As of Cubicweb 3.32, there is a CSRF check on every controllers. However, the
RQLIO one is a bit peculiar, as it is intended to be used by authenticated
3rd-parties, meaning that we can disable CSRF check because the RQLIO
controllers does not rely on cookie authentication.