Per Asher, this result in session creation for anon users and their requests bypassing frontend caches. Marking as blocker as this prevents us from deploying new code (which retrieves even more tokens).
Version: unspecified
Severity: blocker
URL: https://mingle.corp.wikimedia.org/projects/mobile/cards/450
We can certainly turn these off for anonymous users by attaching a class to the html tag for logged in users (provided that doesn't effect caching)
However I'd be very surprised if the large increase in the amount of session creation is due to watch and edit token requesting since this is limited to beta.
Talking to Patrick he said it was mostly due to the CSRF requests caused in non-beta
Mobile token has been mostly killed with https://gerrit.wikimedia.org/r/30812
Other tokens aren't retrieved for anons as of https://gerrit.wikimedia.org/r/#/c/30806/
Session is now initialized for anons only when they visit Special:MobileOptions - for CSRF protection, however usual reading shall not create any cache-bypassing cookies now.
Still a pointless request on every logged-in page view:
GET /w/api.php?format=json&action=tokens&type=watch
Should be fixed during our performance sprint.