Better non-signing implementation

[dcramer]

We need to implement some behavior in Sentry (so this ticket applies to both raven-js and Sentry) that removes the need for Raven to send a signed request. The signed request in JS doesn't actually provide any benefit, as it exposes the signing key (secret key).

Two things we should do:

1. Implement ProjectDomain (model exists in Sentry, but its not implemented yet) to check for whitelisted trusted domains.
2. Fully support non-signed requests officially. This should probably just be public key to allow it, and should not be enabled in Sentry by default. Possibly make it a per-project option that says "allow public errors" which dont require the secret key or a signed request.

[bkonkle]

I could also add an option to omit the secretKey and send the message to the server for signing. It would be a very simple view to write, and someone could probably write a dead-simple Nginx module to avoid the app server entirely. Whitelisting is definitely the easier choice for now, though.

[bkonkle]

I went ahead and added a signatureUrl option to allow it to operate without a secretKey and hit a url to get the signature. I also added the option to configure it with a base64 string to obfuscate it. I added a note to the Readme explaining that this option was still insecure, but less obvious.

Next week I'll try to send a pull request for Sentry to add whitelisting.

[dcramer]

This is now fixed