Advisory: Data URIs can be used to facilitate Cross-Site Scripting

Severity

High

Description

Data URIs are only supposed to inherit the scripting origin from the site that creates them, such as by including them as the target of a link or an inline frame in the source of the document. Specific sequences of document and data URI loading can cause Opera to forget which document created the data URI, and to allow the data URI document to inherit the scripting origin of a target page instead. The data URI document would then be allowed to interact with the target page, instead of the document that created it, resulting in cross-site scripting (XSS).

Opera's Response

Opera Software has released Opera 12.10, where this issue has been fixed.

Credits

Thanks to multiple users who reported this issue to Opera Software after its details were publicized.

