The only cookies we set on upload.wikimedia.org responses are GeoIP, WMF-Last-Access, and CP (connection properties). GeoIP and CP are not useful, since they cannot be read by JavaScript code with a different origin.
I am not so sure about WMF-Last-Access. Do we count upload.wikimedia.org requests? (We probably shouldn't, since images can be hotlinked.) We also have to be careful not to trip the X-WMF-NOCOOKIES code for upload.wikimedia.org if we go cookie-less.