frame-src
The frame-src directive specifies valid sources for frames and iframes (<frame> and <iframe>) loaded by the document.
Recommended Values
'none'
Disallows all frame sources
'self'
Allows frames from the same origin
https://subdomain.domain.com
Allows frames from a specific external site
Tips & Tricks
If frame-src is not defined, the browser uses the child-src directive instead (which in turn falls back to default-src).
Examples
Allows scripts from the same origin and a specific external site
Content-Security-Policy: frame-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<iframe src='/iframe.html'></iframe>
<!-- allowed by https://example.com -->
<iframe src='https://example.com/iframe.html'></iframe>
Blocked
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<iframe src='https://malicious.website.com/iframe.html'></iframe>
Frequently Asked Questions
What is frame-src and how does it work?
The frame-src directive controls which URLs can be loaded into frames (<frame>) and iframes (<iframe>) on your webpage. It helps prevent unauthorized content from being embedded in your page through frames, which could potentially be used for clickjacking attacks or to load malicious content.
Default Behavior
If frame-src is not specified, the browser will first check child-src, and if that's not specified, it will fall back to default-src for a frame loading policy.
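The following evaluator is an added example, not code from the page or from any browser; it shows both the fallback chain above (frame-src, then child-src, then default-src) and how the Examples section's three iframes resolve against the policy frame-src 'self' https://example.com. The document URL https://app.example.net/page and the policies passed to it are constructed for illustration. It handles 'none', 'self', scheme sources and host sources (including a leading *. label) and simplifies port handling to "default port only" when a host source omits the port; nonces, hashes and 'strict-dynamic' do not apply to frame-src and are not implemented.

```javascript
// Added example (not the page's own code): resolve the effective frame
// policy from a Content-Security-Policy header value and decide whether a
// candidate frame URL is allowed. Uses only the WHATWG URL API.

// Parse "directive sources; directive sources" into a Map. CSP honours only
// the first occurrence of a directive name, so later duplicates are dropped.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback chain for frames: frame-src -> child-src -> default-src.
// Returns null when none of the three is present (CSP imposes no frame rule).
function effectiveFrameSources(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// "*.example.com" matches any subdomain but not the bare apex; "*" matches all.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Match one source expression against a parsed URL, given the document's URL.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. https:
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  // A scheme-less host source inherits the document's scheme; http also permits https.
  const wantScheme = scheme || self.protocol.slice(0, -1);
  if (urlScheme !== wantScheme && !(wantScheme === 'http' && urlScheme === 'https')) return false;
  if (!hostMatches(host, url.hostname)) return false;
  // Simplification: an omitted port only matches the scheme's default port
  // (the URL API reports a default port as the empty string).
  if (port === undefined ? url.port !== '' : (port !== '*' && port !== url.port)) return false;
  if (path) {
    if (path.endsWith('/')) return url.pathname.startsWith(path); // directory prefix
    return url.pathname === path;                                  // exact file
  }
  return true;
}

// Top-level check: would the browser permit <iframe src=frameUrl> on a page
// at documentUrl served with this CSP header value?
function isFrameAllowed(header, frameUrl, documentUrl) {
  const sources = effectiveFrameSources(parsePolicy(header));
  if (sources === null) return true;
  const self = new URL(documentUrl);
  const url = new URL(frameUrl, documentUrl); // relative src resolves against the document
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// Constructed demo: the page's Examples section, evaluated from a hypothetical
// document at https://app.example.net/page.
const DEMO_POLICY = "frame-src 'self' https://example.com;";
const DEMO_DOC = 'https://app.example.net/page';
for (const src of ['/iframe.html', 'https://example.com/iframe.html', 'https://malicious.website.com/iframe.html']) {
  console.log(src, '->', isFrameAllowed(DEMO_POLICY, src, DEMO_DOC) ? 'allowed' : 'blocked');
}
```

The fallback behaviour is the part most often misread in practice: a policy that sets only default-src 'self' already blocks third-party iframes, and a policy that sets child-src but not frame-src governs frames through child-src, so check which directive is actually in effect before adding a new source.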
What are common values for frame-src?
Common values include 'self' for loading frames from your own domain, specific URLs for trusted providers (like YouTube, Vimeo, or payment processors), and 'none' to block all frames. It's important to be specific about which domains can load frames to prevent security issues.
Security Note
Always specify trusted frame sources explicitly and avoid using wildcards (*) to maintain security. Consider using frame-ancestors alongside frame-src for complete frame control.