X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=RELEASE-NOTES-1.28;h=5d88fbf1c9dbfac1ae23bd48c427e6cd162d9ec6;hb=dbf02ea2b2b7dd8392c958cd6d4c5bd8e4779405;hp=f6c353031695e70ce51daf4b5dadacbad4bf18d4;hpb=9b95e76c6c45e263baf29486eca615000d440418;p=lhc%2Fweb%2Fwiklou.git diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28 index f6c3530316..5d88fbf1c9 100644 --- a/RELEASE-NOTES-1.28 +++ b/RELEASE-NOTES-1.28 @@ -61,6 +61,13 @@ production. * The following response properties from action=login, deprecated in 1.27, are now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies to properly manage session state. +* Submitting the lgtoken and lgpassword parameters in the query string to + action=login is now deprecated and outputs a warning. They should be submitted + in the POST body instead. +* Submitting sensitive authentication request parameters to action=clientlogin, + action=createaccount, action=linkaccount, and action=changeauthenticationdata + in the query string is now deprecated and outputs a warning. They should be + submitted in the POST body instead. === Action API internal changes in 1.28 === * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better @@ -111,6 +118,9 @@ changes to languages because of Phabricator reports. * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED on requests needed by primary providers even if all primaries need them. Primary providers are discouraged from returning multiple REQUIRED requests. +* OOjs UI PHP widgets constructed with the `'infusable' => true` config option + will no longer be automatically infused. You should call `OO.ui.infuse()` + on them yourself from your JavaScript code. == Compatibility ==
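Review bot: In the first hunk (@@ -61,6 +61,13 @@), the second added bullet says "sensitive authentication request parameters" without saying which parameters count as sensitive or how a client author can find out, whereas the bullet above it names lgtoken and lgpassword explicitly. Suggest either listing the affected parameters per module or pointing to where the API marks a parameter as sensitive, so client maintainers can audit their code without triggering the warning first. Both bullets would also benefit from a short clause giving the reason for the deprecation (query strings are commonly recorded in web server and proxy logs, while POST bodies usually are not) and from stating whether the request is still processed when the warning is emitted.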
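Review bot: In the second hunk (@@ -111,6 +118,9 @@), the added OOjs UI bullet describes a behaviour change that silently affects existing callers, but it is worded as a plain note: "will no longer be automatically infused" does not say what an extension author will observe if they do nothing, or from which point the change applies. Suggest adding one sentence on the visible effect for widgets built with `'infusable' => true` that are not infused by hand, and saying what to pass to `OO.ui.infuse()` so the migration step is complete. The bullet is also appended directly under the AuthenticationRequest::$required item, which is unrelated; consider checking that this is the intended section for a front-end change.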