00:29:31 RRSAgent has joined #agentic-browsing-sec 00:29:35 logging to https://www.w3.org/2025/11/12-agentic-browsing-sec-irc 00:29:35 RRSAgent, do not leave 00:29:40 RRSAgent, this meeting spans midnight 00:29:40 RRSAgent, make logs public 00:29:42 Meeting: Agentic Browsing and the Web's Security Model 00:29:42 Chair: Johann Hofmann, Chris Fredrickson 00:29:42 Agenda: https://github.com/w3c/tpac2025-breakouts/issues/25 00:29:42 Zakim has joined #agentic-browsing-sec 00:29:43 Zakim, clear agenda 00:29:43 agenda cleared 00:29:44 Zakim, agenda+ Pick a scribe 00:29:45 agendum 1 added 00:29:45 Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy 00:29:45 agendum 2 added 00:29:46 Zakim, agenda+ Goal of this session 00:29:47 agendum 3 added 00:29:47 Zakim, agenda+ Discussion 00:29:47 agendum 4 added 00:29:48 Zakim, agenda+ Next steps / where discussion continues 00:29:49 agendum 5 added 00:29:49 Zakim, agenda+ Adjourn / Use IRC command: Zakim, end meeting 00:29:49 agendum 6 added 00:29:49 breakout-bot has left #agentic-browsing-sec 00:31:49 johannhof has joined #agentic-browsing-sec 00:31:53 present+ 00:31:58 q? 00:32:02 q+ 00:32:05 ack johannhof 00:32:42 christianliebel has joined #agentic-browsing-sec 00:39:59 smcgruer_[EST] has joined #agentic-browsing-sec 00:41:30 lilin has joined #agentic-browsing-sec 00:42:04 ktoumura has joined #agentic-browsing-sec 00:42:26 AramZS has joined #agentic-browsing-sec 00:43:14 cfredric has joined #agentic-browsing-sec 00:47:10 tantek-projector has joined #agentic-browsing-sec 00:54:09 benvds has joined #agentic-browsing-sec 00:56:12 gendler has joined #agentic-browsing-sec 00:56:27 johannhof has joined #agentic-browsing-sec 00:57:24 ErikAnderson has joined #agentic-browsing-sec 00:58:49 camille has joined #agentic-browsing-sec 00:58:54 schenney has joined #agentic-browsing-sec 00:59:01 ohmata has joined #agentic-browsing-sec 00:59:43 cfredric has joined #agentic-browsing-sec 01:00:17 present+ 01:00:37 q? 01:00:44 present+ 01:00:58 present+ 01:01:02 present+ 01:01:09 present+ 01:01:26 krgovind has joined #agentic-browsing-sec 01:01:26 lei_zhao has joined #agentic-browsing-sec 01:01:29 scheib has joined #agentic-browsing-sec 01:01:34 scribenick: cfredric 01:01:42 AramZS has joined #agentic-browsing-sec 01:01:51 kbabbitt has joined #agentic-browsing-sec 01:02:03 benvds6 has joined #agentic-browsing-sec 01:02:05 [Introduction: will go through slides, then have a discussion] 01:02:08 kush has joined #agentic-browsing-sec 01:02:20 is there a link to the slides? 01:02:39 Haruki has joined #agentic-browsing-sec 01:02:43 Slides: https://docs.google.com/presentation/d/1JvAw5x6y1GBNQeR5NYrzN01o0txmuCG-LbmeY-5Cqjc/edit?usp=sharing 01:02:56 hadleybeeman has joined #agentic-browsing-sec 01:03:17 igrigorik has joined #agentic-browsing-sec 01:03:24 mt_hates_irc has joined #agentic-browsing-sec 01:03:25 bvandersloot has joined #agentic-browsing-sec 01:03:29 present+ 01:03:43 vasilii has joined #agentic-browsing-sec 01:03:46 present+ 01:03:46 present= 01:03:48 present+ 01:03:51 Mark_Foltz has joined #agentic-browsing-sec 01:03:52 present+ 01:03:52 present+ 01:03:57 lionel has joined #agentic-browsing-sec 01:03:57 present+ 01:03:58 present+ 01:04:02 DP has joined #agentic-browsing-sec 01:04:03 dwaite has joined #agentic-browsing-sec 01:04:11 tomayac has joined #agentic-browsing-sec 01:04:16 ekinnear has joined #agentic-browsing-sec 01:04:20 Present+ Thomas_Steiner 01:04:20 hsano has joined #agentic-browsing-sec 01:04:21 mtavenrath has joined #agentic-browsing-sec 01:04:22 dveditz has joined #agentic-browsing-sec 01:04:23 yigu has joined #agentic-browsing-sec 01:04:24 antosart has joined #agentic-browsing-sec 01:04:26 alexmt has joined #agentic-browsing-sec 01:04:26 KevinDean has joined #agentic-browsing-sec 