "AR-06-03",
|
|
496
|
+
"family_key": "ocr_mismatch",
|
|
497
|
+
"family_name": "OCR and vision-text mismatch",
|
|
498
|
+
"pattern_name": "Vision model and DOM text disagree",
|
|
499
|
+
"entry_kind": "artifact_surface_pattern",
|
|
500
|
+
"summary": "Text recovered by OCR or vision differs materially from visible semantics or is low-confidence.",
|
|
501
|
+
"surface_kind": "ocr",
|
|
502
|
+
"default_controls": [
|
|
503
|
+
"confidence thresholds",
|
|
504
|
+
"dual extractor comparison",
|
|
505
|
+
"artifact quarantine on mismatch",
|
|
506
|
+
"do not promote OCR text to trusted instructions"
|
|
507
|
+
],
|
|
508
|
+
"source_ids": [
|
|
509
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
510
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
511
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
512
|
+
],
|
|
513
|
+
"credibility": "high",
|
|
514
|
+
"last_verified": "2026-03-28"
|
|
515
|
+
},
|
|
516
|
+
{
|
|
517
|
+
"pattern_id": "AR-06-04",
|
|
518
|
+
"family_key": "ocr_mismatch",
|
|
519
|
+
"family_name": "OCR and vision-text mismatch",
|
|
520
|
+
"pattern_name": "Image text includes instruction overlay",
|
|
521
|
+
"entry_kind": "artifact_surface_pattern",
|
|
522
|
+
"summary": "Text recovered by OCR or vision differs materially from visible semantics or is low-confidence.",
|
|
523
|
+
"surface_kind": "ocr",
|
|
524
|
+
"default_controls": [
|
|
525
|
+
"confidence thresholds",
|
|
526
|
+
"dual extractor comparison",
|
|
527
|
+
"artifact quarantine on mismatch",
|
|
528
|
+
"do not promote OCR text to trusted instructions"
|
|
529
|
+
],
|
|
530
|
+
"source_ids": [
|
|
531
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
532
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
533
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
534
|
+
],
|
|
535
|
+
"credibility": "high",
|
|
536
|
+
"last_verified": "2026-03-28"
|
|
537
|
+
},
|
|
538
|
+
{
|
|
539
|
+
"pattern_id": "AR-07-01",
|
|
540
|
+
"family_key": "scholarly_nonstandard_reader",
|
|
541
|
+
"family_name": "Scholarly and non-standard reading surfaces",
|
|
542
|
+
"pattern_name": "Scholar landing page vs publisher PDF",
|
|
543
|
+
"entry_kind": "artifact_surface_pattern",
|
|
544
|
+
"summary": "Research portals and document landing pages mix abstracts, citation widgets, previews, access controls, and downloads across multiple surfaces.",
|
|
545
|
+
"surface_kind": "scholar",
|
|
546
|
+
"default_controls": [
|
|
547
|
+
"artifact-type classification",
|
|
548
|
+
"separate preview vs full-document handling",
|
|
549
|
+
"download-safe handoff",
|
|
550
|
+
"origin-aware provenance"
|
|
551
|
+
],
|
|
552
|
+
"source_ids": [
|
|
553
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
554
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
555
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
556
|
+
],
|
|
557
|
+
"credibility": "high",
|
|
558
|
+
"last_verified": "2026-03-28"
|
|
559
|
+
},
|
|
560
|
+
{
|
|
561
|
+
"pattern_id": "AR-07-02",
|
|
562
|
+
"family_key": "scholarly_nonstandard_reader",
|
|
563
|
+
"family_name": "Scholarly and non-standard reading surfaces",
|
|
564
|
+
"pattern_name": "Citation popup or abstract panel",
|
|
565
|
+
"entry_kind": "artifact_surface_pattern",
|
|
566
|
+
"summary": "Research portals and document landing pages mix abstracts, citation widgets, previews, access controls, and downloads across multiple surfaces.",
|
|
567
|
+
"surface_kind": "scholar",
|
|
568
|
+
"default_controls": [
|
|
569
|
+
"artifact-type classification",
|
|
570
|
+
"separate preview vs full-document handling",
|
|
571
|
+
"download-safe handoff",
