Perhaps it would be better to just force one protocol or the other. I'm not sure supporting both is necessary.

Is this a issue with our skin, or upstream in wordpress?

http://core.trac.wordpress.org/query?status=accepted&status=assigned&status=new&status=reopened&status=reviewing&description=~wp-comments-post.php&order=priority does not show anything in upstream bugtracker.

Cannot see anythins suspicious in https://gerrit.wikimedia.org/r/gitweb?p=wikimedia/communications/WMBlog.git;a=blob;f=WMBlog.php;hb=refs/heads/master either.

That's http://git.wikimedia.org/blob/wikimedia%2Fcommunications%2FWP-Victor.git/9b57e64c52a961b313edc4f012a08003b049e04f/comments.php -- it uses get_option('siteurl') which has been deprecated[1] while it should be using site_url which is capable of returning HTTPS links[2].

That being said, there have been rumours that the template was supposed to be rewritten from scratch (I think the WMF even hired a Wordpress magician to do that?) and the blog moved somewhere else, so I'm not sure it's worth spending time on it.

In case someone thinks it is, please feel free to use the linked Wordpress documentation below.

References

• [1] https://codex.wordpress.org/Function_Reference/get_option('siteurl')
• [2] https://codex.wordpress.org/Function_Reference/site_url

Change 138533 had a related patch set uploaded by Withoutaname:
Convert links to https or protocol-relative

https://gerrit.wikimedia.org/r/138533

Change 138533 abandoned by Withoutaname:
Convert links to https or protocol-relative

https://gerrit.wikimedia.org/r/138533

On https:

<form action="https://wikimediablog.wordpress.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">

On http:

<form action="http://blog.wikimedia.org/wp-comments-post.php" method="post" id="commentform" class="comment-form">

(why different domain?!).