01:04:31 alanbuxey7 has joined #agentic-browsing-sec 01:04:32 nidhi has joined #agentic-browsing-sec 01:04:33 present+ 01:04:44 aaj has joined #agentic-browsing-sec 01:04:45 present+ 01:04:50 Nick has joined #agentic-browsing-sec 01:04:52 wseltzer has joined #agentic-browsing-sec 01:04:55 jan has joined #agentic-browsing-sec 01:05:10 Siyaman has joined #agentic-browsing-sec 01:05:15 Penny has joined #agentic-browsing-sec 01:05:17 present+ 01:05:20 Jem has joined #agentic-browsing-sec 01:05:21 present+ 01:05:21 present+ 01:05:22 whsieh has joined #agentic-browsing-sec 01:05:26 Shuji has joined #agentic-browsing-sec 01:05:30 present+ 01:05:41 EmLauber has joined #agentic-browsing-sec 01:05:42 GabrielBrito has joined #agentic-browsing-sec 01:05:45 cpn has joined #agentic-browsing-sec 01:05:47 ErikAnderson has joined #agentic-browsing-sec 01:05:50 present+ 01:05:55 philippp has joined #agentic-browsing-sec 01:05:57 present+ 01:06:00 Tatsuya has joined #agentic-browsing-sec 01:06:13 hayato has joined #agentic-browsing-sec 01:06:18 dschinazi5 has joined #agentic-browsing-sec 01:06:22 present+ Emily Lauber 01:06:32 dschinazi has joined #agentic-browsing-sec 01:06:36 LeoLee has joined #agentic-browsing-sec 01:06:40 dschinazi5 has left #agentic-browsing-sec 01:07:12 Slides: https://docs.google.com/presentation/d/1JvAw5x6y1GBNQeR5NYrzN01o0txmuCG-LbmeY-5Cqjc/edit?usp=sharing 01:07:12 nournabil has joined #agentic-browsing-sec 01:07:15 access to private data is not right. it's access to capabilities, which includes access to private data 01:07:42 present+ 01:07:42 plh has joined #agentic-browsing-sec 01:07:47 Roy_Ruoxi has joined #agentic-browsing-sec 01:07:52 zcorpan has joined #agentic-browsing-sec 01:08:11 goto has joined #agentic-browsing-sec 01:08:14 +1: the "change state" alone is roughly requivalent to CSRF changing your router settings -- they don't need any response, or your data 01:08:47 sorry, the "change state" plus the untrusted content circle with the prompt injection, of course 01:09:02 I think we've generally defined it as access to private data or ability to trigger actions on behalf of the user 01:09:21 humans being in the loop means that setting .textContent is not completely safe in all cases 01:09:28 which seems relatively similar to capabilities, I would be curious if there's a non-trivial delta between the definitions though 01:10:03 Victor8 has joined #agentic-browsing-sec 01:10:13 Present+ Victor Huang 01:11:17 present+ 01:11:53 present+ 01:14:24 wseltzer has joined #agentic-browsing-sec 01:14:39 present+ Alan Buxey 01:14:44 Related reference on the lethal trifecta - https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/ 01:15:49 q? 01:16:49 antosart has joined #agentic-browsing-sec 01:17:01 present+ Victor Huang 01:17:37 reillyg has joined #agentic-browsing-sec 01:17:51 Nick has left #agentic-browsing-sec 01:18:15 nwatson has joined #agentic-browsing-sec 01:18:40 That's a useful article krgovind. Not an encouraging conclusion though. 01:18:49 jan has joined #agentic-browsing-sec 01:21:50 Penny has joined #agentic-browsing-sec 01:22:29 I find the "model-level defenses are unlikely to be robust enough" conclusion to be quite encouraging, because it points us in the direction of more deterministic, traditional-ish controls 01:23:03 what was frustrating is the idea of a never-ending model-level arms race that defenders would likely never win 01:23:33 dwaite has joined #agentic-browsing-sec 01:23:51 https://github.com/webmachinelearning/webmcp 01:23:53 present+ 01:24:50 how do you avoid small misalignments? I get that this works for gross misalignment, but I'm not convinced that these are effective. For example, in the "buy a wotsit" case, you might have price guardrails. What stops a site from using prompt injection to push someone to a product choice that has a modestly inflated price? 