frame-ancestors
The frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. This directive helps prevent clickjacking attacks by ensuring that your content is only embedded on trusted sites.
Recommended Values
'none'
Prevents any domain from framing the content
'self'
Allows embedding only from the same origin
Tips & Tricks
The frame-ancestors directive supersedes the older X-Frame-Options header for modern browsers that support CSP.
If X-Frame-Options is also present, a browser that supports CSP uses the frame-ancestors directive, because it is more specific, and ignores X-Frame-Options.
The frame-ancestors directive does not apply to the <frame> element.
The frame-ancestors directive does not fall back to default-src; if it is absent, default-src does not restrict framing.
Examples
Allow embedding only from the same origin and one trusted site
Content-Security-Policy: frame-ancestors 'self' https://trusted-site.com;
Allowed (the embedding page is served from https://trusted-site.com, a listed ancestor)
<iframe src='https://your-site.example/page'></iframe>
Blocked (the embedding page is served from https://malicious-site.com, which is not listed)
<iframe src='https://your-site.example/page'></iframe>
Note that frame-ancestors is evaluated against the origin of the page doing the embedding, not against the iframe's src; https://your-site.example stands in for the site that sends the header.
Frequently Asked Questions
What is the frame-ancestors directive used for?
The frame-ancestors directive specifies which domains can embed your website using frames, iframes, objects, embeds, or applets. This helps prevent clickjacking attacks by controlling which sites can embed your content.
Relationship with X-Frame-Options
frame-ancestors is the CSP equivalent of the X-Frame-Options header, but with more granular control. While X-Frame-Options only supports DENY, SAMEORIGIN, or a single origin (via the obsolete ALLOW-FROM), frame-ancestors allows multiple origins and more flexible policies.
Can I use both X-Frame-Options and frame-ancestors?
Yes, you can use both headers together for better browser compatibility. Modern browsers will prefer the frame-ancestors directive, while older browsers that don't support CSP will fall back to X-Frame-Options. However, ensure both headers specify consistent policies to avoid confusion.
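As an added example that is not part of this reference page, the following Python checker decides whether an embedding origin is allowed under a frame-ancestors source list (the Examples section above) and picks an X-Frame-Options fallback that is consistent with it, as the answer above recommends. The page origin https://your-site.example is an assumed placeholder; host matching covers 'none', 'self', scheme-qualified and bare hosts, and *.wildcards, with ports compared literally.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Assumed placeholder for the site that sends the header, and the policy above.
PAGE_ORIGIN = "https://your-site.example"
POLICY = "frame-ancestors 'self' https://trusted-site.com"


def parse_frame_ancestors(policy: str) -> list[str]:
    """Return the frame-ancestors source list, or [] when the directive is absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


def _host_matches(pattern: str, hostport: str) -> bool:
    # "*.example.com" matches subdomains only, never the bare apex host.
    if pattern.startswith("*."):
        return hostport.endswith(pattern[1:])
    return pattern == hostport


def ancestor_allowed(page_origin: str, sources: list[str], ancestor_origin: str) -> bool:
    """True if a document at ancestor_origin may frame page_origin under sources."""
    if not sources or "'none'" in sources:
        return False  # no directive value or 'none': nobody may frame the page
    anc = urlsplit(ancestor_origin)
    for src in sources:
        if src == "'self'":
            if urlsplit(page_origin)[:2] == anc[:2]:  # same scheme and host:port
                return True
            continue
        scheme, sep, hostport = src.partition("://")
        if sep and scheme != anc.scheme:
            continue  # scheme-qualified source: scheme must match exactly
        if _host_matches(hostport if sep else src, anc.netloc):
            return True
    return False


def x_frame_options_fallback(sources: list[str]) -> str | None:
    """X-Frame-Options value equivalent to sources for non-CSP browsers.
    Returns None when XFO cannot express the policy (it has no host list)."""
    if not sources or sources == ["'none'"]:
        return "DENY"
    if sources == ["'self'"]:
        return "SAMEORIGIN"
    return None
```

When x_frame_options_fallback returns None, sending SAMEORIGIN would block the listed trusted sites in older browsers, so decide deliberately rather than copying a value that contradicts the CSP directive.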
Browser Support
While most modern browsers support frame-ancestors, keeping X-Frame-Options as a fallback ensures protection for users with older browsers that don't support CSP.
What are common values for frame-ancestors?
Common values include 'none' to prevent any embedding, 'self' to allow embedding only from the same origin, or specific origins such as https://trusted-site.com (as in frame-ancestors https://trusted-site.com). Multiple trusted origins can be listed to allow embedding from several sources.
Security Best Practice
Unless your site needs to be embedded in other websites, it's recommended to set frame-ancestors to 'none' to prevent clickjacking attacks.
How does frame-ancestors protect against clickjacking?
frame-ancestors prevents clickjacking attacks by controlling which websites can embed your content in frames. Without proper restrictions, attackers could embed your site in a malicious page and trick users into clicking on disguised elements. By limiting embedding to trusted sources, this attack vector is blocked.
Implementation Note
frame-ancestors policies are enforced by the browser and cannot be bypassed using JavaScript or other client-side techniques.