frame-src

The frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. It controls which external content your web application is allowed to embed.

Recommended Values

  • 'none' No sources are allowed

  • 'self' Allows frames from the page's own origin (same scheme, host and port)

  • https://subdomain.domain.com/path Allows frames from that specific host, restricted to the given path

Recommended frame-src configuration

Content-Security-Policy: frame-src 'self' https://trusted-domain.com;

Tips & Tricks

  • If frame-src is not defined, the child-src directive will be used (and child-src in turn falls back to default-src)

  • Allowing arbitrary frame sources can lead to clickjacking and other security vulnerabilities

  • Consider using the frame-ancestors directive alongside frame-src for complete iframe security: frame-src governs what your page may embed, frame-ancestors governs who may embed your page

Possible Values

  • 'none': No frames allowed
  • 'self': Only frames from the same origin are allowed
  • URLs: Specific domains (e.g., https://trusted-domain.com)
  • Schemes: Protocol schemes (e.g., https:)

Example Configurations

Basic policy with trusted domain

CSP Header with trusted domain

Content-Security-Policy: frame-src 'self' https://example.com;

Allowed

<!-- allowed as it's from same origin -->
<iframe src="/iframe.html"></iframe>

<!-- allowed as it's from trusted domain -->
<iframe src="https://example.com/iframe.html"></iframe>

Blocked

<!-- blocked as domain is not in allowed sources -->
<iframe src="https://malicious.website.com/iframe.html"></iframe>

<!-- blocked as the scheme (http) does not match the https source -->
<iframe src="http://example.com/iframe.html"></iframe>
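As an added example (not code from this reference page), here is a small Python checker that applies the matching rules above and the fallback chain (frame-src, then child-src, then default-src) to the allowed and blocked cases. The function names, the page_origin default and the host-source matching are this example's own: it is a simplified version of the CSP source-matching algorithm (scheme-less sources match any scheme, port wildcards are not handled).

```python
from urllib.parse import urljoin, urlsplit

FALLBACK_CHAIN = ("frame-src", "child-src", "default-src")  # consulted in this order

def parse_policy(header):
    """Turn 'frame-src a b; default-src c' into {'frame-src': ['a', 'b'], ...}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def governing_directive(policy):
    return next((d for d in FALLBACK_CHAIN if d in policy), None)  # None: no directive applies

def host_source_matches(source, target):
    """Match a host-source (scheme://host[:port][/path], '*.' wildcard); scheme-less sources match any scheme."""
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False  # https://example.com does not match http://example.com
    host, thost = (src.hostname or "").lower(), (target.hostname or "").lower()
    if host.startswith("*.") and not thost.endswith(host[1:]):
        return False
    if not host.startswith("*.") and host != thost:
        return False
    if src.port is not None and src.port != target.port:
        return False
    if src.path and src.path != "/":  # '/path/' is a prefix, '/file' must match exactly
        if not (target.path.startswith(src.path) if src.path.endswith("/") else target.path == src.path):
            return False
    return True

def frame_allowed(header, frame_url, page_origin="https://app.example.org"):
    """Would this CSP value let a page at page_origin embed frame_url in an <iframe>?"""
    policy = parse_policy(header)
    directive = governing_directive(policy)
    if directive is None:
        return True  # nothing in the fallback chain: CSP does not restrict frames
    target = urlsplit(urljoin(page_origin, frame_url))  # resolves /iframe.html against the page
    me = urlsplit(page_origin)
    for src in policy[directive]:
        low = src.lower()
        if low == "'self'" and (target.scheme, target.hostname, target.port) == (me.scheme, me.hostname, me.port):
            return True
        elif low.endswith(":") and "/" not in low and target.scheme == low[:-1]:
            return True  # scheme-source such as https:
        elif not low.startswith("'") and host_source_matches(src, target):
            return True  # host-source matched; keywords such as 'none' match nothing
    return False
```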

Additional Information

  • The frame-src directive helps prevent clickjacking attacks
  • Use this directive to control which sites can be embedded in iframes
  • Consider combining with frame-ancestors for complete iframe security
  • Always prefer HTTPS sources over HTTP
