Commit ecc8bb0

committed
a little more clarification around the child/frame-src problem
1 parent fbf0ec1 commit ecc8bb0

File tree

1 file changed

+1
-1
lines changed

docs/upgrading-to-6-0.md

Lines changed: 1 addition & 1 deletion
@@ -51,4 +51,4 @@ The first example: we will now send `'unsafe-inline'` along with nonce source ex
5151

5252
## No more frame-src/child-src magic
5353

54-
First there was frame-src. Then there was child-src which deprecated frame-src. Then child-src became deprecated in favor of frame-src and worker-src. In the meantime, every browser did something different. For a while, it was recommended to set child-src and frame-src but the values had to be identical. secure_headers would sniff the UA to determine whether to use frame or child src. Now that the dust has settled, I think we can stop sniffing UAs and just go with a straightforward application.
54+
First there was frame-src. Then there was child-src which deprecated frame-src. Then child-src became deprecated in favor of frame-src and worker-src. In the meantime, every browser did something different. For a while, it was recommended to set child-src and frame-src but the values had to be identical. secure_headers would sniff the UA to determine whether to use frame or child src. That can lead to confusing things like setting frame-src but seeing child-src. If the child-src and frame-src did not match up, an error is raised. This can be very confusing when using dynamic overrides ("Do we use child-src or frame-src?" => :boom:). Now that the dust has settled, I think we can stop sniffing UAs and just go with a straightforward application.
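Review bot: The new sentences in this hunk mix tenses and leave the 6.0 behaviour implicit. "If the child-src and frame-src did not match up, an error is raised" reads more cleanly as "If child-src and frame-src do not match, an error is raised", and "setting frame-src but seeing child-src" would be clearer as "setting frame-src but seeing child-src in the emitted header". Since the paragraph still closes with "just go with a straightforward application" without saying what that application is, consider adding one line stating which directive(s) the gem now emits and that no UA-based mapping remains, so the question this note itself raises for dynamic overrides ("Do we use child-src or frame-src?") is answered in the upgrade guide rather than left to the reader.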
