Heads up: nosniff header support coming to Chrome and Firefox
Both GitHub and Gist offer ways to view “raw” versions of user content. Instead of viewing files in the visual context of the website, the user can see the actual text content as it was committed by the author. This can be useful if you want to select-all-and-copy a file or just see a Markdown file without having it be rendered. The key point is that this is a feature to improve the experience of our human users.
Some pesky non-human users (namely computers) have taken to “hotlinking” assets via the raw view feature — using the raw URL as the src for a <script> or <img> tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we’ve been forced to block popular content served this way because it put excessive strain on our servers.
We added the X-Content-Type-Options: nosniff header to our raw URL responses way back in 2011 as a first step in combating hotlinking. This has the effect of forcing the browser to treat content in accordance with the Content-Type header. That means that when we set Content-Type: text/plain for raw views of files, the browser will refuse to treat that file as JavaScript or CSS.
Until recently, Internet Explorer has been the only browser to respect this header, so this method of hotlinking prevention has not been effective for many users. We’re happy to report that the good people at Google and Mozilla are moving towards adoption as well. As nosniff support is added to Chrome and Firefox, hotlinking will stop working in those browsers, and we wanted our beloved users, human and otherwise, to know why.
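To make the browser-side behaviour concrete, here is an added example (not GitHub's code) that models the nosniff decision the way the Fetch standard specifies it: with nosniff set, a script destination is refused unless the Content-Type is a JavaScript MIME type, and a style destination is refused unless it is text/css. The sample headers are constructed from what the post says the raw view sends; the img case is included to show that the Fetch rule does not govern image destinations.

```python
from typing import Mapping, Optional

# Subset of the JavaScript MIME types listed in the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def mime_essence(content_type: Optional[str]) -> Optional[str]:
    """Return 'type/subtype' without parameters, lowercased, or None if absent."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def has_nosniff(headers: Mapping[str, str]) -> bool:
    """True when the first member of X-Content-Type-Options is 'nosniff' (case-insensitive)."""
    value = _header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(headers: Mapping[str, str], destination: str) -> bool:
    """Decide whether a browser applying the Fetch nosniff rule refuses this response."""
    if not has_nosniff(headers):
        return False  # without nosniff the browser may still content-sniff
    essence = mime_essence(_header(headers, "Content-Type"))
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # the rule only covers script and style destinations


# Constructed sample: the headers the post says GitHub's raw view sends.
RAW_VIEW_HEADERS = {
    "Content-Type": "text/plain; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}
```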