Safari and IE (but not FF or Chrome) will display 'text/plain'-served-content as HTML. That means the GitHub 'raw' view of project content can be used to execute arbitrary user JS from github.com.
Such JS can get at a logged-in user's name and make (at the very least) superficial changes to profile information. A harmless demo (works on Safari and IE) is here:
The 'raw' issue seems more serious and isn't affected by whether Pages are on .github.com subdomains or not. Still, subdomains have a slight leg up on exploiting any security slip-ups and browser bugs that may occur.
Sorry, should have specified: Safari 3 on Windows. All my tests were on Windows, none on MacOS or Linux.
If it hadn't still been your 'topmost' comment, and a recent top story possibly still monitored by multiple GitHubbers -- or if I hadn't received an ack by this morning -- I would have tried an alternate means of report.
Or, if I thought this was a higher-risk issue. (Your general user-management already seems well-fortified by https against all but superficial mischief.)
Still, I understand the preference that a security bug however small be reported directly first, and I'll respect that in the future.
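As an added illustration of the defensive side of the 'raw' issue raised at the top of the thread (example code written for this note, not GitHub's own), the following Python shows the headers a site can send so that Safari/IE will not sniff a text/plain response as HTML, plus a check that flags text/plain responses whose body looks like markup and lacks those protections. The HTML-marker list and the sample body are constructed assumptions.

```python
"""Hardening and a header check for raw, user-supplied files served as text/plain.

Old IE and Safari sniffed text/plain bodies and rendered HTML-looking ones as
HTML, so user content could run script on the serving origin. Defences:
  - X-Content-Type-Options: nosniff (honoured from IE8 on; ignored by Safari 3)
  - Content-Disposition: attachment (no inline rendering even if sniffed)
  - a restrictive CSP in case the body is rendered anyway
"""
import re

# Markers that content sniffers treat as evidence of HTML. This is an assumed,
# representative subset, not any browser's exact sniffing table.
_HTML_MARKERS = re.compile(rb"<\s*(script|html|body|iframe|img|svg|a\b)", re.I)


def hardened_raw_headers(content_type: str = "text/plain; charset=utf-8") -> dict:
    """Response headers for serving untrusted raw files without HTML rendering."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def sniff_risk(headers: dict, body: bytes) -> list:
    """Return the reasons a text/plain response could be rendered as HTML.

    Only bodies whose first 512 bytes look like markup are considered; an empty
    list means either the body is not HTML-looking or the headers block sniffing.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/plain" or not _HTML_MARKERS.search(body[:512]):
        return []
    reasons = []
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        reasons.append("missing X-Content-Type-Options: nosniff")
    if "attachment" not in lower.get("content-disposition", "").lower():
        reasons.append("served inline (no Content-Disposition: attachment)")
    return reasons


if __name__ == "__main__":
    sample = b"<html><script>/* constructed sample body */</script>"  # constructed
    print(sniff_risk({"Content-Type": "text/plain"}, sample))
    print(sniff_risk(hardened_raw_headers(), sample))
```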