Reloads and redirects can allow spoofing and cross site scripting

2010-10-06T00:00:00
ID OPERA:973
Type opera
Reporter Opera
Modified 2010-10-06T00:00:00

Description

Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS). In some cases, the address bar will also show the address of the target page.

With minimal user interaction, this particular XSS vector may also be used to modify Opera's configuration, and this may in turn be used to execute arbitrary code on the computer.