Security specifications in Opera Presto 2.1.1

This document applies to all versions of Opera 9.6x on FreeBSD, Mac, Linux, Solaris, Windows, plus Opera Mobile running on the Opera Presto 2.1.1 user agent engine. It serves as a guide to Opera's implementation of Opera user privacy and security preferences and Opera system security permissions and restrictions. Opera highly recommends all users to update to the latest released Opera version to take advantage of its security advances and improvements.

Published: March 4, 2009

Opera user: Privacy and Security preferences

The following preferences allow users to control and personalize their Opera privacy and security environment:

Content dialog box

The Content dialog box supports the following user preferences:
Optional:
  • Manage Site Preferences
  • Blocked Content
Enabled by default:
  • Enable animated images
  • Enable sound in web pages
  • Enable JavaScript
  • Enable Java
  • Enable plug-ins
JavaScript options
  • Optional:
    • Allow raising of windows
    • Allow lowering of windows
    • Allow script to receive right clicks
    • Open console on error
    • User JavaScript files
  • Enabled by default:
    • Allow resizing of windows
    • Allow moving of windows
    • Allow changing of status field
    • Allow script to hide address bar

Cookies dialog box

The Cookies dialog box supports the following user preferences:
Optional:
  • Accept cookies only from the site I visit
  • Never accept cookies
  • Delete new cookies when exiting Opera
  • Ask me before accepting cookies
  • Manage cookies
Enabled by default:
  • Accept cookies

Delete Private Data dialog box

The Delete Private Data dialog box is located at Tools > Delete Private Data and contains check boxes allowing a user to control the exposure of personal information. Default settings may be accepted or changed based on preference, before the user-initated delete of personal information takes place.

The Delete Private Data dialog box supports the following user preferences:
Optional:
  • Clear all e-mail account passwords
  • Clear all Wand passwords
Enabled by default:
  • Delete temporary cookies
  • Delete all cookies
  • Delete password-protected pages and data
  • Delete entire cache
  • Clear history of visited pages
  • Clear history of file transfers
  • Clear bookmark visited time
  • Close all tabs

Network dialog box

The Network dialog box supports the following user preferences:
Optional:
  • Proxy servers
Enabled by default:
  • Encode international Web addresses with UTF-8
  • Send referrer information
  • Enable automatic redirection

Notifications dialog box

The Notifications dialog box supports the following user preferences:
Enabled by default:
  • Show notification for blocked pop-ups

Quick Preferences menu

The Quick Preferences menu is available at Tools > Quick preferences. It lists user options to enable/disable various security-related items.

The Quick Preferences menu supports the following user preferences:
Optional:
  • Open All Pop-Ups
  • Open Pop-Ups in Background
  • Block All Pop-Ups
  • Enable Proxy Servers
  • Edit Site Preferences
Enabled by default:
  • Block Unwanted Pop-Ups
  • Enable Animated Images
  • Enable Sound in Web Pages
  • Enable Java
  • Enable Plug-Ins
  • Enable JavaScript
  • Enable Cookies
  • Send Referrer Information

Security dialog box

The following user-security-related preference dialog boxes are available in the Advanced tab, located at Tools > Preferences > Advanced.

The Security dialog box supports the following user preferences:
Set Master Password
Ask for password
Enable Fraud Protection (enabled by default)
Manage certificates:
  • Personal
  • Authorities (including EV (Extended Validation) certificates [1])
  • Intermediate
  • Approved
  • Rejected
Security protocols:
  • Enable SSL 3 (enabled by default)
  • Enable TLS 1 (enabled by default)
  • Enable TLS 1.1 (enabled by default)
    • Security protocol ciphers (SSL 3/TLS 1):
      • Optional:
        • 0 bit Authentication Only (RSA/MD5)
        • 0 bit Authentication Only (RSA/SHA)
        • 168 bit 3-DES (Anonym DH/SHA)
        • 128 bit ARC4 (Anonym DH/MD5)
      • Enabled by default:
        • 168 bit 3-DES (RSA/SHA)
        • 168 bit 3-DES (DH_RSA/SHA)
        • 168 bit 3-DES (DHE_RSA/SHA)
        • 168 bit 3-DES (DH_DSS/SHA)
        • 168 bit 3-DES (DH_DSS/SHA)
        • 168 bit 3-DES (DHE_DSS/SHA)
        • 128 bit ARC4 (RSA/MD5)
        • 128 bit ARC4 (RSA/SHA)
        • 128 bit AES (RSA/SHA)
        • 128 bit AES (DH_DSS/SHA)
        • 128 bit AES (DH_RSA/SHA)
        • 128 bit AES (DHE_DSS/SHA)
        • 128 bit AES (DHE_RSA/SHA)
        • 256 bit AES (RSA/SHA)
        • 256 bit AES (DH_DSS/SHA)
        • 256 bit AES (DH_RSA/SHA)
        • 256 bit AES (DHE_DSS/SHA)
        • 256 bit AES (DHE_RSA/SHA)

