Last modified: 2014-08-16 19:36:38 UTC
Since fix of bug 27655 adding a page to the watchlist needs a token. The api module setnotificationtimestamp also required a token. MediaWiki should force a token at least for the reset="all" on the watchlist.
> should force a token What is currently the problem? Things don't work?
The reset option does write actions on the database, so this should be protected against CSRF or so. You can submit a post against https://www.mediawiki.org/wiki/Special:Watchlist?reset=all and the show marker on the watclist of the logged in user gets cleared.