ECDH deriveKey example should use HKDF #49
Description
The ECDH examples output the raw bits from the ECDH secret value, either directly or into the importKey operation of AES-CTR. As I pointed out on the WebCrypto spec page this is not secure as the secret value is not uniformly random. The recommendation is usually to pass the value through some key derivation function such as HKDF including some context information such as the public keys used in the agreement (better: a hash of the full transcript of messages exchanged up to that point). See for instance Chapter 11 of Serious Cryptography for a discussion of the issues with using the shared secret directly.
I think it should be possible to create an example that passes the ECDH secret bits into HKDF and then into AES-CTR importKey.