Special:OpenIDXRDS returns URLs based on $wgCanonicalServer. But when it attempts to redirect the user to these URLs, the forceHTTPS cookie kicks in and triggers a redirect to the corresponding https URL, which then fails due to loss of POST data.
Chris suggests this be worked around somehow in OpenID rather than having core use a 307 redirect instead of a 302.
Version: master
Severity: normal