add docs about child/frame-src handling

Author: oreoshake

README.md

@@ -55,7 +55,7 @@ SecureHeaders::Configuration.default do |config|
     default_src: %w(https: 'self'),
     base_uri: %w('self'),
     block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
-    child_src: %w('self'),
+    child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
     connect_src: %w(wss:),
     font_src: %w('self' data:),
     form_action: %w('self' github.com),