- Bug
- Resolution: Fixed
- Normal
- None
- None
External websites can construct POST requests that submit data to user/admin forms on musicbrainz.org. If the user is logged in on MusicBrainz, the browser attaches their session cookie to such a request, so it will be processed if the fields validate.
This would theoretically be mitigated by browsers moving to a non-permissive SameSite=Lax by default, but this also breaks release editor seeding (MBS-10717).
We should add CSRF tokens to any forms that can modify user data or administrate the site.
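The mitigation proposed above, as an added example (not MusicBrainz code): a per-session CSRF token minted by the server, required on every state-changing POST, and checked in constant time. The handler, secret, and session ids are hypothetical; a cross-site request carries the cookie but cannot carry a valid token.

```python
"""Added example: session-bound CSRF tokens for a state-changing form.
Not MusicBrainz code; names are hypothetical, secret and session ids constructed."""
import hashlib
import hmac
import os
import time
from typing import Optional

SERVER_SECRET = os.urandom(32)   # constructed; in production load from config
TOKEN_TTL = 3600                 # seconds a token stays valid


def _mac(session_id: str, ts: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def mint_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Token = 'timestamp:HMAC(secret, session_id|timestamp)'.
    Another site cannot forge it without the secret, and a token issued for
    one session does not validate for a different session."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}:{_mac(session_id, ts)}"


def verify_csrf_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Recompute the MAC for this session, enforce the TTL, compare in constant time."""
    try:
        ts, mac = token.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, ts))


def handle_form_post(session_id: str, fields: dict) -> tuple:
    """A logged-in session alone is not enough: the POST must also carry a
    token minted for that same session (rendered into the form as a hidden field)."""
    if not verify_csrf_token(fields.get("csrf_token", ""), session_id):
        return 403, "missing or invalid CSRF token"
    # ...validate the remaining fields and apply the change here...
    return 200, "ok"


if __name__ == "__main__":
    sid = "sess-victim"                                  # constructed session id
    legit = {"csrf_token": mint_csrf_token(sid), "email": "a@example.org"}
    forged = {"email": "a@example.org"}                  # cross-site POST: cookie, no token
    print(handle_form_post(sid, legit))                  # (200, 'ok')
    print(handle_form_post(sid, forged))                 # (403, 'missing or invalid CSRF token')
```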