Opera reports:
CORS (Cross-Origin Resource Sharing) allows web pages to retrieve
the contents of pages from other sites, with their permission,
as they would appear for the current user.
When requests are made in this way, the browser should only allow
the page content to be retrieved if the target site sends the
correct headers that give permission for their contents to be
used in this way. Specially crafted requests may trick Opera
into thinking that the target site has given permission when it
had not done so. This can result in the contents of any target page
being revealed to untrusted sites, including any
sensitive information or session IDs contained within the
source of those pages.
Also reported are vulnerabilities involving SVG graphics and XSS.