frame-ancestors
The frame-ancestors directive controls which parent pages can embed your page in an <iframe>, <frame>, <object>, <embed>, or <applet>. This directive is crucial for preventing clickjacking attacks and controlling how your content can be embedded by other websites.
Important: The frame-ancestors directive is not available when implementing CSP via meta tags. It must be delivered via HTTP header. See our CSP Implementation Methods article for more details.
Recommended Values
'none' Prevent any embedding.
https://subdomain.domain.com/path Allow embedding by a specific subdomain of a trusted domain.
Recommended frame-ancestors configuration
Content-Security-Policy: frame-ancestors 'none';
Security Implications
The frame-ancestors directive is particularly important for:
- Preventing clickjacking attacks
- Controlling how your content can be embedded
- Protecting sensitive pages from being loaded in iframes
- Maintaining control over your application's presentation
Tips & Tricks
The 'none' value is recommended for most applications as it prevents any embedding.
Using 'self' or specific domains should be carefully considered as it may expose your application to clickjacking attacks.
This directive replaces the older X-Frame-Options header, though both can be used together for broader browser support.
This directive can only be implemented via HTTP headers, not via meta tags.
Possible Values
- 'none': No embedding is allowed
- 'self': Only same-origin embedding is allowed
- Specific domains: https://trusted-domain.com
- Multiple domains: https://trusted1.com https://trusted2.com
- Wildcards: https://*.trusted-domain.com
Example Configurations
Example policy preventing all embedding
CSP Header preventing all embedding
Content-Security-Policy: frame-ancestors 'none';
Example policy allowing specific domains
CSP Header allowing specific domains
Content-Security-Policy: frame-ancestors 'self' https://trusted-partner.com;
Allowed
<!-- frame-ancestors is evaluated against the origin of the page that contains the <iframe>,
     not against the iframe's src. "your-app.example" below is a placeholder for the origin
     that sends the policy above. -->
<!-- Embedding page served from the same origin as the protected page: allowed by 'self' -->
<iframe src="/page"></iframe>
<!-- Embedding page served from https://trusted-partner.com: allowed because that origin is listed -->
<iframe src="https://your-app.example/page"></iframe>
Blocked
<!-- Embedding page served from https://malicious-site.com: blocked because that origin is not in the allowed list -->
<iframe src="https://your-app.example/page"></iframe>
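To check a policy against an embedding origin the way a browser would, here is an added Python evaluator (not part of this page or of any CSP library) that extracts the frame-ancestors directive and applies the matching rules listed above: 'none', 'self', exact hosts, *.wildcard hosts, scheme and port. It assumes the header value has already been read from the response and it ignores the optional path component of a host source.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Split an origin URL into (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def frame_ancestors_sources(csp_header):
    """Return the frame-ancestors source list, or None when the header lacks the directive."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _host_source_matches(source, page, embedder):
    """Match one host-source ([scheme://]host[:port][/path]); the path part is ignored here."""
    scheme, host, port = embedder
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        if src_scheme.lower() != scheme:
            return False
    else:
        rest = source  # scheme-less: matches the page's own scheme, or https for an http page
        if scheme != page[0] and not (page[0] == "http" and scheme == "https"):
            return False
    src_host, _, src_port = rest.split("/", 1)[0].lower().partition(":")
    if src_host.startswith("*."):
        host_ok = host.endswith(src_host[1:])  # "*.t.com" matches "a.t.com" but not "t.com"
    else:
        host_ok = src_host == "*" or host == src_host
    if not host_ok:
        return False
    if src_port == "":
        return port == DEFAULT_PORTS.get(scheme)  # no port given: only the scheme default
    return src_port == "*" or src_port == str(port)

def frame_ancestors_allows(csp_header, page_origin, embedder_origin):
    """True if a document at embedder_origin may frame the page that sent csp_header."""
    sources = frame_ancestors_sources(csp_header)
    if sources is None:
        return True  # no directive: browsers allow framing by default
    page, embedder = _origin(page_origin), _origin(embedder_origin)
    for src in sources:
        if src.lower() == "'self'" and page == embedder:
            return True
        if not src.startswith("'") and _host_source_matches(src, page, embedder):
            return True
    return False  # 'none', or nothing in the list matched
```

Run it against the two headers shown above to confirm that only 'self' and the listed partner origin may embed the page, and that a header without the directive leaves the page embeddable.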
Additional Information
- The frame-ancestors directive is essential for preventing clickjacking attacks
- Consider using 'none' by default unless embedding is specifically required
- This directive can be used alongside X-Frame-Options for broader browser support
- Some browsers may still respect X-Frame-Options even when frame-ancestors is present
- Unlike most other CSP directives, frame-ancestors cannot be implemented via meta tags
Related Resources
External Articles
- MDN Web Docs: frame-ancestors
- OWASP: Clickjacking Defense Cheat Sheet
- Google Web Fundamentals: Content Security Policy