Malicious setRequestHeader cross-site vulnerability – Opera Security Advisories



A malicious setRequestHeader can be used to stealuser credentials and inject cross-site JavaScript.


Severity: high


Opera’s response


Since version 8.02 of Opera, double newlinesor a single newline not followed by a space areremoved. Users with a version older than 8.02should upgrade to the most recent version ofOpera.




Thanks to Yutaka OIWA for reporting this issue.