In Symfony 3, the framework.csrf_protection option has been removed (#15695). See also: symfony/symfony-standard#879.

However, the framework.csrf_protection option wasn't deprecated in 2.8, the framework.csrf_protection.field_name option only is. One should still be able to disable/enable the CSRF component without the forms. This change should be reverted, see also symfony/symfony-docs#5855