01:26:29 Em has joined #agentic-browsing-sec 01:27:03 q+ 01:27:07 q? 01:28:22 that's an excellent question! definitely beyond the scope of an IRC message, but my hunch is that if we have a deterministic "outer envelope" (e.g. sets of sites that an agent can actuate on for a given prompt, other protections such as e.g. controlling whether an agent should be able to paste data / use form/password/CC autofill on which sites, 01:28:22 etc.) then we'll already lop off a major chunk of the attack surface. Then the question is how we design an "inner envelope" for actions that are still allowed - maybe there model-level defenses are sufficient in some substantial fraction of cases. 01:28:23 [Begin discussion] 01:28:24 I can't imagine how a website might abuse a control that triggered the invocation of user prompting. 01:28:35 q? 01:28:41 q+ 01:29:19 Johann: How can we work together to rise to this challenge, and not silo each effort? 01:29:25 q? 01:29:31 but I think it would be great to figure out non-model-level defenses within the inner envelope as well (e.g. direct hooks between the agent and websites) 01:29:38 bvandersloot has joined #agentic-browsing-sec 01:29:41 ack Victor 01:29:48 devlin has joined #agentic-browsing-sec 01:30:04 masonf has joined #agentic-browsing-sec 01:30:21 Great talk. I see this as how we have x-origin embedder policies that give websites some control. If we can push web standards forward on this, this will help. There is work for us to do as a standards community. 2 Things to propose. 01:30:33 present+ 01:30:59 Ugur has joined #agentic-browsing-sec 01:31:09 q? 01:31:49 s/Great talk./Victor: Great talk./ 01:32:06 .... First, is there any assumption on how agents are going to be consuming information? One thing we're thinking about is how to track where the information has come from. E.g. if information has come from reddit.com, other sites can allow or disallow information from reddit.com to be used on their site. 01:32:09 aaj, you have to keep in mind that all the same attacks that work on humans are in play here. Convincing a human to spend more money than necessary on a product is something that some entities specialize in. It's called Marketing. Agents seem to be especially vulnerable to that. Particularly since agents are uniform. For humans, there are 01:32:09 transferable techniques, but everyone has their own biases and defenses, so marketing isn't always uniformly effective. Against an agent, you might imagine that a single effective attack would be extraordinarily effective. Nothing to do with "envelopes" can address that sort of thing. 01:32:30 yoav has joined #agentic-browsing-sec 01:33:07 ... Second: We don't even want agents to ingest this content. Have to think of agents on web as separate entities, browser can enforce policies upon the agent re: what it can see. Question for the general web: how opinionated do we want to be? 01:33:08 q? 01:33:28 mt_hates_irc agreed, I just consider this to be a different problem. An online merchant that can convince your agent to buy a more expensive sweater seems less scary than an online merchant (or random user-supplied comment on the merchant site) being able to read your email. 01:34:00 Johann: agree, it's very early and I think we don't want to over-dictate a direction right now. re: first point, like the idea of tracking context, might go in the reverse, e.g. "my context should not leak to ". 01:34:07 q? 01:34:23 ack AramZS 01:34:24 ack AramZS 01:34:24 jan has joined #agentic-browsing-sec 01:34:25 johannhof has joined #agentic-browsing-sec 01:34:59 hagio has joined #agentic-browsing-sec 01:35:01 AramZS: as a dev, idea 2 sounds like a good idea, but for a dev for a publisher that doesn't want to be crawled, want to mark all content as untrusted and all ads as trusted. 