@soaj1664 reported an XSS vulnerability in the sandbox domain we use for proxying images coming from non-HTTPS sources. By using our image proxy to request an SVG resource, an attacker could have caused arbitrary JavaScript to execute in the image-proxy domain.

While this vulnerability existed in a sandbox domain, largely intended to mitigate the risk of serving user-supplied content, we still took the threat seriously. We addressed the behavior by disallowing SVG images until we moved the image proxy to a domain that is not a subdomain of GitHub.com.
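As an added example (not GitHub's own code), the kind of check an image proxy can apply to an upstream response before relaying it: only raster formats are allowed, the declared type and the body's leading bytes must agree, so an SVG (a scriptable XML document) is rejected whatever it claims to be, and the response headers are set by the proxy rather than echoed from upstream. The `decide` function and its sample inputs are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Raster formats the proxy will relay, keyed by declared MIME type, with the
# magic bytes the body must open with. SVG is deliberately absent: it is XML
# and may carry <script>, event handlers, or external references.
ALLOWED_SIGNATURES = {
    "image/png":  (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif":  (b"GIF87a", b"GIF89a"),
    "image/webp": (b"RIFF",),  # RIFF header; bytes 8-12 must read "WEBP"
}

@dataclass
class ProxyDecision:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)

def sniffed_type(body: bytes):
    """Return the allowed raster type the body's leading bytes identify, else None."""
    for mime, sigs in ALLOWED_SIGNATURES.items():
        if any(body.startswith(s) for s in sigs):
            if mime == "image/webp" and body[8:12] != b"WEBP":
                continue  # RIFF container that is not WebP (e.g. WAVE)
            return mime
    return None

def decide(upstream_content_type: str, body: bytes) -> ProxyDecision:
    """Decide whether a fetched upstream body may be relayed to the client.

    A mismatch between declared and sniffed type (e.g. an image/png header on
    an XML body) is rejected rather than trusting either side.
    """
    declared = upstream_content_type.split(";")[0].strip().lower()
    if declared not in ALLOWED_SIGNATURES:
        return ProxyDecision(False, f"declared type not allowed: {declared}")
    sniffed = sniffed_type(body)
    if sniffed != declared:
        return ProxyDecision(False, f"body does not match declared type (sniffed: {sniffed})")
    headers = {
        "Content-Type": declared,                       # set by the proxy, never echoed
        "X-Content-Type-Options": "nosniff",            # browser must not re-sniff
        "Content-Disposition": 'inline; filename="image"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return ProxyDecision(True, "ok", headers)

if __name__ == "__main__":
    # Constructed sample upstream responses, not real captures.
    print(decide("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(decide("image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'/>"))
    print(decide("image/png", b"<?xml version='1.0'?><svg/>"))
```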