The Content dialog box supports the following user preferences:

Optional:

• Manage Site Preferences
• Blocked Content

Enabled by default:

• Enable animated images
• Enable sound in web pages
• Enable JavaScript
• Enable Java
• Enable plug-ins

JavaScript options

• Optional:
  • Allow raising of windows
  • Allow lowering of windows
  • Allow script to receive right clicks
  • Open console on error
  • User JavaScript files
• Enabled by default:
  • Allow resizing of windows
  • Allow moving of windows
  • Allow changing of status field
  • Allow script to hide address bar

The Cookies dialog box supports the following user preferences:

Optional:

• Accept cookies only from the site I visit
• Never accept cookies
• Delete new cookies when exiting Opera
• Ask me before accepting cookies
• Manage cookies

Enabled by default:

• Accept cookies

The Delete Private Data dialog box is located at Tools > Delete Private Data and contains check boxes allowing a user to control the exposure of personal information. Default settings may be accepted or changed based on preference, before the user-initated delete of personal information takes place.

The Delete Private Data dialog box supports the following user preferences:

Optional:

• Clear all e-mail account passwords
• Clear all Wand passwords

Enabled by default:

• Delete temporary cookies
• Delete all cookies
• Delete password-protected pages and data
• Delete entire cache
• Clear history of visited pages
• Clear history of file transfers
• Clear bookmark visited time
• Close all tabs

The Network dialog box supports the following user preferences:

Optional:

• Proxy servers

Enabled by default:

• Encode international Web addresses with UTF-8
• Send referrer information
• Enable automatic redirection

The Notifications dialog box supports the following user preferences:

Enabled by default:

• Show notification for blocked pop-ups

The Quick Preferences menu is available at Tools > Quick preferences. It lists user options to enable/disable various security-related items.

The Quick Preferences menu supports the following user preferences:

Optional:

• Open All Pop-Ups
• Open Pop-Ups in Background
• Block All Pop-Ups
• Enable Proxy Servers
• Edit Site Preferences

Enabled by default:

• Block Unwanted Pop-Ups
• Enable Animated Images
• Enable Sound in Web Pages
• Enable Java
• Enable Plug-Ins
• Enable JavaScript
• Enable Cookies
• Send Referrer Information

The following user-security-related preference dialog boxes are available in the Advanced tab, located at Tools > Preferences > Advanced.

The Security dialog box supports the following user preferences:

Set Master Password

Ask for password

Enable Fraud Protection (enabled by default)

Manage certificates:

• Personal
• Authorities (including EV (Extended Validation) certificates ^[1])
• Intermediate
• Approved
• Rejected

Security protocols:

• Enable SSL 3 (enabled by default)
• Enable TLS 1 (enabled by default)
• Enable TLS 1.1 (enabled by default)
  • Security protocol ciphers (SSL 3/TLS 1):
    • Optional:
      • 0 bit Authentication Only (RSA/MD5)
      • 0 bit Authentication Only (RSA/SHA)
      • 168 bit 3-DES (Anonym DH/SHA)
      • 128 bit ARC4 (Anonym DH/MD5)
    • Enabled by default:
      • 168 bit 3-DES (RSA/SHA)
      • 168 bit 3-DES (DH_RSA/SHA)
      • 168 bit 3-DES (DHE_RSA/SHA)
      • 168 bit 3-DES (DH_DSS/SHA)
      • 168 bit 3-DES (DH_DSS/SHA)
      • 168 bit 3-DES (DHE_DSS/SHA)
      • 128 bit ARC4 (RSA/MD5)
      • 128 bit ARC4 (RSA/SHA)
      • 128 bit AES (RSA/SHA)
      • 128 bit AES (DH_DSS/SHA)
      • 128 bit AES (DH_RSA/SHA)
      • 128 bit AES (DHE_DSS/SHA)
      • 128 bit AES (DHE_RSA/SHA)
      • 256 bit AES (RSA/SHA)
      • 256 bit AES (DH_DSS/SHA)
      • 256 bit AES (DH_RSA/SHA)
      • 256 bit AES (DHE_DSS/SHA)
      • 256 bit AES (DHE_RSA/SHA)

^[1] Further information regarding Extended Validation certificates and Opera is available at Yngve Pettersen's my.opera.com blog post and his Opera Labs EV article.

