The new [CrossOriginProtection] implements protections against [Cross-Site
Request Forgery (CSRF)][] by rejecting non-safe cross-origin browser requests.
It uses [modern browser Fetch metadata][Sec-Fetch-Site], doesn't require tokens
or cookies, and supports origin-based and pattern-based bypasses.

[Sec-Fetch-Site]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site
[Cross-Site Request Forgery (CSRF)]: https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF