frame-ancestors

The frame-ancestors directive controls which parent pages can embed your page in an <iframe>, <frame>, <object>, <embed>, or <applet>. This directive is crucial for preventing clickjacking attacks and controlling how your content can be embedded by other websites.

Important The frame-ancestors directive is not available when implementing CSP via meta tags. It must be delivered via HTTP header. See our CSP Implementation Methods article for more details.

Recommended Values

Recommended frame-ancestors configuration

Content-Security-Policy: frame-ancestors 'none';

Security Implications

The frame-ancestors directive is particularly important for:
  • Preventing clickjacking attacks
  • Controlling how your content can be embedded
  • Protecting sensitive pages from being loaded in iframes
  • Maintaining control over your application's presentation

Tips & Tricks

  • The 'none' value is recommended for most applications, as it prevents any embedding of your page.
  • Using 'self' or specific domains should be considered carefully: every origin you allow is a site that can frame your page, and a compromised or careless allowed origin can expose your application to clickjacking.
  • This directive replaces the older X-Frame-Options header, though both can be sent together for broader browser support.
  • This directive can only be delivered via HTTP headers, not via meta tags.

Possible Values

  • 'none': No embedding is allowed
  • 'self': Only same-origin embedding is allowed
  • Specific domains: https://trusted-domain.com
  • Multiple domains: https://trusted1.com https://trusted2.com
  • Wildcards: https://*.trusted-domain.com

Example Configurations

Example policy preventing all embedding

Content-Security-Policy: frame-ancestors 'none';

Example policy allowing specific domains

Content-Security-Policy: frame-ancestors 'self' https://trusted-partner.com;

The header is sent with your page, and it is evaluated against the origin of the page that contains the <iframe>. In the examples below, https://your-app.example/page stands in for the URL of the page that sends the header above.

Allowed

<!-- Markup on a same-origin page: allowed by 'self' -->
<iframe src="/page"></iframe>

<!-- Markup on a page served from https://trusted-partner.com: allowed because that origin is listed -->
<iframe src="https://your-app.example/page"></iframe>

Blocked

<!-- Markup on a page served from https://malicious-site.com: blocked because that origin is not in the list -->
<iframe src="https://your-app.example/page"></iframe>
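To make the matching rules from the Possible Values list and the configurations above concrete, here is an added example (not code from the original page): a small evaluator that takes a CSP header value, the origin of your page and the origin of a would-be parent page, and reports whether that parent may frame your page. It assumes the four source forms this page lists ('none', 'self', host sources with an optional scheme and port, and a leading *. wildcard); the origins used in the comments are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Explicit port, or the default port for the scheme (None for unknown schemes)."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern_host, host):
    """'*.trusted-domain.com' matches any subdomain but not the bare domain itself."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".trusted-domain.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def frame_ancestors_sources(policy):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def ancestor_allowed(policy, page_origin, ancestor_origin):
    """True if a document at ancestor_origin may embed a page served with this CSP header."""
    sources = frame_ancestors_sources(policy)
    if sources is None:
        return True  # directive absent: CSP places no restriction on framing
    if [s.lower() for s in sources] == ["'none'"]:
        return False  # 'none' on its own forbids every parent
    page, anc = urlsplit(page_origin), urlsplit(ancestor_origin)
    for src in sources:
        if src.lower() == "'none'":
            continue  # 'none' mixed with other sources has no effect
        if src.lower() == "'self'":
            if (anc.scheme, anc.hostname, _effective_port(anc)) == (
                page.scheme, page.hostname, _effective_port(page)):
                return True
            continue
        # host source: scheme is optional and defaults to the page's own scheme
        pat = urlsplit(src if "://" in src else f"{page.scheme}://{src}")
        # an http: source also matches an https: parent; an https: source never matches http:
        scheme_ok = pat.scheme == anc.scheme or (pat.scheme == "http" and anc.scheme == "https")
        if not scheme_ok or not _host_matches(pat.hostname or "", anc.hostname or ""):
            continue
        wanted_port = pat.port if pat.port is not None else DEFAULT_PORTS.get(anc.scheme)
        if wanted_port == _effective_port(anc):
            return True  # e.g. parent https://app.trusted-domain.com against https://*.trusted-domain.com
    return False
```

Run it against the second example header with a parent at https://malicious-site.com and it returns False, while https://trusted-partner.com and the page's own origin return True.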

Additional Information

  • The frame-ancestors directive is essential for preventing clickjacking attacks
  • Consider using 'none' by default unless embedding is specifically required
  • This directive can be used alongside X-Frame-Options for broader browser support
  • Some browsers may still respect X-Frame-Options even when frame-ancestors is present
  • Unlike most other CSP directives, frame-ancestors cannot be implemented via meta tags