01:35:16 aaj, it's a specialized instance of a problem that can be generalized. Anything that is plausibly within the envelope is available. But how do you define the sandbox? 01:35:23 ... Doesn't seem to be a way around that. Incentives don't align. 01:35:27 q? 01:35:35 q? 01:35:39 q+ 01:35:46 +1 aram 01:36:39 q+ 01:36:40 wanderview has joined #agentic-browsing-sec 01:36:49 q? 01:37:06 ling has joined #agentic-browsing-sec 01:37:09 lflores has joined #agentic-browsing-sec 01:37:23 John Wilander: 3 points: Browsers are used today with a visual interface. We're rendering webpages and that becomes the interface for agents, but maybe we need a separate interface for agents. Have the data carry some context, e.g. this data is part of a particular security context. A headless browser comes to mind. 01:37:26 EmLauber has joined #agentic-browsing-sec 01:37:27 q+ 01:37:42 Jxck has joined #agentic-browsing-sec 01:37:56 doniv has joined #agentic-browsing-sec 01:37:58 dbaron has joined #agentic-browsing-sec 01:37:59 ... Second: discoverability of these interfaces. PSL comes to mind, search index too. Wondering if discoverability mechanism could be standardized. 01:38:03 +1 on discoverability 01:38:04 q+ 01:38:04 q? 01:38:10 ack tomayac 01:38:17 q+ 01:38:25 ... 3: talking about roles, we used to have "user agent" and now we have a third agent. 01:38:49 q+ 01:39:07 I dunno, like thinking about an evil browser, I'm not sure we can engineer things that protect against an evil agent *in this context* at least. 01:39:08 tomayac: Might be advantageous for agents to ignore hints on the page. 01:39:29 q+ (on behalf of Nick) 01:39:38 q+ Nick 01:39:59 ningxin has joined #agentic-browsing-sec 01:40:05 ... E.g. for an accessibility agent, might be necessary to ignore "sensitive data" annotations in order to accomplish the user's task. 01:40:13 mnot has joined #agentic-browsing-sec 01:40:20 ack bvandersloot 01:40:55 q+ (Sam) 01:40:57 I also feel kinda the same way. IRL, how would you feel comfortable delegating the decision-making process to an untrusted individual? It feels like much of the issues discussed here should be dealt with by engineering better behaved agents. 01:41:10 q- (Sam) 01:41:14 wseltzer has joined #agentic-browsing-sec 01:41:43 We trust browsers to act upon our behalf, but they're deterministic (so long as the vendor doesn't update it against our interest in the background). Agents are a different thing. 01:41:44 ack 01:41:48 Roger has joined #agentic-browsing-sec 01:41:49 q+ 01:41:50 ack mt_hates_irc 01:41:50 bvandersloot: Very related to previous breakout. (Scribe missed first point). Second: is this the user agent trying to defend the user from their browser? Seems silly, we should decide the threat model and maybe get to a CSP structure where we have a cooperative environment. 01:41:52 Itoe has joined #agentic-browsing-sec 01:41:53 q+ 01:42:15 LeoLee has joined #agentic-browsing-sec 01:42:20 Natalia has joined #agentic-browsing-sec 01:42:22 q+ 01:43:42 q+ 01:44:06 q+ 01:44:06 mt_hates_irc: Cooperative side does offer opportuntities, but there are downsides. If there's a signal that says "please invoke a user", bad outcome. On guardrails, supervisory agent doesn't necessarily help. Have to set the bounds such that bad things don't happen (e.g. for payments), but whatever bounds you describe, there will be things in that 01:44:06 space that are outside the user's goals. E.g., want to buy something, set bounds on the price. Agent is vulnerable to marketing, and might be convinced to spend more than necessary. 