CSP: Document http->https, and wss being allowed in `'self'`

[wbamberg]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src has a note:

This is I think out of date but it refers to an interesting spec change that we should document: w3c/webappsec-csp@0e81d81.

http: is not equivalent to http: https:, and ws: to ws: wss:.
Likewise, handling for 'self' now includes https: and wss: on
the protected resource's host.

(I think "not" above should be "now")

The idea I think is that:

• if you specify http: as the scheme in a source expression, the browser will allow https:
• if you specify ws: as the scheme in a source expression, the browser will allow wss:
• if you specify 'self' in a source expression, then wss: is allowed for the scheme if the rest of the origin matches

[hamishwillee]

FWIW

1. the ability to specify http and https in a schema is very new https://developer.mozilla.org/en-US/docs/Web/API/WebSocket/WebSocket#url - less than a year.
2. For this case I think I would have expected a compat data update.