Merge pull request #47 from jagaapple/release/v2.2.0

# New Features
- Add navigation directives #41 
  - Move to `navigation-to` directive from `ReportingDirective` to `NavigationDirective`
- Add about frame-ancestors CSP directive to readme #46


# Changes and Fixes
- Modify English in readme
- Update dev dependencies

Author: jagaapple

CHANGELOG.md

@@ -1,4 +1,12 @@
 # Changelog
+## 2.2.0 (2021-02-25)
+- Add navigation directives #41 - [@naotone](https://github.com/naotone)
+  - Support `form-action` `frame-ancestors` directives
+  - Move to `navigation-to` directive from ReportingDirective to NavigationDirective
+- Add about frame-ancestors CSP directive to readme #46 - [@mattdell](https://github.com/mattdell)
+- Improve development environment
+  - Update dependencies - [@jagaapple](https://github.com/jagaapple)
+
 ## 2.1.0 (2020-12-27)
 - Add support for Node.js 14 #36 - [@jagaapple](https://github.com/jagaapple)
 - Add support for chain-case directive styles to CSP #40 - [@jagaapple](https://github.com/jagaapple)

README.md

@@ -101,7 +101,7 @@ was born. next-secure-headers is built for Next.js project so that you can speci
 components.
 
 #### next-secure-headers vs Helmet
-The following are rules next-secure-headers has and Helmet has. next-secure-headers is inspired by Helmet, but it don't have
+The following are rules next-secure-headers has and Helmet has. next-secure-headers is inspired by Helmet, but it doesn't have
 some rules for some reason.
 
 |                                   | next-secure-headers     | Helmet                  | Comment                                                                                           |
@@ -355,6 +355,8 @@ blocks many XSS attacks, but Content Security Policy is recommended to use compa
               | "allow-top-navigation-by-user-activation";
           }>
           & Partial<{
+            formAction: string | string[];
+            frameAncestors: string | string[];
             navigateTo: string | string[];
             reportURI: string | URL | (string | URL)[];
             reportTo: string;
@@ -375,6 +377,11 @@ If you give true to `reportOnly` , this sets "Content-Security-Policy-Report-Onl
 
 Also you can specify directives using chain-case names such as `child-src` instead of `childSrc` .
 
+> **❗️ When setting `frameAncestors` :X-Frame-Options takes priority.**
+> [Section "Relation to X-Frame-Options" of the CSP Spec](https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options) says: _"If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored"_, but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
+> 
+> Therefore, if setting `frameAncestors` you should set `frameGuard` to `false`.
+
 ### `expectCT`
 ```ts
 {