|
|
572
|
+
"origin-aware provenance"
|
|
573
|
+
],
|
|
574
|
+
"source_ids": [
|
|
575
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
576
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
577
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
578
|
+
],
|
|
579
|
+
"credibility": "high",
|
|
580
|
+
"last_verified": "2026-03-28"
|
|
581
|
+
},
|
|
582
|
+
{
|
|
583
|
+
"pattern_id": "AR-07-03",
|
|
584
|
+
"family_key": "scholarly_nonstandard_reader",
|
|
585
|
+
"family_name": "Scholarly and non-standard reading surfaces",
|
|
586
|
+
"pattern_name": "Access-denied or interstitial page treated as content",
|
|
587
|
+
"entry_kind": "artifact_surface_pattern",
|
|
588
|
+
"summary": "Research portals and document landing pages mix abstracts, citation widgets, previews, access controls, and downloads across multiple surfaces.",
|
|
589
|
+
"surface_kind": "scholar",
|
|
590
|
+
"default_controls": [
|
|
591
|
+
"artifact-type classification",
|
|
592
|
+
"separate preview vs full-document handling",
|
|
593
|
+
"download-safe handoff",
|
|
594
|
+
"origin-aware provenance"
|
|
595
|
+
],
|
|
596
|
+
"source_ids": [
|
|
597
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
598
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
599
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
600
|
+
],
|
|
601
|
+
"credibility": "high",
|
|
602
|
+
"last_verified": "2026-03-28"
|
|
603
|
+
},
|
|
604
|
+
{
|
|
605
|
+
"pattern_id": "AR-07-04",
|
|
606
|
+
"family_key": "scholarly_nonstandard_reader",
|
|
607
|
+
"family_name": "Scholarly and non-standard reading surfaces",
|
|
608
|
+
"pattern_name": "Download gateway with mixed metadata/content",
|
|
609
|
+
"entry_kind": "artifact_surface_pattern",
|
|
610
|
+
"summary": "Research portals and document landing pages mix abstracts, citation widgets, previews, access controls, and downloads across multiple surfaces.",
|
|
611
|
+
"surface_kind": "scholar",
|
|
612
|
+
"default_controls": [
|
|
613
|
+
"artifact-type classification",
|
|
614
|
+
"separate preview vs full-document handling",
|
|
615
|
+
"download-safe handoff",
|
|
616
|
+
"origin-aware provenance"
|
|
617
|
+
],
|
|
618
|
+
"source_ids": [
|
|
619
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
620
|
+
"SRC_GOOGLE_CHROME_AGENTIC_2025",
|
|
621
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
622
|
+
],
|
|
623
|
+
"credibility": "high",
|
|
624
|
+
"last_verified": "2026-03-28"
|
|
625
|
+
},
|
|
626
|
+
{
|
|
627
|
+
"pattern_id": "AR-08-01",
|
|
628
|
+
"family_key": "download_archive_container",
|
|
629
|
+
"family_name": "Downloads, archives, and containerized artifacts",
|
|
630
|
+
"pattern_name": "ZIP or TAR archive download",
|
|
631
|
+
"entry_kind": "artifact_surface_pattern",
|
|
632
|
+
"summary": "Downloaded artifacts may contain nested files or instructions and should not be flattened directly into model context.",
|
|
633
|
+
"surface_kind": "download",
|
|
634
|
+
"default_controls": [
|
|
635
|
+
"download quarantine",
|
|
636
|
+
"content-type allowlisting",
|
|
637
|
+
"nested-file inventory",
|
|
638
|
+
"no auto-open or auto-execute"
|
|
639
|
+
],
|
|
640
|
+
"source_ids": [
|
|
641
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
642
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
643
|
+
"SRC_NIST_HIJACK_EVAL_2025"
|
|
644
|
+
],
|
|
645
|
+
"credibility": "high",
|
|
646
|
+
"last_verified": "2026-03-28"
|
|
647
|
+
},
|
|
648
|
+
{
|
|
649
|
+
"pattern_id": "AR-08-02",
|
|
650
|
+
"family_key": "download_archive_container",
|
|
651
|
+
"family_name": "Downloads, archives, and containerized artifacts",
|
|
652
