
[7.0] Accept requests with the encrypted X-XSRF-TOKEN HTTP header #1069

Merged
merged 2 commits into from
Aug 20, 2019

Conversation

jessarcher
Member

This updates TokenGuard to accept requests with a valid encrypted X-XSRF-TOKEN HTTP header in the same way as Laravel's VerifyCsrfToken middleware.

Amongst other things, this would allow us to simplify Laravel's bootstrap.js by taking advantage of Axios's default functionality to automatically send the X-XSRF-TOKEN header on same-origin requests using the contents of the XSRF-TOKEN cookie.

I note that this feature has been requested and rejected several times, often because of concerns it opens a CSRF vulnerability. I believe this is not the case because we are only opening it to accept requests with a valid X-XSRF-TOKEN HTTP header, which will never be automatically sent by the browser (on first party initiated requests or third party initiated requests), unlike the XSRF-TOKEN cookie which is always sent.

A valid X-XSRF-TOKEN HTTP header can only be added by JavaScript with access to our cookies, in the same way that a valid X-CSRF-TOKEN header can only be added by JavaScript with access to our DOM. It has to be running on our domain. An XSS vulnerability could bypass CSRF using either header, but that's always going to be the case, and thankfully Laravel has great tools for protecting against XSS.

This is also no different to what is already happening in the VerifyCsrfToken middleware.

To help ease concerns, I have added a test to validate that the XSRF-TOKEN cookie alone is not sufficient to bypass TokenGuard.

This also addresses the PR request at #515 (comment)

I welcome as much scrutiny as possible on this as security is obviously the top priority.

Thanks!

This brings `Laravel\Passport\Guards\TokenGuard` in line with
`Illuminate\Foundation\Http\VerifyCsrfToken`.
Mistakenly copied from VerifyCsrfMiddleware
@driesvints driesvints changed the title Accept requests with the encrypted X-XSRF-TOKEN HTTP header [7.0] Accept requests with the encrypted X-XSRF-TOKEN HTTP header Aug 20, 2019
@taylorotwell taylorotwell merged commit 46558c3 into laravel:7.0 Aug 20, 2019