01:44:11 q+ 01:44:14 s/space that are/... space that are 01:44:44 zakim, close the queue 01:44:44 ok, smcgruer_[EST], the speaker queue is closed 01:44:49 ... Marketing works on humans in different ways. But with a shared agent, one vuln turns into a business opportunity that is completely within the bounds of the sandbox. 01:45:06 smcgruer_[EST]: does that syntax work without the ending slash? 01:45:13 +1 to mt_hates_irc. The problem space here reminds me a lot of human-targeted phishing and I wonder if there's room for cross pollination of ideas on how to defend against those. 01:45:20 ack Victor 01:45:20 Johann: agree, this is why we can't have nice things. This is something we have to balance. 01:45:28 alexmt has joined #agentic-browsing-sec 01:45:31 chunming has joined #agentic-browsing-sec 01:45:35 imo confirmation fatigue is the single biggest problem for hitl 01:45:37 kush has joined #agentic-browsing-sec 01:45:43 q? 01:45:46 q- 01:46:10 Victor8: Concern about agents and user agents merging together. I propose that we view them separately, that way the browser can enforce things on the agent. Could be a good way to enforce deterministic things on a nondeterministic system. 01:46:13 ack alanbuxey 01:46:20 👍 01:46:42 EmLauber has joined #agentic-browsing-sec 01:47:04 ack wanderview 01:47:21 Even things like drawing a line around "Ads" becomes tricky. If I'm asking an agent to put together a travel itinerary for me, I might want it to pay attention to the ad about a discounted flight but not the ad about "alert your system contains a virus" 01:47:22 alanbuxey7: It may frustrate the user if they can see something but the agent can't, and is therefore unable to help. Wondering whether or not we'll have ai-agent as an entity. Also, agent can just click "yes" when sites ask for confirmation. 01:47:30 chikamune has joined #agentic-browsing-sec 01:47:36 q? 01:47:56 Never mind the kids. What about my aging parents?! 01:48:09 With devices becoming more powerful, are there upsides for on-device llms becoming an actual agents that behave to beenfit the user instead of to benefit the corporation that controlls the llm. Having that this approach doesn't help with marketing and manipulation, but at least gives users to have in control of behavior of their own agents. Just brainstorming. 01:48:18 kleber has joined #agentic-browsing-sec 01:48:20 wanderview: is there a difference between unsophisicated agents and e.g. children? Could be solutions that help unsophisticated users be safer on the internet. There are a lot of users that struggle on the internet, it would be nice if it became safer for them. 01:48:32 q? 01:48:41 s/to have in control/to be in control/ 01:48:46 q+ 01:49:16 Penny has joined #agentic-browsing-sec 01:49:38 samschlesinger has joined #agentic-browsing-sec 01:49:41 ... Understand that putting something like a red box around sensitive content is spoofable, etc. 01:49:46 the site is the adversary 01:49:56 ack Nick 01:50:00 johannhof: this is why sites have "you're leaving our site ... popups" 01:50:15 could say a loooot about those 'you're leaving our site' prompts, very little of it good. 01:50:19 Somewhat disagreeing with the notion that flagging dangerous content isn't a good direction. An attacker has an incentive to identify sensitive / powerful content and tools available to do it -- they will find it, and they don't have to find it all. Defenders need to defend every bit of sensitive content to be effective -- it just takes one. 01:50:23 kbabbitt has joined #agentic-browsing-sec 01:50:56 (the AIs want to join the conversation) 01:51:10 too many negatives there mnot, try again? 