[Cross-domain Referer leakage] Password reset token leakage via referer
Low
Legal Robot
Team Summary
Official summary from Legal Robot
A security researcher discovered that sensitive information, like password reset tokens, could still be leaked to analytics services like Google Analytics or via the Referer [sic] header. Even though tokens were immediately invalidated, we decided to re-engineer the process to eliminate any possibility of token leakage.
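The leak described in the summary needs three things at once: a secret in the page URL, a browser referrer policy that sends the full URL cross-origin, and a third-party resource (such as an analytics script) on that page. The added example below is not code from Legal Robot or the report; it audits a reset page for those three conditions and shows one way to "re-engineer the process": exchange the token for a short-lived HttpOnly cookie and redirect to a token-free URL before any external resource is requested, while sending `Referrer-Policy: no-referrer`. The hostnames, header sets, token value and the `pending` store are constructed for the example.

```python
# Added example, not code from Legal Robot or the original report.
# It shows (1) an audit that explains when a reset token in the URL can reach a
# third party through the Referer header, and (2) the token-to-cookie exchange
# that takes the token out of the URL before any external resource is loaded.
# All URLs, hostnames, header sets and the token value below are constructed.
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameters treated as secrets (constructed list; adjust per application).
SENSITIVE_PARAMS = {"token", "reset_token", "code"}
# Policies under which a browser sends the full URL (path and query) cross-origin.
# An absent header is counted as leaky because older browsers defaulted to
# no-referrer-when-downgrade, which also sends the full URL to HTTPS hosts.
FULL_URL_POLICIES = {"", "unsafe-url", "no-referrer-when-downgrade"}


class _ExternalRefs(HTMLParser):
    """Collect src/href values in the page that point at a different host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.external = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlsplit(value).hostname
                if host and host != self.page_host:
                    self.external.append(value)


def audit_reset_page(url, headers, body):
    """Describe the three conditions that together leak the token via Referer."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    sensitive = sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = lowered.get("referrer-policy", "").strip().lower()
    parser = _ExternalRefs(parts.hostname)
    parser.feed(body)
    return {
        "sensitive_params": sensitive,
        "referrer_policy": policy or "(none)",
        "full_url_referer": policy in FULL_URL_POLICIES,
        "external_resources": parser.external,
        # The secret leaves the origin only if all three hold at once.
        "token_can_leak": bool(sensitive) and policy in FULL_URL_POLICIES
        and bool(parser.external),
    }


def hardened_reset_entry(url, pending):
    """Handle the link click: park the token server-side under a random handle,
    hand the handle to the browser in a cookie, and redirect to a token-free URL.
    `pending` stands in for short-lived server storage (a dict in this example)."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [None])[0]
    if token is None:
        return 400, {"Referrer-Policy": "no-referrer"}, "missing token"
    handle = secrets.token_urlsafe(16)
    pending[handle] = token
    clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    headers = {
        "Location": clean_url,
        "Set-Cookie": f"reset={handle}; Path={parts.path}; Max-Age=600; "
                      "HttpOnly; Secure; SameSite=Strict",
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }
    return 303, headers, ""


# Constructed sample: the pre-fix page, token in the URL and an analytics script.
VULNERABLE_URL = "https://app.example/reset?token=CONSTRUCTED-TOKEN-123"
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
RESET_PAGE_BODY = (
    '<html><head><script src="https://www.google-analytics.com/analytics.js">'
    '</script><link rel="stylesheet" href="/static/app.css"></head>'
    '<body><form method="post"><input name="password"></form></body></html>'
)
# Headers the token-free page should send after the redirect.
HARDENED_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "no-referrer"}


if __name__ == "__main__":
    before = audit_reset_page(VULNERABLE_URL, VULNERABLE_HEADERS, RESET_PAGE_BODY)
    print("before:", before)
    store = {}
    status, headers, _ = hardened_reset_entry(VULNERABLE_URL, store)
    after = audit_reset_page(headers["Location"], HARDENED_HEADERS, RESET_PAGE_BODY)
    print("after:", status, headers["Location"], after)
```

Running the audit on the constructed page reports all three conditions and `token_can_leak` true; after the redirect the same analytics script is still on the page, but the URL no longer carries a secret and the policy is `no-referrer`, so nothing sensitive can appear in a Referer. Either half of the fix alone closes the leak; doing both means the page stays safe even if someone later adds a third-party resource or loosens the policy.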
Reported by
r3y
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Information Disclosure