Security/CSP/Specification

666 bytes removed, 23:57, 8 March 2010
Restrictions on policy-uri and report-uri
==Restrictions on policy-uri and report-uri==
''Text before this revision:''

The optional directive policy-uri must refer to the same origin (scheme/host/port) as the protected document. The report-uri directive must refer to an origin with the same public suffix and base host. (For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com". Additionally, policy-uri documents must be served with the MIME type text/x-content-security-policy to be valid.)

* Restricted:
** policy-uri directives which refer to a URI on a different host than the protected document, e.g. policy-uri http://other.tld/csp-policy.cgi
** policy-uri responses served with Content-Type other than text/x-content-security-policy, e.g. Content-Type: text/html, or Content-type: image/jpeg
** report-uri directives which refer to a URI on a different public suffix or base host than the protected document, e.g. report-uri http://other.tld/csp-report.cgi
* Allowed:
** policy-uri directives which refer to a URI on the same host as the protected document, e.g. policy-uri http://same.site/csp-policy.cgi. The policy document must also be served with the response header Content-Type: text/x-content-security-policy
** report-uri directives which refer to a URI containing the same public suffix and base host as the protected document, e.g. on www.site.com there is a report-uri http://same.site.com/csp-report.cgi
* Justification:
** A site which has not opted in to using CSP should not be forced into using CSP by an attacker who can inject a policy-uri directive into an HTTP header. Restricting the policy-uri to the same host as the protected document, and requiring it to be served as text/x-content-security-policy, ensures the site has positively opted in to CSP.
** The report sent to the report-uri contains potentially sensitive information, including cookie values and query string parameters. This information is intended only for the protected site, for debugging purposes or similar. An attacker should not be allowed to steal the report information by injecting a report-uri along with an arbitrary policy to be violated.

''Text after this revision:''

User Agents MUST raise a fatal error AND ignore any policy-uri that does not refer to the same origin (scheme/host/port) as the protected document, OR that is not served with the MIME type "text/x-content-security-policy". User Agents MUST raise a non-fatal warning AND ignore any report-uri values that refer to an origin not of the same public suffix and base host. (For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com". Additionally, policy-uri documents must be served with the MIME type text/x-content-security-policy to be valid.)

* User Agents MUST raise a fatal error AND revert to the policy "allow 'none'" when:
** parsing a policy-uri directive value referring to a URI on a different host from the protected document, e.g. policy-uri http://other.tld/csp-policy.cgi
** receiving a policy-uri HTTP response served with Content-Type other than text/x-content-security-policy, e.g. Content-Type: text/html, or Content-type: image/jpeg
* User Agents MUST raise a non-fatal warning AND ignore:
** any report-uri directive values that refer to a URI on a different public suffix from the protected document
** any report-uri directive values that refer to a different base host than the protected document, e.g. report-uri http://other.tld/csp-report.cgi
* ''Privacy Consideration:'' The report sent to the report-uri contains potentially sensitive information, including cookie values and query string parameters. This information is intended only for the protected site, for debugging purposes or similar. An attacker should not be allowed to steal the report information by injecting a report-uri along with an arbitrary policy to be violated.
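The two rules above, the fatal same-origin-plus-MIME-type check for policy-uri and the non-fatal base-host check for report-uri, can be written down as a small validator. The following Python is an added illustration, not code from the wiki page or from any browser's CSP implementation. It assumes a tiny constructed stand-in for the Public Suffix List (a real user agent would consult the full list), and it takes the Content-Type of the policy-uri response as an input instead of fetching it, so it runs offline. The header syntax assumed is the one shown on the page: directives separated by semicolons, each a name followed by its value.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption): a real user
# agent would consult the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "tld", "co.uk"}

POLICY_MIME = "text/x-content-security-policy"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin test compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def base_host(host):
    """Public suffix plus one label: 'www.mysite.com' -> 'mysite.com'.

    Returns None when the host is itself a public suffix or matches no known
    suffix, so callers treat it as not comparable to anything.
    """
    labels = host.lower().split(".")
    # Scanning from the left finds the longest matching suffix first,
    # so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def parse_directives(header):
    """Split a CSP header into (name, value) pairs; names are case-insensitive."""
    directives = []
    for chunk in header.split(";"):
        fields = chunk.strip().split(None, 1)
        if not fields:
            continue
        value = fields[1].strip() if len(fields) > 1 else ""
        directives.append((fields[0].lower(), value))
    return directives


def check_policy_uri(protected_url, policy_uri, response_content_type):
    """Fatal rule: policy-uri must be same-origin and served as POLICY_MIME."""
    if origin(policy_uri) != origin(protected_url):
        return ("fatal", "policy-uri %s is not same-origin with the protected document"
                % policy_uri)
    mime = response_content_type.split(";")[0].strip().lower()
    if mime != POLICY_MIME:
        return ("fatal", "policy-uri response served as %r, not %s" % (mime, POLICY_MIME))
    return ("ok", None)


def check_report_uri(protected_url, report_uri):
    """Non-fatal rule: report-uri must share public suffix and base host."""
    protected_base = base_host(origin(protected_url)[1])
    report_base = base_host(origin(report_uri)[1])
    if protected_base is None or report_base is None or protected_base != report_base:
        return ("warning", "report-uri %s ignored: base host differs from %s"
                % (report_uri, origin(protected_url)[1]))
    return ("ok", None)


def evaluate(protected_url, header, policy_response_content_type=""):
    """Apply both rules to a header and return the policy a UA would enforce.

    policy_response_content_type is the Content-Type observed when fetching
    the policy-uri; it is passed in because this example performs no fetches.
    """
    kept, messages = [], []
    for name, value in parse_directives(header):
        if name == "policy-uri":
            status, msg = check_policy_uri(protected_url, value, policy_response_content_type)
            if status == "fatal":
                # Fatal error: the whole policy reverts to allow 'none'.
                return {"policy": [("allow", "'none'")], "messages": messages + [msg]}
        elif name == "report-uri":
            status, msg = check_report_uri(protected_url, value)
            if status == "warning":
                messages.append(msg)
                continue  # drop only the offending directive, keep the rest
        kept.append((name, value))
    return {"policy": kept, "messages": messages}


if __name__ == "__main__":
    # Constructed samples built from the hosts used in the page's own examples.
    print(evaluate("http://www.site.com/page",
                   "allow 'self'; report-uri http://other.tld/csp-report.cgi; "
                   "report-uri http://same.site.com/csp-report.cgi"))
    print(evaluate("http://same.site/index.html",
                   "allow 'self'; policy-uri http://other.tld/csp-policy.cgi", POLICY_MIME))
```

The asymmetry between the two rules is deliberate and mirrors the text: an injected policy-uri could impose a policy on a site that never opted in, so the only safe outcome is to fail closed to allow 'none', whereas a bad report-uri only threatens to leak the violation report, so dropping that one directive while enforcing the remaining policy is enough.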
==Activation and Enforcement==