Security changes in Opera 20 update
We have just released a silent update of Opera 20; you would most likely not even have noticed it. From a security perspective, we have made two interesting changes in this update.
The first one regards what we call the badge, the icon to the left of the address field. In Opera 19, there were two different icons one could see: one for regular pages and one for secure pages. However, the world is often complicated, and there is a large gray area in between. So for Opera 20, we experimented with a third icon, a padlock with a cross over it, for web pages which tried to be secure but failed. In previews, we did not get much feedback, but once this change went into the Stable releases, many users noticed and wondered why the pages they viewed were insecure, as they had not noticed this before. (Two high-profile examples were Gmail being insecure after clicking on the Apps icon, and Angry Birds on iTunes.) So in this respect the new icon succeeded, but as it simultaneously made users uncomfortable and sceptical, we have decided to revert this change. We will do some more work on this, and may release an improved version in the future. Even small changes we make to the address bar can have large effects for users.
The second change is related to a feature called Content Security Policy (CSP). A user noticed that CSP 1.1 leaks significant amounts of information cross-domain, and showed how this could be abused to gain information about visitors' relationships with other sites. There is currently a detailed discussion about this in the Web Application Security Working Group. Opera has not previously participated in developing CSP, but we are now actively taking part in the discussion in order to enhance its security. Opera 20 used to fully support CSP 1.1, but with this change we no longer support paths as specified. Webmasters can still specify paths, but Opera will only consider the scheme, host and port. This was a change which could be deployed to our users fast, which takes care of the main security issues, and which continues to work with existing sites and configurations, since anything a path-based policy allowed is still allowed. Once CSP 1.1 is changed to be secure, we plan to follow the specification again.
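To illustrate the difference between the two behaviours, here is an added example (not Opera's code) of a simplified CSP source-expression matcher that can either honour paths as the CSP 1.1 draft specifies or ignore them as described above. The source expressions and URLs in it are constructed; only `scheme://host[:port][/path]` forms are handled, not keywords such as `'self'` or wildcards.

```python
from urllib.parse import urlsplit

# Default ports let "https://cdn.example" and "https://cdn.example:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split a URL or source expression into (scheme, host, port, path)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port, (u.path or "/")


def source_matches(source, url, honor_paths=True):
    """Return True if `url` is permitted by the CSP source expression `source`.

    honor_paths=True  follows the CSP 1.1 draft: a source path ending in "/"
                      is a prefix match, any other path is an exact match.
    honor_paths=False models the Opera 20 behaviour from the post: the path
                      part of the source is ignored, only scheme/host/port count.
    """
    s_scheme, s_host, s_port, s_path = _parts(source)
    u_scheme, u_host, u_port, u_path = _parts(url)
    if not s_host or (s_scheme, s_host, s_port) != (u_scheme, u_host, u_port):
        return False
    if not honor_paths or s_path == "/":
        return True
    if s_path.endswith("/"):
        return u_path.startswith(s_path)
    return u_path == s_path


def policy_allows(sources, url, honor_paths=True):
    """Allow `url` if any source expression in a directive's list matches it."""
    return any(source_matches(s, url, honor_paths) for s in sources)


if __name__ == "__main__":
    # Constructed policy: scripts only from one directory of a CDN.
    policy = ["https://cdn.example/scripts/"]
    for resource in ("https://cdn.example/scripts/app.js",
                     "https://cdn.example/other/app.js",
                     "http://cdn.example/scripts/app.js"):
        print(resource,
              "spec:", policy_allows(policy, resource),
              "domain-only:", policy_allows(policy, resource, honor_paths=False))
```

Note that every resource the path-aware mode permits is also permitted in domain-only mode, which is why existing policies keep working; the second mode is simply coarser.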
In addition, the update contains relevant fixes from upstream, as always.