frame-src

The frame-src directive specifies valid sources for iframe in the document.

Recommended Values

  • 'none'

    Disallows all frame sources

  • 'self'

    Allows frames from the same origin

  • https://subdomain.domain.com

    Allows frames from a specific external site


Tips & Tricks

  • If frame-src is not defined, the browser uses the child-src directive instead, which in turn falls back to default-src

Examples

  • Allows frames from the same origin and a specific external site

    Content-Security-Policy: frame-src 'self' https://example.com;

    Allowed

    <!-- allowed by 'self' -->
    <iframe src='/iframe.html'></iframe>
    
    <!-- allowed by https://example.com -->
    <iframe src='https://example.com/iframe.html'></iframe>

    Blocked

    <!-- blocked as https://malicious.website.com is not in the allowed sources -->
    <iframe src='https://malicious.website.com/iframe.html'></iframe>

Frequently Asked Questions

What is frame-src and how does it work?

The frame-src directive controls which URLs can be loaded into frames (<frame>) and iframes (<iframe>) on your webpage. It helps prevent unauthorized content from being embedded in your page through frames, which could potentially be used for clickjacking attacks or to load malicious content.

Default Behavior

If frame-src is not specified, the browser will first check child-src, and if that's not specified, it will fall back to default-src for a frame loading policy.
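The policy in the Examples section and the frame-src → child-src → default-src fallback described above, modelled as an added example (this is not CentralCSP's code). It assumes a page served from https://shop.example (a constructed origin), and its matcher is deliberately simplified: it handles 'none', 'self' and scheme+host sources with exact origin matching, and does not model wildcards or other keywords.

```javascript
// Parse a Content-Security-Policy header into { directiveName: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ';'
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Resolve which directive actually governs frames: frame-src, else child-src,
// else default-src. Returns null when none of them is present.
function effectiveFrameSources(policy) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (name in policy) return { directive: name, sources: policy[name] };
  }
  return null; // no governing directive: the browser does not restrict frames
}

// Decide whether an <iframe src=frameUrl> on a page at pageOrigin is allowed.
// Simplified matcher: 'none', 'self' and exact scheme+host(+port) sources only.
function isFrameAllowed(header, frameUrl, pageOrigin) {
  const resolved = effectiveFrameSources(parseCsp(header));
  if (resolved === null) return true;
  const sources = resolved.sources.map((s) => s.toLowerCase());
  if (sources.includes("'none'")) return false;
  const targetOrigin = new URL(frameUrl, pageOrigin).origin; // resolves relative URLs
  for (const src of sources) {
    if (src === "'self'" && targetOrigin === new URL(pageOrigin).origin) return true;
    if (src.startsWith("'")) continue; // other keywords are not modelled here
    // Host source: a bare host is assumed to be https for this simplified check.
    const allowed = new URL(src.includes("://") ? src : `https://${src}`);
    if (allowed.origin === targetOrigin) return true;
  }
  return false;
}
```

Running the three iframes from the Examples section through isFrameAllowed reproduces the page's Allowed/Blocked outcomes, and a header with only default-src and child-src shows child-src taking over as the governing directive.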

What are common values for frame-src?

Common values include 'self' for loading frames from your own domain, specific URLs for trusted providers (like YouTube, Vimeo, or payment processors), and 'none' to block all frames. It's important to be specific about which domains can load frames to prevent security issues.

Security Note

Always specify trusted frame sources explicitly and avoid using wildcards (*) to maintain security. Note that frame-src only governs what your page is allowed to embed; to control which sites may embed your page (the clickjacking case), use frame-ancestors alongside frame-src for complete frame control.