|
+
"pattern_name": "Self-extracting or executable download",
|
|
653
|
+
"entry_kind": "artifact_surface_pattern",
|
|
654
|
+
"summary": "Downloaded artifacts may contain nested files or instructions and should not be flattened directly into model context.",
|
|
655
|
+
"surface_kind": "download",
|
|
656
|
+
"default_controls": [
|
|
657
|
+
"download quarantine",
|
|
658
|
+
"content-type allowlisting",
|
|
659
|
+
"nested-file inventory",
|
|
660
|
+
"no auto-open or auto-execute"
|
|
661
|
+
],
|
|
662
|
+
"source_ids": [
|
|
663
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
664
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
665
|
+
"SRC_NIST_HIJACK_EVAL_2025"
|
|
666
|
+
],
|
|
667
|
+
"credibility": "high",
|
|
668
|
+
"last_verified": "2026-03-28"
|
|
669
|
+
},
|
|
670
|
+
{
|
|
671
|
+
"pattern_id": "AR-08-03",
|
|
672
|
+
"family_key": "download_archive_container",
|
|
673
|
+
"family_name": "Downloads, archives, and containerized artifacts",
|
|
674
|
+
"pattern_name": "Office macro-enabled document",
|
|
675
|
+
"entry_kind": "artifact_surface_pattern",
|
|
676
|
+
"summary": "Downloaded artifacts may contain nested files or instructions and should not be flattened directly into model context.",
|
|
677
|
+
"surface_kind": "download",
|
|
678
|
+
"default_controls": [
|
|
679
|
+
"download quarantine",
|
|
680
|
+
"content-type allowlisting",
|
|
681
|
+
"nested-file inventory",
|
|
682
|
+
"no auto-open or auto-execute"
|
|
683
|
+
],
|
|
684
|
+
"source_ids": [
|
|
685
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
686
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
687
|
+
"SRC_NIST_HIJACK_EVAL_2025"
|
|
688
|
+
],
|
|
689
|
+
"credibility": "high",
|
|
690
|
+
"last_verified": "2026-03-28"
|
|
691
|
+
},
|
|
692
|
+
{
|
|
693
|
+
"pattern_id": "AR-08-04",
|
|
694
|
+
"family_key": "download_archive_container",
|
|
695
|
+
"family_name": "Downloads, archives, and containerized artifacts",
|
|
696
|
+
"pattern_name": "Attachment bundle with mixed trust files",
|
|
697
|
+
"entry_kind": "artifact_surface_pattern",
|
|
698
|
+
"summary": "Downloaded artifacts may contain nested files or instructions and should not be flattened directly into model context.",
|
|
699
|
+
"surface_kind": "download",
|
|
700
|
+
"default_controls": [
|
|
701
|
+
"download quarantine",
|
|
702
|
+
"content-type allowlisting",
|
|
703
|
+
"nested-file inventory",
|
|
704
|
+
"no auto-open or auto-execute"
|
|
705
|
+
],
|
|
706
|
+
"source_ids": [
|
|
707
|
+
"SRC_MCP_SECURITY_BEST_PRACTICES_2025",
|
|
708
|
+
"SRC_OWASP_AGENTIC_TOP10_2026",
|
|
709
|
+
"SRC_NIST_HIJACK_EVAL_2025"
|
|
710
|
+
],
|
|
711
|
+
"credibility": "high",
|
|
712
|
+
"last_verified": "2026-03-28"
|
|
713
|
+
},
|
|
714
|
+
{
|
|
715
|
+
"pattern_id": "AR-09-01",
|
|
716
|
+
"family_key": "multimodal_image_layers",
|
|
717
|
+
"family_name": "Multimodal image and layered visual attacks",
|
|
718
|
+
"pattern_name": "Steganographic or tiny-font text in image",
|
|
719
|
+
"entry_kind": "artifact_surface_pattern",
|
|
720
|
+
"summary": "Images, figures, or layered visuals carry instructions not obvious from the primary reading path.",
|
|
721
|
+
"surface_kind": "image",
|
|
722
|
+
"default_controls": [
|
|
723
|
+
"vision-only tainting",
|
|
724
|
+
"hidden-text heuristics",
|
|
725
|
+
"do not elevate image text without provenance",
|
|
726
|
+
"optional human review for high-risk flows"
|
|
727
|
+
],
|
|
728
|
+
"source_ids": [
|
|
729
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
730
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
731
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
