@ytrezq identified that Referer headers could be leaked through specially crafted cross-origin requests that bypass our image proxy. This was considered a low risk vulnerability since our use of the CSP img-src directive dramatically reduces the number of origins that can be used for image resources. In addition, we support the meta referrer policy to further mitigate against cross-origin referrer leaks. We remediated this issue by making more robust checks when rewriting links to our image proxy.