
fix(app): skip csrf injection for off-origin post forms#785

Merged
cssbruno merged 2 commits into
mainfrom
fix/csrf-skip-off-origin-post-forms
Jun 27, 2026

Conversation

@cssbruno

Owner

Summary

  • Fixes CSRF HTML personalization so hidden tokens are only injected into POST forms whose action resolves to the current request origin.
  • Leaves off-origin and protocol-relative external POST forms untouched, and avoids token generation/cache mutation when no same-origin POST form needs a token.
  • Keeps same-origin absolute actions and local/root-relative actions working.

Issue Closure

Fixes #779

Verification

  • I ran the relevant tests, lint, and build commands.
  • I ran scripts/test-go-modules.sh when Go code or compiler behavior changed.
  • I ran go build ./cmd/gowdk when CLI, compiler, runtime, addon, or release behavior changed.
  • I ran node --check editors/vscode/extension.js when editor files changed.
  • I updated docs for behavior, setup, or architecture changes.
  • I added or updated tests for changed behavior.
  • I considered security-sensitive surfaces such as auth, CSRF, redirects, request-time handlers, logs, diagnostics, embedded assets, editor commands, WASM, contracts, and realtime behavior.

Commands run:

  • go test ./runtime/app -count=1
  • go test ./internal/appgen -run 'TestGenerate.*CSRF|TestSSR.*CSRF|TestGenerateSSR.*CSRF' -count=1
  • go build ./cmd/gowdk
  • git diff --check

LLM Assistance

  • LLM session summary: AI assistance narrowed CSRF token injection to same-origin POST forms and added regression coverage for off-origin actions.
  • Human-reviewed assumptions: Same-origin absolute, root-relative, relative, and empty form actions remain eligible for injection; malformed or off-origin actions skip injection.
  • Follow-up work: None for [High] Do not inject CSRF tokens into off-origin POST forms #779.

@github-actions github-actions Bot added the runtime GOWDK Runtime packages and server behavior label Jun 27, 2026
@cssbruno cssbruno marked this pull request as ready for review June 27, 2026 13:45

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 095001874c


Comment thread runtime/app/app.go Outdated
if request.TLS != nil {
scheme = "https"
} else {
scheme = "http"


P2: Honor forwarded HTTPS when deriving form origin

In the documented TLS-terminating reverse-proxy setup, the generated app receives plain HTTP with request.TLS == nil and X-Forwarded-Proto: https; this branch still defaults the origin to http, so an absolute same-site form action such as https://example.com/signup is treated as off-origin and no hidden CSRF field or cookie is injected, while the generated POST validator still requires CSRF. Reuse the existing HTTPS/proxy detection before defaulting to http so same-origin absolute HTTPS actions keep working behind the proxy.


Comment thread runtime/app/app.go
if scheme == "" || host == "" {
return false
}
actionURL, err := url.Parse(action)


P2: Use browser URL parsing for form actions

When an HTML file reaches this runtime path with an action like ///evil.example/collect or /\evil.example/collect, Go's net/url resolves it as a same-host path, but browsers submit those forms as network-path URLs to evil.example (the repo's URL safety code already treats /\ as protocol-relative). In that scenario this check returns same-origin and injects the CSRF token into an off-origin POST form, reintroducing the token leak this commit is trying to prevent.

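The same-origin decision this PR narrows token injection to, with both reviewer caveats folded in (forwarded HTTPS behind a TLS-terminating proxy, and network-path actions such as `///host` and `/\host` that browsers send off-origin), written as an added example that is not the project's own code: `requestOrigin` and `sameOriginAction` are hypothetical names, and the request and form actions are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// requestOrigin (hypothetical helper, not the project's code) derives the
// scheme and host to compare form actions against; behind a TLS-terminating
// proxy request.TLS is nil, so X-Forwarded-Proto is honoured before http.
func requestOrigin(r *http.Request) (scheme, host string) {
	scheme = "http"
	if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
		scheme = "https"
	}
	return scheme, r.Host
}

// sameOriginAction reports whether a browser would submit the form action to
// the request origin. "//", "///" and "/\" prefixes are network-path
// references in browsers, so they are rejected before net/url sees them.
// Malformed actions, scheme/host mismatches and a differing port all fail
// closed: no token is injected.
func sameOriginAction(scheme, host, action string) bool {
	if scheme == "" || host == "" {
		return false
	}
	a := strings.TrimSpace(action)
	if a == "" {
		return true // empty action posts back to the current URL
	}
	if len(a) >= 2 && strings.Trim(a[:2], `/\`) == "" {
		return false // two leading slash-like bytes: network-path reference
	}
	u, err := url.Parse(a)
	if err != nil {
		return false
	}
	// Relative or root-relative paths stay on this origin; absolute URLs must
	// match scheme and host exactly (case-insensitively).
	return (u.Scheme == "" && u.Host == "") || (strings.EqualFold(u.Scheme, scheme) && strings.EqualFold(u.Host, host))
}

func main() { // constructed sample: proxied request for https://example.com
	scheme, host := requestOrigin(&http.Request{Host: "example.com", Header: http.Header{"X-Forwarded-Proto": {"https"}}})
	for _, a := range []string{"https://example.com/signup", "/signup", "//evil.example/collect", `/\evil.example/collect`} {
		fmt.Printf("%-26q inject=%v\n", a, sameOriginAction(scheme, host, a))
	}
}
```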

@cssbruno cssbruno merged commit 7adb9ef into main Jun 27, 2026
24 checks passed
@cssbruno cssbruno deleted the fix/csrf-skip-off-origin-post-forms branch June 27, 2026 15:02

Labels

runtime GOWDK Runtime packages and server behavior

Development

Successfully merging this pull request may close these issues.

[High] Do not inject CSRF tokens into off-origin POST forms