If you wish to use Reset Password tokens, then be sure to block referers and/or not include any third party loaded assets (JavaScript, css, etc).

It's not just reset password tokens: beware any protected data, like PII (emails, etc)!