
Prevent file download without POST + CSRF

Description

Prevent file download without POST + CSRF

Summary: This prevents <applet /> attacks unless the attacker can upload an
applet which has a viewable MIME type as detected by file. I'm not sure if
this is possible or not. It should, at least, narrow the attack window. There
are no real tradeoffs here, this is probably a strictly better application
behavior regardless of the security issues.
Test Plan:

  • Tried to download a file via GET, got redirected to info.
  • Downloaded a file via POST + CSRF from the info page.

Reviewers: andrewjcg, erling, aran, jungejason, tuomaspelkonen
CC: aran
Differential Revision: 759
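As an added illustration of the behaviour the commit message describes (not Phabricator's own code), the handler below redirects any GET for a file to its info page and serves bytes only on a POST carrying the session's CSRF token; the file store, the session dict and the `__csrf__` form parameter name are assumptions for this example.

```python
import hmac
import secrets

# Constructed stand-in for a file store; real code would look the file up by ID.
FILES = {"F42": ("report.txt", b"confidential contents")}

def issue_csrf_token(session):
    """Return the session's CSRF token, minting one if the session has none."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(16)
    return session["csrf"]

def handle_download(method, file_id, form, session):
    """Serve a file only on POST with a valid CSRF token.

    Returns a (status, headers, body) triple. A GET, which is what an
    <applet>, <img>, <script> or <iframe> embed issues, is redirected to
    the info page instead of receiving the file bytes. A POST without the
    session's token (a cross-site form) is rejected.
    """
    if file_id not in FILES:
        return 404, {}, b"no such file"
    if method != "POST":
        # Never hand bytes to a GET: send the user to the info page instead.
        return 302, {"Location": f"/file/info/{file_id}/"}, b""
    expected = session.get("csrf")
    supplied = form.get("__csrf__", "")  # parameter name assumed
    # Constant-time comparison; a session with no token never matches.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, {}, b"invalid CSRF token"
    name, data = FILES[file_id]
    headers = {"Content-Disposition": f'attachment; filename="{name}"'}
    return 200, headers, data
```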

Details

Provenance
epriestley authored on Aug 1 2011, 9:01 PM
themackabu pushed on Mar 25 2025, 8:07 PM
Parents
rP3aa17c74436e: Prevent CSRF uploads via /file/dropupload/