9a24eab7aa53e82ca200d92f532411f37d8487f3
braney
  Sat Feb 24 18:09:09 2018 -0800
add lazy loading to hgCollection, modify CSP policy to allow blob:

diff --git src/lib/htmshell.c src/lib/htmshell.c
index ad835ab..b04c93e 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -939,31 +939,31 @@
 
 
 char *getCspPolicyString()
 /* get the policy string */
 {
 // example "default-src 'self'; child-src 'none'; object-src 'none'"
 struct dyString *policy = dyStringNew(1024);
 dyStringAppend(policy, "default-src *;");
 
 /* more secure method not used yet 
 dyStringAppend(policy, "default-src 'self';");
 
 dyStringAppend(policy, "  child-src 'self';");
 */
 
-dyStringAppend(policy, " script-src 'self'");
+dyStringAppend(policy, " script-src 'self' blob:");
 // Trick for backwards compatibility with browsers that understand CSP1 but not nonces (CSP2).
 dyStringAppend(policy, " 'unsafe-inline'");
 // For browsers that DO understand nonces and CSP2, they ignore 'unsafe-inline' in script if nonce is present.
 char *noncePolicy=getNoncePolicy();
 dyStringPrintf(policy, " %s", noncePolicy);
 freeMem(noncePolicy);
 dyStringAppend(policy, " code.jquery.com");          // used by hgIntegrator jsHelper and others
 dyStringAppend(policy, " www.google-analytics.com"); // used by google analytics
 // cirm cdw lib and web browse
 dyStringAppend(policy, " www.samsarin.com/project/dagre-d3/latest/dagre-d3.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/d3/3.4.4/d3.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jquery/1.12.1/jquery.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jstree/3.2.1/jstree.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/bowser/1.6.1/bowser.min.js");
 dyStringAppend(policy, " cdnjs.cloudflare.com/ajax/libs/jstree/3.3.4/jstree.min.js");
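Review bot: The `blob:` source added to `script-src` in getCspPolicyString() is sent with every page that uses this policy string, not only hgCollection, and unlike the host entries further down it has no comment saying which feature needs it. With `blob:` allowed, a script assembled into a Blob by page JavaScript can run without carrying the nonce, so the entry should be documented and kept only while it is needed, for example `// blob: needed by hgCollection lazy loading; allows scripts loaded from blob: URLs, remove if no longer required`. If the consumer turns out to be a worker rather than a script element (the hunk does not show which), a separate `worker-src blob:` directive would be narrower than widening `script-src`. The function body continues past the end of this hunk.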