CSRF protection for /-/messages tool and writable canned queries

[simonw]

The /-/messages debug tool will need CSRF protection or people will be able to add messages using a hidden form on another website.
Originally posted by @simonw in #790 (comment)

[simonw]

This is a minor security issue with master at the moment, but I'll resolve this before I ship the next release.

[simonw]

I need this for writable canned queries in #698 and #796 too.

[simonw]

I need to land and release the fix for signing cookies in simonw/asgi-csrf#2