[chatmasta]

You can just put a JPG hosted on your server in the readme and get their full IP.

[rtldg]

Github proxies images so this shouldn't be possible https://github.blog/2014-01-28-proxying-user-images/

[chatmasta]

Oh wow TIL. Very interesting. And since 2014 too? Nice. They must have done that around the same time Google did it for GMail.

I wonder if it's still true. I imagine they have some Content-Security-Policy preventing it so you can't do hacks like embedding an external URL in an SVG.

[rtldg]

Their CSP does seem to prevent an svg I threw in a readme from loading a png so that's good to see. And a test png in the readme was proxied too.

content-security-policy: default-src 'none'; img-src data:; style-src 'unsafe-inline'

[jrootabega]

Yes, and that is something that will always be possible between the author and the reader, but this is about a third party, GitHub, providing this information to a possible fourth party. That's what the Twitter post wanted to get across.

[chatmasta]

Oh right, I missed that because the post linked to the middle tweet in the thread.

Still doesn't sound too outrageous. At least, it's not unprecedented and is in line with the existing practices of companies responding to law enforcement requests.