fix: on /rqlio, csrf is activated only on multipart/form-data

POSTs for application/json are safe from csrf but not multipart/form-data.
CSRF protection is thus disabled on application/json (no matter the authentication method).

For multipart/form-data, there are 3 use cases:

1. multipart/form-data authenticated by cookies (web browser), this requires
   csrf and this is handled by MultipartRqlIOController.
2. multipart/form-data anon user, this does not require csrf and this is
   handled by AnonMultipartRqlIOController
3. multipart/form-data authenticated with authorization, this does not
   require csrf as there is an authentication. This is not handled here
   but in signed-request that implements the authentication.
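
The dispatch rule described in the commit message, as an added sketch that is not code from this commit or from the project. The function names, the `auth_method` values and the token arguments are hypothetical, and the sketch assumes the authentication layer has already verified the credentials before reporting `auth_method`.

```python
import hmac


def media_type(content_type):
    """Strip parameters (boundary, charset) and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def csrf_required(content_type, auth_method):
    """Decide whether a POST needs a CSRF token.

    auth_method (hypothetical): 'cookie', 'authorization' or None for an
    anonymous user, as reported by the authentication layer.
    """
    kind = media_type(content_type)
    if kind == "application/json":
        return False                      # never checked, whatever the auth
    if kind == "multipart/form-data":
        return auth_method == "cookie"    # case 1 only; cases 2 and 3 are exempt
    raise ValueError("unsupported content type: %r" % kind)


def accept_post(content_type, auth_method, session_token=None, submitted_token=None):
    """Return True if the POST may proceed as far as CSRF is concerned."""
    if not csrf_required(content_type, auth_method):
        return True
    if not session_token or not submitted_token:
        return False                      # a missing token is a failure, not a skip
    # Constant-time comparison of the session's token with the submitted one.
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


if __name__ == "__main__":
    # Constructed sample requests: (Content-Type, auth method, session, submitted)
    samples = [
        ("application/json", "cookie", "tok", None),
        ("multipart/form-data; boundary=x", "cookie", "tok", "tok"),
        ("multipart/form-data; boundary=x", "cookie", "tok", None),
        ("Multipart/Form-Data; boundary=x", None, None, None),
        ("multipart/form-data; boundary=x", "authorization", None, None),
    ]
    for ctype, auth, sess, sub in samples:
        print(ctype, auth, "->", accept_post(ctype, auth, sess, sub))
```
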
4 jobs for !24 with topic/default/csrf-signedrequest-auth in 2 minutes and 5 seconds (queued for 10 seconds)