@adob reported an issue where Adobe Flash would interpret raw Gists as Flash movies. Flash will treat any file as a Flash movie, regardless of file extension or the values of the Content-Type and X-Content-Type-Options headers. A malicious website could host an embed tag with the src pointing to a raw Gist. Even though the Flash movie would be loaded by the malicious site, Flash would allow the movie to make HTTPS requests to gist.github.com and to read the response, including any sensitive information such as CSRF tokens.

The only ways to prevent Flash from interpreting a resource as a Flash movie are to not allow user control of the first bytes of the response or to set the Content-Disposition header to attachment. We mitigated the vulnerability by hosting the user-controlled data on a sandbox domain where potentially serving Flash files is not dangerous.
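As an added illustration (not GitHub's code), the following Python audit helper encodes the three mitigation conditions above and checks sample responses against them; the sandbox host name, the RawResponse type and the sample bodies are constructed for the example.

```python
from dataclasses import dataclass, field

# SWF file signatures: uncompressed, zlib-compressed and LZMA-compressed movies.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


@dataclass
class RawResponse:
    """A raw-file response as served; header names are lower-cased."""
    host: str
    body: bytes
    headers: dict = field(default_factory=dict)


def looks_like_swf(body: bytes) -> bool:
    """Flash keys only on the first bytes, never on extension or Content-Type."""
    return body[:3] in SWF_MAGIC


def is_attachment(headers: dict) -> bool:
    disposition = headers.get("content-disposition", "")
    return disposition.split(";", 1)[0].strip().lower() == "attachment"


def flash_exposure(resp: RawResponse, sandbox_hosts: set,
                   user_controls_first_bytes: bool = True):
    """Return a reason a hostile embed could play this response as a Flash
    movie with the serving origin's credentials, or None if it cannot."""
    if resp.host in sandbox_hosts:
        return None  # sandbox origin holds no session or CSRF tokens worth reading
    if is_attachment(resp.headers):
        return None  # Flash refuses to play a resource sent as an attachment
    if not user_controls_first_bytes:
        return None  # the uploader cannot place FWS/CWS/ZWS at offset 0
    hint = ("body already starts with an SWF signature" if looks_like_swf(resp.body)
            else "user could place an SWF signature at offset 0")
    return f"{resp.host}: {hint}; nosniff and Content-Type do not stop Flash"


# Constructed sample: a raw Gist-style response on the main origin carrying the
# headers one might wrongly expect to be sufficient (constructed SWF-like body).
EXPOSED = RawResponse("gist.github.com", b"CWS\x0a\x00\x00\x00\x00", {
    "content-type": "text/plain; charset=utf-8",
    "x-content-type-options": "nosniff",
})
# Same bytes and headers served from a hypothetical sandbox domain instead.
SANDBOX_HOST = "raw.sandbox.example"  # placeholder, not GitHub's real domain
FIXED = RawResponse(SANDBOX_HOST, EXPOSED.body, dict(EXPOSED.headers))
```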