Cross-domain JSON resources may be exposed as JavaScript variable data – Opera Security Advisories
Sites sometimes export JSON strings as resources that cannot be read cross-domain and that may contain confidential data. The JSON format is such that, when the resource is included as an ordinary script, its contents cannot be captured as the value of a variable. In some cases Opera does not enforce this restriction correctly: a page can load a cross-domain JSON resource and read some of its contents as JavaScript variables, exposing the data the JSON contains.
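As an added, defender-side illustration (not Opera's code and not part of this advisory), the server/client pattern sites use so that a JSON resource stays useless even if a browser mistakenly evaluates it as a script: an unparseable prefix added on the server, stripped by the same-origin client, plus a self-check that the body is rejected by the script parser. The helper names and the sample record are assumptions.

```javascript
// Defence-in-depth for JSON resources that must stay unreadable cross-domain.
// Helper names below are assumed for this example, not taken from the advisory.
const ANTI_SCRIPT_PREFIX = ")]}',\n"; // unbalanced ')' makes the body a SyntaxError as a script

// Server side: serialise the object and prepend the prefix so that, should a
// browser ever evaluate the response as a <script>, parsing fails before any
// value could be bound to a variable.
function protectJson(value) {
  return ANTI_SCRIPT_PREFIX + JSON.stringify(value);
}

// Client side (same-origin fetch/XHR): require the prefix, strip it, then parse.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_SCRIPT_PREFIX)) {
    throw new Error("response is missing the anti-script prefix");
  }
  return JSON.parse(body.slice(ANTI_SCRIPT_PREFIX.length));
}

// Self-check for a test suite: true when the body cannot even be parsed as a
// script, which is the property the advisory says the browser must preserve.
// new Function() only parses the text here; the body is never executed.
function rejectedAsScript(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample record standing in for confidential per-user data.
const sample = { user: "alice", sessionToken: "constructed-example-token" };
const wire = protectJson(sample);
```

Note that a bare object literal already fails to parse as a script, while a bare array literal does not; the prefix makes the property hold regardless of the JSON's top-level type.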

Opera’s Response

Opera Software has released Opera 12 and Opera 11.65, where this issue has been fixed.