child-src
The child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent.
Recommended Values
'self'
Allows child frames and workers from the same origin
Tips & Tricks
If child-src is not defined, the default-src directive will be used. child-src is itself a fallback: a frame load is checked against frame-src, then child-src, then default-src; a worker load is checked against worker-src, then child-src, then script-src, then default-src. The first of those directives present in the policy is the only one consulted.
Examples
Allows child frames and workers from the same origin and a specific external site
Content-Security-Policy: child-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<iframe src="/local-frame.html"></iframe>
<!-- allowed by https://example.com -->
<iframe src="https://example.com/external-frame.html"></iframe>
<!-- allowed by 'self' (no worker-src is set, so child-src governs workers) -->
<script>
  var worker = new Worker('/js/worker.js');
</script>
Blocked
<!-- blocked: https://malicious.website.com is not in the allowed sources -->
<iframe src="https://malicious.website.com"></iframe>
<!-- blocked: a data: URL matches neither 'self' nor https://example.com; the Worker constructor fails with a network error -->
<script>
  var blockedWorker = new Worker("data:application/javascript, ...");
</script>
Frequently Asked Questions
What happens if I don't set this directive?
If you don't set child-src, frame and worker loads fall back to the default-src directive (workers check script-src before default-src). If default-src is not set either, no directive governs those loads and the browser places no restriction on where frames and workers may be loaded from.
Security Note
Relying on browser defaults may lead to a less secure configuration. It's recommended to explicitly set your CSP directives.
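To make the examples above and the fallback rules concrete, here is a small model of how a browser picks the directive that governs a frame or worker load and checks the target URL against its source list. It is an added example, not code from the original page or from any browser. The page origin https://www.site.test and the worker and frame URLs are constructed for illustration; nonces, hashes and the 'strict-dynamic' keyword are out of scope for this model.

```javascript
// Parse a header value into Map<directive, [source expressions]>.
// A repeated directive is ignored: the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Where a browser looks, in order, for each load type (CSP Level 3).
const FALLBACKS = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Returns { name, sources } for the directive that governs this load,
// or null when none applies (the load is then unrestricted).
function effectiveDirective(policy, loadType) {
  for (const name of FALLBACKS[loadType]) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Match one source expression against a parsed URL. Handles 'none', 'self',
// '*', scheme sources (https:) and host sources with optional scheme,
// leading wildcard, port and path.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (e === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
    return url.protocol === e || (e === 'http:' && url.protocol === 'https:');
  }
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false; // not a form this model understands
  const [, scheme, host, port, path] = m;
  // Scheme: the explicit one, otherwise the page's own; http may upgrade to https.
  const want = scheme ? scheme + ':' : self.protocol;
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;
  // Host: '*' is any host; '*.example.com' is any subdomain, not the apex.
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (host !== '*' && url.hostname !== host) {
    return false;
  }
  // Port: none given means the scheme's default port (URL.port is '' then).
  if (port === undefined) {
    if (url.port !== '') return false;
  } else if (port !== '*') {
    const actual = url.port || (url.protocol === 'https:' || url.protocol === 'wss:' ? '443' : '80');
    if (actual !== port) return false;
  }
  // Path: a trailing slash is a prefix match, otherwise exact.
  if (path && path !== '/') {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a frame ('frame-src') or worker ('worker-src') load of targetUrl be
// permitted on a page at pageOrigin under this CSP header?
function isAllowed(header, loadType, targetUrl, pageOrigin) {
  const directive = effectiveDirective(parseCsp(header), loadType);
  if (!directive) return true;
  const url = new URL(targetUrl, pageOrigin);
  const self = new URL(pageOrigin);
  return directive.sources.some((expr) => sourceMatches(expr, url, self));
}

// Demo with the page's policy; the page origin is a constructed value.
const PAGE = 'https://www.site.test';
const POLICY = "child-src 'self' https://example.com";
for (const [type, target] of [
  ['frame-src', '/local-frame.html'],
  ['frame-src', 'https://example.com/external-frame.html'],
  ['worker-src', '/js/worker.js'],
  ['frame-src', 'https://malicious.website.com'],
  ['worker-src', 'data:application/javascript,self.postMessage(1)'],
]) {
  console.log(type, target, isAllowed(POLICY, type, target, PAGE) ? 'allowed' : 'blocked');
}
```

The fallback order matters in practice: with `default-src 'none'; script-src 'self'; child-src https://example.com`, a same-origin worker is blocked, because child-src is consulted before script-src and `'self'` is not in its list. Remove child-src from that policy and the same worker is allowed via script-src. That is the kind of surprise a reporting endpoint will show you.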
What's the difference between child-src and frame-src?
Both directives can control frame content. child-src was originally designed to cover both frames and workers; CSP Level 3 split that dual purpose into frame-src (frames) and worker-src (workers) for better specificity and kept child-src as the fallback for both. When frame-src is present it takes precedence over child-src for frames, and when worker-src is present it takes precedence for workers.
Status Note
child-src is not deprecated in CSP Level 3, but it is now mainly a fallback. Use frame-src for frames and worker-src for workers, and keep child-src only where you need to cover browsers that do not understand the newer directives.
Can I use child-src to control web workers?
Yes: when no worker-src is present, a worker load is checked against child-src (and, if that is absent too, against script-src and then default-src). It is still recommended to use worker-src for web workers, since it states the policy's intent clearly and lets you give workers a different source list from frames. Browsers that predate worker-src ignore it and fall back to child-src, so keeping child-src alongside worker-src covers them.
Best Practice
Use worker-src for controlling web workers so that the policy's intent is explicit and frames and workers can be restricted independently; keep child-src as the fallback if older browsers must be supported.
Is child-src still relevant for modern web development?
While child-src still works, modern best practice is to use the more specific directives frame-src and worker-src, which give clearer and finer control over your policy. Because browsers that do not recognise those directives fall back to child-src, you may need to keep child-src for backward compatibility.
Browser Compatibility
If you need to support older browsers, set child-src alongside frame-src and worker-src. Browsers that understand the specific directives use them; older ones use child-src. Keep the source lists consistent so the policy enforced does not depend on which browser is rendering the page.