[1] Further information regarding Extended Validation certificates and Opera is available at Yngve Pettersen's my.opera.com blog post and his Opera Labs EV article.

Wand dialog box

The Wand dialog box is available at Tools > Preferences > Advanced > Wand. It will hold usernames and passwords, and also offers an auto-complete facility for personal information to be entered into Web forms. All choices are optional and at the discretion of the user. User-entered personal information contained in Wand can be deleted in this dialog box, and passwords entered into Wand may also be deleted in Tools > Advanced > Wand passwords > Wand Manager dialog box.

The Wand dialog box supports the following user preferences:
Optional:
  • Usernames and passwords:
    • Let Wand remember passwords
  • Personal information:
    • First name
    • Last name
    • E-mail
    • Home page
    • Telephone
    • Mobile
    • Address
    • City
    • Region/state
    • Postal code
    • Country
    • Other

Opera system: Security policies

The following topics list various security standards in Opera Presto 2.1.1/Opera 9.6x. Opera identifies them as supported, partially supported and not supported where appropriate.

Cascading Style Sheets (CSS)

Opera security supports CSS style parsing in the following manner:
CSS field-value separator characters (excluding \t \r \n \x20): \x0C \ \xA0
Opera security does not support CSS style parsing in the following manner:
JavaScript expression(...)
script-targeted url(...)
script-executing -moz-binding
</style> taking precedence over comment block parsing

Client-side JavaScript

Opera security supports the following client-side JavaScript feature:
getters and setters
Opera security partially supports the following client-side JavaScript method:
Opera allows aliasing the eval method, but when invoked with an alias the code will not run in the scope from which eval is called.
Opera security does not support client-side JavaScript in the following manner:
Access to prototypes via __proto__
charset= being honored on <script src="...">
E4X extension
Watches on objects

Content-handling mechanisms

Content-sniffing behavior

Behavior for HTML resources
Opera security supports the following content-sniffing behaviors:
Content sniffing window size when no content-type is seen: ~130 kB
Content sniffing window size for second-guessing MIME type: ~130 kB
HTML being sniffed when no content-type is received
HTML being sniffed when it has been determined that the content-type application/octet-stream content is just text
HTTP error codes being ignored on sub-resources
Opera security partially supports the following content-sniffing behaviors:
HTML being sniffed when a non-parseable content-type value is received
HTML being sniffed on application/octet-stream documents
An image/svg+xml document containing a HTML xmlns payload
Opera security does not support the following content-sniffing behaviors:
HTML being sniffed on application/binary documents
HTML being sniffed on unknown/unknown documents
HTML being sniffed on MIME types not known to Opera
HTML being sniffed on unknown MIME when .html, .xml, or .txt is seen in URL parameters
HTML being sniffed on unknown MIME when .html, .xml, or .txt is seen in a URL path
HTML being sniffed on text/plain documents (with or without file extension in URL)
HTML being sniffed on GIF served as image/jpeg
Behavior for non-HTML resources
Opera security supports the following detection methods for non-HTML resources:
File type detection for ftp:// resources: extension checked then content guessed
File type detection for file:// resources: extension checked then content guessed

Downloads and Content-Disposition

Opera security supports downloads and content-disposition in the following manner:
Content-Disposition header (attachments leading to direct downloads)
RFC 2231 for determining filename encoding types: filename*
The ";" (semi-colon) being handled correctly in file names
Extensions in filenames are checked against the registered extension for the MIME type of the resource and if necessary, changed (octet-stream exempted) including:
  • an .html filename overriding content-type
  • an .exe filename overriding content-type
  • an URL-derived .html filename overriding content-type
  • an URL-derived .exe filename overriding content-type
Opera security does not support Downloads and Content-Disposition in the following manner:
Mark-of-the-Web / Zone.Identifier

