@homakov reported an XSS vulnerability in the sandbox domain we use for proxying images coming from non-HTTPS sources. By serving an image response whose Content-Type header was set to "image,text/html", an attacker could pass our content-type check, which only ensured that the header value started with "image". Browsers that follow the Fetch standard's media type extraction split the header on commas and keep the last piece that parses as a media type; "image" has no subtype and is discarded, so the response was rendered as text/html and any markup in it executed as script.
While this vulnerability existed in a sandbox domain, largely intended to mitigate the risk of serving user-supplied content, we still took the threat seriously. We addressed the behavior by strictly whitelisting the allowed values for the Content-Type header, so that a response is proxied only when its content type is one of a fixed set of image media types and anything else, including comma-separated lists, is rejected. We also moved the image proxy to a domain that is not a subdomain of GitHub.com, so that cookies scoped to the parent domain are never sent to it and any script that might run there has no origin relationship with the main site.
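The following is an added illustration, not GitHub's proxy code, of why the prefix check described above fails and what the strict allowlist check looks like. It models how a browser resolves a comma-separated Content-Type header (the Fetch standard's "extract a MIME type" behavior: split on commas, keep the last piece that parses as a media type), then compares the original prefix check against an exact-match allowlist. The allowlist contents, the function names and the probe header values are assumptions chosen for the example.

```javascript
// Added example: Content-Type handling for an image proxy. Not the code of the
// proxy described on this page; names and the allowlist are illustrative.

// Hypothetical set of image media types the proxy agrees to relay.
// SVG is deliberately absent: it can carry script and is not a safe "image".
const ALLOWED_IMAGE_TYPES = new Set([
  "image/png",
  "image/jpeg",
  "image/gif",
  "image/webp",
]);

// Parse a single media type ("type/subtype", optionally followed by
// ";param=value"). Returns the lowercased "type/subtype" essence, or null
// when the value is not well formed (no slash, empty type or subtype,
// characters outside the token alphabet).
function parseMediaType(value) {
  const token = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
  const re = new RegExp("^\\s*(" + token + ")\\/(" + token + ")\\s*(?:;.*)?$");
  const m = re.exec(value);
  return m ? (m[1] + "/" + m[2]).toLowerCase() : null;
}

// Model of the browser side, following the Fetch standard's "extract a MIME
// type": split the header on commas, parse each piece, and keep the LAST one
// that parses. For "image,text/html" the piece "image" fails to parse (no
// subtype) and is dropped, so the effective type is text/html.
// Simplification: a real implementation also honors quoted strings when
// splitting; plain header values as probed here contain none.
function effectiveMediaType(headerValue) {
  let result = null;
  for (const piece of headerValue.split(",")) {
    const essence = parseMediaType(piece);
    if (essence !== null) result = essence;
  }
  return result;
}

// The check as the page describes it: only the prefix is examined, so
// "image,text/html" is accepted. Kept vulnerable on purpose for comparison.
function prefixCheckAllows(headerValue) {
  return headerValue.startsWith("image");
}

// Strict allowlist: the whole header, trimmed and lowercased, must equal one
// of the allowed values. Lists ("a,b"), parameters and unknown types all fail.
function strictCheckAllows(headerValue) {
  return ALLOWED_IMAGE_TYPES.has(headerValue.trim().toLowerCase());
}

// Run a header value through both checks and the browser model, so the gap
// between "what the proxy accepted" and "what the browser renders" is visible.
function evaluateHeader(headerValue) {
  return {
    header: headerValue,
    prefixCheck: prefixCheckAllows(headerValue),
    strictCheck: strictCheckAllows(headerValue),
    browserSees: effectiveMediaType(headerValue),
  };
}

// Constructed probe values, including the reported bypass.
const PROBES = [
  "image/png",
  "IMAGE/PNG",
  "image,text/html",          // the reported bypass
  "image/png, text/html",     // a list that starts with a valid image type
  "image/svg+xml",            // well-formed, but not on the allowlist
  "text/html",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const p of PROBES) console.log(evaluateHeader(p));
}
```

In the table this prints, the prefix check accepts both "image,text/html" and "image/png, text/html" while the browser model resolves both to text/html; the strict check rejects them, and rejects "image/svg+xml" as well. If a deployment needs to tolerate parameters (for example a stray charset), parse the value with parseMediaType and compare the essence against the allowlist rather than relaxing the check to a prefix again.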