WAP form content can be leaked to other sites

Type opera
Reporter Opera
Modified 2010-12-14T00:00:00


When accepting user input in form fields on a WAP page, WML requires that the input contents are remembered, and used to populate every further input sharing the same name. This should continue as long as the user continues to click links (known as a WAP session), even populating similarly named inputs on other sites. WAP site authors are expected to remove sensitive information from the browser context by clearing the variables containing this information. Failure to clear this information could lead to the sensitive information being leaked to other sites that are linked to.

When the user creates a new WAP session by manually entering a new URL to visit, any existing variables are supposed to be cleared. Opera failed to clear the variables in this case, allowing sensitive information to be leaked to unrelated sites even if the user manually navigated to those sites, not just when accessed through links.
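
The site-side clearing described above, as an added illustration that is not part of the advisory: a constructed WML 1.1 deck that resets the browser context on entry with `newcontext="true"` and empties the sensitive variables with `<setvar>` before the user can follow an off-site link. Card ids, variable names and URLs are hypothetical.

```xml
<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN"
  "http://www.wapforum.org/DTD/wml_1.1.xml">
<wml>
  <!-- Constructed example: ids, variable names and URLs are hypothetical. -->

  <!-- newcontext="true" reinitialises the browser context when this card
       is entered: variables set by earlier decks are cleared, so nothing
       left over from another site pre-populates these inputs. -->
  <card id="login" title="Sign in" newcontext="true">
    <p>
      User: <input name="user" type="text"/>
      PIN: <input name="pin" type="password"/>
      <anchor>Sign in
        <go href="/login" method="post">
          <postfield name="user" value="$(user)"/>
          <postfield name="pin" value="$(pin)"/>
        </go>
      </anchor>
    </p>
  </card>

  <!-- Card the user lands on after sign-in (kept in the same deck for
       brevity). On forward entry it overwrites the sensitive variables
       with empty strings, which WML treats the same as unset, before any
       link to another site can be followed. -->
  <card id="done" title="Welcome">
    <onevent type="onenterforward">
      <refresh>
        <setvar name="pin" value=""/>
        <setvar name="user" value=""/>
      </refresh>
    </onevent>
    <p>
      Signed in.
      <a href="http://other.example/">Partner site</a>
    </p>
  </card>
</wml>
```

Clearing on the site side does not rely on the browser resetting the context when a new WAP session starts.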