Security specifications support in Opera Presto

Last update: December 20, 2010

This document serves as a guide to Opera's implementation of security permissions and restrictions.

Opera highly recommends that all users update to the latest released Opera version to take advantage of its security, stability and other improvements.

Opera system security policies

The following topics list various security standards support built into the Opera Presto rendering engine. They are identified as supported, partially supported, and not supported where appropriate.

Cascading Style Sheets (CSS)

Opera security supports CSS style parsing in the following manner:

  • CSS field-value separator characters (excluding \t \r \n \x20): \x0C \ \xA0

Opera security does not support CSS style parsing in the following manner:

  • JavaScript expression(...)
  • script-targeted url(...)
  • script-executing -moz-binding
  • </style> taking precedence over comment block parsing

Client-side JavaScript

Opera security supports the following client-side JavaScript:

  • getters and setters

Opera security partially supports the following client-side JavaScript:

  • Opera allows aliasing the eval method, but when invoked with an alias the code will not run in the scope from which eval is called.

Opera security does not support the following client-side JavaScript:

  • Access to prototypes via __proto__
  • charset= being honored on <script src="...">
  • E4X extension
  • Watches on objects

Content-handling mechanisms

► Content-sniffing behavior

Behavior for HTML resources

Opera security supports the following content-sniffing behaviors:

  • Content sniffing window size when no content-type is seen: ~130 kB
  • Content sniffing window size for second-guessing MIME type: ~130 kB
  • HTML being sniffed when no content-type is received
  • HTML being sniffed when application/octet-stream content has been determined to be plain text
  • HTTP error codes being ignored on sub-resources

Opera security partially supports the following content-sniffing behaviors:

  • HTML being sniffed when a non-parseable content-type value is received
  • HTML being sniffed on application/octet-stream documents
  • An image/svg+xml document containing an HTML xmlns payload

Opera security does not support the following content-sniffing behaviors:

  • HTML being sniffed on application/binary documents
  • HTML being sniffed on unknown/unknown documents
  • HTML being sniffed on MIME types not known to Opera
  • HTML being sniffed on unknown MIME when .html, .xml, or .txt is seen in URL parameters
  • HTML being sniffed on unknown MIME when .html, .xml, or .txt is seen in a URL path
  • HTML being sniffed on text/plain documents (with or without file extension in URL)
  • HTML being sniffed on GIF served as image/jpeg

Behavior for non-HTML resources

Opera security supports the following detection methods for non-HTML resources:

  • File type detection for ftp:// resources: extension checked then content guessed
  • File type detection for file:// resources: extension checked then content guessed

► Downloads and Content-Disposition

Opera security supports downloads and content-disposition in the following manner:

  • Content-Disposition header (attachments leading to direct downloads)
  • RFC 2231 for determining filename encoding types: filename*
  • The ";" (semi-colon) being handled correctly in file names
  • Extensions in file names are checked against the extension registered for the resource's MIME type and changed if necessary (octet-stream exempted), including:
    • an .html filename overriding content-type
    • an .exe filename overriding content-type
    • a URL-derived .html filename overriding content-type
    • a URL-derived .exe filename overriding content-type

Opera security does not support Downloads and Content-Disposition in the following manner:

  • Mark-of-the-Web / Zone.Identifier

► Character-set handling and detection

Opera security supports character-set handling and detection in the following manner:

  • content-type header / http-EQUIV tag precedence: header

Opera security does not support character-set handling and detection in the following manner:

  • Fall-back to http-EQUIV if the header charset is invalid
  • Stripping of high bits when parsing us-ascii
  • The utf-7 character set or any of the following associated conditions
    • 7-bit ASCII being encoded as utf-8 on HTML pages
    • 7-bit ASCII consumption in utf-8
    • 7-bit ASCII consumption in EUC-JP
    • 7-bit ASCII consumption in Big5

► Document caching

Opera security supports document caching in the following manner:

  • Expires being interpreted relative to the Date header
  • A Date header being required for Expires to work
  • Cache-Control overriding Expires in HTTP/1.0
  • An invalid max-age value stopping caching

Opera security does not support document caching in the following manner:

  • An invalid Expires value stopping caching
  • no-cache winning on Cache-Control conflicts
  • Pragma: no-cache

Defenses against disruptive scripts

► Pop-up and dialog filtering logic

Opera security supports pop-up and dialog filtering logic in the following manner:

  • A pop-up blocker
  • A maximum delay between click and pop-up of less than 5 seconds
  • An infinite (∞) number of per-click pop-ups being opened
  • window.alert() being limited or suppressed
  • window.confirm() being limited or suppressed
  • window.prompt() being limited or suppressed

Opera security does not support pop-up and dialog filtering logic in the following manner:

  • Pop-ups being permitted on non-onclick events
  • window.print() being limited or suppressed

► Window-appearance restrictions

Opera security supports the following window-appearance permissions:

  • Specifying their own dimensions
  • Specifying screen positioning (user option)
  • Closing non-script windows

Opera security does not support the following window permissions:

  • Grabbing full screen
  • Fully hiding the URL bar
  • Hiding other chrome
  • Taking focus
  • Surrendering focus
  • Repositioning themselves

► Execution timeouts and memory limits

Opera security supports the following execution timeouts and memory limits:

  • Opera does not impose a limit on script execution time.
    • Opera's UI is designed to be responsive at all times even while scripts are running.
  • A call stack size limit of ~1000
  • A heap size limit of 16M

► Page transition logic

Opera security does not support the following page transition logic:

  • Scripts inhibiting page transitions
  • Pages hijacking transitions

Document Object Model (DOM)

► DOM

Opera security supports the DOM in the following manner:

  • Built-in DOM objects being clobbered by overwriting
    • Note: Scripts can create global variables or functions whose name matches that of a DOM object, such as "document". This is known as "clobbering", and it makes the DOM object and the information it contains inaccessible unless it was also referenced by some other means.
  • window being the same object as window.window
  • getElementsByName doing lookups by ID= values
  • .innerHTML assignments being truncated at NUL
  • location.* assignments being truncated at NUL

Opera security does not support the DOM in the following manner:

  • Keywords "window", "top" and "parent" may not be redefined by page scripts
  • document.URL being writable

Hypertext Markup Language (HTML)

► HTML

Opera security supports HTML in the following manner:

  • Parser resets on nested HTML tags (<foo <bar...)
  • Trace-back recovery on missing tag closure (<foobar="<baz(eof))
  • !-type tags being parsed in a non-HTML manner (<!foo bar="-->"... breaks)
  • Characters accepted as tag name / parameter separators (excluding \t \r \n \x20): \x0B \x0C \xA0
  • Characters ignored between parameter name, equals sign, and value (excluding \t \r \n): \x20 \xA0
  • Characters accepted in lieu of quotes for HTML parameters (excluding "): '
  • Characters accepted in tag names (excluding A-Z / ? !): \0

Opera security does not support HTML in the following manner:

  • Recursive recovery with nested tags (both foo and bar interpreted)
  • Parser resets out on invalid tag names (<foo=">bar...)
  • SGML-style comment parsing in strict mode (-- and > may appear separately)

► HTML Entity Encoding

Opera security supports HTML entity encoding in the following manner:

  • The maximum length of a correctly terminated decimal entity: Infinite (∞)
  • The maximum length of an incorrectly terminated decimal entity: Infinite (∞)
  • The maximum length of a correctly terminated hex entity: Infinite (∞)
  • The maximum length of an incorrectly terminated hex entity: Infinite (∞)

Opera security does not support HTML entity encoding in the following manner:

  • Characters permitted in entity names (excluding A-Z a-z 0-9)

Hypertext Transfer Protocol (HTTP)

► HTTP authentication

Opera security supports HTTP authentication in the following manner:

  • HTTP authentication
  • All Basic/Digest authenticated usernames and passwords are UTF-8 encoded before use
  • Link-embedded authentication by prompt
  • Authentication being bound to the host name
  • Authentication being bound to a protocol or port
  • Password prompts are activated for loading resources requested by these tags when they are authenticated:
    • Password prompts activation on <img>
    • Password prompts activation on <script> and style sheets?
    • Password prompts activation on <iframe>
  • Password Manager operation model opened by User Interface (UI) action
  • Stored https passwords being restricted to SSL only
  • Content-Length header value overriding actual content length
  • First field value in an HTTP header taking precedence
  • Response body on invalid 30x redirect being shown to the user
  • High-bit character handling in HTTP cookies using UTF-8
  • Quoted-string values for HTTP cookies

Opera security partially supports HTTP authentication in the following manner:

  • Password prompts activation on <embed> / <applet>

Opera security does not support HTTP authentication in the following manner:

  • Authentication data being bound to realms
    • In Opera, a password is not associated with a realm, just a server.
  • Stored passwords being restricted to a full URL path
  • First HTTP header of the same name taking precedence
  • Referer header being sent on HTTPS to HTTP navigation

Hypertext Transfer Protocol Secure (HTTPS encryption)

► HTTPS

Opera security supports HTTPS in the following manner:

  • Behavior on invalid certificates by showing a prompt
  • EV (Extended Validation) SSL being visually distinguished
  • Permitting mixed content behavior on <img>
  • Permitting mixed content behavior on <iframe>

Opera security partially supports HTTPS in the following manner:

  • Permitting mixed content behavior on <script>
  • Permitting mixed content behavior on style sheets
  • Permitting mixed content behavior on <applet>
  • Permitting mixed content behavior on <embed>

Opera security does not support HTTPS in the following manner:

  • A referer header being sent on HTTPS to HTTP navigation

Network-related restrictions

► Dividing local/remote networks

Opera security supports the dividing of local/remote networks in the following manner:

  • Direct navigation to RFC 1918 IPs
  • Navigation to names that resolve to RFC 1918 ranges
  • Navigation to non-qualified host names

► Port access restrictions

Opera implements the following security-blocked ports:

  • 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 70, 77, 79, 80, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 194, 210, 389, 443, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 4045, 6000, 6667

► URL-scheme access rules

file: specific:

Opera security does not support the following URL-scheme access rules:

  • Loading file: resources into, or clicking through to them from, any non-file: resource (e.g., HTTP), including:
    • <img> file: targets
    • <script> file: targets
    • <iframe> file: targets
    • <embed> file: targets
    • <applet> file: targets
    • Style sheet file: targets

javascript: specific:

Opera security supports the running of the following javascript: specific rules:

  • <iframe> javascript: targets

Opera security partially supports the running of the following javascript: specific rules:

  • <img> javascript: targets
  • <script> javascript: targets
  • <embed> javascript: targets
  • Style sheet javascript: targets

Opera security does not support the running of the following javascript: specific rules:

  • <applet> javascript: targets

► Redirection restrictions

Opera security supports the following redirection restrictions:

  • Same-origin XMLHttpRequest redirection

Opera security partially supports the following redirection restrictions:

  • location redirection to data:
  • location redirection to javascript:
  • refresh redirection to javascript:
  • refresh redirection to data:

Opera security does not support the following redirection restrictions:

  • location redirection to file:
  • refresh redirection to file:

► International domain name checks

Opera security supports a white list of top-level domains (TLDs) that are trusted to enforce a safe policy on domain names. Opera for Windows, Mac and UNIX checks for an updated list of trusted TLDs on a regular basis. Please see our Knowledge Base article for more information. Top-level domain registrars who have enforced strict domain name policies are encouraged to contact Opera Software to be included in the browser's white list, provided that their policies are approved.

Important note: TLDs not on the white list are not allowed to have mixes of Latin1, Greek, Cyrillic or Cherokee in the same label; otherwise, all permitted characters may be used.

► Simultaneous connection limits

Opera security supports the following simultaneous connection limits:

  • Network read timeout for automatic downloads: 15 seconds
    • More recently up to a minute, assuming data continues to arrive at least every 5 seconds
  • Maximum number of same-origin connections: 4 persistent, out of a default maximum of 8 per server

Non-HTML document-type behaviors

Opera security supports the following non-HTML document-type behaviors:

  • Generic XML documents
  • RSS feeds
  • ATOM feeds
  • CSS specifications in feeds
  • SVG images
  • javascript: or data: URLs in feeds
  • image/svg+xml documents containing HTML xmlns payloads

Opera security partially supports the following image formats:

  • Bitmap formats (excluding JPG, GIF, PNG): BMP

Opera security does not support the following non-HTML document-type behavior:

  • JavaScript execution within feeds

Operating System/Platform-specific policies

Opera 10.x security supports the following operating system/platform-specific features:

  • DEP (Data Execution Prevention) in Microsoft Windows XP® SP2 and higher, and Microsoft Windows Server 2003® with SP1
  • ASLR (Address Space Layout Randomization) in Microsoft Windows Vista®

Plug-in-supported content

Opera security supports the following plug-in-supported content:

  • Tag type and TYPE= / CLASSID= values: #1
  • content-type=value if type= is missing: #2

Opera security does not support (ignores) the following Plug-in-supported content:

  • Content sniffing if type= is not recognized
  • Content sniffing if type= is missing
  • content-type value if type= is not recognized

Same-origin policies

► Same-origin policy for DOM access

Opera security supports the following DOM access policy:

  • Port numbers that wrap around in same origin checks: uint16

Opera security partially supports the following DOM access policy:

  • Local HTML accessing unrelated local files via DOM

Opera security does not support the following DOM access policies:

  • document.domain being set to right-hand IP address fragments
  • Local HTML accessing sites on the Internet via the DOM

► Same-origin policy for XMLHttpRequest

Opera security supports the following XMLHttpRequest policies:

  • Accept
  • Accept-Language
  • User-Agent

Opera security does not support the following XMLHttpRequest policies:

  • Accept-Charset
  • Accept-Encoding
  • Cache-Control
  • If-* family (If-Modified-Since, etc)
  • Cookie
  • Host
  • Range
  • Referer
  • Transfer-Encoding
  • Via

► Additional XMLHttpRequest security policies

Opera security supports the following XMLHttpRequest policies:

  • XMLHttpRequest seeing other HTTP non-200 responses

Opera security partially supports the following XMLHttpRequest policies:

  • Local HTML accessing unrelated local files via XMLHttpRequest

Opera security does not support the following XMLHttpRequest policies:

  • CONNECT and TRACE methods (Opera implements a white list of known methods and replaces non-white-listed ones with GET)
  • XMLHttpRequest seeing httponly cookies
  • XMLHttpRequest seeing invalid HTTP 30x responses
  • XMLHttpRequest seeing cross-domain HTTP 30x responses
  • Local HTML accessing sites on the Internet via XMLHttpRequest

► Same-origin policy for Cookies

Opera security supports the following cookie policies:

  • DNS heuristic validation when a ccTLD cookie specifies a second-level domain, or a domain more than one level up
  • Scripts clobbering httponly cookies
  • document.cookie on file URLs
  • RFC 2965 (the Set-Cookie2 standard)
  • The max-age parameter
  • max-age=0 to delete cookies
  • The httponly flag
  • Ordering of duplicate cookies with different scope: most specific first
  • Maximum length of a single cookie: Infinite (∞)
  • Maximum number of cookies per site: Infinite (∞)
  • Maximum size of a set-cookie header: 4095 bytes
  • Maximum size of a list of cookies for sending: 5 kB
    • Note: cookies that would be in the sequence beyond this are ignored

Opera security does not support the following cookie policies:

  • document.cookie working on ftp URLs
  • Multiple comma-separated Set-Cookie pairs
  • Cookies for right-hand IP address fragments

► Same-origin policy for Java (applets)

Opera security does not support the following Java (applets) policy:

  • DOMService

► Origin inheritance rules

Opera security supports the following origin inheritance rules:

  • Inherited context for domain-less iframes: parent
  • Inherited context for about:blank windows: parent
  • Inherited context for javascript: windows: parent
  • Inherited context for data: windows: blank

► Navigation and content-inclusion across domains

Opera security supports the following navigation and content-inclusion features:

  • Auto-clicking of links via click()
  • getComputedStyle for CSS
  • currentStyle for CSS
  • Blocking of cross-domain character-set inheritance

Opera security partially supports the following navigation and content-inclusion features:

  • enctype=text/plain on forms

Opera security does not support the following navigation and content-inclusion features:

  • Verbose onerror messages produced for <script>
  • Verbose onerror messages produced for <style>

► Arbitrary page mashups (user interface redressing)

Opera security supports arbitrary page mashups (user interface redressing) in the following manner:

  • CSS opacity ("decoy underneath")
  • Partly obstructed clickable iframe containers ("decoy on top")
  • Cross-domain, anchor-based frame positioning

Opera security does not support arbitrary page mashups (user interface redressing) in the following manner:

  • Cross-domain scrollBy scrolling

► DOM access control gaps

Opera security supports DOM access control in the following manner:

  • postMessage API

Opera security partially supports DOM access control in the following manner:

  • target= links repositioning unrelated targets

Opera security does not support DOM access control in the following manner:

  • window.open() looking up unrelated windows
  • frames[] looking up unrelated windows
  • <win>.frames[] accessing third-party iframes
  • <win>.frames[] iterator
  • window.open() repositioning unrelated windows
  • <win>.history.* methods calling on unrelated targets
  • <win>.location.* properties being set on unrelated targets
  • <win>.location.* methods being called on unrelated targets
  • <win>.document.write() being called on unrelated targets
  • Setting window.on* properties across domains
  • Setting window.opener across domains
  • Setting window.name across domains
  • Calling frameElements methods across domains

► Privacy-related side channels

Opera security supports privacy-related side channels in the following manner:

  • Detection of :visited styles
  • CSS parser accepting HTML documents as style sheets
  • onerror firing on all common HTTP errors

Opera security does not support privacy-related side channels in the following manner:

  • Image sizes being read back
  • delete <win>.var probing

Third-party cookie rules

Opera security supports the following third-party cookie rules:

  • Cookie handling: no distinction is made between session and persistent cookies with regard to third-party rules
  • Cookie filtering depends on both site and referrer: site takes preference
  • Third party determination (RFC 2965 rules):
    • First party: anyone inside the site's parent domain
    • Third-parties: non-user-initiated requests out of that domain
    • Redirects: all inherit these policies

Uniform Resource Locators (URLs)

► URLs

Opera security supports URLs in the following manner:

  • Characters ignored in front of URL schemes: \t \r \n \x0B \x0C \xA0
  • Non-standard characters in URL scheme names (excluding 0-9 A-Z a-z + - .): \r \n +UTF8
  • Non-standard characters kept as-is with no escaping in URL query strings:
    • Excluding the following: 0-9 A-Z a-z - . _ ~ : / ? # [ ] @ ! $ & ' ( ) * + , ; =
    • Support is provided for: ^ { | } \x7F
  • Non-standard characters fully ignored in host names: \x0A-\x0D \xA0 \xAD
  • Types of partial or broken URLs auto-corrected to fully qualified ones: //y \\y x://[y]

Opera security does not support URLs in the following manner:

  • Fragment ID (hash) being encoded by applying RFC-mandated URL escaping rules

► Unicode in URLs

Opera security supports Unicode in URLs in the following manner:

  • URL path encoding when following plain links: UTF-8
  • URL query string encoding when following plain links: page encoding
  • URL path encoding for XMLHttpRequest calls: page encoding
  • URL query string encoding for XMLHttpRequest calls: page encoding
  • URL path encoding for manually entered URLs: UTF-8
  • URL query string encoding for manually entered URLs: stripped to " ? "
  • URL bar Unicode display method for host names: Unicode
  • URL bar Unicode display method outside host names: display as " ? "
  • Raw Unicode in host names auto-converting to Punycode
  • Percent-escaped UTF-8 in host names auto-converting to Punycode
  • Opera URLs

► Pseudo URLs: Encapsulating schemes

Opera security does not support the following pseudo URL schemes:

  • Feed (RSS, draft spec)
  • HCP, ITS, MHTML, MK, MS-Help, MS-ITS, MS-ITSS (Windows help archive parsing)
  • JAR (Java archive parsing)
  • View-cache, WYSIWYG (cached-page views)
  • View-source (page-source views)

Widgets

Widgets are Web applications that run on a desktop, mobile or other device. Opera supports Widgets. The Opera Widgets specification was submitted to the W3C as Widgets 1.0 and is currently a W3C working draft.

► New security model for widgets

network="public"

A new security model has been introduced for Opera 10 (Opera Presto 2.2) which, among other things, means that widgets do not have network access on by default. In order to enable network access for non-intranet sites, add a network attribute to the widget element in the config.xml of your widget with the value "public". For example:

  <widget network="public">
    ...
  </widget>

This will make your widget work as intended in Opera 10, but will not affect previous versions. Older browsers will simply ignore the network attribute and give your widget access as per the existing security model.

network="private" and network="public private"

The widget element attributes network="private" and network="public private" can enable network access for either private networks, public networks, or both. For example:

  <widget network="private">
    ...
  </widget>
  <widget network="public private">
    ...
  </widget>

The "private network" attribute value depends on a definition in a widgets.xml file within an Opera installation.
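As an added example (not part of Opera's documentation or the widget runtime), the following Python check reads a widget's config.xml and reports which network classes it declares under the Opera 10 model described above: no attribute means no network access, otherwise a space-separated set of "public" and/or "private". The sample configs are constructed, and rejecting unknown tokens is this example's own choice, not documented Opera behaviour.

```python
"""Audit an Opera widget's config.xml for the network attribute (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample configs, one per case discussed in the text.
SAMPLE_PUBLIC = '<widget network="public"><name>demo</name></widget>'
SAMPLE_BOTH = '<widget network="public private"><name>demo</name></widget>'
SAMPLE_NONE = '<widget><name>demo</name></widget>'
# W3C-style config with a namespace; the check must still find the attribute.
SAMPLE_NS = '<widget xmlns="http://www.w3.org/ns/widgets" network="private"/>'

# The only values the text documents for the network attribute.
VALID_TOKENS = {"public", "private"}


def network_access(config_xml):
    """Return the set of network classes the widget declares.

    An empty set means the attribute is absent: under the Opera 10
    (Presto 2.2) model the widget then gets no network access, while
    older versions ignore the attribute entirely.  Unknown tokens raise
    ValueError (an assumption of this example) so that a typo such as
    network="pubic" does not silently leave a widget without network
    access when it is deployed.
    """
    root = ET.fromstring(config_xml)
    local_name = root.tag.rsplit("}", 1)[-1]  # strip an xmlns prefix if present
    if local_name != "widget":
        raise ValueError("root element is %r, expected <widget>" % local_name)
    attr = root.get("network")
    if attr is None:
        return set()
    tokens = set(attr.split())
    unknown = tokens - VALID_TOKENS
    if unknown:
        raise ValueError("unknown network token(s): %s" % ", ".join(sorted(unknown)))
    return tokens


def describe(config_xml):
    """Human-readable summary of what the widget may reach in Opera 10."""
    access = network_access(config_xml)
    if not access:
        return "no network access (Opera 10); unrestricted in older versions"
    return "network access: " + " and ".join(sorted(access))


if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_BOTH, SAMPLE_NONE, SAMPLE_NS):
        print(describe(sample))
```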
