frame-ancestorsframe-ancestors controls which origins may embed the current page via <iframe>, <frame>, <object>, or <embed>. It is the core clickjacking-defense directive and replaces the legacy X-Frame-Options header. This directive does NOT fall back to default-src.
frame-ancestors 'none' prevents any site from framing this page (equivalent to X-Frame-Options: DENY), while frame-ancestors 'self' allows only the same origin (equivalent to SAMEORIGIN). To permit embedding by specific partners, list their domains. Unlike X-Frame-Options — which cannot name a single arbitrary domain and has limited values — frame-ancestors flexibly accepts multiple origins and schemes, making it the modern replacement.
Mind the direction: frame-ancestors controls others framing you, whereas frame-src controls you framing others — they are opposites. Also note frame-ancestors is ignored when CSP is delivered via a <meta> tag; it is effective only when sent as an HTTP response header.
Content-Security-Policy: frame-ancestors 'self' https://trusted-partner.example.com