Remove now-unnecessary CSRF tokens
Created by: sqs
The routes that are protected by CSRF tokens all only need to accept JSON post data. So we can remove CSRF tokens. This removes a lot of complexity in our security model (@slimsag, @keegancsmith, and I have spent time researching whether our CSRF tokens impl is correct, when it isn't actually being used for anything).
Note that this just removes CSRF tokens, not CORS or other CSRF protections.
See commit messages.
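An added example, not code from this merge request or the project: a Go `net/http` middleware that enforces the property the description relies on, assuming the server rejects any state-changing request whose `Content-Type` is not `application/json`. A cross-site HTML form can only send `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`, and a cross-origin script request with a JSON content type is subject to a CORS preflight. The names `requireJSON`, `statusFor` and the path `/api/example` are hypothetical.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireJSON (hypothetical helper) rejects state-changing requests whose
// Content-Type is not application/json; parameters such as charset are allowed.
func requireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			// Safe methods must not change state, so they pass through.
			next.ServeHTTP(w, r)
			return
		}
		// A missing or malformed header fails to parse and is rejected too.
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request through requireJSON and returns the status.
func statusFor(method, contentType string) int {
	h := requireJSON(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	req := httptest.NewRequest(method, "/api/example", strings.NewReader(`{"a":1}`))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, ct := range []string{"application/json; charset=utf-8", "text/plain", ""} {
		fmt.Printf("%q -> %d\n", ct, statusFor(http.MethodPost, ct))
	}
}
```

The `text/plain` case matters most: a form can carry a JSON-shaped body under that type, so a handler that parses the body without checking the header would not get this protection.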