Diaspora added an X-CSRF-Token header to XHR made by fileupload.
Since fileupload doesn't think Opera supports XHR, it builds a form and submits that instead.
By adding a hidden authenticity_token to the form, Opera can submit the form without logging the user out.