GeoIP and WMF-Last-Access cookies come from Varnish. We should be marking them as secure!
Note there are probably question-marks around these about insecure requests. We don't yet block/deny insecure POST traffic ( T105794 ), but we've been warning about it and trying to weed them out from top log entries for a long time now, and sending warnings on the API requests. This could break requests which currently send these two cookies along with an insecure POST , but IMHO we're well past the date range where we can say "Hey, fix your insecure POST traffic instead of complaining about the broken cookies"