Experimental: This feature is experimental and subject to change. It may not be supported by all browsers and could have compatibility issues.
fenced-frame-src
Thefenced-frame-src
directive specifies which sources can be loaded for fenced frames in your web application. This directive helps control and secure the content loaded within fenced frames.
Recommended Values
'self' Allows the resource to be loaded and executed
https://subdomain.domain.com/path Allows the resource to be loaded and executed
Recommended fenced-frame-src configuration
Content-Security-Policy: fenced-frame-src 'self' https://example.com;
Tips & Tricks
This directive is experimental and may not be supported by all browsers.
Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path>, and wildcard *
Possible Values
'self'
: Only allows fenced frames from the same origin'none'
: Blocks all fenced frames- URLs: Specific domains (e.g.,
https://example.com
) - Schemes: Protocol schemes (e.g.,
https:
) - Wildcards: Limited pattern matching (e.g.,
*.example.com
)
Example Configurations
Basic policy example
Allows fenced frames from same origin and example.com
Content-Security-Policy: fenced-frame-src 'self' https://example.com;
Allowed
<!-- allowed by 'self' -->
<script>
var fencedFrame = document.createElement('fencedframe');
</script>
<!-- allowed by https://example.com -->
<script>
var fencedFrame = document.createElement('fencedframe');
fencedFrame.src = 'https://example.com/fenced-frame.html';
</script>
Blocked
<!-- blocked as data: URI is not allowed -->
<script>
var blockedFencedFrame = document.createElement('fencedframe');
blockedFencedFrame.src = 'data:application/JavaScript, ...';
</script>
<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
var blockedFencedFrame = document.createElement('fencedframe');
blockedFencedFrame.src = 'https://malicious.website.com/fenced-frame.html';
</script>
Additional Information
- Fenced frames are an experimental feature designed to enhance privacy and security
- They provide stronger isolation than traditional iframes
- Always verify browser compatibility before implementation
- Consider combining with other CSP directives for comprehensive security
Related Resources
External Articles
- W3C: Fenced Frame Specification
- Chrome Platform Status: Fenced Frames
- Privacy Sandbox: Fenced Frames
- Google Developers: Fenced Frames