Removing http schemes

[davidhan527]

I noticed that the http schemes are being stripped when using version 3.X for csp. Why was this change made? It would help if this is also mentioned in the upgrade path since any tests that check the csp header value will break based on this change.

[reedloden]

This is likely due to preserve_schemes: false being the default now. If you change that to true, I suspect things will go back to what you expect.

[oreoshake]

This change was made because the need to preserve schemes implies that you have mixed content. A source without a scheme defaults to the current scheme and allows "upgrades". "Mixed was a mistake" which is why the default is to not support it. As @reedloden mentions, true will add the schemes back.

Added to the upgrade doc: e8f5103

[davidhan527]

Got it. Thank you for the explanation.