Description
We should replace the CSRF protection with a header approach, as described in this writeup.
Currently we use a token that gets added to forms etc. In #919 this token was moved from the PHP session to our cache, to have a longer default validity. But it is still possible for users to run into the timeout, which is a very bad experience when you are not accustomed to it, especially when writing long articles. The new approach avoids the timeout (to my understanding) completely: instead of using a token, check a browser header (`Sec-Fetch-Site`, with `Origin` as a possible fallback).
One question to decide is browser support: it is widely supported, but not in very old browsers. We could either use the `Origin` fallback, or just use no fallback, with two possible modes: block browsers without the header or just allow them, since this protection is kinda optional anyway (the attack is 1) unlikely and 2) the `SameSite=Strict` cookie header is still there, also blocking the session when requests cross origins).
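As an added example (not code from the project or the issue author), a PHP function making the decision described above: `Sec-Fetch-Site` first, `Origin` as fallback, and a flag for the mode applied when neither header is present. The function name, the lower-cased header array and the `$allowMissing` flag are assumptions; in a real request handler the values would come from `$_SERVER['HTTP_SEC_FETCH_SITE']` and `$_SERVER['HTTP_ORIGIN']`.

```php
<?php
declare(strict_types=1);
// Added illustration of the header check proposed in the issue; not the project's
// own code. Names ($siteOrigin, $allowMissing, the function) are hypothetical.

/**
 * True when a state-changing request may proceed.
 * $headers: lower-cased header names => values. $siteOrigin: our scheme://host[:port]
 * (assumed config value). $allowMissing: the "mode" from the issue, i.e. whether
 * requests with neither Sec-Fetch-Site nor Origin (old browsers) are let through.
 */
function csrfHeaderCheckPasses(string $method, array $headers, string $siteOrigin, bool $allowMissing): bool
{
    // Safe methods do not change state, so no check is needed.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    // Preferred signal: set by the browser, never by the page that triggers the request.
    if (isset($headers['sec-fetch-site'])) {
        // 'none' is a user-initiated navigation (typed URL, bookmark);
        // 'same-site' (another subdomain) and 'cross-site' are rejected.
        return in_array(strtolower($headers['sec-fetch-site']), ['same-origin', 'none'], true);
    }
    // Fallback: compare Origin with our own origin. "null" (opaque origin) never matches.
    if (isset($headers['origin'])) {
        return rtrim(strtolower($headers['origin']), '/') === rtrim(strtolower($siteOrigin), '/');
    }
    // Neither header present: apply the chosen mode for old browsers / non-browser clients.
    return $allowMissing;
}

// Constructed sample requests: [method, headers, expected result with $allowMissing = false].
$samples = [
    ['POST', ['sec-fetch-site' => 'same-origin'], true],
    ['POST', ['sec-fetch-site' => 'same-site', 'origin' => 'https://sub.example.org'], false],
    ['POST', ['origin' => 'https://example.org'], true],
    ['POST', ['origin' => 'https://attacker.example'], false],
    ['POST', ['origin' => 'null'], false],
    ['POST', [], false],
    ['GET', [], true],
];
foreach ($samples as [$method, $headers, $expected]) {
    $got = csrfHeaderCheckPasses($method, $headers, 'https://example.org', false);
    printf("%-4s %-60s -> %s\n", $method, json_encode($headers), $got === $expected ? 'ok' : 'MISMATCH');
}
```

Passing `true` as the last argument switches to the "allow browsers without the header" mode; the only sample whose result changes is the `POST` with no headers at all.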