Rules reference

The extension ships 28 rules grouped into five rough categories. Each rule is independently toggleable from the extension popup. Rules marked default: on are active on fresh install; default: off rules must be enabled manually.

Rules marked top frame only never run inside iframes — useful for page-wide targets (footers, cookie overlays, URL recipes) so they don’t fire pointlessly in every embedded frame.

The authoritative source for these definitions is extension/src/rules/; the initial enabled/disabled state for each rule lives in extension/data/rule-defaults.json. If this page disagrees with either, trust the source. The Install page covers how to override defaults at build time without forking the repo.

Replace credentials and personal identifiers with placeholders before they reach the model. Both rules walk text nodes and substitute in place — the page still renders normally for humans.

  • ID: pii-redact
  • Default: on

Hide credit card numbers (Luhn-validated), phone numbers, and SSNs.

Prior art: Microsoft’s open-source Presidio framework uses the same mix of regex patterns, checksum validation (e.g., Luhn for credit cards), and named-entity recognition to detect and redact PII in text.

  • ID: secrets-redact
  • Default: on

Hide API keys, tokens, JWTs, private keys, and other high-entropy credentials.

Prior art: Repository secret-scanning tools — gitleaks, trufflehog, and Yelp’s detect-secrets — use comparable regex and entropy heuristics to surface API keys, tokens, and private keys in source repositories. This rule applies the same approach to live page text instead of files on disk.

Remove or hide content that could carry attacker-controlled instructions — user-generated text, invisible text, and HTML comments.

Background: Greshake et al., Not what you’ve signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection (AISec 2023), introduces the indirect prompt injection threat model — attacker text reaches the model via the page or document the LLM reads, not via the user’s prompt. Wu et al., WIPI: A New Web Threat for LLM-Driven Web Agents, extends that model specifically to LLM-driven web agents. The rules in this section each target a delivery vector documented in those threat models.

  • ID: prompt-injection-redact
  • Default: on

Hide page sections matching known prompt-injection patterns. The pattern set is intentionally not reproduced in docs — see the project README for how patterns are sourced and shipped.

  • ID: hidden-text-strip
  • Default: on

Remove text that is invisible to humans (foreground matching background, visibility:hidden, opacity:0, font-size:0, off-screen positioning, zero-area clipping) but still readable by agents. Defends against “unseeable” prompt injection. Screen-reader-only text is preserved (via .sr-only, .visually-hidden, .a-offscreen, .aok-offscreen, MUI visuallyHidden, and the 1×1 + overflow:hidden + position:absolute envelope) so a11y-tree affordances like Amazon SERP prices stay intact. display:none is left alone so collapsed menus and tab panels keep working.

Prior art: Liao et al., EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage (ICLR 2025), demonstrates that web elements made invisible via CSS — opacity, off-screen positioning, zero-area clipping — are read by web agents but unseen by humans, the exact asymmetry this rule closes.

  • ID: unicode-invisibles-strip
  • Default: on

Remove Unicode code points that have no visible glyph but are still read by agents walking the DOM or accessibility tree: the Unicode Tags block (U+E0000–U+E007F), bidi override and isolate characters (U+202A–U+202E, U+2066–U+2069), and the zero-width family (U+200B, U+2060–U+2064, U+FEFF, U+180E). Applied to text nodes and to every attribute value, so the rule also closes the aria-label / alt / title / placeholder surface. Code points with legitimate script-shaping use are preserved: ZWJ (U+200D, emoji and Indic joining), ZWNJ (U+200C, Persian/Hindi ligature control), and the directional marks LRM/RLM (U+200E/U+200F).

Prior art: Boucher & Anderson, Trojan Source: Invisible Vulnerabilities (USENIX Security 2023; CVE-2021-42574), introduces the bidi-override attack class — invisible reordering chars that make text render one way to humans and parse another way to compilers / interpreters / LLMs. Boucher, Pajola, Brookes, Anderson, Bad Characters: Imperceptible NLP Attacks (IEEE S&P 2022), extends the same family — zero-width insertions, homoglyph swaps, bidi reordering — to NLP systems and shows comparable degradation in sentiment, translation, and toxicity classifiers. The Unicode-tag-block variant against LLM-integrated browsers (the U+E0000–U+E007F carrier that encodes arbitrary ASCII as invisible tag characters) was popularized by Goodside (2024) and is now a standard test case in the indirect-injection benchmarks cited elsewhere on this page.
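The removal set described for unicode-invisibles-strip, written out as an added example (not the extension's own code). The helper names and the plain object standing in for an element's attributes are assumptions made so it runs outside a browser.

```javascript
// Added example, not the extension's source. The character class holds the
// code points the rule description lists for removal; ZWJ, ZWNJ, LRM and RLM
// are absent from the class, so they pass through untouched.
const STRIP_INVISIBLES =
  /[\u{E0000}-\u{E007F}\u202A-\u202E\u2066-\u2069\u200B\u2060-\u2064\uFEFF\u180E]/gu;

// Hypothetical helper: clean one string and report what was removed.
function stripInvisibles(text) {
  const removed = [];
  let tagPayload = "";
  const clean = text.replace(STRIP_INVISIBLES, (ch) => {
    const cp = ch.codePointAt(0);
    removed.push("U+" + cp.toString(16).toUpperCase().padStart(4, "0"));
    // Tag characters U+E0020..U+E007E mirror printable ASCII; decode them so
    // a log entry shows what the invisible run actually said.
    if (cp >= 0xe0020 && cp <= 0xe007e) {
      tagPayload += String.fromCharCode(cp - 0xe0000);
    }
    return "";
  });
  return { clean, removed, tagPayload };
}

// Hypothetical helper: the same pass over every attribute value. A plain
// object stands in for element.attributes.
function stripInvisiblesFromAttributes(attrs) {
  const out = {};
  const findings = [];
  for (const [name, value] of Object.entries(attrs)) {
    const result = stripInvisibles(String(value));
    out[name] = result.clean;
    if (result.removed.length > 0) {
      findings.push({ name, removed: result.removed });
    }
  }
  return { attrs: out, findings };
}

// Constructed sample input: zero-width space, a bidi override pair, and two
// tag characters, plus an emoji ZWJ sequence that must survive.
const sampleText = "In stock\u200B \u202Eonly\u202C today\u{E0068}\u{E0069}";
const sampleAttrs = {
  "aria-label": "Add\u2060 to cart",
  alt: "family \u{1F468}\u200D\u{1F469}",
};

console.log(stripInvisibles(sampleText));
console.log(stripInvisiblesFromAttributes(sampleAttrs));
```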

  • ID: html-comment-strip
  • Default: on

Remove HTML comments from the page. Comments are invisible to humans but readable by agents and can carry prompt-injection payloads. Comments inside <script>/<style>/<noscript> are preserved. Removal is not reversible within the current page load.

Prior art: HTML comments are explicitly enumerated as a non-rendered carrier for indirect prompt injection in Greshake et al. (cited in the section preamble).

  • ID: noscript-strip
  • Default: on

Remove every <noscript> element from the page. A browser-use agent runs in a browser at all precisely because the site requires JavaScript — an operator who could read the same data from the server directly would do that and skip the browser entirely. With JS enabled, <noscript> content is, by definition, never rendered to a human, but the markup still sits in the DOM and is still walked by accessibility-tree and innerText consumers. That makes it a clean carrier for prompt-injection payloads, fabricated authority claims, or fallback chrome the agent may treat as load-bearing. html-comment-strip previously preserved Comment nodes inside <noscript> so that SSR hydration markers and conditional-CSS fragments survived; with this rule on, the surrounding noscript element is removed outright, taking those comments with it.

Prior art: Greshake et al. (cited in the section preamble) enumerates non-rendered DOM regions — HTML comments, hidden text, alt and metadata attributes — as standard carriers for indirect prompt injection; <noscript> is the same class of carrier for the JS-on case. The general “renderer-and-reader disagree on what’s visible” asymmetry is the same one Boucher et al., Bad Characters: Imperceptible NLP Attacks (IEEE S&P 2022), and Liao et al., EIA: Environmental Injection Attack on Generalist Web Agents (ICLR 2025), formalize for zero-width characters and CSS-hidden DOM respectively.

  • ID: meta-injection-strip
  • Default: on

Walk every <meta> element with a content attribute and every <title> element. When the value matches the prompt-injection pattern set (the same regex bundle as prompt-injection-redact), remove the <meta> element outright and blank the <title> text. The rule does not gate on specific name= / property= values — any meta whose content carries instruction-shaped text is removed, covering name="description", name="keywords", property="og:title", property="og:description", name="twitter:title", name="twitter:description", name="twitter:image:alt", and the article:* family. Meta tags without a content attribute are left alone. The rule scans document.head in addition to the engine’s apply root, since meta and title normally live in <head> and SPA frameworks (React 19 native head metadata, react-helmet) mutate <head> on route changes.

Page metadata is invisible to a sighted human (it surfaces in the browser tab, social-share unfurls, and search-result snippets, not in the rendered article body), but agents that summarize a page frequently pull description / og:description / <title> first as a compact “what is this page” answer. A poisoned description reaches the agent without ever appearing in the page content the user reviews.

Prior art: Greshake et al. (cited in the section preamble) enumerates HTML metadata among the non-rendered carriers for indirect prompt injection. The metadata vocabularies themselves are Open Graph (Facebook, 2010 — og:*) and Twitter Cards (Twitter / X — twitter:*); the underlying <meta name="description"> is in the HTML Living Standard.

  • ID: attribute-injection-sanitize
  • Default: on

Walk every element and, for a small allowlist of agent-readable attributes — aria-label, aria-description, alt, title, placeholder, data-tooltip, and value on disabled <input> elements — remove the attribute outright when its value matches the prompt-injection pattern set (the same regex bundle used by prompt-injection-redact). Clean attributes are preserved. Attributes outside the allowlist are not inspected. We remove the whole attribute rather than blank it because an empty aria-label actively hides an element from accessibility-tree consumers, whereas a missing aria-label lets fallback name computation (visible text, alt, associated label) proceed normally.

These attributes are almost never the main visible label sighted users read — they surface in screen readers, hover popups, and empty-state hints. Browser-use agents, on the other hand, read the accessibility tree where they are first-class names and descriptions, so an attribute is a quiet carrier for instruction-shaped text the operator never has to render.

Prior art: Greshake et al. (cited in the section preamble) enumerates HTML attribute values among the non-rendered carriers for indirect prompt injection. Liao et al., EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage (ICLR 2025), demonstrates that web agents act on accessibility-tree content that has no visible counterpart, the exact asymmetry this rule closes. The accessibility-tree threat surface itself is documented by the W3C ARIA specs (Accessible Name and Description Computation 1.2) and by Mozilla’s A11y Tree explainer.

  • ID: json-ld-sanitize
  • Default: on

Walk every <script type="application/ld+json"> block, parse it, recursively replace any string field whose value matches the prompt-injection pattern set (the same regex bundle used by prompt-injection-redact) with an empty string, and re-serialize. Structural fields useful to the agent — price, priceCurrency, availability, sku, identifier, ratingValue, reviewCount, position — are preserved exactly. Malformed JSON-LD is left alone; non-application/ld+json <script> blocks are not touched.

Structured data is invisible to a sighted human reviewing the page but is increasingly cited by browser-use agents as a “trusted summary” of what the page is: schema.org/Product gives them name / brand / SKU / price, schema.org/Article gives them author / publisher / datePublished, and schema.org/Review gives them rating context. A site (or a third-party fragment writing into the page) can poison description, articleBody, name, or author.name without changing what a human sees.

Prior art: JSON-LD is the JSON serialization of the schema.org vocabulary (W3C JSON-LD 1.1 Recommendation, 2020) — the same vocabulary reviews-redact reads to find user-generated reviews. The non-rendered-but-agent-read carrier model comes from Greshake et al. (cited in the section preamble); JSON-LD is the schema.org-shaped instance of that carrier. Liao et al., EIA: Environmental Injection Attack on Generalist Web Agents for Privacy Leakage (ICLR 2025), and Wu et al., WIPI, both demonstrate that web agents read page metadata an end user never sees.
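The parse, walk and re-serialize pass described for json-ld-sanitize, as an added example (not the extension's own code). The pattern set is not published, so a constructed marker stands in for it; the function names and the choice to re-serialize only when something changed are assumptions.

```javascript
// Added example, not the extension's source. The real pattern set is not
// reproduced in the docs; this marker is a constructed stand-in for it.
const PLACEHOLDER_PATTERNS = [/EXAMPLE-INJECTION-MARKER/i];

// Structural keys the rule description says are preserved exactly.
const PRESERVED_KEYS = new Set([
  "price", "priceCurrency", "availability", "sku",
  "identifier", "ratingValue", "reviewCount", "position",
]);

function matchesPatternSet(value) {
  return PLACEHOLDER_PATTERNS.some((re) => re.test(value));
}

// Walk objects and arrays in place. Matching strings become "", and the
// path of every blanked field is recorded for logging.
function scrub(node, path, blanked) {
  const isArray = Array.isArray(node);
  const keys = isArray ? [...node.keys()] : Object.keys(node);
  for (const key of keys) {
    if (!isArray && PRESERVED_KEYS.has(key)) continue; // never rewritten
    const here = isArray ? `${path}[${key}]` : path ? `${path}.${key}` : key;
    const value = node[key];
    if (typeof value === "string") {
      if (matchesPatternSet(value)) {
        node[key] = "";
        blanked.push(here);
      }
    } else if (value !== null && typeof value === "object") {
      scrub(value, here, blanked);
    }
  }
}

// scriptText is the text content of one <script type="application/ld+json">.
function sanitizeJsonLd(scriptText) {
  let data;
  try {
    data = JSON.parse(scriptText);
  } catch {
    return { text: scriptText, blanked: [] }; // malformed JSON-LD: left alone
  }
  const blanked = [];
  if (data !== null && typeof data === "object") scrub(data, "", blanked);
  // Assumption: re-serialize only on change, so clean blocks stay
  // byte-identical (JSON.stringify would otherwise normalize whitespace).
  return { text: blanked.length ? JSON.stringify(data) : scriptText, blanked };
}

// Constructed sample: the marker appears in description, in a nested
// author.name, and inside a preserved key (sku) that must not be touched.
const sampleJsonLd = JSON.stringify({
  "@context": "https://schema.org",
  "@type": "Product",
  name: "Trail Lamp",
  description: "Bright. EXAMPLE-INJECTION-MARKER hidden text here",
  sku: "EXAMPLE-INJECTION-MARKER-001",
  offers: { "@type": "Offer", price: "19.99", priceCurrency: "USD" },
  review: [
    { "@type": "Review", author: { name: "example-injection-marker" },
      reviewBody: "Works fine" },
  ],
});

console.log(sanitizeJsonLd(sampleJsonLd));
```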

  • ID: comments-redact
  • Default: on

Hide user-generated comment threads so agents aren’t exposed to potential prompt injection from commenters. Covers common platforms (Disqus, Facebook) plus Reddit, YouTube, and Hacker News.

Prior art: User-generated text as an injection delivery vector is core to the WIPI threat model (Wu et al., cited in the section preamble).

  • ID: reviews-redact
  • Default: on

Hide user-generated review text so agents aren’t exposed to potential prompt injection from reviewers. Covers schema.org microdata and supported sites (Amazon, Walmart); aggregate star ratings are kept visible.

Detection relies on the schema.org Review microdata vocabulary where sites expose it; user-generated reviews as an indirect-prompt-injection vector are covered by the same WIPI threat model referenced above.

  • ID: social-embed-redact
  • Default: on

Hide embedded social-media widgets (Twitter/X, YouTube, Facebook, Instagram, TikTok, LinkedIn, Reddit, Spotify, SoundCloud). Replaced with a placeholder so the agent knows an embed lived there. Skipped on the embed providers’ own domains, where embeds are the page content.

Prior art: Same indirect-prompt-injection threat model as above; social embeds are a third-party content surface whose text the host page does not control.

  • ID: cross-origin-frame-redact
  • Default: off

Replace every <iframe> whose src resolves to a different web origin with a click-to-reveal placeholder, so a browser-use agent reading the parent page doesn’t ingest the embedded-origin content. Same-origin frames, srcdoc frames, and inert about:/javascript:/data:/blob: frames are left alone. Each frame in the page processes its own direct children, so a cross-origin frame nested inside a same-origin frame is also caught. Off by default because legitimate cross-origin embeds (payment widgets, OAuth pop-ins, video, third-party comments) are common and removing them will break those flows until the user reveals.

Motivated by Roesner & Kohlbrenner, Agentic Browsers and the Same-Origin Policy (ICLR 2026 Workshop), which shows that agents willing to read cross-origin frame content turn the same-origin policy from a hard guarantee into a soft one.
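The keep-or-redact decision described for cross-origin-frame-redact, including the nested case, as an added example (not the extension's own code). The function names, the decision labels and the object tree standing in for real frames are assumptions.

```javascript
// Added example, not the extension's source.
// Schemes the rule description calls inert and leaves alone.
const INERT_SCHEMES = new Set(["about:", "javascript:", "data:", "blob:"]);

// frame: { src?, srcdoc? }; parentHref: URL of the document that holds it.
function frameDecision(frame, parentHref) {
  if (typeof frame.srcdoc === "string") return "keep:srcdoc"; // srcdoc wins over src
  if (!frame.src) return "keep:no-src";
  let url;
  try {
    url = new URL(frame.src, parentHref); // resolves relative and //host forms
  } catch {
    return "keep:unparseable"; // assumption: do not guess at broken URLs
  }
  if (INERT_SCHEMES.has(url.protocol)) return "keep:inert-scheme";
  // Origin is scheme + host + port; URL.origin already drops default ports.
  return url.origin === new URL(parentHref).origin
    ? "keep:same-origin"
    : "redact:cross-origin";
}

// doc: { href, frames: [{ src, srcdoc, doc? }] }. Each document checks only
// its own direct child frames, measured against its own URL, so a
// cross-origin frame nested inside a same-origin frame is still caught.
function collectRedactions(doc, out = []) {
  for (const frame of doc.frames ?? []) {
    const decision = frameDecision(frame, doc.href);
    if (decision === "redact:cross-origin") {
      out.push(new URL(frame.src, doc.href).href);
    } else if (decision === "keep:same-origin" && frame.doc) {
      const childHref = new URL(frame.src, doc.href).href;
      collectRedactions({ href: childHref, frames: frame.doc.frames }, out);
    }
  }
  return out;
}

// Constructed sample page (all hosts are placeholders).
const samplePage = {
  href: "https://shop.example/cart",
  frames: [
    { src: "/recommendations",
      doc: { frames: [{ src: "https://ads.example/slot" }] } },
    { src: "https://shop.example:443/help" },   // default port: same origin
    { src: "http://shop.example/legacy" },      // scheme differs
    { src: "//video.example/embed/1" },         // host differs
    { src: "data:text/html,<p>hi</p>" },        // inert scheme
    { srcdoc: "<p>inline</p>", src: "https://other.example/" },
  ],
};

console.log(collectRedactions(samplePage));
```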

Block manipulative UI patterns that work on humans and can mislead agents the same way. For evidence that current computer-use agents are highly susceptible to these patterns — sometimes more so than humans — see SusBench (Guo et al., 2025) and DECEPTICON (Cuvin et al., 2025).

The pattern taxonomy itself traces to Harry Brignull’s 2010 deceptive.design catalog (originally darkpatterns.org) and the empirical study by Mathur et al., Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites (CSCW 2019), which enumerates Scarcity, Sneaking (sneak-into-basket), Preselection, and Urgency (countdown timers) — the four categories the rules below target. Bösch et al., Tales from the Dark Side: Privacy Dark Strategies and Privacy Dark Patterns (PoPETs 2016), gives the parallel privacy-side taxonomy.

  • ID: countdown-timer-redact
  • Default: on

Hide running countdown timers so agents aren’t pressured by the artificial time-sensitivity dark pattern. Snapshots timer-shaped text and confirms the value decreased after 1.5s; re-scans on subtree mutations to catch lazy-loaded sections.

The snapshot-and-confirm approach follows Mathur et al., Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites (CSCW 2019), who detected countdown timers by capturing DOM mutations over time and comparing successive snapshots to confirm a ticking value.
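The snapshot-and-confirm check described for countdown-timer-redact, as an added example (not the extension's own code). The MM:SS / HH:MM:SS shape, the function names and the Map of element key to text are assumptions.

```javascript
// Added example, not the extension's source.
// Assumed timer shape: MM:SS or HH:MM:SS somewhere in the element's text.
const TIMER_SHAPE = /\b(?:(\d{1,2}):)?([0-5]?\d):([0-5]\d)\b/;

// Returns the timer value in seconds, or null when the text is not
// timer-shaped.
function timerSeconds(text) {
  const m = TIMER_SHAPE.exec(text);
  if (!m) return null;
  const hours = Number(m[1] ?? 0);
  return hours * 3600 + Number(m[2]) * 60 + Number(m[3]);
}

// before/after: Map of element key -> text, captured about 1.5 s apart.
// Only elements whose value went down are confirmed as countdowns, so a
// static "Opens 09:30" or an elapsed-time clock counting up is left alone.
function confirmTicking(before, after) {
  const ticking = [];
  for (const [key, text] of before) {
    const t0 = timerSeconds(text);
    const t1 = after.has(key) ? timerSeconds(after.get(key)) : null;
    if (t0 !== null && t1 !== null && t1 < t0) ticking.push(key);
  }
  return ticking;
}

// In a page, readSnapshot (caller-supplied, hypothetical) would walk the
// candidate elements and return the Map; the delay matches the 1.5 s
// confirmation window in the rule description.
function watchForCountdowns(readSnapshot, delayMs = 1500) {
  const before = readSnapshot();
  return new Promise((resolve) => {
    setTimeout(() => resolve(confirmTicking(before, readSnapshot())), delayMs);
  });
}

// Constructed snapshots of the same four elements.
const snapshotBefore = new Map([
  ["deal", "Ends in 00:10:05"],
  ["hours", "Opens 09:30"],
  ["video", "Elapsed 01:02"],
  ["badge", "Sale"],
]);
const snapshotAfter = new Map([
  ["deal", "Ends in 00:10:03"],
  ["hours", "Opens 09:30"],
  ["video", "Elapsed 01:04"],
  ["badge", "Sale"],
]);

console.log(confirmTicking(snapshotBefore, snapshotAfter));
```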

  • ID: scarcity-redact
  • Default: on

Hide scarcity- and activity-based urgency messages (“Only 3 left”, “Selling fast”, “12 viewing now”) so agents aren’t pressured by manufactured scarcity. Out-of-stock indicators and bestseller badges are kept visible because they convey real purchasability or preference information.

Prior art: Cataloged as Scarcity (low-stock and high-demand subtypes) in Mathur et al. 2019 (cited in the section preamble), which found scarcity claims on roughly a fifth of the 11K shopping sites they crawled.

  • ID: checkout-checkbox-sanitize
  • Default: on

On checkout-like URLs (/cart, /checkout, /basket, /bag, /payment, /order), uncheck every pre-checked checkbox so the agent inherits no silently selected add-ons (insurance, warranty, gift wrap, donations, marketing opt-ins). The agent is then expected to re-check anything it actually wants to opt into, including required agreements. role="checkbox" widgets and radio groups are out of scope.

Prior art: Pre-checked opt-ins are Preselection in Mathur et al. 2019 and Brignull’s deceptive.design catalog (both cited in the section preamble).

  • ID: confirmshame-sanitize
  • Default: on

Rewrite guilt-tripping decline buttons to a neutral No thanks so an agent reading the DOM or accessibility tree isn’t pushed away from the decline option by manipulative copy. Coverage spans monetary confirmshame (“No, I’d rather pay full price”, “I don’t want to save money”, “I hate discounts”), health and safety guilt (“I don’t care about my family’s safety”, “I’m fine being unprotected”), loyalty downgrades (“Downgrade to basic”, “Forfeit my Gold status”), gamified progress loss (“Lose my streak”, “Sacrifice my XP”), imperative self-commands (“Charge me extra”, “Stop helping me save”), sarcastic acceptance (“Whatever, take my money”), and the reverse-positive “Yes, [bad outcome]” framing common on confirmation dialogs (“Yes, skip my savings”, “Confirm: pay full price”).

The underlying control is preserved — only its visible label and any matching aria-label / title are rewritten — so the agent can still click it normally. Plain decline labels like “No thanks”, “Decline”, “Maybe later”, “Skip”, and “Continue as guest” are left untouched.

Prior art: Cataloged as Confirmshaming in Brignull’s deceptive.design and as part of the Misdirection family in Mathur et al. 2019 (both cited in the section preamble).

  • ID: cart-addon-annotate
  • Default: on

On checkout-like URLs, prepend a visible [abs: likely cart add-on] annotation to line items matching common sneak-into-basket patterns (protection plans, extended warranties, AppleCare/SquareTrade/Asurion, insurance, donation/round-up, gift wrap, carbon offset, shipping/package protection, Route, Seel, Navidium, driver tips). The line item is not removed — the agent reads the annotation and decides whether to click the line’s remove control.

Prior art: Brignull’s original 2010 Sneak into Basket pattern, generalized to the Sneaking family in Mathur et al. 2019 (both cited in the section preamble).

  • ID: roach-motel-annotate
  • Default: on
  • Scope: top frame only

On signup, subscription, and checkout pages of sites documented to make cancellation difficult, embed a screen-reader-only landmark carrying a normalized cancellation-difficulty grade (hard, very-hard, impossible), the canonical cancel/delete URL when known, and a short note. Agents reading the accessibility tree see the warning before completing signup; sighted users see nothing.

Two data sources back the rule:

  • A hand-curated list under extension/data/sites/ for FTC-defendant cases (Amazon Prime, Care.com, Match.com, Cleo AI, LA Fitness, Adobe, Vonage) and well-documented cancellation-friction cases (NYTimes, Washington Post, WSJ, Planet Fitness, Equinox), each with its own signup/subscription pathnames. Curated entries take precedence on URL match.
  • A vendored snapshot of JustDeleteMe’s account-deletion directory (MIT License, Robb Lewis & contributors), filtered to entries graded hard or impossible. Used as a fallback when the curated list misses, gated to signup-shaped pathnames (/signup, /subscribe, /join, /membership, /checkout, /plans, /pricing, /billing, /cart, /upgrade, /register). JustDeleteMe attribution is included in the landmark text so the agent can cite the source back to the user. Refresh with bun run fetch-justdeleteme.

Prior art: Brignull’s original 2010 Roach Motel pattern, renamed Hard to cancel in the current deceptive.design taxonomy. Vasudevan et al., Staying at the Roach Motel: Cross-Country Analysis of Manipulative Subscription and Cancellation UXes (CHI 2024), gives the empirical basis: cancellation flows asymmetric to signup flows on a significant share of subscription sites across the US, EU, and UK. The legal “good” standard converges on signup/cancel symmetry — the FTC’s 2024 Click-to-Cancel rule, California AB-2863, and EU Digital Services Act Art. 25.

Remove page chrome that costs tokens without helping the agent complete its task.

Background: Content-vs-boilerplate separation has a long line of prior art, starting with Kohlschütter et al., Boilerplate Detection using Shallow Text Features (WSDM 2010) — the basis for the Boilerpipe library — and Mozilla’s Readability.js, the algorithm behind Firefox Reader View. Several rules below are the agent-facing analogue of those heuristics, targeted at specific chrome categories instead of running a single generic article extractor.

  • ID: footer-redact
  • Default: on

Hide the page footer (legal links, sitemap, social icons, marketing copy) to save tokens. Per-section footers inside articles or asides are left visible.

Prior art: Footers are a canonical boilerplate region in Kohlschütter et al. and are stripped by Readability.js (cited in the section preamble).

  • ID: cookie-banner-hide
  • Default: on
  • Scope: top frame only

Remove GDPR/CCPA cookie consent banners (OneTrust, Cookiebot, TrustArc, Sourcepoint, Quantcast, Osano, Didomi, and generic patterns). These overlays float above the page, so they’re removed entirely rather than replaced with an in-flow placeholder.

Prior art: Aarhus University’s Consent-O-Matic maintains the canonical open ruleset for matching CMPs (Consent Management Platforms) like OneTrust, Cookiebot, and TrustArc — the same CMP coverage this rule targets, though Consent-O-Matic auto-fills banners while this rule removes them outright.

  • ID: chat-widget-hide
  • Default: on
  • Scope: top frame only

Remove live-chat widgets (Intercom, Drift, Zendesk, Crisp, Tawk.to, HubSpot, Olark, LiveChat, Freshchat, Zopim). These bubbles float above the page, so they’re removed entirely rather than replaced with an in-flow placeholder.

Prior art: Same boilerplate-removal lineage as the section preamble; chat bubbles are floating chrome that Readability-style extractors discard.

  • ID: newsletter-modal-hide
  • Default: on
  • Scope: top frame only

Remove interstitial newsletter signup modals that cover the page. Detects fixed-position dialogs containing signup language and an email input. Standard login modals, paywalls, and small toasts are kept visible.

Prior art: Interstitial signup modals are categorized as Nagging in Mathur et al. 2019 (cited in the Dark-pattern section preamble); reader-mode tools like Readability.js routinely strip them as non-article chrome.

  • ID: ads-hide
  • Default: on

Remove display ads and paid/sponsored search results. Well-known surfaces (AdSense, GAM, Outbrain, Taboola, Google/Bing/Amazon sponsored results) are stripped from the DOM so the agent never sees them. ~13k additional ad selectors from EasyList are injected as a display:none stylesheet for broader coverage of third-party ad networks.

Prior art: Selectors come directly from EasyList, the filter list that powers uBlock Origin, Adblock Plus, and most other consumer ad blockers — over a decade of community-maintained ad and tracker selector patterns.

  • ID: svg-sprite-strip
  • Default: on

Remove hidden SVG sprite containers (those holding only <symbol>/<defs> definitions) when none of their symbols are referenced by any <use> element on the page. Referenced sprites are preserved so icons keep working.

Prior art: Dead-code elimination — the bundler optimization of dropping references that no live code reaches — applied to SVG <symbol> definitions at runtime. No direct academic prior art known.

  • ID: irrelevant-sections-redact
  • Default: off
  • Scope: top frame only
  • Availability: requires an OpenAI API key — either bundled at build time via OPENAI_API_KEY, or saved on the extension’s options page. Until a key is configured the rule shows as Unavailable in the popup and options.

Use a small LLM to identify engagement/exploration rails (related products, “you might also like”, recommended articles, trending now, etc.) and replace them with click-to-reveal placeholders. Sends a compressed page tree with stable refs so the LLM can choose the right granularity; interactive elements (search, cart, checkout, login) are labeled as protected. Re-scans on scroll to catch lazy-loaded content.

Prior art: This is an LLM-driven generalization of the boilerplate-detection heuristics in Kohlschütter et al. (cited in the section preamble) and Readability.js. The specific targeting of engagement and recommendation rails aligns with the Nagging/Interface Interference families in Mathur et al. 2019 (cited in the Dark-pattern section preamble).

Inject hints that make pages easier for agents to navigate without changing the human-visible UI.

  • ID: search-url-helper
  • Default: on
  • Scope: top frame only

On covered hosts (Amazon, Best Buy, Etsy, IKEA, Home Depot, REI, GitHub, Wikipedia, Hacker News, MDN, npm, weather.gov, arXiv, Python docs, BBC), embed a screen-reader-only landmark at the top of the page describing how to run searches, filters, sorts, and direct lookups via URL. Lets agents navigate by URL instead of typing into search boxes and clicking facets. No visible affordance — the landmark is preserved by hidden-text-strip via the sr-only class allowlist.

Prior art: Same goal as the llms.txt proposal (Howard, Answer.AI, 2024) — give LLMs a compact, machine-readable hint about how to use a site — but injected client-side as a hidden landmark instead of relying on the site to publish a top-level file. The hidden-but-readable delivery mechanism reuses the long-established sr-only / visually-hidden convention from screen-reader accessibility practice.