README.md in secure_headers-0.2.1 vs README.md in secure_headers-0.3.0

- old
+ new

@@ -57,12 +57,11 @@
   config.x_frame_options = 'DENY'
   config.x_content_type_options = "nosniff"
   config.x_xss_protection = {:value => '1', :mode => false}
   config.csp = {
     :default_src => "https://* inline eval",
-    # ALWAYS supply a full URL for report URIs
-    :report_uri => 'https://example.com/uri-directive',
+    :report_uri => '//example.com/uri-directive',
     :img_src => "https://* data:",
     :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
   }
 end
 
@@ -105,16 +104,16 @@
 :csp => {
   :enforce     => false,        # sets header to report-only, by default
   # default_src is required!
   :default_src     => nil,      # sets the default-src/allow+options directives
 
-  # Where reports are sent. Use full URLs.
-  :report_uri  => 'https://mylogaggregator.example.com',
+  # Where reports are sent. Use protocol relative URLs if you are posting to the same domain (TLD+1). Use paths if you are posting to the application serving the header
+  :report_uri  => '//mysite.example.com',
 
   # Send reports that cannot be sent across host here. These requests are sent
   # the server, not the browser. If no value is supplied, it will default to
-  # the value in report_uri.
+  # the value in report_uri. Use this if you cannot use relative protocols mentioned above due to host mismatches.
   :forward_endpoint => 'https://internal.mylogaggregator.example.com'
 
   # these directives all take 'none', 'self', or a globbed pattern
   :img_src     => nil,
   :frame_src   => nil,
@@ -237,12 +236,11 @@
   config.x_frame_options = 'DENY'
   config.x_content_type_options = "nosniff"
   config.x_xss_protection = {:value => '1', :mode => false}
   config.csp = {
     :default_src => "https://* inline eval",
-    # ALWAYS supply a full URL for report URIs
-    :report_uri => 'https://example.com/uri-directive',
+    :report_uri => '//example.com/uri-directive',
     :img_src => "https://* data:",
     :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
   }
 end
 
@@ -279,11 +277,10 @@
       config.x_frame_options        = 'DENY'
       config.x_content_type_options = "nosniff"
       config.x_xss_protection       = {:value   => '1', :mode => false}
       config.csp                    = {
         :default_src => "https://* inline eval",
-        # ALWAYS supply a full URL for report URIs
-        :report_uri => 'https://example.com/uri-directive',
+        :report_uri => '//example.com/uri-directive',
         :img_src => "https://* data:",
         :frame_src => "https://* http://*.twimg.com http://itunes.apple.com"
       }
     end
 