Disable the default CSRF protection.

This was added in Rails 5.2 defaults, but we upgraded from 5.1 defaults to 6.1, so we didn't notice until now.

closes #8374

config/application.rb

@@ -39,6 +39,11 @@ module Diaspora
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
+    # We specify CSRF protection manually in ApplicationController with
+    # protect_from_forgery - having it enabled anywhere by default breaks
+    # federation.
+    config.action_controller.default_protect_from_forgery = false
+
     # Enable the asset pipeline
     config.assets.enabled = true