Sidejack Prevention Phase 3: SSL Proxied Assets
This is the third, and hopefully final, response to session hijacking on github.com. We’ve been safe from session hijacking for a while now but we were still serving pages with mixed-content warnings. People have complained about these warnings in the past but it still remains an issue in most browsers. We want our users to focus on getting things done and we want them to feel secure while they use our site.
A few of our pages allowed people to embed images directly via github flavored markdown. Our users find this really useful and we wanted to avoid leaving people’s browsers looking like this:
You can now link to remote images in your comments/readmes/issues without creating mixed content warnings.
We did this by rewriting the `src` attribute on `img` tags when we render github flavored markdown. The `src` attribute is rewritten to proxy through our normal asset servers so it appears to come from a secure source. On the backend we wrote a simple HTTP proxy in node that runs behind our normal nginx setup. The code is available here.
Please open a support ticket if you find pages on the site that are still generating mixed content warnings. So far the system seems to be holding up well and we’re ready to get back to hacking on features for GitHub. Thanks for your patience over the last few weeks.