force https for blob url in _frame.js. Updates helmet to allow more inspectlet domains.

public/js/lib/jailed/_frame.js

@@ -36,7 +36,7 @@ try {
   blobUrl = blobUrl.getBlob();
 }
 
-var worker = new Worker(URL.createObjectURL(blobUrl));
+var worker = new Worker(URL.createObjectURL('https:' + blobUrl));
 
 // telling worker to load _pluginWeb.js (see blob code above)
 worker.postMessage({

server/server.js

@@ -132,7 +132,8 @@ var trusted = [
   'wss://inspectletws.herokuapp.com/',
   'http://hn.inspectlet.com/',
   '*.googleapis.com',
-  '*.gstatic.com'
+  '*.gstatic.com',
+  'https://hn.inspectlet.com/'
 ];
 
 app.use(helmet.csp({