fixes #8925 - support plugin asset manifests beneath app root

This supports Debian packaging where storing the assets manifest.yml beneath
the gem installation directory isn't possible, as bundler manages gem
installations.

Instead, support loading ${app.root}/public/assets/${plugin}/manifest.yml so...

Fixes #8091: connect-src accepts WSS

(cherry picked from commit 8553650c50f0ab8a9bf9d3ce223ddac7af2afe0a)

fixes #7586, #7734, #7172 - user preferences for receiving mail notifications

Adds a framework for user-selectable mail notifications. The work is
still done in ActionMailer classes and launch by rake in cron, however a
wrapper called MailNotification is used to provide RBAC and make the...

Fixes #8009 - Make sure the final version of helpers is in the controller

(cherry picked from commit 94651a72552d90a811f8b5623ece86d1ef038028)

Fixes #746 - Generate all the Host template when click on Build to avoid errors during installation

Fixes #6710 - unicode characters in url parameters

Original methods to_param defined on resources called name.parameterize
to get rid of url-unsafe characters. This function unfortunately also
stripped off unicode characters.

Changes:
- parameterization extracted into a separate module Parameterizable...

fixes #7985 - add support for ws:// in secure headers

fixes #3492 - API v2 nested routes for each controller

fixes #7907 - Allow images from gravatar on secure headers

fixes #7805 - Add several security related HTTP headers - security hardening.

• Content Security Policy
• HTTP Strict Transport Security
• X-XSS-Protection...