Comment 12 for bug 1463698

John Dickinson (notmyname) wrote :

Is that csrftoken a value that is being used by Horizon?

Is your Swift deployment at the same domain as Horizon? That would be bad. You should never have protected content (e.g. the parts of an app behind auth) at the same domain as where untrusted users can upload content. Doing so allows untrusted users to load data in the same context as the protected content, thus allowing JavaScript (or whatever) to get/set cookies, etc. If untrusted users are storing content in Swift, you should always have Swift on its own domain.

Is that the issue you're seeing here? What's the difference between serving these bad-EXIF pictures through Swift or through some other web server?
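The domain-separation rule in the comment above can be checked mechanically. The following is an added example, not code from the bug report, Swift or Horizon: it compares the origin of the dashboard with the origin of the object-store endpoint and reports how much browser context they share. Cookies are scoped by host (and, with a `Domain` attribute, across subdomains), not by port, so a shared host or a shared registrable domain is flagged even when scheme or port differ. The URLs in the demo are constructed, and the registrable-domain helper is a deliberate simplification (last two labels; a real deployment check should consult the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple that defines a browser origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (simplification, see lead-in).

    IP literals have no registrable domain, so they are returned unchanged.
    """
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_separation(dashboard_url: str, object_store_url: str) -> str:
    """Classify how much browser context the two endpoints share.

    "same-origin": identical scheme/host/port; uploaded content runs with full
                   access to the dashboard's DOM, cookies and storage.
    "same-host":   same host, different scheme or port; cookies are still shared
                   because the cookie jar ignores port.
    "same-site":   different hosts under one registrable domain; cookies set with
                   a Domain attribute are shared across these subdomains.
    "separate":    distinct registrable domains, which is the configuration the
                   comment recommends for untrusted uploads.
    """
    d, o = origin(dashboard_url), origin(object_store_url)
    if d == o:
        return "same-origin"
    if d[1] == o[1]:
        return "same-host"
    if registrable_domain(d[1]) == registrable_domain(o[1]):
        return "same-site"
    return "separate"


if __name__ == "__main__":
    # Constructed sample deployments, from worst to best separation.
    samples = [
        ("https://cloud.example.com/dashboard", "https://cloud.example.com/v1/AUTH_demo"),
        ("https://cloud.example.com/dashboard", "http://cloud.example.com:8080/v1/AUTH_demo"),
        ("https://horizon.example.com/", "https://swift.example.com/v1/AUTH_demo"),
        ("https://horizon.example.com/", "https://objects.example-storage.net/v1/AUTH_demo"),
    ]
    for dashboard, store in samples:
        print(f"{assess_separation(dashboard, store):12s} {dashboard} <-> {store}")
```

Only the `separate` result satisfies the comment's advice; `same-site` is still risky whenever any cookie in the deployment is set with a `Domain=` attribute covering both hosts.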