@zhuowei reported an XSS vulnerability in the sandbox domain we use for proxying images coming from non-HTTPS sources. If the Content-Type header existed in the proxied response, we were checking that it contained an image media type. Responses without a Content-Type header were forwarded though.

Firefox and Internet Explorer attempt to guess the content-type of resources that do not specify a Content-Type header. This is a very old issue that often leads to XSS. By using our image proxy to request an HTML resource that does not specify a content-type, an attacker could have caused an arbitrary HTML file to be served from our image-proxy domain.

While this vulnerability existed in a sandbox domain, largely intended to mitigate the risk of serving user-supplied content, we still took the threat seriosuly. We addressed the behavior by disallowing responses not containg a Content-Type header. We also moved the image proxy to a domain that is not a subdomain of GitHub.com.