@VishnuDfx discovered that clicking the “sign in” button, when viewing a secret Gist, would navigate the user to the login page with the Gist URL in the ?return_to= query parameter. This query paramter was then sent to our analytics provider, giving them the URL to the secret Gist.

We addressed this issue by not sending the query string to our analytics provider on our login page.