fenced-frame-src
The fenced-frame-src directive specifies the sources from which content may be loaded into fenced frames.
Recommended Values
https://subdomain.domain.com
Allows scripts from a specific external site
Tips & Tricks
This directive is experimental and may not be supported by all browsers.
Only the following values are allowed: the scheme-source https:, a host-source of the form https://<subdomain>.<domain>.com/<path>, and the wildcard *.
Examples
Allows scripts from the same origin and a specific external site
Content-Security-Policy: fenced-frame-src 'self' https://example.com;
Allowed
<!-- allowed by 'self': the frame loads a same-origin URL -->
<script>
  var fencedFrame = document.createElement('fencedframe');
  fencedFrame.src = '/fenced-frame.html';
  document.body.appendChild(fencedFrame);
</script>

<!-- allowed by https://example.com -->
<script>
  var fencedFrame = document.createElement('fencedframe');
  fencedFrame.src = 'https://example.com/fenced-frame.html';
  document.body.appendChild(fencedFrame);
</script>
Blocked
<!-- blocked: a data: URI is not an allowed source -->
<script>
  var blockedFencedFrame = document.createElement('fencedframe');
  blockedFencedFrame.src = 'data:application/JavaScript, ...';
  document.body.appendChild(blockedFencedFrame);
</script>

<!-- blocked: https://malicious.website.com is not in the allowed sources -->
<script>
  var blockedFencedFrame = document.createElement('fencedframe');
  blockedFencedFrame.src = 'https://malicious.website.com/fenced-frame.html';
  document.body.appendChild(blockedFencedFrame);
</script>
Frequently Asked Questions
What is fenced-frame-src and how does it work?
The fenced-frame-src directive controls which URLs can be loaded into fenced frames on a web page. Fenced frames are a new type of embedded content frame that provides additional privacy protections by isolating the frame's content from the embedding page.
Browser Support
Fenced frames are a relatively new feature and may not be supported in all browsers.
How is fenced-frame-src different from frame-src?
While frame-src controls regular iframes, fenced-frame-src specifically controls fenced frames. Fenced frames provide stronger isolation between the frame content and the parent page, making them more suitable for privacy-sensitive content like ads or third-party widgets.
Need to monitor CSP violations and maintain your policy easily?
Set up a reporting endpoint to monitor Content Security Policy violations in real time, so you can build and maintain your CSP with confidence.