MIX: Drop 'active'/'passive' distinction, limit CORS.

Responding to feedback from Mozilla[1], Cox[2], and others, this change
drops the 'active'/'passive' distinction from the document. The concepts
are replaced with 'blockable'/'optionally-blockable': the former
includes what was previously categorized as 'active' or 'blockable
passive', and the latter 'optionally-blockable passive'.

At the same time, this change brings in the 'context frame type' concept
from Fetch in order to explain what we previously called a 'navigational
request context'. This should clarify the algorithms.

Finally, we now block mixed requests with a 'mode' of 'CORS' or
'CORS-with-forced-preflight' as a mechanism of further subsetting
content types we can't outright block (proposed in [3]).

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0108.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0052.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0049.html

specs/biblio.json

@@ -25,6 +25,12 @@
     "status": "WD",
     "publisher": "W3C"
   },
+  "DANGEROUS-MIX": {
+    "authors": [ "Ping Chen", "Nick Nikiforakis", "Christopher Huygens", "Lieven Desmet" ],
+    "href": "http://www.securitee.org/files/mixedinc_isc2013.pdf",
+    "title": "A Dangerous Mix: Large-scale analysis of mixed-content websites",
+    "publisher": "Proceedings of the Information Security Conference"
+  },
   "FETCH": {
     "authors": [ "Anne van Kesteren" ],
     "href": "http://fetch.spec.whatwg.org/",
@@ -126,6 +132,13 @@
     "status": "RFC",
     "publisher": "IETF"
   },
+  "RFC6455": {
+    "authors": [ "Ian Fette", "Alexey Melnikov" ],
+    "href": "http://www.ietf.org/rfc/rfc6455.txt",
+    "title": "The WebSocket Protocol",
+    "status": "RFC",
+    "publisher": "IETF"
+  },
   "RFC6797": {
     "authors": [ "Jeff Hodges", "Collin Jackson", "Adam Barth" ],
     "href": "http://www.ietf.org/rfc/rfc6797.txt",