Don't reset the sortKey unless actually switching tabs

Creating a new annotation or page note would reset the sortKey for the
sidebar to the default, because doing so can trigger a call to
`selectTab`.

This change ensures that we shortcut the state update if we're already
on the correct tab, and don't update `sortKey` in that case.

Sort notes tab by date

This commit prevents page notes from being sorted by "Location" (i.e.
document location), a meaningless property for page notes, which would
result in them being sorted unpredictably.

Instead, we define a default sort key and a set of allowable sort keys
for each sidebar tab. When switching between tabs, the sort key is
updated to the default, and the set of allowable sort keys updated
depending on the tab.

This results in page notes being sorted (by default) in ascending order
of their most recent update. Using "updated" rather than "created" is a
bit dubious, but changing this requires a bit of care to avoid strange
behaviour on the stream, so I've left that for another time.

N.B. As implemented, the sort key on each tab will be reset to the
default every time the tab changes. This is less surprising than
preserving the sort key across tab switches, and doesn't involve any
requirement to remember system state across tab switches. We can also
revisit this in the future if it seems wrong.

Fixes #96.

Extract virtualized thread list into its own component

Annotation quotes now have a default color of `$grey-7`, so there is no
need to have an additional selector for when the annotation card is
hovered.

 * Extract thread list into its own component for better encapsulation
   and easier testing

 * Rename `annotation-card` to `thread-list__card` and move it to
   the component styling file for `thread-list`.

   Unfortunately a couple of visual effects still require it
   to be referenced in annotation.scss

 * Remove ng-show hack in thread list

   Remove the "ng-show" attribute which was added as a hack for reasons
   which are no longer applicable. See
   https://github.com/hypothesis/h/issues/2642#issuecomment-150629305
   for original context.

 * Remove unused js-hover class and the code that supports it

   It turns out that this class is no longer referenced in code or
   applicable styling.

Fix missing initialization of $orphan flag for new annotations and
properly account for annotations that do not have IDs in ADD_ANNOTATIONS
and UPDATE_ANCHOR_STATUS actions.

 - Fix ADD_ANNOTATIONS action replacing the first existing unsaved
   annotation when a second unsaved annotation is added
 - Fix UPDATE_ANCHOR_STATUS action not matching annotations without
   IDs (ie. new annotations) correctly.
 - Fix $orphan flag not being initialized for new annotations

Fixes #94

Remove "assertion" GET param from token requests

When fetching a JWT from the server, the client needs to supply the
session CSRF token in order to prevent third-party pages from being able
to fetch and use tokens without the user's permission.

Previously, we supplied the CSRF token in an "assertion" GET parameter
(partially in an attempt to make this look a bit like an OAuth token
issuance API) but in Pyramid 1.7 this isn't allowed. (This is good:
allowing the CSRF to be passed as a GET parameter makes it easier to
construct a cross-domain attack which retrieves a token for the user).

This commit moves the CSRF token into a request header, which works
because there are only two legitimate situations in which this request
is made:

- from an embed iframe, which is on the same origin as the service
- from a Chrome extension iframe, which is permitted to make
  cross-origin XHR requests to URLs specified in the manifest (in our
  case, `<all_urls>`).

Note that we cannot rely on Angular's built-in CSRF support here,
because it does not operate for cross-domain requests.

This reverts commit e0e23bde. This needs
more thought, as the X-CSRF-Token header won't currently be set for
cross-domain requests (such as those made by the extension sidebar).

Remove "assertion" GET param from token requests

When fetching a JWT from the server, the client needs to supply the
session CSRF token in order to prevent third-party pages from being able
to fetch and use tokens without the user's permission.

Previously, it was necessary to supply this token in the "assertion" GET
parameter -- in an attempt to make this look a bit like an OAuth token
issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out
not to be necessary, because Angular's CSRF support retrieves the token
from an XSRF-TOKEN cookie set in earlier requests and sets the
X-CSRF-Token request header automatically.

When receiving annotation updates via the WebSocket, merge the updated
annotation with the existing local annotation, preserving the local tag
and anchoring status flags.

This fixes a problem where Annotations would be shown as Orphans after
an update was received via the WebSocket

 * When an annotation update is received, merge the current/new
   versions rather than removing the current version and replacing
   it with the new one.

 * Remove mutation of existing annotation in `loadAnnotations()`,
   since the reducer function is now responsible for merging changes
   and triggering UI updates

Do not hide annotation thread when annotations are waiting to anchor.

When an annotation is created or updated the sidebar briefly transitions into the
`waitingToAnchor` state and hides the entire thread list, losing the user's scroll
position as a result.
Instead of hiding the entire thread, filter out the annotations which are waiting to
anchor.

https://trello.com/c/hQRpsUPj/444-avoid-hiding-thread-list-while-new-annotations-received-over-ws-are-being-anchored

Document the default values of client config keys

Document the `showHighlights` config option

On group change, reset tab selection to annotations if the selected t…

This is not used by the client. The client does use the [Angular
Bootstrap](http://angular-ui.github.io/bootstrap/) 3rd-party module for
dropdown menus but that does not use the Bootstrap build's JS or CSS.

Remove unused CSS

This file is used only by the H service

Remove unused CSS rules. These were found by using used-css-classes [1]
and find-unused-css-classes [2]:

  used-css-classes h/templates/client/*.html > used-classes.txt
  find-unused-css-classes used-classes.txt build/styles/app.css > unused-css-classes

And then manually checking classes in `unused-css-classes` to verify
that the classes were not referenced in first or third-party code, since
the tools only extract used class names from templates.

[1] https://github.com/robertknight/used-css-classes
[2] https://github.com/robertknight/find-unused-css-classes

This caused a parsing exception in BeautifulSoup when gathering the
set of used CSS classes with https://github.com/robertknight/used-css-classes

- #!/bin/sh is in POSIX, no need for env
- `set -eu` to explode if something fails or a var isn't defined
- a simpler way of ensuring we're in the right place to run the releaser
  script.
- "git push --follow-tags" will push pending commits and annotated tags
  attached to them in a single command

Avoid an issue where trying to create a GH release immediately after
pushing the tag often fails.

In browsers that support Shadow DOM (currently only Chrome, plus Firefox
behind a feature flag), use it to isolate the adder from the host page's
CSS.

This fixes various problems where very generic CSS on the page could
affect the adder's styling.