Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validates the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

tests/integration/user_avatar_test.go

@@ -35,7 +35,6 @@ func TestUserAvatar(t *testing.T) {
 	}
 
 	session := loginUser(t, "user2")
-	csrf := GetUserCSRFToken(t, session)
 
 	imgData := &bytes.Buffer{}
 
@@ -66,7 +65,6 @@ func TestUserAvatar(t *testing.T) {
 	}
 
 	req := NewRequestWithBody(t, "POST", "/user/settings/avatar", body)
-	req.Header.Add("X-Csrf-Token", csrf)
 	req.Header.Add("Content-Type", writer.FormDataContentType())
 
 	session.MakeRequest(t, req, http.StatusSeeOther)