HTTP Referer header security: who has your reset password url?

3 points by markarichards, almost 10 years ago

1 comment

markarichards, almost 10 years ago

How much do websites trust other companies with their reset password URLs?

Many websites use third-party assets on their pages, which for most pages doesn't matter too much, but for the reset password URL it often results in those parties getting a user access token.

In the time it takes to set your password, those receiving the reset password URL can set their own, scrape your account and disappear.

If your attempt to reset the password failed, would you a) believe you'd entered it wrong, b) think the site had gone wrong, or c) report it to the website as a security problem?

It's easy to dismiss the problem... For most sites, who cares? What are the chances someone is misusing this?

Ideally, web browsers should stop sending Referer headers completely.

In the meantime, web developers should protect their users, not because it's likely to be abused (I have no reason to believe it is) but because it is their responsibility to look after any user token.