Menu
What do frame-src and frame-ancestors do exactly? The definition shows the purpose is the same to define valid contents for frames for both directives. When to use which one? I was able to load an external domain content in iframe using -
frame-ancestors and default-src rulesframe-srcBoth are working but couldn't get correct use cases.
548
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame> , <iframe> , <object> , <embed> , or <applet> . Setting this directive to 'none' is similar to X-Frame-Options : deny (which is also supported in older browsers).
The frame-ancestors directive allows you to specify which parent URLs can frame the current resource. Using the frame-ancestors CSP directive we can block or allow a page from being placed within a frame or iframe.
The frame-src directive was deprecated in Content-Security-Policy level 2 in favor of child-src (which was introduced in level2). It was then undeprecated in level 3 to replace child-src again (although child-src is still available and not deprecated.
default-src, frame-ancestors, and frame-src are all part of the Content-Security-Policy response header.
Restricts what domains and page can load in an iframe.
The HTTP Content-Security-Policy (CSP)
frame-srcdirective specifies valid sources for nested browsing contexts loading using elements such as<frame>and<iframe>.
For example: If the website at https://example.com has a response header of Content-Security-Policy: frame-src 'self', it can only load https://example.com inside iframes.
Restricts what domains and page can be loaded in from an iframe (similar to the X-Frame-Options header, but takes precedence over it).
The HTTP Content-Security-Policy (CSP)
frame-ancestorsdirective specifies valid parents that may embed a page using<frame>,<iframe>,<object>,<embed>, or<applet>.
For example: If the website at https://example.com has a response header of Content-Security-Policy: frame-ancestors 'self', it can only be loaded inside iframes from https://example.com.
Acts as the default value for any fetch directive that isn't explicitly set (here is a list of all fetch directives)
The HTTP Content-Security-Policy (CSP)
default-srcdirective serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent will look for thedefault-srcdirective and will use this value for it.
For example: Content-Security-Policy: default-src 'self' will default to the value 'self' for all fetch directives. Other directives will be unaffected.
Note: since frame-ancestors is not a fetch directive, setting default-src won't restrict it. It needs to be set separately.
95
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