Character-set handling and detection

Opera security supports character-set handling and detection in the following manner:
content-type header / http-EQUIV tag precedence: header
Opera security does not support character-set handling and detection in the following manner:
Fall-back to http-EQUIV if the header charset is invalid
us-ascii parsing stripping of high bits
The utf-7 character set or any of the following associated conditions
  • 7-bit ASCII being encoded as utf-8 on HTML pages
  • 7-bit ASCII consumption in utf-8
  • 7-bit ASCII consumption in EUC-JP
  • 7-bit ASCII consumption in Big5

Document caching

Opera security supports document caching the following manner:
expires being relative to date
date is needed for expires to work
cache-control overrides expires in http/1.0
Invalid max-age stops caching
Opera security does not support document caching in the following manner:
An invalid expires value stops caching
no-cache winning on cache-control conflicts
pragma: no-cache

Defenses against disruptive scripts

Pop-up and dialog filtering logic

Opera security supports pop-up and dialog filtering logic in the following manner:
A pop-up blocker
A maximum delay between click and pop-up of less than 5 seconds
An infinite (∞) number of per-click pop-ups being opened
window.alert() being limited or suppressed
window.confirm() being limited or suppressed
window.prompt() being limited or suppressed
Opera security does not support pop-up and dialog filtering logic in the following manner:
Pop-ups being permitted on non-onclick events
window.print() being limited or suppressed

Window-appearance restrictions

Opera security supports the following window-appearance permissions:
Specifying their own dimensions
Specifying screen positioning (user option)
Closing non-script windows
Opera security does not support the following window permissions:
Grabing full screen
Fully hiding the URL bar
Hiding other chrome
Taking focus
Surrendering focus
Repositioning themselves

Execution timeouts and memory limits

Opera security supports the following execution timeouts and memory limits:
Opera does not impose a limit on script execution time.
  • Opera's UI is designed to be responsive at all times even while scripts are running.
A call stack size limit of ~1000
A heap size limit of 16M

Page transition logic

Opera security does not support the following page transition logic:
Scripts inhibiting page transitions
Pages hijacking transitions

Document Object Model (DOM)

Opera security supports the DOM in the following manner:
window being the same object as window.window
Built-in DOM objects being clobbered [2] by overwriting
getElementsByName doing look ups by ID= values
.innerHTML assignments being truncated at NUL
location.* assignments being truncated at NUL
Opera security does not support the DOM in the following manner:
document.URL being writable
Keywords "window", "top" and "parent" may not be redefined by page scripts

[2] Scripts can create global variables or functions that match the name of a DOM object, such as "document". This is known as "clobbering", and makes the DOM object and the information it contains become inaccessible, unless it was also referenced by some other means.

Hypertext Markup Language (HTML)

Opera security supports HTML in the following manner:
Parser resets on nested HTML tags (<foo <bar...)
Trace-back recovery on missing tag closure (<foobar="<baz(eof))
!-type tags being parsed in a non-HTML manner (<!foo bar="-->"... breaks)
Characters accepted as tag name / parameter separators (excluding \t \r \n \x20): \x0B \x0C \xA0
Characters ignored between parameter name, equals sign, and value (excluding \t \r \n): \x20 \xA0
Characters accepted in lieu of quotes for HTML parameters (excluding "): '
Characters accepted in tag names (excluding A-Z / ? !): \0
Opera security does not support HTML in the following manner:
Recursive recovery with nested tags (both foo and bar interpreted)
Parser resets out on invalid tag names (<foo=">bar...)
SGML-style comment parsing in strict mode (-- and > may appear separately)

HTML Entity Encoding

Opera security supports HTML entity encoding in the following manner:
The maximum length of a correctly terminated decimal entity: Infinite (∞)
The maximum length of an incorrectly terminated decimal entity: Infinite (∞)
The maximum length of a correctly terminated hex entity: Infinite (∞)
The maximum length of an incorrectly terminated hex entity: Infinite (∞)
Opera security does not support HTML entity encoding in the following manner:
Characters permitted in entity names (excluding A-Z a-z 0-9)

Hypertext Transfer Protocol (HTTP)

HTTP authentication

Opera security supports HTTP authentication in the following manner:
HTTP authentication
All Basic/Digest authenticated usernames and passwords are UTF-8 encoded before use
Link-embedded authentication by prompt
Authentication being bound to the host name
Authentication being bound to a protocol or port
Password prompts activation on <img>
Password prompts activation on <script> and style sheets?
Password prompts activation on <iframe>
Password manager operation model opened by User Interface (UI) action
Stored https passwords being restricted to SSL only
Content-Length header value overriding actual content length
First field value in a HTTP header taking precedence
Response body on invalid 30x redirect being shown to the user
High-bit character handling in HTTP cookies using utf-8
Quoted-string values for HTTP cookies
Opera security partially supports HTTP authentication in the following manner:
Password prompts activation on <embed> / <applet>
Opera security does not support HTTP authentication in the following manner:
Authentication data being bound to realms
Stored passwords being restricted to a full URL path
First HTTP header of the same name taking precedence
Referer header being sent on HTTPS > HTTPS navigation
Referer header being sent on HTTPS > HTTP navigation

Hypertext Transfer Protocol Secure (HTTPS encryption)

Opera security supports HTTPS in the following manner:
Behavior on invalid certificates by showing a prompt
EV (Extended Validation) SSL being visually distinguished
Permitting mixed content behavior on <img>
Permitting mixed content behavior on <iframe>
Opera security partially supports HTTPS in the following manner:
Permitting mixed content behavior on <script>
Permitting mixed content behavior on style sheets
Permitting mixed content behavior on <applet>
Permitting mixed content behavior on <embed>
Opera security does not support HTTPS in the following manner:
A referer header being sent on HTTPS > HTTPS navigation
A referer header being sent on HTTPS > HTTP navigation

Network-related restrictions

Dividing local/remote networks

Opera security supports the dividing of local/remote networks in the following manner:
Direct navigation to RFC 1918 IPs
Navigation to names that resolve to RFC 1918 ranges
Navigation to non-qualified host names

Port access restrictions

Opera implements the following security-blocked ports:
1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 70, 77, 79, 80, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 194, 210, 389, 443, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 4045, 6000, 6667

URL-scheme access rules

file: specific
Opera security does not support the following URL-scheme access rules:
File loading into or clicking to any non-file: resource, e.g., HTTP, including:
  • <img> file: targets
  • <script> file: targets
  • <iframe> file: targets
  • <embed> file: targets
  • <applet> file: targets
  • Style sheet file: targets
javascript: specific
Opera security supports the running of the following javascript: specific rules:
<iframe> javascript: targets
Opera security partially supports the running of the following javascript: specific rules:
<img> javascript: targets
<script> javascript: targets
<embed> javascript: targets
Style sheet javascript: targets
Opera security does not support the running of the following javascript: specific rules:
<applet> javascript: targets

Redirection restrictions

Opera security supports the following redirection restrictions:
Same-origin XMLhttpRequest redirection
Opera security partially supports the following redirection restrictions:
location redirection to data:
location redirection to javascript:
refresh redirection to javascript:
refresh redirection to data:
Opera security does not support the following redirection restrictions:
location redirection to file:
refresh redirection to file:

International domain name checks

Opera security supports a white list of top-level domains (TDLs) that are trusted to enforce a safe policy on domain names. Opera for Windows, Mac and UNIX will check for an updated list of trusted TLDs on a regular basis. Please see our Knowledge Base article for more information. Top-level domain registrars who have enforced strict domain name policies are encouraged to contact Opera Software to be included in the browser's white list, provided that their policies are approved.

  • Important Note: TDLs not on the white list are not allowed to have mixes of Latin1, Greek, Cyrillic or Cherokee in the same label; otherwise, all permitted characters may be used.

