Update README.md

Update some confusing comments.

see: `Content-Security-Policy Examples` in http://content-security-policy.com/. This closes #8
diff --git a/README.md b/README.md
index bb46111..63517a0 100644
--- a/README.md
+++ b/README.md
@@ -130,13 +130,16 @@
     -->
     <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
 
-    <!-- Allow requests to foo.com -->
+    <!-- Allow everything but only from the same origin and foo.com -->
     <meta http-equiv="Content-Security-Policy" content="default-src 'self' foo.com">
 
-    <!-- Enable all requests, inline styles, and eval() -->
+    <!-- This policy allows everything (eg CSS, AJAX, object, frame, media, etc) except that 
+        * CSS only from the same origin and inline styles,
+        * scripts only from the same origin and inline styles, and eval()
+    -->
     <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
 
-    <!-- Allow XHRs via https only -->
+    <!-- Allows XHRs only over HTTPS on the same domain. -->
     <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:">
 
     <!-- Allow iframe to https://cordova.apache.org/ -->
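Review bot: The new comment above `default-src 'self' https:` says XHRs are allowed "only over HTTPS on the same domain", but a CSP source list is a union, so this policy permits the same origin plus any origin loaded over `https:`. Because the directive is `default-src`, it also applies to every fetch type that has no directive of its own, not just XHR. A closer wording would be `<!-- Allow loads from the same origin, and from any other origin only over HTTPS -->`. In the comment for the `default-src *` example, the scripts bullet says "inline styles" where `script-src 'self' 'unsafe-inline' 'unsafe-eval'` allows inline scripts, so it should read `* scripts only from the same origin, plus inline scripts and eval()`. That comment should also say that `'unsafe-inline'` and `'unsafe-eval'` on `script-src` give up most of CSP's protection against injected script, so readers do not copy it as a recommended policy; the list of examples continues outside this hunk.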