A form is composed of a validator schema and a widget form schema.
The form also takes care of CSRF protection by default.
A CSRF secret can be any random string. If it is set to false, CSRF
protection is disabled; if it is set to null, the form uses the global
CSRF secret. If the global CSRF secret is also null, then a random one
is generated on the fly.
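
The false / null / string rule described above, as an added sketch that is not the framework's own code. The class and function names are hypothetical, and the HMAC token scheme and the rejection of empty secrets are assumptions made for the illustration.

```php
<?php
// Added illustration, not the framework's code; all names are hypothetical.
final class CsrfSecretResolver
{
    private static $globalSecret = null; // null means "no global secret set"

    // Returns the effective secret, or false when protection is disabled.
    // Strict comparisons (===) matter here: with ==, '' and '0' compare
    // equal to false and would silently switch protection off.
    public static function resolve($secret)
    {
        if ($secret === false) {
            return false; // protection explicitly disabled
        }
        if ($secret === null) {
            if (self::$globalSecret === null) {
                // Generated on the fly; lives only as long as this process.
                self::$globalSecret = bin2hex(random_bytes(32));
            }
            return self::$globalSecret;
        }
        if (!is_string($secret) || $secret === '') {
            // Added hardening, not stated on the page: reject empty/non-string.
            throw new InvalidArgumentException('CSRF secret must be a string, null or false');
        }
        return $secret;
    }
}

// Assumed token scheme: HMAC of a session identifier under the secret.
function csrfToken(string $secret, string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

function csrfTokenIsValid(string $secret, string $sessionId, string $submitted): bool
{
    return hash_equals(csrfToken($secret, $sessionId), $submitted); // constant-time
}

// Constructed sample values.
$secret = CsrfSecretResolver::resolve('constructed-sample-secret');
$token = csrfToken($secret, 'constructed-session-id');
var_dump(csrfTokenIsValid($secret, 'constructed-session-id', $token));
var_dump(CsrfSecretResolver::resolve(false));
var_dump(CsrfSecretResolver::resolve(null) === CsrfSecretResolver::resolve(null));
```

In this sketch a secret generated on the fly exists only in the current process, so a token issued under it does not validate in another process; passing an explicit secret avoids that.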