Product · Injection filter

Strip the attack surface before the agent sees it.

Indirect prompt injection works by hiding instructions in DOM nodes that the user can't see. We strip those nodes from the accessibility tree at the browser layer — before the snapshot ever reaches the model.

Default onPer-session prefBrowser-layer defence

What it filters

On every Page.getFullAXTree call, the content-process filter walks the tree and removes nodes that match any of seven visibility checks, ordered by cost so common cases short-circuit first.

aria-hidden="true"

Explicit author intent. First check, cheapest.

display: none

Computed style. Removes whole subtrees from layout.

visibility: hidden

Element exists but is not painted.

opacity: 0

Common injection vector — invisible but layout-active.

Zero-dimension overflow

Bounding rect is collapsed and overflow is clipped.

Off-screen by 500px+

Positioned far outside viewport, the classic trick.

clip-path: inset(100%)

Modern equivalent of clip: rect(0,0,0,0).

Where it runs

The filter lives in additions/juggler/content/PageAgent.js, which runs with chrome privilege in the Camoufox content process. It is controlled by the vulpineos.injection_filter.enabled pref — default on. The telemetry service emits an injectionAttemptDetected event whenever a node is removed, so you can audit attempts after a run.

Resources

Architecture deep-dive
docs.vulpineos.com/architecture — every patch, where it lives, and why.
VulpineOS source
github.com/VulpineOS/VulpineOS — runtime, patches, additions.

Self-host the runtime today.

Pull the source, build the binary, and drive your first agent. The waitlist gates the managed runtime; the open-source path is open now.

Read the docs→Star on GitHub