@tomvangoethem, along with @mathiasbynens, discovered that Gist could leak Referer headers for Gists containing certain user content. This did not allow an attacker to disclose the private URLs of arbitrary Gists. We remediated this issue in modern browsers by adding support for the <meta name="referrer" content="never"> tag on private Gists.
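A way to check a rendered page for the remediation described above, as an added example (not GitHub's code): it reads the page's meta referrer policy, maps legacy keywords such as "never" to their modern names, and lists the cross-origin resources that could receive the page URL when no path-protecting policy is declared. The names `audit` and `ReferrerAudit` and the sample URLs are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Legacy keywords that the HTML standard maps onto modern policy names.
LEGACY = {"never": "no-referrer", "default": "", "always": "unsafe-url",
          "origin-when-crossorigin": "origin-when-cross-origin"}
# Policies under which a cross-origin request never carries the page's path.
PATH_SAFE = {"no-referrer", "same-origin", "origin", "strict-origin",
             "origin-when-cross-origin", "strict-origin-when-cross-origin"}
KNOWN = PATH_SAFE | {"unsafe-url", "no-referrer-when-downgrade"}
URL_ATTRS = {"a": "href", "img": "src", "script": "src", "iframe": "src", "link": "href"}

# Constructed sample input: a secret page URL and user content with a remote image.
PAGE = "https://gist.example/alice/0123secret"
BODY = '<p><a href="/alice">profile</a><img src="https://img.example/pixel.png"></p>'

def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

class ReferrerAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.policy = None      # last recognised <meta name="referrer"> value
        self.cross_origin = []  # (tag, absolute URL) pairs on other origins

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            value = a.get("content", "").strip().lower()
            value = LEGACY.get(value, value)
            if value in KNOWN:  # unrecognised values are ignored
                self.policy = value
        attr = URL_ATTRS.get(tag)
        if attr and a.get(attr):
            target = urljoin(self.page_url, a[attr])
            is_web = urlsplit(target).scheme in ("http", "https")
            if is_web and _origin(target) != _origin(self.page_url):
                self.cross_origin.append((tag, target))

def audit(page_url, html):
    """Report the declared policy and who could see the page URL without it."""
    parser = ReferrerAudit(page_url)
    parser.feed(html)
    # With no explicit policy the browser default decides, so treat it as unproven.
    protected = parser.policy in PATH_SAFE
    exposed = [] if protected else parser.cross_origin
    return {"policy": parser.policy, "path_protected": protected, "exposed_to": exposed}
```

Calling `audit(PAGE, BODY)` flags the remote image, while prepending the meta tag from the text to `BODY` yields an empty `exposed_to` list.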