SECURITY: Don't send CSRF token in query string

The token is already present in the headers thanks to the csrf-token
initializer.

app/assets/javascripts/discourse/components/composer-editor.js.es6

@@ -657,13 +657,10 @@ export default Ember.Component.extend({
     this._pasted = false;
 
     const $element = $(this.element);
-    const csrf = this.session.get("csrfToken");
 
     $element.fileupload({
       url: Discourse.getURL(
-        `/uploads.json?client_id=${
+        `/uploads.json?client_id=${this.messageBus.clientId}`
-          this.messageBus.clientId
-        }&authenticity_token=${encodeURIComponent(csrf)}`
       ),
       dataType: "json",
       pasteZone: $element

app/assets/javascripts/discourse/mixins/upload.js.es6

@@ -23,8 +23,6 @@ export default Ember.Mixin.create({
       getUrl(this.getWithDefault("uploadUrl", "/uploads")) +
       ".json?client_id=" +
       (this.messageBus && this.messageBus.clientId) +
-      "&authenticity_token=" +
-      encodeURIComponent(Discourse.Session.currentProp("csrfToken")) +
       this.uploadUrlParams
     );
   },