
Disable CSRF tokens for GET requests

chandi requested to merge disable-get-csrf into master

There are currently a lot of CSRF errors for Safari users on Sentry (251k events, 91k users). Somehow Safari sends a different token than the one stored in the cookie, but I could not reproduce that.

Since we agreed to never change any data with GET requests on our /api/ endpoints and an attacker can't access the body via cross site requests (no Access-Control-Allow-Origin header present), I think it is safe to disable the CSRF protection on GET requests anyway.
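The check described above, as an added example that is not part of the merge request or the project's code: a double-submit-cookie CSRF check that only enforces the token on state-changing methods, plus a small helper for the second premise (a response is only readable cross-origin when `Access-Control-Allow-Origin` permits it). The cookie and header names (`csrftoken`, `X-CSRFToken`), the `Request` shape and the `SAFE_METHODS` set are assumptions for the illustration, not the project's actual configuration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# HTTP methods that must never change server state (the "safe" methods of
# RFC 7231). The whole relaxation rests on the team's agreement that /api/
# GET endpoints really honour this; if any GET mutates data, do not exempt it.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

COOKIE_NAME = "csrftoken"      # assumed cookie name
HEADER_NAME = "X-CSRFToken"    # assumed request header name


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def new_csrf_token() -> str:
    """Unpredictable token to store in the cookie and echo back in the header."""
    return secrets.token_urlsafe(32)


def csrf_check(request: Request, exempt_safe_methods: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason).

    With exempt_safe_methods=True (the behaviour this merge request introduces)
    a GET whose header token disagrees with the cookie token is let through;
    POST/PUT/PATCH/DELETE still require cookie and header tokens to match.
    """
    if exempt_safe_methods and request.method.upper() in SAFE_METHODS:
        return True, "safe method, token not required"
    cookie_token: Optional[str] = request.cookies.get(COOKIE_NAME)
    header_token: Optional[str] = request.headers.get(HEADER_NAME)
    if not cookie_token or not header_token:
        return False, "missing CSRF token"
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "CSRF token mismatch"
    return True, "token ok"


def cross_origin_readable(response_headers: Dict[str, str], origin: str) -> bool:
    """Simplified model of the browser's CORS read check (assumption: ignores
    credentialed-request nuances). A cross-site page can only read the body
    when Access-Control-Allow-Origin is '*' or names that page's origin.
    Exempting GET from CSRF is only safe while this returns False."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao is not None and (acao == "*" or acao == origin)


def scenario_report() -> Dict[str, bool]:
    """Evaluate the cases the merge request cares about; returns allowed flags."""
    token = new_csrf_token()
    # Constructed inputs: a Safari-like GET whose header token went stale, and
    # the same stale token on a POST.
    stale_get = Request("GET", {COOKIE_NAME: token}, {HEADER_NAME: "stale"})
    stale_post = Request("POST", {COOKIE_NAME: token}, {HEADER_NAME: "stale"})
    good_post = Request("POST", {COOKIE_NAME: token}, {HEADER_NAME: token})
    return {
        "get_with_stale_token_before": csrf_check(stale_get, exempt_safe_methods=False)[0],
        "get_with_stale_token_after": csrf_check(stale_get)[0],
        "post_with_stale_token": csrf_check(stale_post)[0],
        "post_with_matching_token": csrf_check(good_post)[0],
        "api_response_readable_cross_site": cross_origin_readable({}, "https://evil.example"),
    }


if __name__ == "__main__":
    for name, allowed in scenario_report().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The report makes the trade-off explicit: the stale-token GET that Safari users hit moves from rejected to allowed, while state-changing requests keep the full check. A practitioner would pair this with a test that asserts no `/api/` GET handler writes to the database, and with an alert if an `Access-Control-Allow-Origin` header ever appears on those responses, since either change silently invalidates the premise.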
