Extend origins option to allow a function

[timdown]

This is to support custom origin checking in the Overleaf real-time service.

Changes:

• Overhaul origins option to allow a regex, function, string or boolean, or an array of any mix of these
• Change origins option default to disallow any origin
• Extend origins option to allow a function
• Remove htmlfile transport
• Remove flashsocket transport

This still falls back to checking the referrer header when origin is missing. This is a questionable practice and modern versions of socket.io don't do this. The referrer header also has the path, unlike the origin, which means we have to handle that in the origins option, probably using a regex. I've opted for a a minimal change that simply allows a function to be passed into the origins option, which receives the origin/referrer and the request object. If the origins setting is not a function, it behaves exactly as before, and the default is still to allow any origin.

This will fix https://github.com/overleaf/internal/issues/22644, in combination with some small tweaks to the check the origin in the real-time service.

We'll need to create a tag (probably 0.9.19-overleaf-11) once this is merged so that we can point the real-time dependency to the new version.

[Seinzu]

I think we need to fix the default case before we can go ahead. The rest of it looks good.

[Seinzu]

I'm not a big fan of the way the default setup works but it doesn't seem to be blocking

[timdown]

I've updated this by changing the origins option back to how it was (including defaulting to letting anything through) and allowing it to be function, so it's just a simple escape hatch. This seems the simplest possible change. I have kept the refactor that removes duplication of the origin check code in the various websocket implementations, which seems safe to me.

[Seinzu]

I haven't tested this version (but have tested similar implementations). I think this is the lowest risk thing we can do for now.