Content-Security-Policy: frame-ancestors directive
Baseline: Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since January 2018.
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>.
Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers).
Note:
frame-ancestors allows you to specify what parent source may embed a page.
This differs from frame-src, which allows you to specify where iframes in a page may be loaded from.
Note:
The frame-ancestors directive checks each ancestor. If any ancestor doesn't match, the load is cancelled. Therefore all ancestors should be allowed by the frame-ancestors directive of leaf frames when using nested frames.
| CSP version | 2 |
|---|---|
| Directive type | Navigation directive |
| default-src fallback | No. Not setting this allows anything. |
| This directive is not supported in the <meta> element. | |
Syntax
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors <source-expression-list>;
This directive may have one of the following values:
- 'none': This resource may not be embedded. The single quotes are mandatory.
- <source-expression-list>: A space-separated list of source expression values. This resource may be embedded if the embedder matches any of the given source expressions. For this directive, the following source expression values are applicable:
Note:
The frame-ancestors directive's syntax is similar to the source list syntax accepted by other directives (e.g., child-src), but it does not fall back to the default-src setting. A policy that declares default-src 'none' still allows the resource to be embedded by anyone.
Examples
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;
Content-Security-Policy: frame-ancestors 'self' https://example.org https://example.com https://store.example.com;
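As an added example that is not part of the MDN page, the following Python checker applies the rules described above (every ancestor in a nested chain is checked, 'none' and 'self', host sources with wildcard subdomains and ports, scheme sources, and no fallback to default-src) to a CSP header and a list of ancestor origins. The page origin, policy and ancestor origins are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None when the directive is absent.
    frame-ancestors has no default-src fallback, so absent means unrestricted."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _host_matches(pattern, host):
    # "*.example.org" matches any subdomain (not the bare domain); otherwise exact
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def source_matches(source, origin, page_origin):
    """Match one source expression against an ancestor origin "scheme://host[:port]"."""
    if source == "'self'":
        return origin == page_origin
    o = urlsplit(origin)
    if source.endswith(":") and "://" not in source:   # <scheme-source>, e.g. "https:"
        return o.scheme == source[:-1]
    # <host-source>: [scheme://]host[:port]; a missing scheme inherits the page's scheme
    scheme, sep, hostport = source.rpartition("://")
    scheme = scheme if sep else urlsplit(page_origin).scheme
    host, _, port = hostport.partition(":")
    if o.scheme != scheme or not _host_matches(host, o.hostname or ""):
        return False
    origin_port = o.port or DEFAULT_PORTS.get(o.scheme)
    return port in ("", "*") or origin_port == int(port)

def embedding_allowed(csp, ancestor_origins, page_origin):
    """Decide whether the page may be embedded under the given chain of ancestor
    origins: every ancestor must match some source, or the load is cancelled."""
    sources = frame_ancestors(csp)
    if sources is None:
        return True                          # no directive, anyone may embed
    if not sources or sources == ["'none'"]:
        return False
    return all(any(source_matches(s, a, page_origin) for s in sources)
               for a in ancestor_origins)

# Constructed sample: a store page embeds the site, which may also embed itself
PAGE = "https://example.org"
POLICY = "default-src 'none'; frame-ancestors 'self' https://store.example.com"
```

Run with a real response header and the chain of ancestor origins taken from a browser's frame tree to see why a nested embed was blocked.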
Specifications
| Specification |
|---|
| Content Security Policy Level 3, # directive-frame-ancestors |
Browser compatibility