Opera 18 is now out on the stable channel, so we wanted to take a moment to go through some of the new features from a security perspective.
One of the new features is media access; that is, camera and microphone support for Web applications. We fully recognise how important it is for users to have complete control over whether or not a website can access these devices. Users must be fully aware of which websites can access these devices, to avoid unexpectedly exposing any sensitive imagery or audio to a website.
Our implementation is based on the same approach as geolocation, where the user is prompted for their permission for the website to access the media devices. With media access, this happens every time the page is loaded. If the user denies it, this is remembered per website to prevent the user from being pestered by repeated requests. Whenever a website has access to a camera or microphone, an icon will appear in the address bar to show that this access is available to the website. Users can use the icon or their privacy settings to toggle this access again.
Some gritty details coming up. The website that this permission is associated with is the website that makes the request, not the one that shows in the address bar. So for example if website A holds website B in an inline frame (iframe), and website B makes the request for access to the user’s camera, the permission is associated with website B, even though the address bar shows website A. The user needs to know which website actually gets the access – they may trust the website in the address bar, but not the one that is in the iframe.
However, because users may not actually realise that an iframe on one site points to the same website that appears in another iframe on another site, or is the same as one that the user visits directly, Opera associates the permission with the combination of those two websites. Therefore, if the user gives permission to website B when it is loaded in an iframe on website A, they will have to give website B permission once again when it is used in an iframe on website C, and again if website B is loaded directly.
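The pairing described in the two paragraphs above can be modelled as a lookup keyed on both websites. This is an added example, not Opera's code: the class name, the sample hosts, the use of the URL origin to identify a "website", and storing decisions in a simple map are all assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not Opera's implementation.
// Assumption: a "website" is identified by the origin of its URL.
class MediaPermissionStore {
  constructor() {
    this.decisions = new Map(); // pair key -> "granted" | "denied"
  }

  // Key on the pair (site in the address bar, site making the request).
  // When a site is loaded directly, both halves are the same origin.
  static key(topLevelUrl, requestingUrl) {
    const top = new URL(topLevelUrl).origin;
    const requester = new URL(requestingUrl).origin;
    return JSON.stringify([top, requester]); // unambiguous pair encoding
  }

  record(topLevelUrl, requestingUrl, decision) {
    if (decision !== "granted" && decision !== "denied") {
      throw new RangeError("decision must be 'granted' or 'denied'");
    }
    const k = MediaPermissionStore.key(topLevelUrl, requestingUrl);
    this.decisions.set(k, decision);
  }

  // No decision stored for this exact pair means the user must be asked.
  lookup(topLevelUrl, requestingUrl) {
    const k = MediaPermissionStore.key(topLevelUrl, requestingUrl);
    return this.decisions.get(k) ?? "prompt";
  }
}

// Constructed sample sites (hypothetical hosts).
const A = "https://site-a.example/page";
const B = "https://site-b.example/widget";
const C = "https://site-c.example/other";

function demo() {
  const store = new MediaPermissionStore();
  store.record(A, B, "granted"); // user allows B inside an iframe on A
  return {
    bInsideA: store.lookup(A, B), // same pair: decision applies
    bInsideC: store.lookup(C, B), // different embedder: ask again
    bDirect: store.lookup(B, B),  // B loaded directly: ask again
    aItself: store.lookup(A, A),  // A never gains B's permission
  };
}
```

A store keyed on the requesting site alone would return the stored grant for all of B's contexts, which is the silent reuse the pairing prevents.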
Security issue fixes
The following security issue was fixed in Opera 18:
- DNA-13356; Low severity: Address bar spoofing when error dialogs are displayed, reported by Masato Kinugawa
Other security-related fixes and changes
A few bugs also got fixed that, while not actively exploitable, do relate to how we want the browser’s security UI to appear.
- DNA-11576; Blacklisted extensions on third party websites should be blocked before installation begins, and not wait for installation to be authorised before being blocked
- DNA-10440; Address bar should show website address after using Quick Access Bar bookmarklet
- DNA-11792; Page information details dropdown should only show organization string for EV, not DV