Directive: frame ancestors

Ryan Parman edited this page Jun 14, 2024 · 8 revisions

Overview

The frame-ancestors directive specifies the valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>. Resources can use this directive to avoid many UI redressing attacks by preventing the page from being embedded in potentially hostile contexts. Sites can use it to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Note

frame-ancestors allows you to specify what parent source may embed a page. This differs from frame-src, which allows you to specify where iframes in a page may be loaded from.

In order for this to be most effective across a large swath of newer and older browsers, use this together with the X-Frame-Options header.

| X-Frame-Options | frame-ancestors |
| --- | --- |
| DENY | 'none' |
| SAMEORIGIN | 'self' |

Affects: <frame>; <iframe>; <object>; <embed>

Required reading:

Usage examples

Accepts one or more schemes or hosts, the 'self' keyword, or the 'none' keyword.

frame-ancestors 'none'
frame-ancestors 'self'
frame-ancestors example.com
frame-ancestors example.com example.org
frame-ancestors https://*.example.com
frame-ancestors https:

Fallbacks

frame-ancestors does not fallback to default-src.
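As an added example (not code from this wiki's project), a simplified CSP3 matcher for frame-ancestors in JavaScript: it checks whether an embedding ancestor origin is permitted under each source form shown in the usage examples, demonstrates that a missing directive gets no default-src fallback, and derives the X-Frame-Options equivalent from the table above. All function names are hypothetical, and port and path handling is reduced to what these cases need.

```javascript
// Added example: simplified CSP3 frame-ancestors matching (not the wiki project's code).
// Ports are compared only by explicit value or scheme default; paths are ignored.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Returns the frame-ancestors source expressions, or null if the directive is absent.
function parseFrameAncestors(policy) {
  const directive = policy.split(";").map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Does one source expression permit `ancestor` to embed the page served at `self`?
function sourceMatches(source, ancestor, self) {
  const a = new URL(ancestor);
  if (source === "'none'") return false;
  if (source === "'self'") return a.origin === new URL(self).origin;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  // host-source: [scheme://] [*.]host [:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && a.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = host.toLowerCase();
  if (wildcard ? !a.hostname.endsWith(`.${h}`) : a.hostname !== h) return false;
  const ancestorPort = a.port || DEFAULT_PORT[a.protocol] || "";
  return !port || port === "*" || port === ancestorPort;
}

// frame-ancestors does not fall back to default-src: with no directive, any parent may embed.
// An empty source list permits nothing, matching the CSP treatment of an empty list.
function isAncestorAllowed(policy, ancestor, self) {
  const sources = parseFrameAncestors(policy);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, ancestor, self));
}

// Equivalent X-Frame-Options value for the two cases in the table above; null otherwise.
function xFrameOptionsFallback(policy) {
  const sources = parseFrameAncestors(policy);
  if (!sources || sources.length !== 1) return null;
  if (sources[0] === "'none'") return "DENY";
  if (sources[0] === "'self'") return "SAMEORIGIN";
  return null;
}
```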

Possible errors

  • CSP-0200 — [ERROR] directive %s has an invalid value %s

For developers

ABNF (CSP3)

directive-name  = "frame-ancestors"
directive-value = serialized-source-list

See ABNF: serialized-source-list

Type

References