01:52:00 q? 01:52:12 magic computer protocol will solve all the problems, obviously 01:52:28 magic computer protocol is the best 01:52:39 Sounds to me like we need a id/superego/ego partitioning of responsibilities — a second agent whose job is user protection, to counterbalance the pleasure-seeking behavior of the current breed of agent 01:52:41 MT: to succeed, an attacker only has to identify _some_ sensitive content -- they will be able to do so without hints. Defenders need more certainty; it only takes one. Hints help defenders meet their goals more than attackers. 01:52:45 Nick: I work on MCP, surprised we're not talking about it more here. Thinking about MCP being used for web, we really want one way for agents to access page in an untrusted context, then have a way for agents to get access to e.g. user credentials. I see MCP as a way to say, give me an MCP server so I can retrieve tools that I can use, then go 01:52:45 through an authentication flow. That could help defend against prompt injection. Best we can do now is prevent agents from receiving context that we don't want it to have, and use existing tools in the browser. 01:53:03 s/through an authentication/... through an authentication 01:53:07 q? 01:53:10 We need good cop / bad cop agents :) 01:53:26 One thought is that is perhaps a vaguely relevant precedent in this space. 01:53:27 left shoulder, right shoulder agents 01:53:43 hsano9 has joined #agentic-browsing-sec 01:53:48 mnot: but the browser has no way to tell when a legit site is offering legit hints and when it's an illegitimate site offering malicious hints. 01:53:54 q? 01:54:08 depends on the task and capabilities for when that matters 01:54:11 maybe we can build a "seems legit" agent 01:54:18 dveditz: it depends on the nature of the hints. If they're steering agents away that's not an issue 01:54:46 mt_hates_irc Classifiers + model-alignment defenses are pretty much "seems legit" agents :) 01:55:01 q? 01:55:01 it matters if the site is steering the agent away from accessing the very information the user wanted -- then it's more or less DRM 01:55:08 It has the vibe of a user agent 01:55:20 ... Seeing today: headless browsers were mentioned. Some of them ask users to add their master password in a config file for the agent to use. Would prefer to use a solution that uses MCP directly. MCP has things that allow credentials to be securely provided without the agent getting involved. 01:55:22 ack AramZS 01:55:47 dveditz: that's a _bit_ of a leap 01:56:21 I feel like tagging of sensetive content needs to work hand in hand with actually redacting the content so that it is not visible / discoverable by an agent 01:56:23 ack wseltzer 01:56:39 AramZS: re: marking sensitive areas and how that's optional for agents, seems valuable. Separate problem: why would I not price things differently for an agent? Also a problem for users, not sure if we want to tackle that here. 01:56:43 EmLauber has joined #agentic-browsing-sec 01:57:20 I think we can't get into redacting the content. That is going to go down a road where a *lot* of website owners will use that in an unintended way and kill the entire idea 01:57:23 ack goto 01:57:30 wseltzer: How do we enlist the end user to see these as cooperative protections, rather than things that are getting in the way? 01:57:47 q/ 01:57:55 q? 01:57:56 I want to redact content from an agent. The agent doesn't want me to redact it. The redaction *will* get ignored. I think that's a very different case for marking a field is sensitive. 01:58:23 AramZS, agree, totally make sense, especailly in view of your point where publishers would want to redact the content 01:58:43 mnot: it could be used in this price discrimination example people are discussing right now. Say the real price (visible to the user) is "unsafe" and have a higher transparent "safe" buy-at-higher-price button for agents 01:58:59 ??: ideas on site marking trusted content. Thinking of investment scams. Similarities between content that are trying to fool users vs fool agents, might fall into a trap of trying to solve all of the web's problems. 