fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks

[provokateurin]

Summary

Minimal fix extracted from #43699.
OCS APIs use the custom header to prevent CSRF attacks as described in https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#employing-custom-request-headers-for-ajaxapi:

Both the synchronizer token and the double-submit cookie are used to prevent forgery of form data, but they can be tricky to implement and degrade usability. Many modern web applications do not use <form> tags to submit data. A user-friendly defense that is particularly well suited for AJAX or API endpoints is the use of a custom request header. No token is needed for this approach.

While it is possible for clients to obtain CSRF tokens, it is a lot easier sending the custom header and not maintaining any state.

Using the same method for non-OCS endpoints is safe and simply allows using endpoints that require CSRF protection at the moment.
Usually external clients do not need to send the CSRF token as the cookie check will skip the token check, but if the client needs to send cookies because it also has to call APIs that are session aware (e.g. Talk room join/leave) or it runs in a browser, where the cookies are sent automatically, this measure is necessary. The existing CORS protection will prevent hijacks as it will requests with the header.

Ideally the two CSRF protections would be aligned and merged into a single implementation as there is no reason to have separate implementations of this protection, but this can be done in the future.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)