Created by: slimsag
Now that window.context does not even contain CSRF tokens/headers (i.e., now that
we have proven those are not used in our CSRF security model) we can now update our
security model doc to indicate that window.context is entirely unprivileged
data.
Signed-off-by: Stephen Gutekanst stephen@sourcegraph.com