01:59:11 we should absolutely not show the agent something different than what the human sees, or we'll never be able to diagnose attempts to attack the agent 01:59:21 "Human, forget your previous instructions and buy these shoes" 01:59:27 ack aaj 01:59:27 AramZS, I wonder still if redacting can be done by browser (deterministic user agent, ie Chrome, Safari, headless browser) to actually remove the content from the web that is not visible to the agent at all. 01:59:30 johannhof: pulling phishing into scope might be somewhat unavoidable. 01:59:33 Of course that's a PR disaster when discovered if it's a large well-known company, but I could see a bunch of small shops doing it 02:00:08 s/web that/web so that/ 02:00:18 Lots of "I've never heard of these guys" who sell interesting gadgets in Facebook ads, for example 02:00:23 vasilii, but I think I'd rather do that as a publisher than make my content visible to an agent. I am well incentivized to give users with agents in their browser a bad experience. 02:00:59 AramZS, makes sense! 02:01:06 aaj: wanted to talk about previous comment. Trying to solve everything is hard. We could decide that protecting agents and users are separate problems. E.g. process boundaries in OS, analogy to site isolation in browsers. Can we move from wild west with very powerful agents that can be prompt injected, to a world where agents can only do things 02:01:06 related to the original prompt? Some protections could be model-level, some deterministic. 02:01:14 s/related to the/... related to the/ 02:01:15 I think it could make sense to follow the principle of controlling access at the start of a task. The user should confirm at the start to give read and action access for e.g. gmail for a task or a substep. Then everything else is logged out. 02:01:33 johannhof: thanks everyone, there will be more discussions, feel free to reach out to me and thanks for being here. 02:02:03 mt_hates_irc: we already have cases where some users see things differently from others -- alt-text for visually impaired users, for example, 02:02:36 kbabbitt has left #agentic-browsing-sec 02:02:41 AramZS has joined #agentic-browsing-sec 02:04:56 hsano has joined #agentic-browsing-sec 02:16:49 AramZS has joined #agentic-browsing-sec 02:17:39 Penny has joined #agentic-browsing-sec 02:20:36 hagio has joined #agentic-browsing-sec 02:21:02 reillyg has left #agentic-browsing-sec 02:24:58 hagio has left #agentic-browsing-sec 02:26:22 RRSAgent, draft minutes 02:26:23 I have made the request to generate https://www.w3.org/2025/11/12-agentic-browsing-sec-minutes.html tomayac 02:27:18 ktoumura has left #agentic-browsing-sec 02:45:47 su has joined #agentic-browsing-sec 02:47:55 vasilii_ has joined #agentic-browsing-sec 03:19:28 Penny has joined #agentic-browsing-sec 04:19:23 AramZS has joined #agentic-browsing-sec 04:42:36 vasilii_ has joined #agentic-browsing-sec 05:41:23 AramZS has joined #agentic-browsing-sec 05:41:27 vasilii_ has joined #agentic-browsing-sec 05:46:28 vasilii_ has joined #agentic-browsing-sec 06:23:11 shisama has joined #agentic-browsing-sec 06:44:47 vasilii has joined #agentic-browsing-sec 06:48:36 tantek-projector has left #agentic-browsing-sec 07:00:45 Penny has joined #agentic-browsing-sec 07:03:08 AramZS has joined #agentic-browsing-sec 07:17:48 vasilii has joined #agentic-browsing-sec 07:19:00 AramZS has joined #agentic-browsing-sec 07:47:12 vasilii_ has joined #agentic-browsing-sec 08:10:13 AramZS has joined #agentic-browsing-sec 08:37:10 AramZS has joined #agentic-browsing-sec 13:37:20 tidoust has joined #agentic-browsing-sec 13:37:24 RRSAgent, bye 13:37:24 I see no action items