Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validate the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
silverwind
2025-12-25 11:33:34 +01:00
committed by GitHub
parent eddf875992
commit 42d294941c
207 changed files with 178 additions and 1196 deletions
+3 -18
@@ -59,7 +59,6 @@ func testPullCreate(t *testing.T, session *TestSession, user, repo string, toSel
link, exists = htmlDoc.doc.Find("form.ui.form").Attr("action")
assert.True(t, exists, "The template has changed")
req = NewRequestWithValues(t, "POST", link, map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"title": title,
})
resp = session.MakeRequest(t, req, http.StatusOK)
@@ -103,7 +102,6 @@ func testPullCreateDirectly(t *testing.T, session *TestSession, opts createPullR
link, exists := htmlDoc.doc.Find("form.ui.form").Attr("action")
assert.True(t, exists, "The template has changed")
params := map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"title": opts.Title,
}
if opts.ReviewerIDs != "" {
@@ -131,7 +129,6 @@ func testPullCreateFailure(t *testing.T, session *TestSession, baseRepoOwner, ba
link, exists := htmlDoc.doc.Find("form.ui.form").Attr("action")
assert.True(t, exists, "The template has changed")
req = NewRequestWithValues(t, "POST", link, map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"title": title,
})
resp = session.MakeRequest(t, req, http.StatusBadRequest)
@@ -159,7 +156,6 @@ func TestPullCreate(t *testing.T) {
// test create the pull request again and it should fail now
link := "/user2/repo1/compare/master...user1/repo1:master"
req := NewRequestWithValues(t, "POST", link, map[string]string{
"_csrf": GetUserCSRFToken(t, session),
"title": "This is a pull title",
})
session.MakeRequest(t, req, http.StatusBadRequest)
@@ -200,7 +196,6 @@ func TestPullCreate_TitleEscape(t *testing.T) {
assert.True(t, exists, "The template has changed")
req = NewRequestWithValues(t, "POST", editTestTitleURL, map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"title": "<u>XSS PR</u>",
})
session.MakeRequest(t, req, http.StatusOK)
@@ -219,25 +214,15 @@ func TestPullCreate_TitleEscape(t *testing.T) {
func testUIDeleteBranch(t *testing.T, session *TestSession, ownerName, repoName, branchName string) {
relURL := "/" + path.Join(ownerName, repoName, "branches")
req := NewRequest(t, "GET", relURL)
resp := session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
req = NewRequestWithValues(t, "POST", relURL+"/delete", map[string]string{
"_csrf": htmlDoc.GetCSRF(),
"name": branchName,
req := NewRequestWithValues(t, "POST", relURL+"/delete", map[string]string{
"name": branchName,
})
session.MakeRequest(t, req, http.StatusOK)
}
func testDeleteRepository(t *testing.T, session *TestSession, ownerName, repoName string) {
relURL := "/" + path.Join(ownerName, repoName, "settings")
req := NewRequest(t, "GET", relURL)
resp := session.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
req = NewRequestWithValues(t, "POST", relURL+"?action=delete", map[string]string{
"_csrf": htmlDoc.GetCSRF(),
req := NewRequestWithValues(t, "POST", relURL+"?action=delete", map[string]string{
"repo_name": repoName,
})
session.MakeRequest(t, req, http.StatusSeeOther)