@homakov reported an XSS vulnerability in the sandbox domain we use for proxying images coming from non-HTTPS sources. By setting the Content-Type header value to "image,text/html", it would pass our content-type checks, which were only ensuring that the value started with "image".

While this vulnerability existed in a sandbox domain, largely intended to mitigate the risk of serving user-supplied content, we still took the threat seriously. We addressed the behavior by strictly whitelisting the allowed values for the Content-Type header. We also moved the image proxy to a domain that is not a subdomain of GitHub.com.
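The prefix check and an allowlisted replacement side by side, as an added Python example (this is not GitHub's proxy code; the allowlist contents, sample header values and function names are constructed for illustration):

```python
import re

# Constructed allowlist of image media types the proxy may serve. SVG is left
# out deliberately because it can carry script when rendered directly.
ALLOWED_IMAGE_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp",
})

# Exactly one RFC 7231 media type: type "/" subtype, no commas, no whitespace.
_MEDIA_TYPE_RE = re.compile(r"^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$")


def weak_check(content_type: str) -> bool:
    """The flawed check described above: a bare prefix match on 'image'."""
    return content_type.startswith("image")


def strict_check(content_type: str) -> bool:
    """Hardened check: isolate the media type and require an exact allowlist hit.

    Parameters after ';' are dropped and the token is lower-cased. Anything that
    is not a single well-formed type/subtype (e.g. a comma-separated list such
    as 'image,text/html') is rejected before the allowlist lookup.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if not _MEDIA_TYPE_RE.fullmatch(media_type):
        return False
    return media_type in ALLOWED_IMAGE_TYPES


# Constructed Content-Type values an upstream server might return,
# mapped to the verdict the strict check should give.
SAMPLES = {
    "image/png": True,
    "image/jpeg; charset=utf-8": True,   # parameter is stripped
    "IMAGE/GIF": True,                   # media types are case-insensitive
    "image,text/html": False,            # the reported bypass
    "image/gif,text/html": False,        # still a list, not a single type
    "imagetext/html": False,             # prefix match alone would accept this
    "text/html": False,
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        print(f"{value!r:30} weak={weak_check(value)!s:5} strict={strict_check(value)}")
        assert strict_check(value) == expected
```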