Fixes T8984. Because of how drag-and-drop upload works, the text file with content code is interpreted as a forbidden variable. Disable this check for the drop upload controller.
(The risk here is a general one where the controller redirects and bundles paramters; this controller does not do that, so it's safe to make this change.)