Simultaneous connection limits

Opera security supports the following simultaneous connection limits:
Network read timeout of 5 minutes
The maximum number of same-origin connections is 4 persistent for the default maximum of 8 per server

Non-HTML document-type behaviors

Opera security supports the following non-HTML document-type behaviors:
Generic XML documents
RSS feeds
ATOM feeds
javascript: or data: URLs in feeds
CSS specifications in feeds
SVG images
image/svg+xml documents containing HTML xmlns payloads
Opera security does not support the following non-HTML document-type behavior:
JavaScript execution within feeds
Opera security partially supports the following image formats:
Bitmap formats (excluding JPG, GIF, PNG): BMP

Operating System/Platform-specific policies

Opera 9.64 security supports the following operating system/platform-specific features:
DEP (Data Execution Prevention) in Microsoft WindowsXP® SP2 and higher and Microsoft Windows Server 2003® with SP1
ASLR (Address Space Layout Randomization) in Microsoft Windows Vista®

Plug-in-supported content

Opera security supports the following plug-in-supported content:
Tag type and TYPE= / CLASSID= values: #1
content-type=value if type= is missing: #2
Opera security does not support (ignores) the following Plug-in-supported content:
content-type value if type= is not recognized
Content sniffing if type= is not recognized
Content sniffing if type= is missing

Same-origin policies

Same-origin policy for DOM access

Opera security supports the following DOM access policy:
Port numbers that wrap around in same origin checks: uint16
Opera security partially supports the following DOM access policy:
Local HTML accessing unrelated local files via DOM
Opera security does not support the following DOM access policies:
document.domain being set to right-hand IP address fragments
Local HTML accessing sites on the Internet via the DOM

Same-origin policy for XMLHttpRequest

Opera security supports the following XMLHttpRequest policies:
Accept
Accept-Language
User-Agent
Opera security does not support the following XMLHttpRequest policies:
Accept-Charset
Accept-Encoding
Cache-Control
Cookie
If-* family (If-Modified-Since, etc)
Host
Range
Referer
Transfer-Encoding
Via

Additional XMLhttpRequest security policies

Opera security supports the following XMLHttpRequest policies:
XMLhttpRequest seeing other HTTP non-200 responses
Opera security partially supports the following XMLHttpRequest policies:
Local HTML accessing unrelated local files via XMLhttpRequest
Opera security does not support the following XMLHttpRequest policies:
connnect trace (Implements a white list of known schemes and replaces non-white listed schemes with GET)
XMLhttpRequest seeing httponly cookies
XMLhttpRequest seeing invalid HTTP 30x responses
XMLhttpRequest seeing cross-domain HTTP 30x responses
Local HTML accessing sites on the Internet via XMLhttpRequest

Same-origin policy for Cookies

Opera security supports the following cookie policies:
DNS heuristic validation when a ccTLD cookie specifies a second-level domain, or a domain more than one level up
Scripts clobbering httponly cookies
document.cookie on file URLs
RFC 2965 the Set-Cookie2 standard
The max-age parameter
max-age=0 to delete cookies
The httponly flag
Ordering of duplicate cookies with different scope: most specific first
Maximum length of a single cookie: Infinite (∞)
Maximum number of cookies per site: Infinite (∞)
Maximum size of a set-cookie header: 4095 bytes
Maximum size of a list of cookies for sending: 5 kB
  • Note: cookies that would be in the sequence beyond this are ignored
Opera security does not support the following cookie policies:
document.cookie working on ftp URLs
Multiple comma-separated Set-Cookie pairs
Cookies for right-hand IP address fragments

Same-origin policy for Java (applets)

Opera security does not support the following Java (applets) policy:
DOMService

Origin inheritance rules

Opera security supports the following origin inheritance rules:
Inherited context for domain-less iframes: parent
Inherited context for about:blank windows: parent
Inherited context for javascript: windows: parent
Inherited context for data: windows: blank

Navigation and content-inclusion across domains

Opera security supports the following navigation and content-inclusion features:
Auto-clicking of links via click()
getComputedStyle for CSS
currentStyle for CSS
Blocking of cross-domain character-set inheritance
Opera security partially supports the following navigation and content-inclusion features:
enctype=text/plain on forms
Opera security does not support the following navigation and content-inclusion features:
Verbose onerror messages produced for <script>
Verbose onerror messages produced for <style>

Arbitrary page mashups (user interface redressing)

Opera security supports arbitrary page mashups (user interface redressing) in the following manner:
CSS opacity ("decoy underneath")
Partly obstructed clickable iframe containers ("decoy on top")
Cross-domain, anchor-based frame positioning
Opera security does not support arbitrary page mashups (user interface redressing) in the following manner:
Cross-domain scrollBy scrolling

