Merge "Do not automatically infuse any OOjs UI widgets"

diff --combined RELEASE-NOTES-1.28
index eac4e2c,ee5b394..5d88fbf
--- 1/RELEASE-NOTES-1.28
--- 2/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@@ -61,13 -61,6 +61,13 @@@ production
  * The following response properties from action=login, deprecated in 1.27, are
    now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
    to properly manage session state.
 +* Submitting the lgtoken and lgpassword parameters in the query string to
 +  action=login is now deprecated and outputs a warning. They should be submitted
 +  in the POST body instead.
 +* Submitting sensitive authentication request parameters to action=clientlogin,
 +  action=createaccount, action=linkaccount, and action=changeauthenticationdata
 +  in the query string is now deprecated and outputs a warning. They should be
 +  submitted in the POST body instead.
  
  === Action API internal changes in 1.28 ===
  * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
@@@ -118,6 -111,9 +118,9 @@@ changes to languages because of Phabric
  * AuthenticationRequest::$required is now changed from REQUIRED to PRIMARY_REQUIRED
    on requests needed by primary providers even if all primaries need them.
    Primary providers are discouraged from returning multiple REQUIRED requests.
+ * OOjs UI PHP widgets constructed with the `'infusable' => true` config option
+   will no longer be automatically infused. You should call `OO.ui.infuse()`
+   on them yourself from your JavaScript code.
  
  == Compatibility ==