CSRF protection is meant to protect users from malicious form POST events originating from third-party hosts. It should not be enabled for API calls by scripts, as there is no likelihood of user misdirection there.
However, we currently require CSRF validation for any form being posted. Baseframe's Form base class should counter this by explicitly disabling the CSRF check when the request contains headers that cannot have come from a web form*, such as:
- Authorization header with a bearer token (valid or not; validation happens in Flask-Lastuser)
- Other?
* Since CORS already prevents cross-site submissions from JavaScript, we only need to be concerned about web forms being forged.
According to this Rails security note from 2011, it is possible for a malicious browser extension to inject arbitrary headers into any request. Therefore we need to reconsider:
CSRF protection is meant to protect a user when additional data such as an authentication cookie is automatically submitted with the request. Therefore, if there is no cookie, there is no user authenticated via a cookie and nobody to protect. Such a request will be stateless, carrying only explicitly provided authorization credentials, so stateful protection doesn't apply to it.
Caveat: the app may still try to set a cookie, and the client's HTTP library may automatically accept and replay this cookie, triggering stateful CSRF validation on the next request. (Hasjob will even create an anonymous user account if the cookie comes back.)
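The decision rule arrived at in this thread, written out as an added example (not Baseframe's or Flask-Lastuser's code): the request is treated as stateless, and exempt from the CSRF check, only when it carries no session cookie; the Authorization header is deliberately ignored, since an extension could inject it. The cookie name, the Request container and the token-passing convention are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field

# Assumed session cookie name (Flask's default); the real app may differ.
SESSION_COOKIE = "session"


@dataclass
class Request:
    """Minimal stand-in for an incoming request (assumption, not Flask's object)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def needs_csrf_check(req: Request) -> bool:
    """True when the request carries ambient cookie credentials to protect.

    Safe methods are never checked. For state-changing methods the only
    signal consulted is the session cookie: no cookie means no cookie-
    authenticated user and nobody to protect, so the request is stateless.
    An Authorization header is NOT an exemption, because a malicious
    browser extension can add arbitrary headers to a forged form post.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False
    return SESSION_COOKIE in req.cookies


def validate(req: Request, expected_token: str) -> bool:
    """Accept a stateless request outright; otherwise require a matching token."""
    if not needs_csrf_check(req):
        return True
    supplied = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    # Constant-time comparison so token checks do not leak timing information.
    return hmac.compare_digest(supplied, expected_token)


if __name__ == "__main__":
    token = "tok-constructed"
    # Script call: bearer token, no cookie -> stateless, no CSRF check.
    print(validate(Request("POST", {"Authorization": "Bearer x"}), token))
    # Same header but the client replayed the cookie -> stateful, token required.
    print(validate(Request("POST", {"Authorization": "Bearer x"},
                           {SESSION_COOKIE: "abc"}), token))
```

The second case is the caveat from the comment above: a client that accepted and replays the cookie becomes stateful, so the exemption no longer applies.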