Frame-ancestors is one of the directives of the Content-Security-Policy header. It allows website administrators to determine whether a site or page may be embedded in another site (like being loaded in an iFrame).
Why you should use frame-ancestors
iFrames are frequently used to execute click-jacking attacks. During these attacks a malicious site loads the affected site in an iFrame, tricking site visitors to unintentionally click on buttons or links on the malicious site. The intention could be to download malware, to harvest likes for social pages or to gain access to credentials, personal data, etc.
The frame-ancestors directive has a very similar function as the X-Frame-Options header. In contrast to the X-Frame-Options headers that now only supportsĀ denying or allowing same-origin embedding, the frame-ancestors directive has options for specifying specific sources and schemes used that are allowed to embed your site.
We recommend setting both headers to ensure maximum compatibility and security across all browsers. Very old browsers might not support the Content-Security-Policy frame-ancestors directive.
Options
The frame-ancestors directive provides the following settings:
Self: Only allows the page to be loaded in an iFrame from within the same domain.
None: Does not allow the page to be loaded in an iFrame at all.
URI : If specific domains are specified, the CSP header will only allow the page to be loaded in iFrame on the specified domains.
Really Simple SSL Pro allows you to easily configure both the X-Frame-Options header and the Content-Security-Policy with frame-ancestors directive.
Note: Make sure the frame-ancestors and X-Frame-Options policies match. If they don’t, browsers will use the most restrictive setting. Example: If you set frame-ancestors to allow embedding on a third party site but have X-Frame-Options set to SAMEORIGIN, embedding will fail.
