* Adding "foo.com" to your CSP via browser-policy now adds both
"http://foo.com" and "https://foo.com". This smooths over the fact
that some browsers interpret "foo.com" as "http://foo.com" and some
interpret it as http AND https.
* Trim trailing slashes from origins. Firefox does not allow content
from foo.com if you add "foo.com/" to your CSP.
Specifically, in all Underscore "collection" functions which treat their
arguments polymorphically as either "object-like" or "array-like", don't
treat arguments with `x.constructor === Object` as arrays (except for
the 'arguments' object).
Fixes#594. Fixes#1737.
This implies it is not allowed in `observe` either, or in cursors
returned from publish functions, or in cursors used in {{#each}}
Why? observeChanges and DDP publication use the ID as part of the
callback/message, and eliding it completely breaks them. Meteor UI uses
the ID with {{#each}} to properly move nodes around instead of
re-rendering. We could try to allow it for `observe` outside of
{{#each}}, but it would feel somewhat inconsistent.
Document `Meteor.onConnection` instead of `Meteor.server.onConnection`.
Condense sections about when there is a session reconnect into a
single {{note}}.
Document the `stop` handle returned by `onConnect`.
Document `this.session` in Meteor.methods section.
* browser-policy uses browser-policy-framing and browser-policy-content, both of
which set default policies when they are used. This way you get a default
policy when you add a browser policy package, but you can pick and choose
different packages if you only want to think about one of them.
* The two packages use different namespaces: BrowserPolicy.framing and
BrowserPolicy.content, which meant some functions got renamed (e.g. not using
"framing" or "content in the function name when it's already in the
namespace).
