Bug 193502

Hi all. On its password reset page, Django (https://www.djangoproject.com/) does an internal redirect to avoid leaking the password reset token via the referer header. This does not seem to work with recent Safari versions if there is an additional prior redirect by a third party. In my case, users who use Safari in combination with Gmail are unable to use the password reset feature. The password reset links I send to my users do not point at any kind of tracker / redirect, but I suspect that Gmail replaces those links with links to some kind of redirect service. But still, if I understand https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/ correctly, in this situation ITP should not kick in? But it seems to do so nonetheless. Ticket on the Django bugtracker: https://code.djangoproject.com/ticket/29975 Discussion on the django-developers ML: https://groups.google.com/forum/#!topic/django-developers/RyDdt1TcH0c