Open
Description
Thanks to SameSite-by-default cookies, CSRF protection is pretty much redundant these days. However, if I strip out the call to CSRFProtect.init_app, Flask-WTF still generates and inserts a csrf_token field into forms, even if WTF_CSRF_ENABLED is set to False.
Would you accept a PR to make it so that a project that never calls CSRFProtect.init_app leaves csrf, csrf_class, and csrf_context as their empty defaults?