Only set missing csrftoken cookie if needed by current page #7

@simonw

Description

See comment on simonw/datasette#798 (comment) - right now this middleware sets the csrftoken cookie if it is missing on EVERY page.

This is bad, because it doesn't take caching into account. Pages should not be cached by Varnish/CloudFlare etc if they are setting a secret cookie value!

Instead, we should do what Django does. Here's a snippet from the Django docs on CSRF and caching: https://docs.djangoproject.com/en/3.0/ref/csrf/#caching

If the csrf_token template tag is used by a template (or the get_token function is called some other way), CsrfViewMiddleware will add a cookie and a Vary: Cookie header to the response. This means that the middleware will play well with the cache middleware if it is used as instructed.
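The behaviour the issue asks for, as an added example that is not asgi-csrf's own code: a small ASGI middleware that leaves the response untouched unless the application actually asks for the token, and only then sets the cookie (when the client has none) and adds a Vary: Cookie header, merging with any Vary the app already set. The scope key `get_csrf_token`, the cookie attributes, the demo app and the in-process test runner are all assumptions made for this example; the library's real API may differ.

```python
import asyncio
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "csrftoken"


def _request_cookies(scope):
    """Return the request's cookies as a dict (empty if there is no Cookie header)."""
    jar = SimpleCookie()
    for name, value in scope.get("headers", []):
        if name.lower() == b"cookie":
            jar.load(value.decode("latin-1"))
    return {key: morsel.value for key, morsel in jar.items()}


def _add_vary_cookie(headers):
    """Merge 'Cookie' into an existing Vary header in place, or append a new one."""
    for i, (name, value) in enumerate(headers):
        if name.lower() == b"vary":
            values = [v.strip().lower() for v in value.decode("latin-1").split(",")]
            if "cookie" not in values:
                headers[i] = (name, value + b", Cookie")
            return
    headers.append((b"vary", b"Cookie"))


def csrf_cookie_middleware(app):
    """Set the csrftoken cookie only on responses that actually used the token."""

    async def middleware(scope, receive, send):
        if scope["type"] != "http":
            await app(scope, receive, send)
            return
        incoming = _request_cookies(scope).get(COOKIE_NAME)
        state = {"token": incoming, "needed": False}

        def get_token():
            # Calling this is the signal that the page embeds the token, so the
            # response must carry Vary: Cookie (and Set-Cookie if the client has none).
            state["needed"] = True
            if state["token"] is None:
                state["token"] = secrets.token_urlsafe(32)
            return state["token"]

        async def send_wrapper(message):
            if message["type"] == "http.response.start" and state["needed"]:
                headers = list(message.get("headers", []))
                _add_vary_cookie(headers)
                if incoming is None:
                    cookie = f"{COOKIE_NAME}={state['token']}; Path=/; SameSite=Lax"
                    headers.append((b"set-cookie", cookie.encode("latin-1")))
                message = dict(message, headers=headers)
            await send(message)

        # Hypothetical scope key: the app asks for the token through it.
        await app(dict(scope, get_csrf_token=get_token), receive, send_wrapper)

    return middleware


async def demo_app(scope, receive, send):
    """Constructed demo: '/' is a public cacheable page, '/form' embeds the token."""
    headers = [(b"content-type", b"text/html")]
    if scope["path"] == "/form":
        token = scope["get_csrf_token"]()
        body = f'<input type="hidden" name="csrftoken" value="{token}">'.encode()
        headers.append((b"vary", b"Accept-Encoding"))  # pre-existing Vary to merge with
    else:
        body = b"<h1>Cacheable public page</h1>"
    await send({"type": "http.response.start", "status": 200, "headers": headers})
    await send({"type": "http.response.body", "body": body})


app = csrf_cookie_middleware(demo_app)


def run_request(asgi_app, path, cookie=None):
    """Drive an ASGI app in-process; return (status, {header: [values]}, body)."""
    request_headers = [(b"host", b"example.test")]
    if cookie is not None:
        request_headers.append((b"cookie", cookie.encode("latin-1")))
    scope = {"type": "http", "method": "GET", "path": path, "headers": request_headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(asgi_app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    response_headers = {}
    for name, value in start["headers"]:
        key = name.decode("latin-1").lower()
        response_headers.setdefault(key, []).append(value.decode("latin-1"))
    return start["status"], response_headers, body


if __name__ == "__main__":
    for path, cookie in [("/", None), ("/form", None), ("/form", "csrftoken=abc123")]:
        status, hdrs, _ = run_request(app, path, cookie)
        print(path, cookie, status, hdrs.get("set-cookie"), hdrs.get("vary"))
```

With this structure a CDN or Varnish can cache "/" freely, while "/form" is marked with Vary: Cookie so cached copies are keyed per cookie and a fresh client never receives another visitor's token.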

Labels: enhancement (New feature or request)