Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validates the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

tests/integration/delete_user_test.go

@@ -32,11 +32,8 @@ func TestUserDeleteAccount(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	session := loginUser(t, "user8")
-	csrf := GetUserCSRFToken(t, session)
 	urlStr := "/user/settings/account/delete?password=" + userPassword
-	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-		"_csrf": csrf,
-	})
+	req := NewRequest(t, "POST", urlStr)
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	assertUserDeleted(t, 8)
@@ -47,11 +44,8 @@ func TestUserDeleteAccountStillOwnRepos(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	session := loginUser(t, "user2")
-	csrf := GetUserCSRFToken(t, session)
 	urlStr := "/user/settings/account/delete?password=" + userPassword
-	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-		"_csrf": csrf,
-	})
+	req := NewRequest(t, "POST", urlStr)
 	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	// user should not have been deleted, because the user still owns repos