Create a config option to toggle XSRF in Streamlit server #1565

@karriebear

Description

Problem

PR #1551 enabled XSRF in Streamlit server by default.
In order for XSRF to work, a cookie secret is needed; the default one works fine with one server. However, if deploying onto multiple servers without sticky routing, a cookie secret must be passed in to ensure a seamless experience for the end user.

In addition, to send a cookie, CORS must be disabled. We need to ensure that our configurations for XSRF and CORS are not in conflict.

Solution

  1. Create a new boolean config option server.enableXSRF to toggle XSRF. It should be enabled by default, and optionally users can override and disable it.
  2. Add a conflict check for the CORS and XSRF toggles. If a conflict exists, throw an error.
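As an added illustration of the two points raised above (this is example code written for this page, not code from Streamlit, Tornado, or the issue author): a minimal model of an HMAC-signed XSRF token of the kind a signed-cookie scheme issues, showing why a token minted by one server is only accepted by a second server when both share the same cookie secret, plus the proposed config conflict check. The names `Server`, `validate_config`, `config_is_consistent`, `ConfigConflictError` and `token_accepted_across_servers` are assumed for the example and are not Streamlit APIs; the token format is a simplified stand-in, not Tornado's exact encoding.

```python
"""Added example (not Streamlit's or Tornado's code): a model of shared-secret
XSRF tokens across load-balanced servers, and of the XSRF/CORS conflict check."""
import hashlib
import hmac
import secrets
import time


class ConfigConflictError(ValueError):
    """Assumed error type for the conflict the issue asks to reject."""


def config_is_consistent(enable_xsrf: bool, enable_cors: bool) -> bool:
    """XSRF protection relies on a cookie, and the issue states the cookie can
    only be sent when CORS is disabled, so both flags on together is a conflict."""
    return not (enable_xsrf and enable_cors)


def validate_config(enable_xsrf: bool, enable_cors: bool) -> None:
    """Model of the check proposed in the issue: raise on a conflicting config.
    (Option names follow the issue text; they are not verified against Streamlit.)"""
    if not config_is_consistent(enable_xsrf, enable_cors):
        raise ConfigConflictError(
            "server.enableXSRF and server.enableCORS cannot both be true: "
            "disable CORS or disable XSRF protection"
        )


class Server:
    """One app server behind a load balancer.  Tokens are HMAC-SHA256 signed
    with cookie_secret, a simplified stand-in for a signed-cookie XSRF token."""

    def __init__(self, cookie_secret: str):
        self._key = cookie_secret.encode()

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_xsrf_token(self) -> str:
        """Mint a token of the form nonce|issued_at|signature."""
        payload = f"{secrets.token_hex(16)}|{int(time.time())}"
        return f"{payload}|{self._sign(payload)}"

    def check_xsrf_token(self, token: str, max_age: int = 3600) -> bool:
        """Accept a token only if its signature verifies under THIS server's
        secret and it has not expired.  A token signed by a server holding a
        different secret fails here, which is the multi-server failure mode."""
        parts = token.split("|")
        if len(parts) != 3:
            return False
        nonce, issued_at, sig = parts
        if not hmac.compare_digest(sig, self._sign(f"{nonce}|{issued_at}")):
            return False
        if not issued_at.isdigit():
            return False
        return int(time.time()) - int(issued_at) <= max_age


def token_accepted_across_servers(secret_a: str, secret_b: str) -> bool:
    """Issue a token on server A, then present it to server B, as happens when
    requests are round-robined with no sticky routing."""
    server_a, server_b = Server(secret_a), Server(secret_b)
    return server_b.check_xsrf_token(server_a.issue_xsrf_token())


if __name__ == "__main__":
    # Constructed scenario: one shared secret vs. one secret per server.
    print("shared secret, cross-server OK:", token_accepted_across_servers("s3cret", "s3cret"))
    print("per-server secrets, cross-server OK:", token_accepted_across_servers("a", "b"))
    print("XSRF on / CORS off consistent:", config_is_consistent(True, False))
    print("XSRF on / CORS on consistent:", config_is_consistent(True, True))
```

The cross-server check is the practical reason the issue asks for the cookie secret to be passed in explicitly: a per-process default secret is indistinguishable from a shared one on a single server, and the mismatch only surfaces once a second replica receives a token the first one signed.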

Labels

type:enhancement (Requests for feature enhancements or new features)
