All this boils down to, yes full HTTPS is best
practice, but if you make use
of external APIs or services, it may be hard to achieve.
Using an external API or service by including stuff from third-party
sites would send users' IP addresses to those sites, which would
violate Wikimedia's privacy policy, so this isn't an issue for us.
Fair enough. Every situation is different. As I had recently attempted to go
full HTTPS with a project, I thought I would share my experience of what it
takes in practice.