Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validates the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

templates/user/settings/notifications.tmpl

@@ -7,7 +7,6 @@
 			<div class="ui list flex-items-block">
 				<div class="item">
 					<form class="ui form tw-w-full" action="{{AppSubUrl}}/user/settings/notifications/email" method="post">
-						{{$.CsrfTokenHtml}}
 						<div class="field">
 							<label>{{ctx.Locale.Tr "settings.email_desc"}}</label>
 							<div class="ui selection dropdown">
@@ -38,7 +37,6 @@
 			<div class="ui list flex-items-block">
 				<div class="item">
 					<form class="ui form tw-w-full" action="{{AppSubUrl}}/user/settings/notifications/actions" method="post">
-						{{$.CsrfTokenHtml}}
 						<div class="field">
 							<label>{{ctx.Locale.Tr "settings.email_notifications.actions.desc" "https://docs.gitea.com/usage/actions/overview/"}}</label>
 							<div class="ui selection dropdown">