Experimental: This feature is experimental and subject to change. It may not be supported by all browsers and could have compatibility issues.

fenced-frame-src

The fenced-frame-src directive specifies which sources can be loaded for fenced frames in your web application. This directive helps control and secure the content loaded within fenced frames.

Recommended Values

Recommended fenced-frame-src configuration

Content-Security-Policy: fenced-frame-src 'self' https://example.com;

Tips & Tricks

  • This directive is experimental and may not be supported by all browsers.

  • Only the following values are allowed: the scheme-source https:, the host-source https://<subdomain>.<domain>.com/<path>, and wildcard *

Possible Values

  • 'self': Only allows fenced frames from the same origin
  • 'none': Blocks all fenced frames
  • URLs: Specific domains (e.g., https://example.com)
  • Schemes: Protocol schemes (e.g., https:)
  • Wildcards: Limited pattern matching (e.g., *.example.com)

Example Configurations

Basic policy example

Allows fenced frames from same origin and example.com

Content-Security-Policy: fenced-frame-src 'self' https://example.com;

Allowed

<!-- allowed by 'self' -->
<script>
  var fencedFrame = document.createElement('fencedframe');
</script>

<!-- allowed by https://example.com -->
<script>
  var fencedFrame = document.createElement('fencedframe');
  fencedFrame.src = 'https://example.com/fenced-frame.html';
</script>

Blocked

<!-- blocked as data: URI is not allowed -->
<script>
  var blockedFencedFrame = document.createElement('fencedframe');
  blockedFencedFrame.src = 'data:application/JavaScript, ...';
</script>

<!-- blocked as https://malicious.website.com is not in the allowed sources -->
<script>
  var blockedFencedFrame = document.createElement('fencedframe');
  blockedFencedFrame.src = 'https://malicious.website.com/fenced-frame.html';
</script>

Additional Information

  • Fenced frames are an experimental feature designed to enhance privacy and security
  • They provide stronger isolation than traditional iframes
  • Always verify browser compatibility before implementation
  • Consider combining with other CSP directives for comprehensive security

Related Resources

External Articles

Related Documentation Sections