    Don't modify env in request forgery protection · 33554c93
    Bob Van Landuyt authored
    This avoids modifying the Rack-env in request forgery protection.
    
    If we do allow the env to be modified, this would cause requests made
    to our public API by our own frontend to be incorrectly recorded in
    metrics and logs.
    
    The Gitlab::RequestForgeryProtection::Controller and its index action
    would be recorded as the caller instead of the actual endpoint being
    called.
request_forgery_protection.rb 777 Bytes
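The commit message describes a side effect rather than a CSRF bypass: a forgery check implemented as a throwaway controller action writes its own routing information into whatever Rack env it is handed, and anything downstream that reads the env (metrics, request logs) then attributes the request to that controller. The following is an added illustration of that mechanism and of the isolation the commit describes; it is not GitLab's code (the changed file is not shown on this page). The env key name, the Rails-style controller path, and the metrics/API stand-ins are all assumptions made for the example.

```ruby
# Added illustration, not GitLab's own code: why a CSRF check run as a
# throwaway controller action must not write into the caller's Rack env.
# The key name is an assumption modelled on Rails' path-parameters key; the
# controller path, API handler and metrics layer below are constructed stand-ins.
PATH_PARAMS_KEY = "action_dispatch.request.path_parameters".freeze

# Stand-in for the forgery-protection controller's index action. Like a real
# Rails action dispatched with Controller.action(:index).call(env), it records
# its own routing information in the env it receives before running the check.
def forgery_protection_action(env)
  env[PATH_PARAMS_KEY] = { controller: "gitlab/request_forgery_protection/controller", action: "index" }
  session = env["rack.session"] || {}
  token = env["HTTP_X_CSRF_TOKEN"]
  token_ok = !token.nil? && token == session[:csrf_token]
  [token_ok ? 200 : 422, {}, []]
end

# Before: the live env is handed to the action, so its writes leak upstream
# and the metrics layer later sees the forgery-protection controller as caller.
def verified_mutating?(env)
  forgery_protection_action(env)[0] == 200
end

# After: the action only ever sees a copy of the env. A shallow dup is enough
# here because the action assigns a new Hash under the key; had it mutated a
# nested object in place, a shallow copy would not isolate the caller.
def verified_isolated?(env)
  forgery_protection_action(env.dup)[0] == 200
end

# Constructed env for a request the frontend makes to a public API endpoint.
def api_request_env(token:)
  {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO" => "/api/v4/projects",
    "HTTP_X_CSRF_TOKEN" => token,
    "rack.session" => { csrf_token: "session-token" },
    PATH_PARAMS_KEY => { controller: "api/projects", action: "create" }
  }
end

# Simulates the API endpoint running the CSRF verifier, then the metrics layer
# reading the env to record which controller and action served the request.
def handle_api_request(env, verifier)
  authenticated = verifier.call(env)
  params = env[PATH_PARAMS_KEY]
  { recorded_caller: "#{params[:controller]}##{params[:action]}", authenticated: authenticated }
end

if $PROGRAM_NAME == __FILE__
  [[:verified_mutating?, "before"], [:verified_isolated?, "after"]].each do |name, label|
    result = handle_api_request(api_request_env(token: "session-token"), method(name))
    puts "#{label}: metrics recorded #{result[:recorded_caller]} (authenticated=#{result[:authenticated]})"
  end
end
```

Running the file shows the "before" path attributing the API request to the forgery-protection controller and the "after" path attributing it to the real endpoint, with the token check itself behaving identically in both. The caveat worth keeping in mind when applying this pattern is the one in the comment on `verified_isolated?`: `dup` is shallow, so it isolates reassigned keys but not in-place mutation of nested objects already present in the env.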