Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests that validate the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
silverwind
2025-12-25 11:33:34 +01:00
committed by GitHub
parent eddf875992
commit 42d294941c
207 changed files with 178 additions and 1196 deletions
-1
@@ -6,7 +6,6 @@
<div class="ui attached segment">
<form class="ui form" action="{{.Link}}" method="post">
{{template "base/disable_form_autofill"}}
{{.CsrfTokenHtml}}
<input type="hidden" name="id" value="{{.Source.ID}}">
<div class="inline field">
<label>{{ctx.Locale.Tr "admin.auths.auth_type"}}</label>
-1
@@ -6,7 +6,6 @@
<div class="ui attached segment">
<form class="ui form" action="{{.Link}}" method="post">
{{template "base/disable_form_autofill"}}
{{.CsrfTokenHtml}}
<!-- Types and name -->
<div class="inline required field {{if .Err_Type}}error{{end}}">
<label>{{ctx.Locale.Tr "admin.auths.auth_type"}}</label>
-2
@@ -228,7 +228,6 @@
<dt class="tw-py-1 tw-flex tw-items-center">{{ctx.Locale.Tr "admin.config.send_test_mail"}}</dt>
<dd class="tw-py-0">
<form class="ui form ignore-dirty" action="{{AppSubUrl}}/-/admin/config/test_mail" method="post">
{{.CsrfTokenHtml}}
<div class="ui tiny input">
<input type="email" name="email" placeholder="{{ctx.Locale.Tr "admin.config.test_email_placeholder"}}" size="29" required>
</div>
@@ -260,7 +259,6 @@
<dt class="tw-py-1 tw-flex tw-items-center">{{ctx.Locale.Tr "admin.config.cache_test"}}</dt>
<dd class="tw-py-0">
<form class="ui form ignore-dirty" action="{{AppSubUrl}}/-/admin/config/test_cache" method="post">
{{.CsrfTokenHtml}}
<button class="ui tiny primary button">{{ctx.Locale.Tr "test"}}</button>
</form>
</dd>
-1
@@ -32,7 +32,6 @@
</tbody>
</table>
<input type="hidden" name="from" value="monitor">
{{.CsrfTokenHtml}}
</form>
</div>
</div>
-1
@@ -10,7 +10,6 @@
</h4>
<div class="ui attached table segment">
<form method="post" action="{{AppSubUrl}}/-/admin">
{{.CsrfTokenHtml}}
<table class="ui very basic table tw-mt-0 tw-px-4">
<tbody>
<tr>
-2
@@ -83,8 +83,6 @@
<form class="content ui form" action="{{AppSubUrl}}/-/admin/emails/activate" method="post">
<p class="center">{{ctx.Locale.Tr "admin.emails.change_email_text"}}</p>
{{$.CsrfTokenHtml}}
<input type="hidden" name="sort" value="{{.SortType}}">
<input type="hidden" name="q" value="{{.Keyword}}">
<input type="hidden" name="is_primary" value="{{.IsPrimary}}">
-1
@@ -34,7 +34,6 @@
<th></th>
<th colspan="5">
<form class="tw-float-right" method="post" action="{{AppSubUrl}}/-/admin/notices/empty">
{{.CsrfTokenHtml}}
<button type="submit" class="ui red small button">{{ctx.Locale.Tr "admin.notices.delete_all"}}</button>
</form>
<div class="ui floating upward dropdown small button">
-2
@@ -6,7 +6,6 @@
{{ctx.Locale.Tr "admin.packages.unreferenced_size" (FileSize .TotalUnreferencedBlobSize)}})
<div class="ui right">
<form method="post" action="{{AppSubUrl}}/-/admin/packages/cleanup">
{{.CsrfTokenHtml}}
<button class="ui primary tiny button">{{ctx.Locale.Tr "admin.packages.cleanup"}}</button>
</form>
</div>
@@ -90,7 +89,6 @@
</div>
<form class="ui small modal form-fetch-action" method="post" id="admin-package-delete-modal">
