Is it really worth making a new request to retrieve the master token to be stored in a variable? #139

@forgedhallpass

One of the highlights of the 3.1 release notes is that the master token is retrieved using a new request, just to store the token in a variable. Could someone provide some details on why this is worth the performance penalty and what the security benefit is besides the obscurity, especially if the back-end initializes the JavaScript code with a master token value either way?

Besides the JavaScript code, the master token or the page tokens, respectively, can be found in the DOM, as the JavaScript code injects them after initialization.

The logic could be modified to get rid of the first request and just rely on the value with which the back-end initialized the JavaScript, then modify the back-end code to expect a master token before returning the page tokens. This approach would come with a performance benefit (one fewer request), and page tokens would not be returned without a valid master token.
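
The back-end check proposed in the issue, sketched as an added example that is not code from the project or from the issue author: the page-token endpoint answers only when the request presents the session's master token. The names `createSession`, `handlePageTokenRequest` and `tokensMatch`, the session shape and the sample paths are all hypothetical.

```javascript
// Added example: hypothetical back-end handler, not the project's own code.
const crypto = require('node:crypto');

const newToken = () => crypto.randomBytes(32).toString('hex');

// Constant-time comparison; hashing both sides first gives timingSafeEqual
// equal-length buffers regardless of what the client sent.
function tokensMatch(expected, presented) {
  if (typeof presented !== 'string' || presented.length === 0) return false;
  const a = crypto.createHash('sha256').update(expected).digest();
  const b = crypto.createHash('sha256').update(presented).digest();
  return crypto.timingSafeEqual(a, b);
}

// Called when the page is rendered: the master token is created once per
// session and embedded in the JavaScript the back-end serves.
function createSession(protectedPaths) {
  return { masterToken: newToken(), protectedPaths, pageTokens: new Map() };
}

// Page-token endpoint: returns tokens only when the request carries the
// session's master token (for example in a custom request header).
function handlePageTokenRequest(session, presentedMasterToken) {
  if (!session || !tokensMatch(session.masterToken, presentedMasterToken)) {
    return { status: 403, body: null };
  }
  for (const path of session.protectedPaths) {
    if (!session.pageTokens.has(path)) session.pageTokens.set(path, newToken());
  }
  return { status: 200, body: Object.fromEntries(session.pageTokens) };
}

// Constructed sample run: one rejected request, one accepted request.
const session = createSession(['/transfer', '/profile']);
const denied = handlePageTokenRequest(session, 'guessed-value');
const granted = handlePageTokenRequest(session, session.masterToken);
console.log(denied.status, granted.status, Object.keys(granted.body));
```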
