CSP: fenced-frame-src
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Content-Security-Policy (CSP) fenced-frame-src directive specifies valid sources for nested browsing contexts loaded into <fencedframe> elements.
| CSP version | 1 |
|---|---|
| Directive type | Fetch directive |
| Fallback | If this directive is absent, the user agent will look for the frame-src directive (which falls back to the child-src directive). |
Syntax
One or more sources can be allowed for the fenced-frame-src policy:
```http
Content-Security-Policy: fenced-frame-src <source>;
Content-Security-Policy: fenced-frame-src <source> <source>;
```
Sources
<source>s for fenced-frame-src are more limited than for frame-src. Only the following source expressions can be used:
- The scheme-source "https:"
- The host-source "https://*:*"
- The string "*"
Note: See the full list of CSP Source Values.
Examples
Violation cases
Given this CSP header:
```http
Content-Security-Policy: fenced-frame-src https://example.com/
```
The following sources will not load in a fenced frame:
- https://not-example.com/ (domain doesn't match)
- https://example.org/ (TLD doesn't match)
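To make the fallback chain and the violation cases above concrete, here is an added example (not MDN's code and not any browser's CSP implementation): a small JavaScript model that parses a Content-Security-Policy header, selects the directive that governs a <fencedframe> load (fenced-frame-src, then frame-src, then child-src, as the page describes), and matches the requested URL against its source list. It implements only the source forms relevant here (the scheme-source "https:", host-sources such as "https://*:*" or the page's "https://example.com/", the wildcard "*" and 'none'); 'self', nonces and hashes are out of scope, and the function names and the constructed policies and URLs are assumptions for illustration. It also includes a lint helper that reports any fenced-frame-src expression outside the three forms the Sources section permits.

```javascript
// Added example (not MDN's or any browser's code): a minimal model of how a
// user agent picks the directive that governs a <fencedframe> load and matches
// the requested URL against that directive's source list. Only the CSP source
// forms that matter here are supported: the scheme-source "https:", host-sources
// such as "https://*:*" or "https://example.com/", the wildcard "*" and 'none'.

// The three source expressions the page permits in fenced-frame-src.
const PERMITTED_FENCED_FRAME_SOURCES = new Set(["https:", "https://*:*", "*"]);

// Parse a serialized policy, e.g. "fenced-frame-src https:; frame-src https://a.com",
// into a Map from lowercase directive name to its list of source expressions.
// CSP ignores a repeated directive, so the first occurrence wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(";")) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fallback chain as the page states it: fenced-frame-src -> frame-src -> child-src.
// (A full implementation continues from child-src to default-src; omitted here.)
function effectiveDirective(policy) {
  for (const name of ["fenced-frame-src", "frame-src", "child-src"]) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null; // no governing directive: CSP does not restrict the load
}

function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (p === "*") return true;
  // "*.example.com" matches any subdomain but not example.com itself.
  if (p.startsWith("*.")) return h.endsWith(p.slice(1)) && h.length > p.length - 1;
  return p === h;
}

function portMatches(pattern, url) {
  if (pattern === "*") return true;
  // No port in the source expression: only the scheme's default port matches.
  if (pattern === undefined) return url.port === "";
  const defaults = { "https:": "443", "http:": "80" };
  return pattern === (url.port || defaults[url.protocol] || "");
}

// CSP path matching: a trailing "/" means prefix match, otherwise exact match.
function pathMatches(pattern, pathname) {
  if (!pattern) return true;
  return pattern.endsWith("/") ? pathname.startsWith(pattern) : pathname === pattern;
}

// Does one source expression match the URL (a WHATWG URL object)?
function sourceMatches(expr, url) {
  if (expr === "*") return true;
  if (expr === "'none'") return false;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return false; // unsupported or malformed expression never matches
  const [, scheme, host, port, path] = m;
  // Simplification: a host-source without a scheme is taken to mean https only.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : "https:";
  return url.protocol === wantScheme &&
    hostMatches(host, url.hostname) &&
    portMatches(port, url) &&
    pathMatches(path, url.pathname);
}

// Would a <fencedframe> navigation to requestUrl be allowed under this policy?
function isFencedFrameLoadAllowed(header, requestUrl) {
  const url = new URL(requestUrl);
  const eff = effectiveDirective(parsePolicy(header));
  if (eff === null) return true;
  return eff.sources.some((expr) => sourceMatches(expr, url));
}

// Lint helper: list the expressions in fenced-frame-src that fall outside the
// three forms the directive accepts, so a policy author can spot them.
function unsupportedFencedFrameSources(header) {
  const sources = parsePolicy(header).get("fenced-frame-src") || [];
  return sources.filter((expr) => !PERMITTED_FENCED_FRAME_SOURCES.has(expr));
}

// Walk through the page's violation cases when run directly (constructed inputs).
if (typeof require !== "undefined" && require.main === module) {
  const policy = "fenced-frame-src https://example.com/";
  for (const target of ["https://example.com/page", "https://not-example.com/", "https://example.org/"]) {
    console.log(target, isFencedFrameLoadAllowed(policy, target) ? "allowed" : "blocked");
  }
  console.log("outside the permitted set:", unsupportedFencedFrameSources(policy));
}
```

Running it shows the two blocked URLs from the violation cases, and the lint helper flags "https://example.com/" as a form that fenced-frame-src does not accept, which is the check worth adding to a CSP review: a fenced-frame-src value that only works because of a host-source will not behave like the equivalent frame-src rule.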
Specifications
| Specification |
|---|
| Fenced Frame # new-csp-directive |
Browser compatibility