DOM access control gaps

Opera security supports DOM access control in the following manner:
postMessage API
Opera security partially supports DOM access control in the following manner:
target= links repositioning unrelated targets
Opera security does not support DOM access control in the following manner:
window.open() looking up unrelated windows
frames[] looking up unrelated windows
<win>.frames[] accessing third-party iframes
<win>.frames[] iterator
window.open() repositioning unrelated windows
<win>.history.* methods calling on unrelated targets
<win>.location.* properties being set on unrelated targets
<win>.location.* methods being called on unrelated targets
<win>.document.write() being called on unrelated targets
Setting window.on* properties across domains
Setting window.opener across domains
Setting window.name across domains
Calling frameElements methods across domains

Privacy-related side channels

Opera security supports privacy-related side channels in the following manner:
Detection of :visited styles
CSS parser accepting HTML documents as style sheets
onerror firing on all common HTTP errors
Opera security does not support privacy-related side channels in the following manner:
Image sizes being read back
delete <win>.var probing

Third-party cookie rules

Opera security supports the following third-party cookie rules:
Cookie handling: persistent only
Cookie filtering depends on both site and referrer: site takes preference
Third party determination (RFC 2965 rules):
  • First party: anyone inside the site's parent domain
  • Third-parties: non-user-initiated requests out of that domain
  • Redirects: all inherit these policies
Opera security does not support the following third-party cookie rules:
P3P (W3C: Platform for Privacy Preferences)

Uniform Resource Locators (URLs)

Opera security supports URLs in the following manner:
Characters ignored in front of URL schemes: \t \r \n \x0B \x0C \xA0
Non-standard characters in URL scheme names (excluding 0-9 A-Z a-z + - .): \r \n +UTF8
Non-standard characters kept as-is with no escaping in URL query strings
    (excluding 0-9 A-Z a-z - . _ ~ : / ? # [ ] @ ! $ & ' ( ) * + , ; =): ^ { | } \x7F
Non-standard characters fully ignored in host names: \x0A-\x0D \xA0 \xAD
Types of partial or broken URLs auto-corrected to fully qualified ones //y \\y x://[y]
Opera security does not support URLs in the following manner:
Fragment ID (hash) being encoded by applying RFC-mandated URL escaping rules

Unicode in URLs

Opera security supports unicode in URLs the following manner:
URL path encoding when following plain links: UTF-8
URL query string encoding when following plain links: page encoding
URL path encoding for XMLhttpRequest calls: page encoding
URL query string encoding for XMLhttpRequest calls: page encoding
URL path encoding for manually entered URLs: UTF-8
URL query string encoding for manually entered URLs: stripped to " ? "
URL bar Unicode display method for host names: Unicode
URL bar Unicode display method outside host names: display as " ? "
Raw Unicode in host names auto-converting to Punycode
Percent-escaped UTF-8 in host names auto-converting to Punycode
opera: URLs

True URL Schemes

Opera security supports the following true URL Schemes:
HTTP (RFC 2616)
HTTPS (RFC 2818)
FTP (RFC 1738)
File (RFC 1738)
News (draft RFC)
Opera security does not support the following true URL Schemes:
SHTTP (RFC 2660)
Gopher (RFC 4266)

Pseudo URLs: Encapsulating schemes

Opera security does not support the following pseudo URL schemes:
Feed (RSS, draft spec)
HCP, ITS, MHTML, MK, MS-Help, MS-ITS, MS-ITSS (Windows help archive parsing)
JAR (Java archive parsing)
View-cache, WYSIWYG (cached-page views)
View-source (page-source views)

Pseudo URLs: Internal feature-access schemes

Opera security supports the following internal feature-access URL schemes:
Data (in-place documents, RFC 2397)
JavaScript (Web scripting)
Opera security does not support the following internal feature-access URL schemes:
VBScript (Microsoft proprietary scripting)

Acknowledgments

Data for this document was gathered from the Opera Security group, Opera Core Engineering group, and the Opera Techno group.

References

Additional security references are:

Documentation

Opera Help

Need help? Hit F1 anytime while using Opera to access our online help files, or go here.