Cross-domain checks may be bypassed, allowing limited data theft using CSS

Type opera
Reporter Opera
Modified 2010-10-06T00:00:00


CSS can be loaded cross-domain. In some cases, files that do not contain CSS may be partially interpreted as CSS. Opera can be made to incorrectly treat remote CSS files as if they were CSS files from the document-origin server. Scripts can then read the interpreted parts of a remote file, which makes cross-domain data theft possible.
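
The two decisions this advisory turns on, whether a fetched file is handed to the CSS parser and whether scripts may read the parsed result, can be modelled as below. This is an added example, not Opera's code: the function names, the `{ url, contentType }` response shape and the rule that cross-origin files must be labelled `text/css` are assumptions of this simplified model, and the sample URLs are constructed.

```javascript
// Added illustration, not Opera's implementation. Function names and the
// { url, contentType } response shape are assumptions of this sketch.

// Bare media type from a Content-Type header value, lowercased.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Serialized origin (scheme, host, port). Unparseable URLs and schemes with
// opaque origins (data:, file:) yield "null", which never matches anything.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return "null";
  }
}

// Decide how a fetched stylesheet may be used by the embedding document.
// response.url is the URL the bytes were actually served from.
function stylesheetPolicy(documentUrl, response) {
  const docOrigin = originOf(documentUrl);
  const sameOrigin = docOrigin !== "null" && docOrigin === originOf(response.url);
  const isCss = mediaType(response.contentType) === "text/css";
  return {
    sameOrigin,
    // A cross-origin file not labelled text/css never reaches the lenient CSS parser.
    parseAsCss: sameOrigin || isCss,
    // Parsed rules are exposed to scripts only for same-origin sheets.
    scriptReadable: sameOrigin,
  };
}

// Constructed sample cases (example.com / example.net are placeholders).
const DOC = "https://app.example.com/page.html";
const SAMPLES = {
  local: { url: "https://app.example.com:443/site.css", contentType: "text/css" },
  remoteCss: { url: "https://cdn.example.net/theme.css", contentType: "Text/CSS; charset=utf-8" },
  remoteHtml: { url: "https://mail.example.net/inbox", contentType: "text/html" },
  otherPort: { url: "https://app.example.com:8443/site.css", contentType: "text/css" },
};

function evaluateSamples() {
  const out = {};
  for (const [name, resp] of Object.entries(SAMPLES)) out[name] = stylesheetPolicy(DOC, resp);
  return out;
}
```

A remote stylesheet can still be applied to the page when it is genuine CSS, but in this model its rules are never readable by the embedding document's scripts.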