The Wand dialog box is available at Tools > Preferences > Advanced > Wand. It will hold usernames and passwords, and also offers an auto-complete facility for personal information to be entered into Web forms. All choices are optional and at the discretion of the user. User-entered personal information contained in Wand can be deleted in this dialog box, and passwords entered into Wand may also be deleted in Tools > Advanced > Wand passwords > Wand Manager dialog box.

The Wand dialog box supports the following user preferences:

Optional:

• Usernames and passwords:
  • Let Wand remember passwords
• Personal information:
  • First name
  • Last name
  • E-mail
  • Home page
  • Telephone
  • Mobile
  • Address
  • City
  • Region/state
  • Postal code
  • Country
  • Other

Opera security supports CSS style parsing in the following manner:

CSS field-value separator characters (excluding \t \r \n \x20): \x0C \ \xA0

Opera security does not support CSS style parsing in the following manner:

JavaScript expression(...)

script-targeted url(...)

script-executing -moz-binding

</style> taking precedence over comment block parsing

Opera security supports the following client-side JavaScript feature:

getters and setters

Opera security partially supports the following client-side JavaScript method:

Opera allows aliasing the eval method, but when invoked with an alias the code will not run in the scope from which eval is called.

Opera security does not support client-side JavaScript in the following manner:

Access to prototypes via __proto__

charset= being honored on <script src="...">

E4X extension

Watches on objects

Content-sniffing behavior

Behavior for HTML resources

Opera security supports the following content-sniffing behaviors:

Content sniffing window size when no content-type is seen: ~130 kB

Content sniffing window size for second-guessing MIME type: ~130 kB

HTML being sniffed when no content-type is received

HTML being sniffed when it has been determined that the content-type application/octet-stream content is just text

HTTP error codes being ignored on sub-resources

Opera security partially supports the following content-sniffing behaviors:

HTML being sniffed when a non-parseable content-type value is received

HTML being sniffed on application/octet-stream documents

An image/svg+xml document containing a HTML xmlns payload

Opera security does not support the following content-sniffing behaviors:

HTML being sniffed on application/binary documents

HTML being sniffed on unknown/unknown documents

HTML being sniffed on MIME types not known to Opera

HTML being sniffed on unknown MIME when .html, .xml, or .txt is seen in URL parameters

HTML being sniffed on unknown MIME when .html, .xml, or .txt is seen in a URL path

HTML being sniffed on text/plain documents (with or without file extension in URL)

HTML being sniffed on GIF served as image/jpeg

Behavior for non-HTML resources

Opera security supports the following detection methods for non-HTML resources:

File type detection for ftp:// resources: extension checked then content guessed

File type detection for file:// resources: extension checked then content guessed

Downloads and Content-Disposition

Opera security supports downloads and content-disposition in the following manner:

Content-Disposition header (attachments leading to direct downloads)

RFC 2231 for determining filename encoding types: filename*

The ";" (semi-colon) being handled correctly in file names

Extensions in filenames are checked against the registered extension for the MIME type of the resource and if necessary, changed (octet-stream exempted) including:

• an .html filename overriding content-type
• an .exe filename overriding content-type
• an URL-derived .html filename overriding content-type
• an URL-derived .exe filename overriding content-type

Opera security does not support Downloads and Content-Disposition in the following manner:

Mark-of-the-Web / Zone.Identifier

Character-set handling and detection

Opera security supports character-set handling and detection in the following manner:

content-type header / http-EQUIV tag precedence: header

Opera security does not support character-set handling and detection in the following manner:

Fall-back to http-EQUIV if the header charset is invalid

us-ascii parsing stripping of high bits

The utf-7 character set or any of the following associated conditions

• 7-bit ASCII being encoded as utf-8 on HTML pages
• 7-bit ASCII consumption in utf-8
• 7-bit ASCII consumption in EUC-JP
• 7-bit ASCII consumption in Big5