732
|
+
],
|
|
733
|
+
"credibility": "high",
|
|
734
|
+
"last_verified": "2026-03-28"
|
|
735
|
+
},
|
|
736
|
+
{
|
|
737
|
+
"pattern_id": "AR-09-02",
|
|
738
|
+
"family_key": "multimodal_image_layers",
|
|
739
|
+
"family_name": "Multimodal image and layered visual attacks",
|
|
740
|
+
"pattern_name": "Chart annotation used as instruction",
|
|
741
|
+
"entry_kind": "artifact_surface_pattern",
|
|
742
|
+
"summary": "Images, figures, or layered visuals carry instructions not obvious from the primary reading path.",
|
|
743
|
+
"surface_kind": "image",
|
|
744
|
+
"default_controls": [
|
|
745
|
+
"vision-only tainting",
|
|
746
|
+
"hidden-text heuristics",
|
|
747
|
+
"do not elevate image text without provenance",
|
|
748
|
+
"optional human review for high-risk flows"
|
|
749
|
+
],
|
|
750
|
+
"source_ids": [
|
|
751
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
752
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
753
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
754
|
+
],
|
|
755
|
+
"credibility": "high",
|
|
756
|
+
"last_verified": "2026-03-28"
|
|
757
|
+
},
|
|
758
|
+
{
|
|
759
|
+
"pattern_id": "AR-09-03",
|
|
760
|
+
"family_key": "multimodal_image_layers",
|
|
761
|
+
"family_name": "Multimodal image and layered visual attacks",
|
|
762
|
+
"pattern_name": "Layered SVG/PNG text mismatch",
|
|
763
|
+
"entry_kind": "artifact_surface_pattern",
|
|
764
|
+
"summary": "Images, figures, or layered visuals carry instructions not obvious from the primary reading path.",
|
|
765
|
+
"surface_kind": "image",
|
|
766
|
+
"default_controls": [
|
|
767
|
+
"vision-only tainting",
|
|
768
|
+
"hidden-text heuristics",
|
|
769
|
+
"do not elevate image text without provenance",
|
|
770
|
+
"optional human review for high-risk flows"
|
|
771
|
+
],
|
|
772
|
+
"source_ids": [
|
|
773
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
774
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
775
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
776
|
+
],
|
|
777
|
+
"credibility": "high",
|
|
778
|
+
"last_verified": "2026-03-28"
|
|
779
|
+
},
|
|
780
|
+
{
|
|
781
|
+
"pattern_id": "AR-09-04",
|
|
782
|
+
"family_key": "multimodal_image_layers",
|
|
783
|
+
"family_name": "Multimodal image and layered visual attacks",
|
|
784
|
+
"pattern_name": "White-on-background visual prompt",
|
|
785
|
+
"entry_kind": "artifact_surface_pattern",
|
|
786
|
+
"summary": "Images, figures, or layered visuals carry instructions not obvious from the primary reading path.",
|
|
787
|
+
"surface_kind": "image",
|
|
788
|
+
"default_controls": [
|
|
789
|
+
"vision-only tainting",
|
|
790
|
+
"hidden-text heuristics",
|
|
791
|
+
"do not elevate image text without provenance",
|
|
792
|
+
"optional human review for high-risk flows"
|
|
793
|
+
],
|
|
794
|
+
"source_ids": [
|
|
795
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
796
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
797
|
+
"SRC_NIST_AGENTIC_EMERGING_2026"
|
|
798
|
+
],
|
|
799
|
+
"credibility": "high",
|
|
800
|
+
"last_verified": "2026-03-28"
|
|
801
|
+
},
|
|
802
|
+
{
|
|
803
|
+
"pattern_id": "AR-10-01",
|
|
804
|
+
"family_key": "comments_notes_annotations",
|
|
805
|
+
"family_name": "Comments, notes, and collaborative annotations",
|
|
806
|
+
"pattern_name": "Document comment thread instruction",
|
|
807
|
+
"entry_kind": "artifact_surface_pattern",
|
|
808
|
+
"summary": "Instruction-like text arrives through comments, tracked changes, notes, chat sidebars, or collaborative annotations rather than main body content.",
|
|
809
|
+
"surface_kind": "annotation",
|
