    Refactor WebSocket origin security · 041a6dff
    Randall Leeds authored
    Rather than using the cross site request forgery token in the URL
    for the WebSocket, check the HTTP Origin header. All spec-compliant
    user agents send a proper Origin header so this is sufficient to
    protect users from malicious cross-site access to the WebSocket.
    
    As a consequence, the front-end code to bootstrap the streamer can
    be simplified. The streamer no longer has any provider. Its URL and
    transport are passed explicitly to the ``open`` method.
    
    While I was here, I added support for the ``protocols`` argument to
    the ``open`` method, added support for the ``onopen`` and ``onclose``
    handlers, set the client identifier on the ``$http`` service default
    headers, aligned the state constants with the standard ones, and
    ensured that the socket cannot be closed twice.
Name
account
directives
helpers
plugin
auth-service-test.coffee
controllers-test.coffee
directives-test.coffee
guest-test.coffee
host-test.coffee
identity-service-test.coffee
permissions-service-test.coffee
session-service-test.coffee
streamer-service-test.coffee
util-test.coffee