Allow both encrypted + unencrypted CSRF header token

[barryvdh]

I know something similar has been submitted before, but currently CSRF works for these situations:

• CSRF works for hidden _token input
• CSRF works automatically for Angular, which uses the encrypted value from the cookie (+ X-XSRF-TOKEN header)

But it doesn't for other common use-cases:

• Plain text token header
• Scripts that use X-CSRF convention

Proposal: Also check the X-CSRF-TOKEN header for plain-text token. This make it easier to add a meta-tag to the page which javascript checks.
<meta name="csrf-token" content="<?= csrf_token ?>" />

Some frameworks/scripts already use this convention. like Jquery UJS

CSRFProtection: function(xhr) {
      var token = $('meta[name="csrf-token"]').attr('content');
      if (token) xhr.setRequestHeader('X-CSRF-Token', token);
    },

We see a lot of issues by people not understaning the decryption or need to remove it. This will allow all cases:

1. Check the _token input, plain text
2. Check the X-CSRF-TOKEN, plain text
3. Check the X-XSRF-TOKEN, encrypted

And a section would needed to be added to the docs, but I'm willing to write that, with a few simple examples.

Fixes #7418 #7437 #7436 #7373 #7435 #7288 #7287

[JoostK]

Now this seems like a proper universal fix. Clears up the apparently unknown convention of XSRF vs. CSRF.

[barryvdh]

Well I don't know if that is really the convention. I think the token being encrypted is more of a side-effect of laravel's cookies always being encrypted, which just doesn't matter for Angular bot does for other ways to pass the token.

[taylorotwell]

Can you submit a documentation PR?

[barryvdh]

Docs PR in laravel/docs#1179