X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=RELEASE-NOTES-1.28;h=5d88fbf1c9dbfac1ae23bd48c427e6cd162d9ec6;hb=67ed0f0c0d85ce8c8e125aa5d7072afeb586dee5;hp=f6c353031695e70ce51daf4b5dadacbad4bf18d4;hpb=ee1743481cc64d74b3d5513c7abd8a77c18f3595;p=lhc%2Fweb%2Fwiklou.git diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28 index f6c3530316..5d88fbf1c9 100644 --- a/RELEASE-NOTES-1.28 +++ b/RELEASE-NOTES-1.28 @@ -61,6 +61,13 @@ production. * The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state. +* Submitting the lgtoken and lgpassword parameters in the query string to + action=login is now deprecated and outputs a warning. They should be submitted + in the POST body instead. +* Submitting sensitive authentication request parameters to action=clientlogin, + action=createaccount, action=linkaccount, and action=changeauthenticationdata + in the query string is now deprecated and outputs a warning. They should be + submitted in the POST body instead. === Action API internal changes in 1.28 === * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better @@ -111,6 +118,9 @@ changes to languages because of Phabricator reports. * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests. +* OOjs UI PHP widgets constructed with the `'infusable' => true` config option + will no longer be automatically infused. You should call `OO.ui.infuse()` + on them yourself from your JavaScript code. == Compatibility ==
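Review bot: In the first hunk (@@ -61,6 +61,13 @@), the second added bullet says "sensitive authentication request parameters" without saying which parameters count as sensitive or how a client author can tell, while the bullet above it names lgtoken and lgpassword explicitly. Please name the parameters, or say where a client can find out which ones are marked sensitive, so that a client for action=clientlogin, action=createaccount, action=linkaccount or action=changeauthenticationdata knows what to move into the POST body. Both bullets also say only "outputs a warning"; it would help to say where that warning appears and whether a later release is expected to reject these parameters in the query string, and a short clause on why the query string is being deprecated for them would make the entry self-explanatory.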
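Review bot: In the second hunk (@@ -111,6 +118,9 @@), the added OOjs UI bullet tells callers to "call `OO.ui.infuse()` on them yourself" but does not say what to pass to that call or when to call it, and it does not describe what a widget built with `'infusable' => true` now does if nobody infuses it. Since this is a behaviour change that takes effect without any warning, a sentence on the visible symptom (what stops working on a widget that is left un-infused) would help extension authors recognise affected code. The bullet also sits directly after the AuthenticationRequest::$required entry in the same list; please check it is filed under the section where front-end developers will look for it.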