URL API and the host property of anchor elements. This led to incorrect origin comparisons when sending XHR requests and could have resulted in CSRF tokens being sent to third parties. When used in conjunction with an XSS vulnerability, this could have bypassed our CSP protections, resulting in CSRF.
This vulnerability was considered to be low-risk because exploitation would require an XSS vulnerability. The mitigation for this bug will be included in the next GitHub Enterprise release.
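An added example, not GitHub's code and not taken from the advisory: one way to gate a CSRF token on an origin check that parses the request URL once with the URL API and compares `origin`, failing closed on anything else. The header name `X-CSRF-Token`, the helper names and the `.example` URLs are assumptions constructed for illustration.

```javascript
// Added example: attach a CSRF token only to same-origin requests.
// All names and URLs below are constructed; none come from the advisory.
const CSRF_HEADER = 'X-CSRF-Token';            // assumed header name
const WEB_SCHEMES = new Set(['http:', 'https:']);
const SAMPLE_PAGE = 'https://app.example/settings';

// Parse with the WHATWG URL parser only. Using one parser for both the
// comparison and the request avoids two parsers disagreeing about the host.
function parse(url, base) {
  try {
    return new URL(url, base);
  } catch (_e) {
    return null; // unparseable input fails closed
  }
}

// True only when scheme, host and port of the resolved target match the page.
function isSameOrigin(requestUrl, pageUrl) {
  const page = parse(pageUrl);
  const target = page && parse(requestUrl, page.href);
  if (!page || !target) return false;
  // Opaque origins serialize to the string "null"; never let two of them match.
  if (!WEB_SCHEMES.has(page.protocol) || !WEB_SCHEMES.has(target.protocol)) {
    return false;
  }
  return target.origin === page.origin;
}

// Build request headers; the token is added only after the origin check passes.
function headersFor(requestUrl, pageUrl, csrfToken) {
  const headers = { Accept: 'application/json' };
  if (isSameOrigin(requestUrl, pageUrl)) headers[CSRF_HEADER] = csrfToken;
  return headers;
}

// Constructed sample targets, including forms that naive string checks misread.
const SAMPLES = [
  '/api/update',                        // relative path
  'https://app.example:443/api',        // default port, same origin
  '//other.example/collect',            // scheme-relative
  'https://app.example@other.example/', // userinfo before the real host
  '\\\\other.example/collect',          // backslashes parsed as slashes
  'https://app.example.other.example/', // lookalike suffix
  'http://app.example/api',             // scheme downgrade
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', isSameOrigin(s, SAMPLE_PAGE));
}
```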