Fixes https://github.com/nhooyr/websocket/issues/359

Credits to @maggie44 for making me add staticcheck.
See #407

Co-authored-by: maggie0002 <64841595+maggie0002@users.noreply.github.com>

Co-authored-by: lazypassion <25536767+lazypassion@users.noreply.github.com>

Cherry picked from master at 129d3035

Also ran gofmt on everything. Thanks again @paralin. #334

Co-authored-by: Christian Stewart <christian@paral.in>

Co-authored-by: lazypassion <25536767+lazypassion@users.noreply.github.com>

Fix DOS attack from malicious pongs

A double channel close panic was possible if a peer sent back multiple
pongs for every ping.

If the second pong arrived before the ping goroutine deleted its channel
from the map, the channel would be closed twice and so a panic would
ensue.

This fixes that by having the read goroutine send on the ping
goroutine's channel rather than closing it.

Reported via email by Tibor Kálmán @kalmant

Please update to the new release ASAP!

Closes #247

Updates #255

netconn.go: Disable read limit on WebSocket

Closes #245

Closes #242

Closes #87

Merge master into dev

Thank you @icholy for identifying these in
https://github.com/nhooyr/websocket/pull/259#issuecomment-702279421

There were a few PRs merged into the master branch that were then not
merged into the dev branch. This branch merges those changes in cleanly.

- #261
- #266
- #273

HTTP header values, as opposed to header keys,
are case sensitive, but implementation of headerTokens()
before this patch would return lowered values always.

This old behavior could lead to chromium (v87) WebSocket
rejecting connnection because negotiated subprotocol,
returned in Sec-WebSocket-Protocol header (lowered
be headerToken() function) would not match one sent
by client, in case client specified value with capital
letters.