@ealf reported an issue where the Safari browser incorrectly parsed URLs using the JavaScript URL API and the host property of anchor elements. This lead to incorrect origin comparisons when sending XHR requests and could have resulted in CSRF tokens being sent to third parties. When used in conjunction with an XSS vulnerability, this could have bypassed our CSP protections, resulting in CSRF.

This vulnerability was mitigated by assuming that an XHR request is cross-origin if the browser fails to parse the URL. Safari fixed their parsing of URLs in version 8.0.4.

This vulnerability was considered to be low-risk because exploitation would require an XSS vulnerability. The mitigation for this bug will be included in the next GitHub Enterprise release.

@ealf earned an additional 500 points for donating his bounty to a great cause — The Electronic Frontier Foundation. GitHub matches all bounties donated to 501(c)(3) organizations.