Remove "assertion" GET param from token requests

When fetching a JWT from the server, the client needs to supply the
session CSRF token in order to prevent third-party pages from being able
to fetch and use tokens without the user's permission.

Previously, we supplied the CSRF token in an "assertion" GET parameter
(partially in an attempt to make this look a bit like an OAuth token
issuance API) but in Pyramid 1.7 this isn't allowed. (This is good:
allowing the CSRF to be passed as a GET parameter makes it easier to
construct a cross-domain attack which retrieves a token for the user).

This commit moves the CSRF token into a request header, which works
because there are only two legitimate situations in which this request
is made:

- from an embed iframe, which is on the same origin as the service
- from a Chrome extension iframe, which is permitted to make
  cross-origin XHR requests to URLs specified in the manifest (in our
  case, `<all_urls>`).

Note that we cannot rely on Angular's built-in CSRF support here,
because it does not operate for cross-domain requests.

This reverts commit e0e23bde. This needs
more thought, as the X-CSRF-Token header won't currently be set for
cross-domain requests (such as those made by the extension sidebar).

Remove "assertion" GET param from token requests

When fetching a JWT from the server, the client needs to supply the
session CSRF token in order to prevent third-party pages from being able
to fetch and use tokens without the user's permission.

Previously, it was necessary to supply this token in the "assertion" GET
parameter -- in an attempt to make this look a bit like an OAuth token
issuance API -- but in Pyramid 1.7 this isn't allowed, and it turns out
not to be necessary, because Angular's CSRF support retrieves the token
from an XSRF-TOKEN cookie set in earlier requests and sets the
X-CSRF-Token request header automatically.

When receiving annotation updates via the WebSocket, merge the updated
annotation with the existing local annotation, preserving the local tag
and anchoring status flags.

This fixes a problem where Annotations would be shown as Orphans after
an update was received via the WebSocket

 * When an annotation update is received, merge the current/new
   versions rather than removing the current version and replacing
   it with the new one.

 * Remove mutation of existing annotation in `loadAnnotations()`,
   since the reducer function is now responsible for merging changes
   and triggering UI updates

Do not hide annotation thread when annotations are waiting to anchor.

When an annotation is created or updated the sidebar briefly transitions into the
`waitingToAnchor` state and hides the entire thread list, losing the user's scroll
position as a result.
Instead of hiding the entire thread, filter out the annotations which are waiting to
anchor.

https://trello.com/c/hQRpsUPj/444-avoid-hiding-thread-list-while-new-annotations-received-over-ws-are-being-anchored

Document the default values of client config keys

Document the `showHighlights` config option

On group change, reset tab selection to annotations if the selected t…

This is not used by the client. The client does use the [Angular
Bootstrap](http://angular-ui.github.io/bootstrap/) 3rd-party module for
dropdown menus but that does not use the Bootstrap build's JS or CSS.

Remove unused CSS

This file is used only by the H service

Remove unused CSS rules. These were found by using used-css-classes [1]
and find-unused-css-classes [2]:

  used-css-classes h/templates/client/*.html > used-classes.txt
  find-unused-css-classes used-classes.txt build/styles/app.css > unused-css-classes

And then manually checking classes in `unused-css-classes` to verify
that the classes were not referenced in first or third-party code, since
the tools only extract used class names from templates.

[1] https://github.com/robertknight/used-css-classes
[2] https://github.com/robertknight/find-unused-css-classes

This caused a parsing exception in BeautifulSoup when gathering the
set of used CSS classes with https://github.com/robertknight/used-css-classes

- #!/bin/sh is in POSIX, no need for env
- `set -eu` to explode if something fails or a var isn't defined
- a simpler way of ensuring we're in the right place to run the releaser
  script.
- "git push --follow-tags" will push pending commits and annotated tags
  attached to them in a single command

Avoid an issue where trying to create a GH release immediately after
pushing the tag often fails.

In browsers that support Shadow DOM (currently only Chrome, plus Firefox
behind a feature flag), use it to isolate the adder from the host page's
CSS.

This fixes various problems where very generic CSS on the page could
affect the adder's styling.

- Only mark annotations as orphans after a timeout in the sidebar,
   not in the stream where anchoring does not happen.
 - Do not filter annotations by type on the stream, where annotation
   tabs are not displayed.

When the orphans feature flag is not set, do not indicate orphans in
annotation cards by striking through their quotes.

The feature flag is hoisted outside of the `isOrphan` call because I
recall that `flagEnabled` was actually quite an expensive call in the
past so we want to avoid invoking it during every digest cycle.

If an annotation is loaded and then quickly removed before the anchoring
timeout expires, the call to `findByID()` will return null, causing an
error when trying to check the `$orphan` flag in `isWaitingToAnchor`.

Fix this by ignoring annotations which no longer exist when the timeout
expires.

If anchoring an annotation fails to complete within 500ms then assume
that an error occurred during anchoring and that the annotation is
therefore an orphan.

If it later turns out that anchoring just took a long time then the
annotation will simply move from the Orphans tab to the Annotations tab
once anchoring completes.

A timeout within the sidebar app is used rather than relying on the page
code to send back a message if an error occurs during anchoring because
the code that runs in the page context could fail in arbitrary ways due
to interactions with JavaScript on the page.

Remove the 'selection_tabs' feature flag

This is now enabled for all users.