Hello all,
I faced the same problem after upgrading from xwiki 11 to 13.10. And I also run short-URLs and would prefer not to abandon them.
Based on the detailed attempts of @heinoh I observed the network tab of the inspector for the wysiwyg editor: The xredirect and form_token parameters are passed at the URL. This, probably, allows an upload form recipient to check the validity of the the CSRF token before starting to swallow the attachment which is, otherwise, as part of the big stream of attachments.
So I tried to correct upload.min.js to do the same.
I simply replaced upload.min.js by upload.js (to make it readable) then changed the line 237 from request.open('POST', this.formData.action); to request.open('POST', this.formData.action + "?form_token="+this.formData.additionalFields["form_token"] + "&xredirect=" + escape(this.formData.additionalFields["xredirect"]));.
This made my uploads work. ShortURLs remain active :-).
I am not sure if or how I should file a fix within a jira issue.
paul