[05:30:05] tgr|away: How difficult would it be to update auth code to not emit forceHttps if the wiki is https-only? E.g. based on wgServer or some other wgSecure something
[05:30:56] Might get complicated if the wiki doesn't have wgServer explicitly set in which case it'll be set to https always if current request has https.
[05:31:18] Though presumably this logic only works if wgServer is explicitly set relative.
[06:11:36] Krinkle: not difficult at all
[06:12:38] it's stored in the session for validation, so we'd have to be careful not to mass-logout people on dual-protocol wikis when they get upgraded, but that's not too hard
[06:13:17] I guess one problem is that a wiki might set wgServer dynamically to the incoming request URL
[06:14:26] so either we outlaw that or add some new config flag
[19:03:13] anomie: anything special for SoS?
[19:03:25] beyond code review and the RfC wrapping up
[19:03:36] tgr: Nope
[19:04:20] would you prefer to send the email? since you wrote most of the text
[19:05:45] anomie: do you think the css parser needs security review?
[19:05:57] an official one, from the Security team, I mean
[19:07:46] tgr: I'm fine with you sending it. It'll need security review eventually to be added to the mediawiki/vendor repo, but chances are we could combine that with the re-review of TemplateStyles.
[19:08:46] good point, that's gonna be late March / early April maybe?
[19:08:53] would be good to give them a heads up