Directive: frame-ancestors
The frame-ancestors directive specifies the valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>. Resources can use this directive to defeat many UI redressing attacks by refusing to be embedded into potentially hostile contexts. Sites can use it to prevent click-jacking by ensuring that their content is not embedded into other sites.
Note: frame-ancestors allows you to specify which parent sources may embed a page. This differs from frame-src, which allows you to specify where the iframes in a page may be loaded from.
In order for this to be most effective across a large swath of newer and older browsers, use this together with the X-Frame-Options header.
X-Frame-Options | frame-ancestors
---|---
DENY | 'none'
SAMEORIGIN | 'self'
Affects: <frame>; <iframe>; <object>; <embed>
Required reading:
Accepts one or more schemes or hosts, the 'self' keyword, or the 'none' keyword.
frame-ancestors 'none'
frame-ancestors 'self'
frame-ancestors example.com
frame-ancestors example.com example.org
frame-ancestors https://*.example.com
frame-ancestors https:
❌ frame-ancestors does not fall back to default-src.
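As an added worked example (not code from the original page), a small Python checker that applies the semantics above: it parses a Content-Security-Policy value, decides whether a given ancestor origin may frame the page, returns None when frame-ancestors is absent (because the directive does not fall back to default-src), and maps the two directly equivalent source lists to X-Frame-Options. The matching is a simplified assumption that ignores ports and paths.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]};
    the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(source, ancestor, page_origin):
    """Match one frame-ancestors source expression against an ancestor origin.
    Simplified matcher (assumption): 'none', 'self', scheme-only, host and *.host
    sources are handled; ports and paths are ignored."""
    anc, page = urlsplit(ancestor), urlsplit(page_origin)
    ahost = anc.hostname or ""
    if source == "'none'":                      # never matches anything
        return False
    if source == "'self'":                      # same scheme and host as the page
        return (anc.scheme, ahost) == (page.scheme, page.hostname)
    if source.endswith(":"):                    # scheme-only source such as "https:"
        return anc.scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")  # scheme is "" for a bare host
    host = rest.split("/")[0].lower()
    if scheme and anc.scheme != scheme.lower():
        return False
    if host.startswith("*."):                   # *.example.com matches a.example.com only
        return ahost.endswith(host[1:])
    return ahost == host

def ancestor_allowed(csp_header, ancestor_origin, page_origin):
    """True/False when frame-ancestors decides; None when the directive is absent,
    because frame-ancestors does not fall back to default-src."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return None
    return any(source_matches(s, ancestor_origin, page_origin) for s in sources)

def xfo_equivalent(csp_header):
    """Closest X-Frame-Options value per the table above, or None when
    X-Frame-Options cannot express the frame-ancestors list."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    return {("'none'",): "DENY", ("'self'",): "SAMEORIGIN"}.get(tuple(sources or ()))
```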
- CSP-0200 — [ERROR] directive %s has an invalid value%s
ABNF (CSP3)
directive-name = "frame-ancestors"
directive-value = serialized-source-list
See ABNF: serialized-source-list
- source-list in CSP2
- serialized-source-list in CSP3
Content licensed under CC BY-SA.