Integrate CSRF protection using pyramid built-in middleware

François Ferry requested to merge topic/default/wip_csrf into branch/default

see https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html#checking-csrf-tokens-manually

understanding CSRF https://owasp.org/www-community/attacks/csrf

Remaining checklist:

  • test on real life instances (this can be done now) (see below for details)
  • find out how to whitelist a CW controller
  • write documentation

Because of how potentially breaking this MR can be, we have discussed the idea of doing a release integrating only this MR (probably 3.33?)

How to test:

  • grab this topic in cubicweb (hg clone https://forge.extranet.logilab.fr/cubicweb/cubicweb/, hg update wip_csrf, pip install -e .)
  • launch your project with pyramid
  • navigate in it and ensure things aren't broken
    • this MR impacts every web request that isn't GET/HEAD/OPTIONS (so test forms and ajax modifying requests)
  • check that there are csrf tokens in your forms; it looks like this: <input type="hidden" name="csrf_token" value="$random_value">. This should be the case for cubicweb views (except if you aren't using the cubicweb.views.form.Form base class or are overwriting the way it injects fields); for pyramid templates you'll need to add it yourself
  • check that the token is available in the cookies
  • check that if you do a post request this is correctly sent to the server
  • check that it is sent as X-CSRF-Token on ajax requests (it probably shouldn't be by default)
  • check that if the csrf token isn't sent you get a 400 response on POST/PUT/DELETE etc.
    • to do that you can delete the input field in the form using the web inspector before submitting the form
    • ↑ check using the network tab of the browser that it isn't sent
    • you might also need to remove it from the cookies
    • you should get a 400 response
  • biggest goals are:
    • ensure that the token is verified
    • and that your application isn't broken
Edited by Laurent Peuch
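As an added, self-contained illustration of the checks in the testing list above (not code from this MR, from cubicweb or from Pyramid), the model below mirrors the behaviour the checklist describes: a token stored in a cookie, supplied back through the csrf_token hidden field or the X-CSRF-Token header on every method other than GET/HEAD/OPTIONS, compared in constant time, with a 400 when it is missing or wrong. The Request class, the handle() function and the cookie/field/header names are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # never CSRF-checked
COOKIE_NAME = "csrf_token"    # assumed cookie name holding the token
FIELD_NAME = "csrf_token"     # hidden form field name, as seen in the checklist
HEADER_NAME = "X-CSRF-Token"  # header name used by ajax requests


@dataclass
class Request:
    """Minimal stand-in for a web request (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def get_csrf_token(request):
    """Cookie storage: reuse the cookie token or mint a fresh random one."""
    token = request.cookies.get(COOKIE_NAME)
    if not token:
        token = secrets.token_hex(20)
        request.cookies[COOKIE_NAME] = token  # a real response would Set-Cookie this
    return token


def csrf_token_ok(request):
    """Compare the form field (or, failing that, the ajax header) to the cookie."""
    expected = request.cookies.get(COOKIE_NAME)
    supplied = request.form.get(FIELD_NAME) or request.headers.get(HEADER_NAME)
    if not expected or not supplied:
        return False  # deleted input field or removed cookie both end here
    # constant-time comparison so the check leaks nothing through timing
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle(request):
    """Return (status, body): 400 on a bad token for any non-safe method."""
    if request.method not in SAFE_METHODS and not csrf_token_ok(request):
        return 400, "Bad CSRF token"
    if request.method == "GET":
        # render the hidden input the checklist tells you to look for
        token = get_csrf_token(request)
        return 200, f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
    return 200, "ok"
```

Each checklist step maps to one call: a GET issues the cookie and renders the field, a POST with the field deleted or the cookie removed gets 400, and a DELETE carrying only the X-CSRF-Token header passes.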