Issue #2515050 by alexpott, pwolanin, YesCT, David_Rothstein, prasad_gogate: A valid one-time login link may be leaked by the referer header to 3rd parties