graphql-dotnet/server

Disable ReadFormOnPost by default

Shane32 opened this issue · 0 comments

See notes for GraphQLHttpMiddlewareOptions.ReadFormOnPost (which may be inaccurate).

See https://www.apollographql.com/blog/backend/file-uploads/file-upload-best-practices

Based on the CORS spec, I actually think CORS would be triggered if cookies were sent, but I'm not sure. Assuming CORS was triggered in that scenario, it seems unlikely that there is a serious security vulnerability with parsing form data requests. Unless someone were exclusively using CORS for security, which seems like pretty weak security.
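
Added example (not from the issue or the graphql-dotnet code base): a simplified version of the Fetch standard's preflight decision, showing which cross-origin POST content types a browser sends without an `OPTIONS` preflight, which is the question the issue raises about form-data requests. The names `needsPreflight`, `mimeEssence` and `SAMPLES` are hypothetical; header value length/byte checks, the `Range` header, upload listeners and streamed bodies are left out.

```javascript
// Simplified preflight decision based on the Fetch standard's
// "CORS-safelisted" method and request-header rules.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Range is safelisted only for simple ranges and is omitted here.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// MIME essence: "type/subtype" without parameters, lowercased.
function mimeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Returns true when the browser sends an OPTIONS preflight before the request.
// In the Fetch standard this decision depends on the method and headers;
// the credentials mode (cookies) is not an input to it.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true;
    if (lower === "content-type" && !SAFE_CONTENT_TYPES.has(mimeEssence(value))) return true;
  }
  return false;
}

// Constructed sample requests covering the content types a GraphQL endpoint may accept.
const SAMPLES = [
  { label: "JSON body", method: "POST", headers: { "Content-Type": "application/json" } },
  { label: "application/graphql body", method: "POST", headers: { "Content-Type": "application/graphql" } },
  { label: "urlencoded form", method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { label: "multipart form", method: "POST", headers: { "Content-Type": "multipart/form-data; boundary=x" } },
  { label: "form plus custom header", method: "POST",
    headers: { "Content-Type": "multipart/form-data; boundary=x", "X-Requested-With": "fetch" } },
];

function classifySamples() {
  return SAMPLES.map((s) => ({ label: s.label, preflight: needsPreflight(s.method, s.headers) }));
}

for (const row of classifySamples()) {
  console.log(`${row.label}: ${row.preflight ? "preflight" : "no preflight"}`);
}
```

The two form content types are the only sample rows that reach the server without a preflight, so an endpoint that parses them should not rely on the preflight as its cross-site request control.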