Search the knowledge base

JavaScript "in" operator allows leakage of cross-domain information




Scripts running on a given web site are not allowed to see the contents of variables on other sites, and should not be able to check for their existence. This policy was not correctly implemented for the "in" operator, allowing web sites to check for the existence of variables on sites from other domains. Their contents could not be read, but their existence may reveal limited information such as logged-in state.

Opera's Response

Opera Software has released Opera 11.60, where this issue has been fixed.


Thanks to David Bloom for reporting this issue to Opera Software.

Browse through articles in the same categories: advisory


Opera Help

Need help? Hit F1 anytime while using Opera to access our online help files, or go here.