* browser-policy uses browser-policy-framing and browser-policy-content, both of
which set default policies when they are used. This way you get a default
policy when you add a browser policy package, but you can pick and choose
different packages if you only want to think about one of them.
* The two packages use different namespaces: BrowserPolicy.framing and
BrowserPolicy.content, which meant some functions got renamed (e.g. not using
"framing" or "content in the function name when it's already in the
namespace).
Thus if two objects are EJSON.equals, their serialization strings will
be equal also.
(This should mean that reactive-dict could now allow objects to be
used as the key for `equal`).
Note this change does not affect livedata because livedata uses the
EJSON adjust functions to convert between JSON and EJSON (not
stringify).
Adds a couple options to EJSON.stringify:
* keyOrderSensitive: in parallel with EJSON.equals, outputs objects in
native key order (the old behavior).
* indent: pretty-prints the output.
The serialization code is based json2, which makes it easy to preserve
the indentation functionality provided by JSON.stringify. Only enough
code is included to serialize arrays and objects; serializing
primitive values such as strings is delegated to the native
JSON.stringify to reduce code and in case the native implementation is
more efficient.
Include underscore as an explicit dependency in package.js.
Document options to EJSON.equals and EJSON.stringify.
- Remove starter-browser-policy and replace it with
BrowserPolicy.enableContentSecurityPolicy(), which gives you the starter
policy and allows you to use the other BrowserPolicy functions to configure
it. This is motivated by the fact that the API isn't very intuitive without a
well-defined starting policy. ex: if the package starts off without a policy,
and then the user calls allowAllContentSameOrigin(), that will result in
turning off inline scripts, which is probably not what they wanted.
- AllContent functions do more of what you'd expect now;
i.e. BrowserPolicy.disallowAllContent() actually disallows all content,
instead of setting default-src to 'none', which will allow other types of
content that have previously had srcs set for them.
- Add some tests