|
810
|
+
"default_controls": [
|
|
811
|
+
"annotation channel separation",
|
|
812
|
+
"low-trust default",
|
|
813
|
+
"user-shared-only promotion",
|
|
814
|
+
"main-body vs annotation provenance"
|
|
815
|
+
],
|
|
816
|
+
"source_ids": [
|
|
817
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
818
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
819
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
820
|
+
],
|
|
821
|
+
"credibility": "high",
|
|
822
|
+
"last_verified": "2026-03-28"
|
|
823
|
+
},
|
|
824
|
+
{
|
|
825
|
+
"pattern_id": "AR-10-02",
|
|
826
|
+
"family_key": "comments_notes_annotations",
|
|
827
|
+
"family_name": "Comments, notes, and collaborative annotations",
|
|
828
|
+
"pattern_name": "Suggestion/track-change note",
|
|
829
|
+
"entry_kind": "artifact_surface_pattern",
|
|
830
|
+
"summary": "Instruction-like text arrives through comments, tracked changes, notes, chat sidebars, or collaborative annotations rather than main body content.",
|
|
831
|
+
"surface_kind": "annotation",
|
|
832
|
+
"default_controls": [
|
|
833
|
+
"annotation channel separation",
|
|
834
|
+
"low-trust default",
|
|
835
|
+
"user-shared-only promotion",
|
|
836
|
+
"main-body vs annotation provenance"
|
|
837
|
+
],
|
|
838
|
+
"source_ids": [
|
|
839
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
840
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
841
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
842
|
+
],
|
|
843
|
+
"credibility": "high",
|
|
844
|
+
"last_verified": "2026-03-28"
|
|
845
|
+
},
|
|
846
|
+
{
|
|
847
|
+
"pattern_id": "AR-10-03",
|
|
848
|
+
"family_key": "comments_notes_annotations",
|
|
849
|
+
"family_name": "Comments, notes, and collaborative annotations",
|
|
850
|
+
"pattern_name": "Chat sidebar or inline note",
|
|
851
|
+
"entry_kind": "artifact_surface_pattern",
|
|
852
|
+
"summary": "Instruction-like text arrives through comments, tracked changes, notes, chat sidebars, or collaborative annotations rather than main body content.",
|
|
853
|
+
"surface_kind": "annotation",
|
|
854
|
+
"default_controls": [
|
|
855
|
+
"annotation channel separation",
|
|
856
|
+
"low-trust default",
|
|
857
|
+
"user-shared-only promotion",
|
|
858
|
+
"main-body vs annotation provenance"
|
|
859
|
+
],
|
|
860
|
+
"source_ids": [
|
|
861
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
862
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
863
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
864
|
+
],
|
|
865
|
+
"credibility": "high",
|
|
866
|
+
"last_verified": "2026-03-28"
|
|
867
|
+
},
|
|
868
|
+
{
|
|
869
|
+
"pattern_id": "AR-10-04",
|
|
870
|
+
"family_key": "comments_notes_annotations",
|
|
871
|
+
"family_name": "Comments, notes, and collaborative annotations",
|
|
872
|
+
"pattern_name": "Reviewer message embedded in content tool",
|
|
873
|
+
"entry_kind": "artifact_surface_pattern",
|
|
874
|
+
"summary": "Instruction-like text arrives through comments, tracked changes, notes, chat sidebars, or collaborative annotations rather than main body content.",
|
|
875
|
+
"surface_kind": "annotation",
|
|
876
|
+
"default_controls": [
|
|
877
|
+
"annotation channel separation",
|
|
878
|
+
"low-trust default",
|
|
879
|
+
"user-shared-only promotion",
|
|
880
|
+
"main-body vs annotation provenance"
|
|
881
|
+
],
|
|
882
|
+
"source_ids": [
|
|
883
|
+
"SRC_OWASP_PI_CHEATSHEET_2026",
|
|
884
|
+
"SRC_ANTHROPIC_BROWSER_USE_2025",
|
|
885
|
+
"SRC_OPENAI_PROMPT_INJECTION_2026"
|
|
886
|
+
],
|
|
887
|
+
"credibility": "high",
|
|
888
|
+
"last_verified": "2026-03-28"
|
|
889
|
+
}
|
|
890
|
+
]
|
|
891
|
+
}
|