Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validates the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

tests/integration/repo_test.go

@@ -157,7 +157,6 @@ func testViewRepoPrivate(t *testing.T) {
 
 		// set unit code to "anonymous read"
 		req = NewRequestWithValues(t, "POST", "/org3/repo3/settings/public_access", map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
 			"repo-unit-access-" + strconv.Itoa(int(unit.TypeCode)): "anonymous-read",
 		})
 		session.MakeRequest(t, req, http.StatusSeeOther)
@@ -168,9 +167,7 @@ func testViewRepoPrivate(t *testing.T) {
 		assert.Contains(t, resp.Body.String(), `<span class="ui basic orange label">Public Access</span>`)
 
 		// remove "anonymous read"
-		req = NewRequestWithValues(t, "POST", "/org3/repo3/settings/public_access", map[string]string{
-			"_csrf": GetUserCSRFToken(t, session),
-		})
+		req = NewRequest(t, "POST", "/org3/repo3/settings/public_access")
 		session.MakeRequest(t, req, http.StatusSeeOther)
 
 		// try to "anonymous read" (not found)