frame-ancestors CSP Directive (frame-ancestors)

Security Glossary - Security Headers

Definition: The frame-ancestors CSP directive specifies which origins are allowed to embed the current page in a frame, iframe, object, or embed element. frame-ancestors 'none' prevents all framing (equivalent to X-Frame-Options: DENY), and frame-ancestors 'self' allows only same-origin framing.

Why frame-ancestors Matters

frame-ancestors is the modern, more flexible replacement for X-Frame-Options. While X-Frame-Options only supports DENY, SAMEORIGIN, and the deprecated ALLOW-FROM, frame-ancestors can specify multiple allowed origins with full URL pattern matching.

This directive is critical for preventing clickjacking attacks, where an attacker embeds your site in a transparent iframe and tricks users into clicking buttons on your site while thinking they are interacting with the visible page. Banks, social media sites, and any page with sensitive actions should use frame-ancestors 'none' or 'self'.

frame-ancestors is unusual among CSP directives in that it overrides a separate header: when it is delivered in an enforcing Content-Security-Policy (not a Report-Only policy), a browser that understands both applies frame-ancestors and ignores X-Frame-Options. For backward compatibility with browsers that do not support CSP (mainly IE11), setting both frame-ancestors and X-Frame-Options is still recommended.

Checking Your Setup

A security audit checks both the frame-ancestors CSP directive and the X-Frame-Options header. Verify your site cannot be framed by untrusted origins. If you need to allow specific partners to embed your content, list their origins explicitly in frame-ancestors.
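The following is an added example, not code from the original page or from DomainOptic: a small checker that applies the precedence rules described above (an enforcing frame-ancestors wins, otherwise X-Frame-Options, otherwise no protection) to a set of response headers and decides whether a given origin may frame the page. Source matching is a simplified CSP3 subset ('none', 'self', scheme-source, host-source with optional leading wildcard); the origins used are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"https": 443, "http": 80}

def _origin(url):
    """Normalise an origin string into (scheme, host, port)."""
    u = urlsplit(url.strip().lower())
    return u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme)

def _source_matches(source, page, framer):
    """Match one frame-ancestors source expression against the framing origin.
    Simplified CSP3 matching: no http->https scheme upgrade, no path matching."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page
    if src.endswith(":") and "//" not in src:      # scheme-source, e.g. https:
        return framer[0] == src[:-1]
    if "://" not in src:                           # host-source inherits the page scheme
        src = f"{page[0]}://{src}"
    scheme, host, port = _origin(src)
    if host.startswith("*."):                      # *.partner.example excludes partner.example itself
        host_ok = framer[1].endswith(host[1:])
    else:
        host_ok = framer[1] == host
    return scheme == framer[0] and host_ok and port == framer[2]

def framing_allowed(headers, page_origin, framer_origin):
    """Decide whether framer_origin may embed the page served with these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_origin), _origin(framer_origin)
    # Only an enforcing policy counts; Content-Security-Policy-Report-Only never blocks framing.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split(None, 1)
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1].split() if len(parts) > 1 else []   # empty list behaves like 'none'
            return any(_source_matches(s, page, framer) for s in sources)  # overrides X-Frame-Options
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True   # no header, or the deprecated ALLOW-FROM, which modern browsers ignore

def audit(headers, page_origin):
    """Audit verdict: can an arbitrary third-party origin frame this page?"""
    # "https://untrusted.example" is a constructed stand-in for any origin you do not control.
    if framing_allowed(headers, page_origin, "https://untrusted.example"):
        return "VULNERABLE: page can be framed by any origin"
    return "OK: framing restricted"
```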


Frequently Asked Questions

Does frame-ancestors replace X-Frame-Options?
Yes, frame-ancestors is the modern replacement. It is more flexible (supports multiple origins) and is part of CSP. However, set both for backward compatibility since older browsers may only support X-Frame-Options.
Can I allow specific sites to frame my page?
Yes. Use frame-ancestors 'self' https://trusted-partner.com to allow your own site and a specific partner. This is more flexible than X-Frame-Options, which could only allow SAMEORIGIN or a single origin with the deprecated ALLOW-FROM.