@adob identified that Referer headers could be leaked through specially crafted cross-origin image requests. In combination with a previously reported vulnerability in our OAuth redirect URI path parsing, this could lead to the disclosure of sensitive information passed to Gist on OAuth redirects. We remediated this issue by performing more robust checks when rewriting links to our image proxy.