Dashboard Widgets may no longer need CSRF disabled
CSRF is deliberately disabled in some widgets stuch as traffic_graphs.widget.php but it's unclear if that is still necessary.
I removed the
$nocsrf = true; line from traffic_graphs.widget.php and the widget is still functional and settings can still be saved.
We may need to test each widget individually and verify if any still have issues. The original commit disabling CSRF in widgets was 7 years ago and the dashboard has went through significant architecture changes since then.