Separate xsrf handling and version checking

[epixa]

Traditionally we've relied on the kbn-version header for csrf
protection, but that is also used for the client-side Kibana version
check that alerts users when their client is out of date and needs to be
refreshed, so it must match the version of Kibana exactly.

This poses a problem for any programmatic access that would only get set
up once but may run repeatedly throughout the future (e.g. watcher), so
there's now the additional option of specifying the kbn-xsrf header
instead. The value of the header does not matter, but its very presence
is all that is necessary to avoid xsrf attacks.

The xsrf protection just needs either one of these headers to exist.

Forward port of #8152

[ppisljar]

jenkins, test this

[ppisljar]

seems tests on master are broken. otherwise it LGTM

[epixa]

I need to do some changes to this, but I figured I'd get the 4.6 stuff done first: #8152

[epixa]

I marked this as a blocker since it went into 4.6 already.

[w33ble]

Do we really need this? I realize previously we had conflated version checking and xsrf, but we always exposed it as an xsrf check. The version check is new, and users could legitimately want to skip xsfr check, but not the version check. This prevents them from choosing one or the other.

[epixa]

Yeah, don't review this PR right now. The 4.6 PR changed a bunch of this and was merged this morning: #8152

I'll forward port those changes to this PR before we review again.

[w33ble]

@epixa you're still planning to update this PR, right?

[epixa]

Yep, once 4.6.1 goes out.

[epixa]

@w33ble This is good to go

[jbudz]

LGTM