Heads up: nosniff header support coming to Chrome and Firefox
Both GitHub and Gist offer ways to view “raw” versions of user content. Instead of viewing files in the visual context of the website, the user can see the actual…
Both GitHub and Gist offer ways to view “raw” versions of user content. Instead of viewing files in the visual context of the website, the user can see the actual text content as it was commited by the author. This can be useful if you want to select-all-and-copy a file or just see a Markdown file without having it be rendered. The key point is that this is a feature to improve the experience of our human users.
Some pesky non-human users (namely computers) have taken to “hotlinking” assets via the raw view feature — using the raw URL as the src
for a <script>
or <img>
tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we’ve been forced to block popular content served this way because it put excessive strain on our servers.
We added the X-Content-Type-Options: nosniff
header to our raw URL responses way back in 2011 as a first step in combating hotlinking. This has the effect of forcing the browser to treat content in accordance with the Content-Type
header. That means that when we set Content-Type: text/plain
for raw views of files, the browser will refuse to treat that file as JavaScript or CSS.
Until recently, Internet Explorer has been the only browser to respect this header, so this method of hotlinking prevention has not been effective for many users. We’re happy to report that the good people at Google and Mozilla are moving towards adoption as well. As nosniff
support is added to Chrome and Firefox, hotlinking will stop working in those browsers, and we wanted our beloved users, human and otherwise, to know why.
Written by
Related posts
GitHub and JFrog partner to unify code and binaries for DevSecOps
This partnership between GitHub and JFrog enables developers to manage code and binaries more efficiently on two of the most widely used developer platforms in the world.
2024 GitHub Accelerator: Meet the 11 projects shaping open source AI
Announcing the second cohort, delivering value to projects, and driving a new frontier.
Introducing GitHub Copilot Extensions: Unlocking unlimited possibilities with our ecosystem of partners
The world of Copilot is getting bigger, improving the developer experience by keeping developers in the flow longer and allowing them to do more in natural language.