Fallback to default client configuration if `requestConfigFromFrame` configuration is invalid

[robertknight]

The Hypothesis white-label VitalSource book reader at https://hypothesis.vitalsource.com is configured for use inside the Hypothesis LMS app. To enable the Hypothesis client to talk to our LMS app, the book reader frame that loads the client sets the requestConfigFromFrame key:

// `window.hypothesisConfig` function in the iframe where the client is loaded
function () {return {requestConfigFromFrame: {origin: "https://lms.hypothes.is",ancestorLevel: 3},openSidebar: true};} = $1

If you try to access a book at https://hypothesis.vitalsource.com directly, the client fails to load due to this configuration. It logs this error on startup:

The preferred solution here would be that https://hypothesis.vitalsource.com changes the Hypothesis client configuration depending on whether it was launched by our LMS app or not:

1. When launched by our LMS app, the H-VS book reader should use the above configuration
2. Otherwise, the H-VS reader should omit the requestConfigFromFrame key

As a fallback we can implement purely on our side, ignore the requestConfigFromFrame configuration with a console warning if it is invalid (eg. specifies that the configuration should be retrieved from the ancestor N levels up the frame tree, and N is greater than the number of ancestors). The console warning is important in case the code path ever ends up getting executed when it shouldn't be.

[robertknight]

The preferred solution here would be that https://hypothesis.vitalsource.com/ changes the Hypothesis client configuration depending on whether it was launched by our LMS app or not.

Depending on how authentication is set up, the Hypothesis LMS app may launch the VitalSource book viewer by one of these methods:

1. Loading https://hypothesis.vitalsource.com/books/{book_id}/cfi/{cfi} inside an iframe, with no authentication
2. Using the endpoint at https://developer.vitalsource.com/hc/en-us/articles/204317878-POST-v3-redirects-SSO-to-Bookshelf-eReader to get a launch URL which is loaded inside the iframe

The parent of the iframe will have an origin that ends with .hypothes.is. We have a number of different domains for our LMS app depending on where the customer is (eg. US vs Canada) and the environment (eg. staging, prod).

Any logic in the VS viewer that needs to detect whether it is part of an LTI launch would need to accommodate one of these methods. The absolute dumbest thing I can think of would be to simply check whether the https://hypothesis.vitalsource.com frame is the top-level frame in the tab. If it is the top-level frame, it is not in the LMS app. If it is not the top-level frame, we can assume we are in the LMS app. A slightly better version of this would be to check if any of the ancestor origins (location.ancestorOrigins) ends with .hypothes.is, though that won't work in Firefox. VitalSource developers can probably think of some other ways to check.

[robertknight]

This is super low priority IMO, so I'm taking it out of the current sprint.