
Pages can set cookies and communicate cross-site for some top level domains

Severity

Moderate

Description

Two-letter top level domains (such as .no and .uk), and some three-letter top level domains, do not follow fixed patterns for what should be considered the site's own base domain. Some require at least two dot (".") characters, while others require only one. Sites should only be allowed to set cookies for their own base domain name, and should only be allowed to share a scripting context with their own subdomains.

Due to a mistake in determining how many dot characters are needed for each top level domain, Opera does not apply this rule correctly for some top level domains. It may allow cookies to be set for the top level domain itself, so that all sites in that top level domain can read them. Similarly, it allows sites to set their scripting context to the top level domain, so that they can communicate with other sites that have set their scripting context to the top level domain.
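The following is an added illustration, not Opera's code: it performs the base-domain check described above against a suffix table and contrasts it with a dot-count rule. The suffix table is a small constructed sample, and all function names are hypothetical.

```javascript
// Constructed sample of registry suffixes; a real implementation would use
// a complete, maintained suffix list instead of this short table.
const SAMPLE_SUFFIXES = new Set(["com", "no", "uk", "co.uk", "org.uk"]);

// Return the longest suffix from the table that `host` ends with, or null.
function registrySuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SAMPLE_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// Base domain = registry suffix plus one more label (e.g. example.co.uk).
function baseDomain(host) {
  const suffix = registrySuffix(host);
  if (suffix === null) return null;
  const labels = host.toLowerCase().split(".");
  const suffixLen = suffix.split(".").length;
  if (labels.length <= suffixLen) return null; // host is itself a suffix
  return labels.slice(-(suffixLen + 1)).join(".");
}

// May `host` scope a cookie (or its scripting context) to `requested`?
function mayScopeTo(host, requested) {
  const h = host.toLowerCase();
  const d = requested.toLowerCase().replace(/^\./, "");
  const base = baseDomain(h);
  if (base === null) return false;
  // The requested domain must be the host itself or a parent of it ...
  const coversHost = h === d || h.endsWith("." + d);
  // ... and must not be wider than the host's own base domain.
  const withinBase = d === base || d.endsWith("." + base);
  return coversHost && withinBase;
}

// Dot-count rule for contrast: accept any domain with at least `minDots`
// dots. If the count chosen for a top level domain is too low, a registry
// suffix such as co.uk passes.
function dotCountAllows(requested, minDots) {
  const d = requested.replace(/^\./, "");
  return d.split(".").length - 1 >= minDots;
}
```

With the wrong count for a top level domain, `dotCountAllows("co.uk", 1)` accepts a registry suffix that `mayScopeTo` rejects for every host under it.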

Opera's Response

Opera Software has released Opera 11.60, where this issue has been fixed.

Credits

Thanks to Opera users who have noticed and reported this issue to Opera Software.

