diff --git a/index.html b/index.html
index 1c5b90d..c210d0e 100644
--- a/index.html
+++ b/index.html
@@ -1273,6 +1273,11 @@ <h3 class="heading settled" data-level="1.3" id="changes-from-level-2"><span cla
      <li data-md="">
       <p>The <code>frame-src</code> directive, which was deprecated in CSP Level
   2, has been removed.</p>
+     <li data-md="">
+      <p>Insecure schemes in source expressions now match their secure variants.
+  That is, <code>http:</code> is equivalent to <code>http: https:</code>, and <code>http://a.com</code> to <code>http://a.com https://a.com</code>.</p>
+      <p>Likewise, <code>'self'</code> now matches <code>https</code> and <code>wss</code> variants of the page’s
+  origin, even on pages whose scheme is <code>http</code>.</p>
     </ol>
     <h3 class="heading settled" data-level="1.4" id="open-questions"><span class="secno">1.4. </span><span class="content">Open Questions</span><a class="self-link" href="#open-questions"></a></h3>
     <ol>
diff --git a/index.src.html b/index.src.html
index 24b13b7..ab904d4 100644
--- a/index.src.html
+++ b/index.src.html
@@ -321,6 +321,13 @@ <h3 id="changes-from-level-2">Changes from Level 2</h3>
   2.  The `frame-src` directive, which was deprecated in CSP Level
       2, has been removed.
 
+  3.  Insecure schemes in source expressions now match their secure variants.
+      That is, `http:` is equivalent to `http: https:`, and `http://a.com`
+      to `http://a.com https://a.com`.
+
+      Likewise, `'self'` now matches `https` and `wss` variants of the page's
+      origin, even on pages whose scheme is `http`.
+
   <h3 id="open-questions">Open Questions</h3>
 
   1.  Do we really want to remove `frame-src`? Though the threat model of