Merge "resourceloader: Move batch fetch logic out of mw.loader.work()"

[lhc/web/wiklou.git] / RELEASE-NOTES-1.28

diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index f6c3530..5d88fbf 100644 (file)
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -61,6 +61,13 @@ production.
 * The following response properties from action=login, deprecated in 1.27, are
   now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
   to properly manage session state.
+* Submitting the lgtoken and lgpassword parameters in the query string to
+  action=login is now deprecated and outputs a warning. They should be submitted
+  in the POST body instead.
+* Submitting sensitive authentication request parameters to action=clientlogin,
+  action=createaccount, action=linkaccount, and action=changeauthenticationdata
+  in the query string is now deprecated and outputs a warning. They should be
+  submitted in the POST body instead.
 
 === Action API internal changes in 1.28 ===
 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
@@ -111,6 +118,9 @@ changes to languages because of Phabricator reports.
 * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
   on requests needed by primary providers even if all primaries need them.
   Primary providers are discouraged from returning multiple REQUIRED requests.
+* OOjs UI PHP widgets constructed with the `'infusable' => true` config option
+  will no longer be automatically infused. You should call `OO.ui.infuse()`
+  on them yourself from your JavaScript code.
 
 == Compatibility ==