Document caching

Opera security supports document caching the following manner:

expires being relative to date

date is needed for expires to work

cache-control overrides expires in http/1.0

Invalid max-age stops caching

Opera security does not support document caching in the following manner:

An invalid expires value stops caching

no-cache winning on cache-control conflicts

pragma: no-cache

Pop-up and dialog filtering logic

Opera security supports pop-up and dialog filtering logic in the following manner:

A pop-up blocker

A maximum delay between click and pop-up of less than 5 seconds

An infinite (∞) number of per-click pop-ups being opened

window.alert() being limited or suppressed

window.confirm() being limited or suppressed

window.prompt() being limited or suppressed

Opera security does not support pop-up and dialog filtering logic in the following manner:

Pop-ups being permitted on non-onclick events

window.print() being limited or suppressed

Window-appearance restrictions

Opera security supports the following window-appearance permissions:

Specifying their own dimensions

Specifying screen positioning (user option)

Closing non-script windows

Opera security does not support the following window permissions:

Grabing full screen

Fully hiding the URL bar

Hiding other chrome

Taking focus

Surrendering focus

Repositioning themselves

Execution timeouts and memory limits

Opera security supports the following execution timeouts and memory limits:

Opera does not impose a limit on script execution time.

• Opera's UI is designed to be responsive at all times even while scripts are running.

A call stack size limit of ~1000

A heap size limit of 16M

Page transition logic

Opera security does not support the following page transition logic:

Scripts inhibiting page transitions

Pages hijacking transitions

Opera security supports the DOM in the following manner:

window being the same object as window.window

Built-in DOM objects being clobbered ^[2] by overwriting

getElementsByName doing look ups by ID= values

.innerHTML assignments being truncated at NUL

location.* assignments being truncated at NUL

Opera security does not support the DOM in the following manner:

document.URL being writable

Keywords "window", "top" and "parent" may not be redefined by page scripts

^[2] Scripts can create global variables or functions that match the name of a DOM object, such as "document". This is known as "clobbering", and makes the DOM object and the information it contains become inaccessible, unless it was also referenced by some other means.

Opera security supports HTML in the following manner:

Parser resets on nested HTML tags (<foo <bar...)

Trace-back recovery on missing tag closure (<foobar="<baz(eof))

!-type tags being parsed in a non-HTML manner (<!foo bar="-->"... breaks)

Characters accepted as tag name / parameter separators (excluding \t \r \n \x20): \x0B \x0C \xA0

Characters ignored between parameter name, equals sign, and value (excluding \t \r \n): \x20 \xA0

Characters accepted in lieu of quotes for HTML parameters (excluding "): '

Characters accepted in tag names (excluding A-Z / ? !): \0

Opera security does not support HTML in the following manner:

Recursive recovery with nested tags (both foo and bar interpreted)

Parser resets out on invalid tag names (<foo=">bar...)

SGML-style comment parsing in strict mode (-- and > may appear separately)

HTML Entity Encoding

Opera security supports HTML entity encoding in the following manner:

The maximum length of a correctly terminated decimal entity: Infinite (∞)

The maximum length of an incorrectly terminated decimal entity: Infinite (∞)

The maximum length of a correctly terminated hex entity: Infinite (∞)

The maximum length of an incorrectly terminated hex entity: Infinite (∞)

Opera security does not support HTML entity encoding in the following manner:

Characters permitted in entity names (excluding A-Z a-z 0-9)

HTTP authentication

Opera security supports HTTP authentication in the following manner:

HTTP authentication

All Basic/Digest authenticated usernames and passwords are UTF-8 encoded before use

Link-embedded authentication by prompt

Authentication being bound to the host name

Authentication being bound to a protocol or port

Password prompts activation on <img>

Password prompts activation on <script> and style sheets?

