Merge "Move CSRF token handling into MediaWiki\Session\Session"

diff --combined RELEASE-NOTES-1.27
index b48d0b6,2ce8046..d9b6dd5
--- 1/RELEASE-NOTES-1.27
--- 2/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@@ -81,6 -81,8 +81,8 @@@ production
     MediaWiki\Session\SessionProvider.
  ** The User cannot be loaded from session until after Setup.php completes.
     Attempts to do so will be ignored and the User will remain unloaded.
+ ** CSRF tokens may be fetched from the MediaWiki\Session\Session, which uses
+    the MediaWiki\Session\Token class.
  * MediaWiki will now auto-create users as necessary, removing the need for
    extensions to do so. An 'autocreateaccount' right is added to allow
    auto-creation when 'createaccount' is not granted to all users.
@@@ -88,6 -90,10 +90,10 @@@
  * Most cookie-handling methods in User are deprecated.
  * $wgAllowAsyncCopyUploads and $CopyUploadAsyncTimeout were removed. This was an
    experimental feature that has never worked.
+ * Login and createaccount tokens now vary by timestamp.
+ * LoginForm::getLoginToken() and LoginForm::getCreateaccountToken()
+   return a MediaWiki\Session\Token, and tokens must be checked using that
+   class's methods.
  
  === New features in 1.27 ===
  * $wgDataCenterId and $wgDataCenterRoles where added, which will serve as
@@@ -146,10 -152,6 +152,10 @@@
  * Added MWRestrictions as a class to check restrictions on a WebRequest, e.g.
    to assert that the request comes from a particular IP range.
  * Added bot passwords, a rights-restricted login mechanism for API-using bots.
 +* Whitelisted the following HTML attributes for all elements in wikitext:
 +  aria-describedby, aria-flowto, aria-label, aria-labelledby, aria-owns.
 +* Removed "presentation" restriction on the HTML role attribute in wikitext.
 +  All values are now allowed for the role attribute.
  
  === External library changes in 1.27 ===