CSP: frame-ancestors
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>.
Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers).
Note: frame-ancestors allows you to specify what parent source may embed a page. This differs from frame-src, which allows you to specify where iframes in a page may be loaded from.
CSP version | 2 |
---|---|
Directive type | Navigation directive |
default-src fallback | No. Not setting this allows anything. |

This directive is not supported in the <meta> element.
Syntax
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors <source-expression-list>;
This directive may have one of the following values:
- 'none': This resource may not be embedded. The single quotes are mandatory.
- <source-expression-list>: A space-separated list of source expression values. This resource may be embedded if the embedder matches any of the given source expressions. For this directive, the following source expression values are applicable:
Note: The frame-ancestors directive's syntax is similar to the source list syntax accepted by other directives (e.g., child-src), but it does not fall back to the default-src setting. A policy that declares default-src 'none' still allows the resource to be embedded by anyone.
Examples
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors 'self' https://www.example.org;
Content-Security-Policy: frame-ancestors 'self' https://example.org https://example.com https://store.example.com;
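The following is an added example, not code from this page: a small audit that reports whether a response actually restricts embedding, covering the two pitfalls described above (no default-src fallback, no <meta> support) and the X-Frame-Options: deny equivalent. The names parsePolicy and auditFraming and the input shape are hypothetical, and it assumes the header value carries a single policy.

```javascript
// Added example, not MDN code. Function names and the input shape are hypothetical.

// Parse one serialized policy into a Map of directive name -> value tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // A directive repeated within one policy is ignored after its first use.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// headers: response headers keyed by lower-case name (assumed shape).
// metaPolicies: policy strings taken from <meta http-equiv> elements.
function auditFraming(headers, metaPolicies = []) {
  const notes = [];
  const policy = parsePolicy(headers["content-security-policy"] || "");
  const sources = policy.get("frame-ancestors");

  if (metaPolicies.some((p) => parsePolicy(p).has("frame-ancestors"))) {
    notes.push("frame-ancestors in <meta> is not supported; send it as a header");
  }
  if (sources) {
    const none = sources.length === 1 && sources[0].toLowerCase() === "'none'";
    return { framing: none ? "none" : "allowlist", sources, notes };
  }
  if (policy.has("default-src")) {
    notes.push("default-src is not a fallback for frame-ancestors");
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") {
    notes.push("only X-Frame-Options: deny restricts embedding");
    return { framing: "xfo-deny", sources: [], notes };
  }
  return { framing: "unrestricted", sources: [], notes };
}

// Constructed sample responses.
const weak = auditFraming({ "content-security-policy": "default-src 'none'" });
const strict = auditFraming({
  "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://www.example.org",
});
console.log(weak.framing, weak.notes);     // embeddable by anyone despite default-src 'none'
console.log(strict.framing, strict.sources);
```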
Specifications
Specification |
---|
Content Security Policy Level 3 # directive-frame-ancestors |