frame-src
The frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. This directive is crucial for controlling which external content can be embedded in your web application.
Recommended Values
'none' No frame sources are allowed
'self' Allows frames from the same origin as the page
https://subdomain.domain.com/path Allows frames only from that specific origin and path
Recommended frame-src configuration
Content-Security-Policy: frame-src 'self' https://trusted-domain.com;
Tips & Tricks
If frame-src is not defined, the child-src directive is used instead (which in turn falls back to default-src)
Allowing arbitrary frame sources can lead to clickjacking and other security vulnerabilities
Consider using the frame-ancestors directive alongside frame-src: frame-src controls what your page may embed, while frame-ancestors controls who may embed your page
Possible Values
- 'none': No frames allowed
- 'self': Only frames from the same origin are allowed
- URLs: Specific domains (e.g., https://trusted-domain.com)
- Schemes: Protocol schemes (e.g., https:)
Example Configurations
Basic policy with trusted domain
CSP Header with trusted domain
Content-Security-Policy: frame-src 'self' https://example.com;
Allowed
<!-- allowed as it's from same origin -->
<iframe src="/iframe.html"></iframe>
<!-- allowed as it's from trusted domain -->
<iframe src="https://example.com/iframe.html"></iframe>
Blocked
<!-- blocked as domain is not in allowed sources -->
<iframe src="https://malicious.website.com/iframe.html"></iframe>
<!-- blocked as protocol is not https -->
<iframe src="http://example.com/iframe.html"></iframe>
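To make the matching rules above concrete, here is an added Python checker (not part of this reference) that parses a CSP header, applies the frame-src, then child-src, then default-src fallback described under Tips & Tricks, and decides whether a given iframe src would be allowed. Ports are not modelled, and the page origin used in the test is an assumed value.

```python
from urllib.parse import urljoin, urlparse

def governing_sources(policy: str):
    """Source list that governs frames: frame-src, else child-src, else default-src.
    None means no governing directive, i.e. the policy does not restrict frames."""
    if policy.lower().startswith("content-security-policy:"):
        policy = policy.split(":", 1)[1]  # accept the full header line as shown on this page
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return directives[name]
    return None

def source_matches(source: str, frame_url: str, page_origin: str) -> bool:
    """Match one source expression against an absolute frame URL (ports not modelled)."""
    frame, page = urlparse(frame_url), urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (frame.scheme, frame.netloc) == (page.scheme, page.netloc)
    if source.endswith(":"):  # scheme-source such as https:
        return frame.scheme == source[:-1]
    # host-source: optional scheme, host with optional *. wildcard, optional path
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and frame.scheme != src.scheme:
        return False
    if not src.scheme and frame.scheme not in (page.scheme, "https"):
        return False  # scheme-less source matches the page's scheme (or https)
    host, want = frame.hostname or "", src.hostname or ""
    if want.startswith("*."):
        if not host.endswith(want[1:]):
            return False
    elif host != want:
        return False
    if src.path and src.path != "/":  # trailing slash = prefix match, otherwise exact
        return frame.path.startswith(src.path) if src.path.endswith("/") else frame.path == src.path
    return True

def frame_allowed(policy: str, frame_url: str, page_origin: str) -> bool:
    """Would <iframe src=frame_url> on a page at page_origin be allowed by this policy?"""
    sources = governing_sources(policy)
    if sources is None:
        return True
    absolute = urljoin(page_origin, frame_url)  # relative src resolves against the page
    return any(source_matches(s, absolute, page_origin) for s in sources)
```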
Additional Information
- The frame-src directive helps prevent clickjacking attacks
- Use this directive to control which sites can be embedded in iframes
- Consider combining with frame-ancestors for complete iframe security
- Always prefer HTTPS sources over HTTP