We should default to Xor CSRF tokens in 6.0:

* Use `XorCsrfTokenRequestAttributeHandler` in `CsrfFilter`
* Use `XorServerCsrfTokenRequestAttributeHandler` in `CsrfWebFilter`

Related gh-4001