Password prompts activation on <iframe>

Password manager operation model opened by User Interface (UI) action

Stored https passwords being restricted to SSL only

Content-Length header value overriding actual content length

First field value in a HTTP header taking precedence

Response body on invalid 30x redirect being shown to the user

High-bit character handling in HTTP cookies using utf-8

Quoted-string values for HTTP cookies

Opera security partially supports HTTP authentication in the following manner:

Password prompts activation on <embed> / <applet>

Opera security does not support HTTP authentication in the following manner:

Authentication data being bound to realms

Stored passwords being restricted to a full URL path

First HTTP header of the same name taking precedence

Referer header being sent on HTTPS > HTTPS navigation

Referer header being sent on HTTPS > HTTP navigation

Opera security supports HTTPS in the following manner:

Behavior on invalid certificates by showing a prompt

EV (Extended Validation) SSL being visually distinguished

Permitting mixed content behavior on <img>

Permitting mixed content behavior on <iframe>

Opera security partially supports HTTPS in the following manner:

Permitting mixed content behavior on <script>

Permitting mixed content behavior on style sheets

Permitting mixed content behavior on <applet>

Permitting mixed content behavior on <embed>

Opera security does not support HTTPS in the following manner:

A referer header being sent on HTTPS > HTTPS navigation

A referer header being sent on HTTPS > HTTP navigation

Dividing local/remote networks

Opera security supports the dividing of local/remote networks in the following manner:

Direct navigation to RFC 1918 IPs

Navigation to names that resolve to RFC 1918 ranges

Navigation to non-qualified host names

Port access restrictions

Opera implements the following security-blocked ports:

1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 70, 77, 79, 80, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 194, 210, 389, 443, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 4045, 6000, 6667

URL-scheme access rules

file: specific

Opera security does not support the following URL-scheme access rules:

File loading into or clicking to any non-file: resource, e.g., HTTP, including:

• <img> file: targets
• <script> file: targets
• <iframe> file: targets
• <embed> file: targets
• <applet> file: targets
• Style sheet file: targets

javascript: specific

Opera security supports the running of the following javascript: specific rules:

<iframe> javascript: targets

Opera security partially supports the running of the following javascript: specific rules:

<img> javascript: targets

<script> javascript: targets

<embed> javascript: targets

Style sheet javascript: targets

Opera security does not support the running of the following javascript: specific rules:

<applet> javascript: targets

Redirection restrictions

Opera security supports the following redirection restrictions:

Same-origin XMLhttpRequest redirection

Opera security partially supports the following redirection restrictions:

location redirection to data:

location redirection to javascript:

refresh redirection to javascript:

refresh redirection to data:

Opera security does not support the following redirection restrictions:

location redirection to file:

refresh redirection to file:

International domain name checks

Opera security supports a white list of top-level domains (TDLs) that are trusted to enforce a safe policy on domain names. Opera for Windows, Mac and UNIX will check for an updated list of trusted TLDs on a regular basis. Please see our Knowledge Base article for more information. Top-level domain registrars who have enforced strict domain name policies are encouraged to contact Opera Software to be included in the browser's white list, provided that their policies are approved.

• Important Note: TDLs not on the white list are not allowed to have mixes of Latin1, Greek, Cyrillic or Cherokee in the same label; otherwise, all permitted characters may be used.

Simultaneous connection limits

Opera security supports the following simultaneous connection limits:

Network read timeout of 5 minutes

The maximum number of same-origin connections is 4 persistent for the default maximum of 8 per server

• The actual number is half of what is specified for the maximum connections per server
• Disabling opera:config#Performance|ReduceMaxPersistentHTTPConnections removes this limitation

Opera security supports the following non-HTML document-type behaviors:

Generic XML documents

RSS feeds

ATOM feeds

javascript: or data: URLs in feeds

CSS specifications in feeds

SVG images

image/svg+xml documents containing HTML xmlns payloads

Opera security does not support the following non-HTML document-type behavior:

JavaScript execution within feeds

Opera security partially supports the following image formats:

Bitmap formats (excluding JPG, GIF, PNG): BMP

Opera 9.64 security supports the following operating system/platform-specific features:

DEP (Data Execution Prevention) in Microsoft WindowsXP® SP2 and higher and Microsoft Windows Server 2003® with SP1

ASLR (Address Space Layout Randomization) in Microsoft Windows Vista®

Opera security supports the following plug-in-supported content:

Tag type and TYPE= / CLASSID= values: #1

content-type=value if type= is missing: #2

Opera security does not support (ignores) the following Plug-in-supported content:

content-type value if type= is not recognized

Content sniffing if type= is not recognized

Content sniffing if type= is missing

Same-origin policy for DOM access

Opera security supports the following DOM access policy:

Port numbers that wrap around in same origin checks: uint16

Opera security partially supports the following DOM access policy:

Local HTML accessing unrelated local files via DOM

Opera security does not support the following DOM access policies:

document.domain being set to right-hand IP address fragments

Local HTML accessing sites on the Internet via the DOM

Same-origin policy for XMLHttpRequest

Opera security supports the following XMLHttpRequest policies:

Accept

Accept-Language

User-Agent

Opera security does not support the following XMLHttpRequest policies:

Accept-Charset

Accept-Encoding

Cache-Control

Cookie

If-* family (If-Modified-Since, etc)

Host

Range

Referer

Transfer-Encoding

Via

Additional XMLhttpRequest security policies

Opera security supports the following XMLHttpRequest policies:

XMLhttpRequest seeing other HTTP non-200 responses

Opera security partially supports the following XMLHttpRequest policies:

Local HTML accessing unrelated local files via XMLhttpRequest

Opera security does not support the following XMLHttpRequest policies:

connnect trace (Implements a white list of known schemes and replaces non-white listed schemes with GET)

XMLhttpRequest seeing httponly cookies

XMLhttpRequest seeing invalid HTTP 30x responses

XMLhttpRequest seeing cross-domain HTTP 30x responses

Local HTML accessing sites on the Internet via XMLhttpRequest

Same-origin policy for Cookies

Opera security supports the following cookie policies:

DNS heuristic validation when a ccTLD cookie specifies a second-level domain, or a domain more than one level up

Scripts clobbering httponly cookies

document.cookie on file URLs

RFC 2965 the Set-Cookie2 standard

The max-age parameter

max-age=0 to delete cookies

The httponly flag

Ordering of duplicate cookies with different scope: most specific first

Maximum length of a single cookie: Infinite (∞)

Maximum number of cookies per site: Infinite (∞)

Maximum size of a set-cookie header: 4095 bytes

Maximum size of a list of cookies for sending: 5 kB

• Note: cookies that would be in the sequence beyond this are ignored

Opera security does not support the following cookie policies:

document.cookie working on ftp URLs

Multiple comma-separated Set-Cookie pairs

Cookies for right-hand IP address fragments

Same-origin policy for Java (applets)

Opera security does not support the following Java (applets) policy:

DOMService

Origin inheritance rules

Opera security supports the following origin inheritance rules:

Inherited context for domain-less iframes: parent

Inherited context for about:blank windows: parent

Inherited context for javascript: windows: parent

Inherited context for data: windows: blank

Navigation and content-inclusion across domains

Opera security supports the following navigation and content-inclusion features:

Auto-clicking of links via click()

getComputedStyle for CSS

currentStyle for CSS

Blocking of cross-domain character-set inheritance

Opera security partially supports the following navigation and content-inclusion features:

enctype=text/plain on forms

Opera security does not support the following navigation and content-inclusion features:

Verbose onerror messages produced for <script>

Verbose onerror messages produced for <style>

Arbitrary page mashups (user interface redressing)

Opera security supports arbitrary page mashups (user interface redressing) in the following manner:

CSS opacity ("decoy underneath")

Partly obstructed clickable iframe containers ("decoy on top")

Cross-domain, anchor-based frame positioning

Opera security does not support arbitrary page mashups (user interface redressing) in the following manner:

