@adob reported an issue where Adobe Flash would interpret raw Gists as Flash movies. Flash will treat any file as a Flash movie, regardless of file extension or the values of the Content-Type or X-Content-Type-Options headers. A malicious website could host an embed tag with the src pointing to a raw Gist. Even though the Flash movie would be loaded by the malicious site, Flash would allow the movie to make HTTPS requests to gist.github.com and to read the response, including any sensitive information such as CSRF tokens.

The only ways to prevent Flash from interpreting a resource as a Flash movie are to not allow user control of the first bytes of the response or to set the Content-Disposition header to attachment. We mitigated the vulnerability by hosting the user-controlled data on a sandbox domain, where serving content that Flash might interpret as a movie is not dangerous.
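As an added illustration (not GitHub's own code), the check below encodes the two mitigations described above: a response whose leading bytes are user-controlled is acceptable only if it carries `Content-Disposition: attachment` or is served from a sandbox origin; `Content-Type` and `X-Content-Type-Options` are deliberately not counted, since Flash ignores them. The sandbox host name and the sample responses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# First bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

@dataclass
class Response:
    host: str                     # origin the bytes are served from
    headers: Dict[str, str]
    body: bytes
    user_controlled: bool = True  # can a user choose the leading bytes?

def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string if absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def looks_like_swf(body: bytes) -> bool:
    """True if the body starts with an SWF signature (what Flash keys on)."""
    return body[:3] in SWF_MAGIC

def is_attachment(headers: Dict[str, str]) -> bool:
    """Content-Disposition: attachment is the one header Flash honours."""
    return header(headers, "Content-Disposition").split(";")[0].strip().lower() == "attachment"

def flash_findings(resp: Response, sandbox_hosts: Set[str]) -> List[str]:
    """Findings for one response; an empty list means it is acceptable."""
    if not resp.user_controlled or resp.host in sandbox_hosts or is_attachment(resp.headers):
        return []
    findings = [f"user bytes on {resp.host} without Content-Disposition: attachment"]
    if looks_like_swf(resp.body):
        findings.append("body already carries an SWF signature")
    if header(resp.headers, "X-Content-Type-Options").lower() == "nosniff":
        findings.append("nosniff is set but Flash ignores it")
    return findings

# Constructed sample responses (not real GitHub traffic).
RAW_GIST = Response("gist.github.com",
    {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}, b"FWS\x08\x00\x00\x00")
FIXED_BY_HEADER = Response("gist.github.com",
    {"Content-Type": "text/plain", "Content-Disposition": "attachment; filename=x"}, b"FWS\x08\x00")
FIXED_BY_DOMAIN = Response("raw-sandbox.example", {"Content-Type": "text/plain"}, b"FWS\x08\x00")
SANDBOX = {"raw-sandbox.example"}  # placeholder for a credential-free sandbox domain

if __name__ == "__main__":
    for r in (RAW_GIST, FIXED_BY_HEADER, FIXED_BY_DOMAIN):
        print(r.host, flash_findings(r, SANDBOX) or "ok")
```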