views:

361

answers:

4

Unlike other browsers (IE, FF, Chrome) Opera 10 doesn't allow websites to access content from localhost. Only when 127.0.0.1 is explicitly added to the trusted websites list in Opera does this work - all other browsers don't need this.

Any suggestions on how I can either programatically add this to the trusted sites list in Opera (unlikely that this is possible), or make Opera hit localhost using some alternate means like some type of cross-domain policy file on my website?

Thanks!

+6  A: 

Since this is a security feature it's not supposed to be possible to circumvent it from web content - otherwise it would be no point in having that feature in the first place. What's your use case?

hallvors
I have an iFrame that's what to render some data obtained from 127.0.0.1Every other browser allows it - not sure why Opera wont.
psychotik
Perhaps because Opera is more secure (or trying to be so) :). The cross-network limitations are in fact developed as a response to the security threat called "pharming" where malicious sites might reconfigure your router or intranet services. It may not yet be flexible enough configuration-wise, but it's certainly safer than browsers used to be.Do you see a cross-network access error page? You might try writing a User JavaScript that is limited to 127.0.0.1, detects the network error page and clicks the "Continue" link..
hallvors
This is a silly security feature for a browser. Preventing pharming is the OS's responsibility, by sandboxing browsers. Browsers artificially preventing websites from doing legitimate operations in the name of security is a sham. It is 100% legit to expect a webserver running on a user's machine to be able to serve content. I'm not talking about some silly XSS thing here - this is in an iframe which is already sandboxed from the rest of the website.
psychotik
How on earth could the *OS* prevent pharming?
Nicolás
Nicolas - pharming involves messing your hosts file or reconfiguring your router. By preventing non privileged processes from accessing the hosts file, the OS can help with the former (i.e. sandboxing). Strong router admin password and good router firmware (not susceptible to CSRF, for instance) implementation prevents the second.
psychotik
Of course in a better world we'd have routers with strong passwords and proper CSRF-protection measures. Trying to solve this problem in the browser IS hackish and has drawbacks - but we don't live in an ideal world and as browser developers we want to protect our users from web-based threats.
hallvors
+1  A: 

I'm assuming that you are installing some kind of software on your clients' machines -- otherwise, how can you be certain that there is a webserver at 127.0.0.1? If so, @Autocracy's comment to the question applies: find where the "Trusted Sites" settings are stored, and modify it during the installation.

Alex Lyman
Yes. And yea, I like Autocracy's suggestion too. At first glance, it looks like Opera stores this info in a binary file. There is a ini file called override.ini which looks promising although it isn't directly edited by changing the trusted site list. This workaround is butt-ugly though... time to not support Opera, methinks!
psychotik
+3  A: 

File location in Windows: $USER_FOLDER/Application Data/Opera/Opera/

Ensure opera is closed, append, enjoy.

$ cat trusted_repositories.ini                                                                                      
Opera Preferences version 2.1
; Do not edit this file while Opera is running
; This file is stored in UTF-8 encoding

[whitelist]
http://widgets.opera.com
https://widgets.opera.com
http://unite.opera.com
https://unite.opera.com
Autocracy
A: 

I am not sure what you are accessing on localhost/127.0.0.1?

Are request browser for a direct file system access? Or is your server running on localhost.

I just tested (on Linux), if your server is bound to 127.0.0.1 interface, opera is allowing the access.

chinmaya