{{.CsrfTokenHtml}}
<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "packages.settings.delete"}}</div>
<div class="content">
{{ctx.Locale.Tr "packages.settings.delete.notice" (HTMLFormat `<span class="%s"></span>` "package-name") (HTMLFormat `<span class="%s"></span>` "package-version")}}
-2
@@ -31,7 +31,6 @@
{{else}}
{{$sum}}
<form action="{{$.Link}}/remove-all-items" method="post" class="tw-inline-block tw-ml-4">
{{$.CsrfTokenHtml}}
<button class="ui tiny basic red button">{{ctx.Locale.Tr "admin.monitor.queue.settings.remove_all_items"}}</button>
</form>
{{end}}
@@ -47,7 +46,6 @@
<div class="ui attached segment">
<p>{{ctx.Locale.Tr "admin.monitor.queue.settings.desc"}}</p>
<form method="post" action="{{.Link}}/set">
{{$.CsrfTokenHtml}}
<div class="ui form">
<div class="inline field">
<label for="max-number">{{ctx.Locale.Tr "admin.monitor.queue.settings.maxnumberworkers"}}</label>
-1
@@ -102,7 +102,6 @@
</div>
<form class="ui small modal form-fetch-action" id="admin-repo-delete-modal" method="post">
{{.CsrfTokenHtml}}
<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "repo.settings.delete"}}</div>
<div class="content">
<p>{{ctx.Locale.Tr "repo.settings.delete_desc"}}</p>
-2
@@ -32,7 +32,6 @@
<p>{{ctx.Locale.Tr "repo.adopt_preexisting_content" $dir}}</p>
</div>
<form class="ui form" method="post" action="{{AppSubUrl}}/-/admin/repos/unadopted">
{{$.CsrfTokenHtml}}
<input type="hidden" name="id" value="{{$dir}}">
<input type="hidden" name="action" value="adopt">
<input type="hidden" name="q" value="{{$.Keyword}}">
@@ -49,7 +48,6 @@
<p>{{ctx.Locale.Tr "repo.delete_preexisting_content" $dir}}</p>
</div>
<form class="ui form" method="post" action="{{AppSubUrl}}/-/admin/repos/unadopted">
{{$.CsrfTokenHtml}}
<input type="hidden" name="id" value="{{$dir}}">
<input type="hidden" name="action" value="delete">
<input type="hidden" name="q" value="{{$.Keyword}}">
-3
@@ -6,7 +6,6 @@
<div class="ui attached segment">
<form class="ui form" action="./edit" method="post">
{{template "base/disable_form_autofill"}}
{{.CsrfTokenHtml}}
<div class="field {{if .Err_UserName}}error{{end}}">
<label for="user_name">{{ctx.Locale.Tr "username"}}</label>
<input id="user_name" name="user_name" value="{{.User.Name}}" maxlength="40">
@@ -173,7 +172,6 @@
</h4>
<div class="ui attached segment">
<form class="ui form" action="./avatar" method="post" enctype="multipart/form-data">
{{.CsrfTokenHtml}}
{{if not .DisableGravatar}}
<div class="inline field">
<div class="ui radio checkbox">
@@ -214,7 +212,6 @@
<form class="ui form" method="post" action="./delete">
<div class="content">
<p>{{ctx.Locale.Tr "settings.delete_account_desc"}}</p>
{{$.CsrfTokenHtml}}
<div class="field">
<div class="ui checkbox">
<label for="purge">{{ctx.Locale.Tr "admin.users.purge"}}</label>
-1
@@ -6,7 +6,6 @@
<div class="ui attached segment">
<form class="ui form" action="{{.Link}}" method="post">
{{template "base/disable_form_autofill"}}
{{.CsrfTokenHtml}}
<!-- Types and name -->
<div class="inline required field {{if .Err_LoginType}}error{{end}}">
<label>{{ctx.Locale.Tr "admin.users.auth_source"}}</label>