fenced-frame-srcfenced-frame-src controls the sources of content that may be embedded via the <fencedframe> element. Fenced Frames are part of the Privacy Sandbox — a new isolated embedding mechanism that strongly blocks communication between embedded content and the parent page.
Fenced Frames are an experimental feature introduced to isolate ads and personalized content from the parent document, preventing cross-site data joining. Unlike regular iframes, parent-child postMessage and URL observation are restricted. fenced-frame-src allowlists the URLs this element may load. Notably, this directive has value constraints — it permits https: scheme sources and opaque sources — so some keywords (e.g., script-family keywords like 'unsafe-eval') are meaningless here.
Its fallback behavior when omitted may differ from other frame-family directives in the spec, and since the standard and implementations are still evolving, verify target-browser support and whether you use the Fenced Frame API before adding it to production policy. Ordinary sites not using Fenced Frames need not declare this directive.
Content-Security-Policy: fenced-frame-src https://ads.example.com