Cross-domain scrollBy scrolling

DOM access control gaps

Opera security supports DOM access control in the following manner:

postMessage API

Opera security partially supports DOM access control in the following manner:

target= links repositioning unrelated targets

Opera security does not support DOM access control in the following manner:

window.open() looking up unrelated windows

frames[] looking up unrelated windows

<win>.frames[] accessing third-party iframes

<win>.frames[] iterator

window.open() repositioning unrelated windows

<win>.history.* methods calling on unrelated targets

<win>.location.* properties being set on unrelated targets

<win>.location.* methods being called on unrelated targets

<win>.document.write() being called on unrelated targets

Setting window.on* properties across domains

Setting window.opener across domains

Setting window.name across domains

Calling frameElements methods across domains

Privacy-related side channels

Opera security supports privacy-related side channels in the following manner:

Detection of :visited styles

CSS parser accepting HTML documents as style sheets

onerror firing on all common HTTP errors

Opera security does not support privacy-related side channels in the following manner:

Image sizes being read back

delete <win>.var probing

Opera security supports the following third-party cookie rules:

Cookie handling: persistent only

Cookie filtering depends on both site and referrer: site takes preference

Third party determination (RFC 2965 rules):

• First party: anyone inside the site's parent domain
• Third-parties: non-user-initiated requests out of that domain
• Redirects: all inherit these policies

Opera security does not support the following third-party cookie rules:

P3P (W3C: Platform for Privacy Preferences)

Opera security supports URLs in the following manner:

Characters ignored in front of URL schemes: \t \r \n \x0B \x0C \xA0

Non-standard characters in URL scheme names (excluding 0-9 A-Z a-z + - .): \r \n +UTF8

Non-standard characters kept as-is with no escaping in URL query strings
    (excluding 0-9 A-Z a-z - . _ ~ : / ? # [ ] @ ! $ & ' ( ) * + , ; =): ^ { | } \x7F

Non-standard characters fully ignored in host names: \x0A-\x0D \xA0 \xAD

Types of partial or broken URLs auto-corrected to fully qualified ones //y \\y x://[y]

Opera security does not support URLs in the following manner:

Fragment ID (hash) being encoded by applying RFC-mandated URL escaping rules

Unicode in URLs

Opera security supports unicode in URLs the following manner:

URL path encoding when following plain links: UTF-8

URL query string encoding when following plain links: page encoding

URL path encoding for XMLhttpRequest calls: page encoding

URL query string encoding for XMLhttpRequest calls: page encoding

URL path encoding for manually entered URLs: UTF-8

URL query string encoding for manually entered URLs: stripped to " ? "

URL bar Unicode display method for host names: Unicode

URL bar Unicode display method outside host names: display as " ? "

Raw Unicode in host names auto-converting to Punycode

Percent-escaped UTF-8 in host names auto-converting to Punycode

opera: URLs

True URL Schemes

Opera security supports the following true URL Schemes:

HTTP (RFC 2616)

HTTPS (RFC 2818)

FTP (RFC 1738)

File (RFC 1738)

News (draft RFC)

Opera security does not support the following true URL Schemes:

SHTTP (RFC 2660)

Gopher (RFC 4266)

Pseudo URLs: Encapsulating schemes

Opera security does not support the following pseudo URL schemes:

Feed (RSS, draft spec)

HCP, ITS, MHTML, MK, MS-Help, MS-ITS, MS-ITSS (Windows help archive parsing)

JAR (Java archive parsing)

View-cache, WYSIWYG (cached-page views)

View-source (page-source views)

Pseudo URLs: Internal feature-access schemes

Opera security supports the following internal feature-access URL schemes:

Data (in-place documents, RFC 2397)

JavaScript (Web scripting)

Opera security does not support the following internal feature-access URL schemes:

VBScript (Microsoft proprietary scripting)

Data for this document was gathered from the Opera Security group, Opera Core Engineering group, and the Opera Techno group.

Additional security references are:

• Security @ Opera, home page of the Opera Security Group
• The Opera Rootstore, home page of the Opera Root Certificate Store
• Extended Validation:
  • my.opera.com blog post by Yngve Pettersen
  • Opera Labs EV article by Yngve Pettersen
• Opera Fraud Protection
• Getting Your Root Certificate Included in Opera
• Opera: Shopping and Transaction Security
• CA/Browser Forum, home page of the CA/Browser Forum for CA's and Extended Validation
• Browser Security HandbookCC license