CSP: frame-ancestors

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, or <embed>.

Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers).

Note: frame-ancestors allows you to specify what parent source may embed a page. This differs from frame-src, which allows you to specify where iframes in a page may be loaded from.

CSP version: 2
Directive type: Navigation directive
default-src fallback: No. Not setting this allows anything.
This directive is not supported in the <meta> element.

Syntax

Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors <source-expression-list>;

This directive may have one of the following values:

'none'

This resource may not be embedded. The single quotes are mandatory.

<source-expression-list>

A space-separated list of source expression values. This resource may be embedded if the embedder matches any of the given source expressions. For this directive, the following source expression values are applicable:

Note: The frame-ancestors directive's syntax is similar to the source list syntax accepted by other directives (e.g., child-src), but it does not fall back to the default-src setting. A policy that declares default-src 'none' still allows the resource to be embedded by anyone.

Examples

Content-Security-Policy: frame-ancestors 'none';

Content-Security-Policy: frame-ancestors 'self' https://www.example.org;

Content-Security-Policy: frame-ancestors 'self' https://example.org https://example.com https://store.example.com;
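The following is an added example, not code from MDN or from any browser, that shows how a user agent decides whether an embedder is allowed under the syntax described above and under the three example policies. It implements a simplified form of the CSP Level 3 source-expression matching rules for the values this directive accepts ('none', 'self', scheme-source and host-source with optional wildcard host and port), and it reproduces the caveat from the note: a missing frame-ancestors directive does not fall back to default-src, so the page may be embedded by anyone. The function names (parse_csp, embedding_allowed) and the origins used in the comments are assumptions made for this example; path matching and the http-to-https upgrade rule of the full specification are deliberately left out.

```python
"""Decide whether an embedder origin may frame a page under a CSP frame-ancestors directive.

Added example (not MDN's or any browser's code). Simplified CSP Level 3 matching:
'none', 'self', scheme-source ("https:") and host-source ("[scheme://]host[:port]",
with "*." host wildcards and "*" ports). Path components of host-sources and the
http->https upgrade rule are intentionally not modelled.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header value into {directive: [values]}."""
    policy: dict[str, list[str]] = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin_parts(origin: str) -> tuple[str, str, int | None]:
    """Normalise an origin such as https://example.org:8443 to (scheme, host, port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _match_expression(expr: str, embedder: str, protected: str) -> bool:
    """Return True if one source expression matches the embedder's origin."""
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if expr_l == "'self'":
        # 'self' means the embedder has the same origin as the protected page.
        return (e_scheme, e_host, e_port) == _origin_parts(protected)
    if expr_l.endswith(":") and "/" not in expr_l:
        # scheme-source, e.g. "https:" matches any https embedder.
        return e_scheme == expr_l[:-1]
    # host-source: [scheme://]host[:port]; an omitted scheme inherits the page's scheme.
    if "://" in expr_l:
        x_scheme, rest = expr_l.split("://", 1)
    else:
        x_scheme, rest = _origin_parts(protected)[0], expr_l
    rest = rest.split("/", 1)[0]  # simplification: ignore any path component
    if e_scheme != x_scheme:
        return False
    host_part, _, port_part = rest.partition(":")
    if host_part == "*":
        pass
    elif host_part.startswith("*."):
        # "*.example.com" matches subdomains but not example.com itself.
        if not e_host.endswith(host_part[1:]):
            return False
    elif e_host != host_part:
        return False
    if port_part == "*":
        return True
    if port_part:
        return e_port == int(port_part)
    return e_port == DEFAULT_PORTS.get(x_scheme)


def embedding_allowed(csp_header_value: str, embedder_origin: str, protected_origin: str) -> bool:
    """True if a page served with this CSP may be framed by embedder_origin."""
    values = parse_csp(csp_header_value).get("frame-ancestors")
    if values is None:
        # No default-src fallback: without frame-ancestors, anyone may embed the page.
        return True
    return any(_match_expression(v, embedder_origin, protected_origin) for v in values)


if __name__ == "__main__":
    page = "https://www.example.org"  # constructed protected origin
    policy = "frame-ancestors 'self' https://example.org https://example.com https://store.example.com"
    for embedder in ("https://www.example.org", "https://store.example.com", "https://shop.example.com"):
        print(embedder, "->", "allowed" if embedding_allowed(policy, embedder, page) else "blocked")
```

The last two checks in the test below are the ones worth remembering from this page: a policy consisting only of default-src 'none' still returns "allowed" because frame-ancestors has no fallback, and https://example.com in a policy does not cover https://store.example.com unless that host (or a *.example.com wildcard) is listed explicitly.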

Specifications

Specification: Content Security Policy Level 3, # directive-frame-ancestors

Browser compatibility


See also