
Remove CSRF check (#29910)

* Use color_mode for gating "sign up" button

* Remove csrf check

* Add `res.removeHeader('set-cookie')` to cache-control

* Update static-assets.js

* Remove package

* Remove tough-cookie

* Update cache-control.js

* Update cache-control.js

* Update cache-control.js
This commit is contained in:
Kevin Heis
2022-08-15 12:28:42 -07:00
committed by GitHub
parent 242c4c1f72
commit 688a274f1f
24 changed files with 29 additions and 358 deletions


@@ -7,8 +7,6 @@ const cacheControl = cacheControlFactory(60) // 1 minute
function shouldLogException(error) {
const IGNORED_ERRORS = [
// avoid sending CSRF token errors (from bad-actor POST requests)
'EBADCSRFTOKEN',
// Client connected aborted
'ECONNRESET',
]
@@ -41,8 +39,6 @@ export default async function handleError(error, req, res, next) {
// The Cache-Control is short, and let's use the default surrogate
// key just in case it was a mistake.
cacheControl(res)
// Undo the cookie setting that CSRF sets.
res.removeHeader('set-cookie')
// Makes sure the surrogate key is NOT the manual one if it failed.
// This basically unsets what was assumed in the beginning of
// loading all the middlewares.
@@ -76,7 +72,7 @@ export default async function handleError(error, req, res, next) {
}
// If the error contains a status code, just send that back. This is usually
// from a middleware like `express.json()` or `csrf`.
// from a middleware like `express.json()`.
if (error.statusCode || error.status) {
return res.sendStatus(error.statusCode || error.status)
}
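Review bot: The error path now relies on `cacheControl(res)` at the top of the second hunk to strip any `Set-Cookie` header before the short-lived, cacheable error response goes out; the explicit `res.removeHeader('set-cookie')` that used to follow it is removed here, and the description says it moved into cache-control.js, which is not on this page. If that helper only drops the header under some conditions, or a later middleware sets a cookie after it runs, a cached 4xx/5xx body can be stored by the CDN together with a cookie and served to other clients, so the contract is worth pinning with a comment on that line: `// cacheControl() also strips Set-Cookie: a cached error response must never carry one.` The same change removes `EBADCSRFTOKEN` from IGNORED_ERRORS without any replacement origin or SameSite check being visible in this file, so any remaining state-changing POST handlers presumably depend on mitigations elsewhere in the PR — worth confirming there. handleError starts before the hunk and continues past it.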