CSRF protection (#798)

Closes #793.

* Rename RequestParameters to MultiParams, refs #799
* Allow tuples as well as lists in MultiParams, refs #799
* Use csrftokens when running tests, refs #799
* Use new csrftoken() function, refs https://github.com/simonw/asgi-csrf/issues/7
* Check for Vary: Cookie hedaer, refs https://github.com/simonw/asgi-csrf/issues/8

datasette/templates/messages_debug.html

@@ -8,7 +8,7 @@
 
 <p>Set a message:</p>
 
-<form action="/-/messages" method="POST">
+<form action="/-/messages" method="post">
     <div>
         <input type="text" name="message" style="width: 40%">
         <div class="select-wrapper">
@@ -19,6 +19,7 @@
                 <option>all</option>
             </select>
         </div>
+        <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
         <input type="submit" value="Add message">
     </div>
 </form>