Cross-domain checks may be bypassed, allowing limited data theft using CSS – Opera Security Advisories




CSS can be loaded cross-domain. In some cases, files that do not contain CSS may be partially interpreted as CSS. It is possible to make Opera incorrectly treat remote CSS files as if they were CSS files from the document-origin server. Scripts can then read the interpreted parts of a remote file, leading to the possibility of cross-domain data theft.
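
The kind of cross-domain decision described above can be modelled as follows. This is an added example, not Opera's code and not part of the advisory. The hostnames, the function names `isCssMime` and `stylesheetPolicy`, and the rule that a cross-origin response is parsed as CSS only when served as `text/css` are assumptions chosen for illustration.

```javascript
// Added illustration, not Opera's code. Assumed policy being modelled:
//   1. a stylesheet may be loaded from any origin;
//   2. a cross-origin response is parsed as CSS only when served as text/css;
//   3. parsed rules are exposed to script only when the sheet is same-origin.

// True when the Content-Type essence is text/css (parameters ignored).
function isCssMime(contentType) {
  if (typeof contentType !== "string") return false;
  return contentType.split(";")[0].trim().toLowerCase() === "text/css";
}

// Decide how a document may use a stylesheet response.
// sheetUrl may be relative; it is resolved against documentUrl.
function stylesheetPolicy(documentUrl, sheetUrl, contentType) {
  const docOrigin = new URL(documentUrl).origin;
  const sheetOrigin = new URL(sheetUrl, documentUrl).origin;
  // URL.origin normalises default ports; opaque origins serialise as "null"
  // and must never compare equal to anything.
  const sameOrigin = docOrigin !== "null" && docOrigin === sheetOrigin;
  const parseAsCss = sameOrigin || isCssMime(contentType);
  return { sameOrigin, parseAsCss, scriptReadable: sameOrigin && parseAsCss };
}

// Constructed sample requests (hypothetical hosts).
const DOC = "https://app.example/account";
const samples = [
  ["/static/site.css", "text/css"],
  ["https://cdn.example/theme.css", "text/css; charset=utf-8"],
  ["https://mail.example/inbox", "text/html"],
  ["http://app.example/static/site.css", "text/css"],
];
for (const [url, type] of samples) {
  console.log(url, type, JSON.stringify(stylesheetPolicy(DOC, url, type)));
}
```

Only the first sample is readable by script; the cross-origin sheets are either applied without exposing their rules or, for the `text/html` response, not parsed as CSS at all.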

Opera’s response

Opera Software has released Opera 10.63, where this issue has been fixed.


Thanks to Isaac Dawson for reporting this issue to Opera Software.