No content type constraint

[sio4]

What is being done in this PR?

• Removed content-type constraint. I don't think CSRF is only for HTML or Plain Text. (MW-CSRF ignores POST/PUT/DELETE with Content-Type: application/json #6)
• Made it return 403 Forbidden instead of a generic error which will become 500 by the error handler.
• Updated module dependencies

fixes #6

What are the main choices made to get to this solution?

For the Content-Type constraint, I couldn't imagine any reason for the current limitation, and I believe CSRF doesn't care about the content type. I found some histories of the code block at gobuffalo/buffalo#387, gobuffalo/buffalo#767, and gobuffalo/buffalo#768 but there is no detailed information. (see also #6 (comment))

For the response code, 403 is normal for CSRF protection so it could be nice than 500 Internal Server Error :-)

[paganotoni]

This seems reasonable to me @sio4. Thanks for putting it together.

[paganotoni]

I just saw your question in the issue and I do not remember being part of that choice. Maybe with some of the PR template we can get historical conversations and things for the future. That said, I think it would be good to tell some of the reasoning behind this change in the second question of this PR.

[sio4]

I just saw your question in the issue and I do not remember being part of that choice. Maybe with some of the PR template we can get historical conversations and things for the future. That said, I think it would be good to tell some of the reasoning behind this change in the second question of this PR.

yeah, indeed, I submitted the PR before writing and erasing all required/unnecessary PR comments :-)

I think it could be fine since we cannot find a reason for the limitation, then I think it's OK :-) Let's see if it make another issue :-)