Cookies can be set for a top-level domain – Opera Security Advisories




Browsers should only allow cookies to be set for the website that created them. In some specific cases, Opera does not apply this restriction correctly, and allows a website to set a cookie for its entire top-level domain (such as .com or A malicious site could then redirect the user to another website in the same top-level domain, causing that site to receive the cookie. In some cases, this may confuse a site’s cookie handling, causing it to mistake that cookie for one of its own, and reusing it for authentication without modification. This could lead to the user’s accounts being compromised on that site.

Opera’s Response

Opera Software has released Opera 12.15, where this issue has been fixed.