The HTTP Content-Security-Policy
(CSP) frame-ancestors
directive specifies valid parents that may embed a page using <frame>
, <iframe>
, <object>
, <embed>
, or <applet>
.
Setting this directive to 'none'
is similar to X-Frame-Options
: DENY
(which is also supported in older browers).
CSP version | 2 |
---|---|
Directive type | Navigation directive |
default-src fallback | No. Not setting this allows anything. |
This directive is not supported in the <meta> element. |
One or more sources can be set for the frame-ancestors
policy:
Content-Security-Policy: frame-ancestors <source>; Content-Security-Policy: frame-ancestors <source> <source>;
<source> can be one of the following:
The frame-ancestors
directive’s syntax is similar to a source list of other directives (e.g. default-src
, but doesn't allow 'unsafe-eval'
or 'unsafe-inline'
for example. It will also not fall back to a default-src
setting. Only the sources listed below are allowed:
'*'
), and you may use a wildcard (again, '*'
) as the port number, indicating that all legal ports are valid for the source.http://*.example.com
: Matches all attempts to load from any subdomain of example.com using the http:
URL scheme.mail.example.com:443
: Matches all attempts to access port 443 on mail.example.com.https://store.example.com
: Matches all attempts to access store.example.com using https:
.data:
' Allows data:
URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
'mediastream:'
Allows mediastream:
URIs to be used as a content source.'blob:'
Allows blob:
URIs to be used as a content source.'filesystem:'
Allows filesystem:
URIs to be used as a content source.'self'
blob
and filesystem
from source directives. Sites needing to allow these content types can specify them using the Data attribute.'none'
Content-Security-Policy: frame-ancestors 'none';
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 The definition of 'frame-ancestors' in that specification. | Working Draft | No changes. |
Content Security Policy Level 2 The definition of 'frame-ancestors' in that specification. | Recommendation | Initial definition. |
Desktop | ||||||
---|---|---|---|---|---|---|
Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | |
Basic support | 40 | 15 | 33
|
No | 26 | 10 |
Mobile | |||||||
---|---|---|---|---|---|---|---|
Android webview | Chrome for Android | Edge Mobile | Firefox for Android | Opera for Android | iOS Safari | Samsung Internet | |
Basic support | ? | Yes | No | 33
|
? | 9.3 | Yes |
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors